In public sector organisations, having an internal control system and risk management framework is essential for upholding public integrity. Effective internal control and risk management policies and processes reduce the vulnerability of public sector organisations to fraud and corruption by providing reasonable assurance to management that the organisation is achieving its objectives and managing its risks effectively. These policies and processes also help to ensure value for money and facilitate decision making by ensuring that governments are operating optimally to deliver programmes that benefit citizens and avoid wasteful spending. They help governments balance an enforcement-focused model with more preventive, risk-based approaches.

Internal control and risk management cover a range of measures to prevent, detect and respond to fraud and corruption. These include policies, practices and procedures that guide management and staff to fulfil their roles in safeguarding integrity by adequately assessing risks and developing risk-based controls. Mechanisms for responding to cases of corruption and breaches of integrity standards are equally critical. A strong internal control system should also include internal auditing to better evaluate the strength of the internal control system and a robust risk management framework to help organisations identify and respond to the corruption risks they face (OECD, 2020[12]). In light of this, the OECD Recommendation on Public Integrity calls on adherents to “apply an internal control and risk management framework to safeguard integrity in public sector organisations” (OECD, 2020[12]; OECD, 2017[17]).

The needed improvements of internal control, risk management and internal audit systems must embrace new technologies and embed them into existing frameworks. As explored in later chapters, AI can add value to public governance and specifically corruption prevention if better embedded in risk management, internal control and internal audit systems. When deployed responsibly, AI tools can help management identify fraud risks and internal auditors to detect fraud. It is therefore important that public sector organisations take steps to increase AI literacy, particularly among internal auditors who will also soon be called on to conduct audits of AI systems within the organisation. This upskilling includes the greater use of technical tools to identify risks and detect malfeasance.

This chapter shows that:

• Countries’ regulations on risk management and internal control are strong, but those on internal audit could improve.

• Implementation of risk management practices has not yet matured.

• Internal audit remains an underutilised governance tool against corruption.

Across OECD countries, regulations on risk management and internal control are strong, with countries on average having 72% and 81% of the elements of standard regulations. On the other hand, on average countries only have 51% of standard regulation on internal audit, highlighting this as an area for further improvement.

These regulations also address fraud and corruption risks in most cases. 70% of countries have issued guidelines on fraud and corruption prevention as part of their internal control systems, and 71% of countries explicitly address these risks in their risk management framework (Figure ‎3.1).

Despite strong regulations, the effectiveness of risk management and internal audit processes could be improved in practice. While most OECD countries have a risk management framework that addresses corruption and integrity risks, this is not commonly carried out in practice. Regulations adopted at the central government level are not consistently applied in line ministries and agencies where the actual corruption prevention happens (Figure ‎3.2). In only six countries have all line Ministries or agencies performed a risk assessment in the past three years. This is perhaps to be expected since only seven countries have roles and responsibilities for risk management established in line ministries or agencies.

Other risk management and audit good practices have also not been implemented in all executive branch bodies in most OECD countries. For example, only five OECD countries can evidence that at least half of these bodies had planned internal audits related to fraud and corruption. Moreover, while an audit charter forms the foundation of effective internal audit in an organisation, an audit charter was in place in all ministries or agencies in just 12 countries. And just eight countries had conducted an external quality assurance of all internal audit units in the past five years.

Internal audit is only effective if it can cover an adequate part of the public budget. Internal audit provides assurance on the operation of internal control and can have a considerable deterrent effect on fraudulent activities and officials. Legislation and practice varies significantly across OECD countries. Some countries have full coverage both in legislation and in practice. Others have full coverage in legislation but do not audit all entities in practice. Some countries do not extend internal audit coverage to the full public budget (Figure ‎3.3). Yet again, many countries do not collect the necessary data to be able to assess this.

Finally, the value of internal audit units ultimately rests on public sector managers acting upon the auditors’ recommendations, whether in terms of implementing suggested changes or considering them and finding a valid reason not to. In countries where it is monitored centrally, implementation of audit recommendations is typically high. This is a positive sign as it suggests that management is willing to act on the recommendations of internal auditors in most cases. However, around half of OECD countries do not collect central data on implementation of audit recommendations, and so they do not know whether they implemented them (Figure ‎3.4). This stands to undermine the impact of internal audit in those countries.