Effectiveness of internal control and risk management

Regulatory framework for internal control

Review of relevant regulations for internal control (IC), including, regulations specific to financial control and risk management and regulations for internal audit (IA). The criteria below are based on COSO 2013 IC-IF, IIA IPPF standards 2017, and INTOSAI GOV 9100 and 9130.

Risk management framework

Review of risk management regulations adopted at the central government level. The criteria below are based on COSO 2017 ERM Framework, ISO 31000:2018, ISO 37301:2021, ISO 37001:2016, and ACFE 2016 Fraud Risk Management Framework.

Regulatory framework for internal audit

Review of the regulations established for the internal audit (IA) function. The central IA function must be located in the executive branch of government and be responsible for coordinating all internal audit activities, including training for IA staff. For criterion 8, if the IA function is fully centralised then internal audit units are not established and the criterion is automatically fulfilled. The criteria below are based on the IIA IPPF Standards 2017, and INTOSAI GOV 9140 professional standards.

Coverage of central functions to implement internal control and internal audit

Review of the mandate and specific duties of the central government body responsible for co-ordinating and monitoring implementation of internal control (IC) and internal audit (IA) activities. This is often described as the central harmonisation function or the central harmonisation unit (CHU). If a CHU is not in place, the central but separate government (executive branch) functions for internal control and internal audit are analysed. Criteria 2 and 3 are automatically fulfilled if criterion 1 is fulfilled. Criteria 5 and 6 are automatically fulfilled if criterion 4 is fulfilled. Criteria 8 and 9 are automatically fulfilled if criterion 7 is fulfilled. The criteria below are based on COSO 2013 IC-IF, IIA IPPF standards 2017, INTOSAI GOV 9100, and 9130 and the EU PIC model.

Central reporting on internal control and internal audit

Review of reports for internal control (IC) and internal audit (IA). It can be one report or two separate reports. The annual report refers to a summary of all individual IC reports.

Internal audit and risk-based approaches in practice

Review of data provided by Central Harmonisation Unit (CHU) or the central IA function responsible for co-ordinating the development of internal audit (IA). For criteria 6 to 10, a sample is taken to review practice. The sample organisations include all ministries and the 10 central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets.

Use of integrity risk management in budget organisations in practice

Review of data provided by the central government body responsible for risk management. Α sample is taken to review practice. The sample organisations include all ministries and the 10 central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets. Integrity risk assessments have to be conducted within the past 3 years.

National budget organisations covered by internal audit

The analysis is carried out based on the number of total organisations that are actually covered by internal audit (IA) regulations, divided by the number of all public organisations in the country financed by public funds (national budget), expressed as a percentage. Public organisations included in the IA mandate are defined by the IA charter or regulation (audit universe), which legally represent a range of potential audit activities to be carried out by the audit function, consisting of auditable entities, processes, systems and activities. This indicator measures the de jure share of national organisations covered by IA regulation.

National budget organisations internally audited in the past five years

The analysis is carried out based on the number of actual organisations that were audited in the past 5 years divided by the number of all public organisations in the country financed by public funds (national budget). Public organisations included in the internal audit (IA) mandate are defined by the IA charter or regulation (audit universe), which legally represent a range of potential audit activities to be carried out by the audit function, consisting of auditable entities, processes, systems and activities. This indicator measures the de facto share of national budget audited in the past 5 years.

Adoption rate for internal audit recommendations

Review of data from the CHU or the central function responsible for co-ordinating the development of internal audit (IA) to identify the share of IA recommendations made during the year prior to the latest full calendar year that were adopted within one year. “Adopted” means that the recommendation was accepted by management and they intend to act on it. The same data request is made to the Supreme Audit Institution. If no central statistics have been collected a sample is taken that includes as a minimum all ministries and central government agencies. The adoption rate is expressed as a percentage of the total number of recommendations.

Implementation rate for internal audit recommendations

Review of data from the CHU or the central function responsible for co-ordinating the development of internal audit (IA) to identify the share of IA recommendations made during the year prior to the latest full calendar year that were implemented within one year. “Implemented” means that management completed the actions that addressed the recommendation from internal audit. The same data request is made to the Supreme Audit Institution. If no central statistics have been collected a sample is taken that includes as a minimum all ministries and central government agencies. The implementation rate is expressed as a percentage of the total number of recommendations.