Risk management and internal audit are critical functions for better governance and are the cornerstone of an organisation’s defence against corruption and other unethical practices. Effective risk management and internal audit policies and processes reduce the vulnerability of public sector organisations to fraud and corruption while ensuring that governments are operating optimally to deliver programmes that benefit citizens, thereby also increasing trust in government. Furthermore, such activities help to ensure value for money and facilitate decision-making. Mature internal control and risk management policies and procedures help governments to balance an enforcement-focused model with more preventive, risk-based approaches
Risk management is the starting point for proportionate, efficient and effective control measures to mitigate the identified risks. Over the last decade, with an increased focus in international integrity standards on managing and assessing risks, countries have adopted policies, practices and tools to identify and assess risks. Nonetheless, more can be done to integrate a fraud and corruption perspective into risk management and risk assessments. According to the results of the 2018 Questionnaire on Public Integrity in Latin America, 36% of the countries had explicitly outlined specific principles and practices to manage the risks of fraud and corruption. Another 45% only had general references to fraud and/or corruption in a broader context of risk management activities. Ecuador and Peru reported not having any principles nor practices to manage risks of corruption.
In turn, internal auditors in public sector organisations play an important role by providing independent, objective assessments of whether public resources are being managed effectively to achieve the intended results. Their objective, value-based insights and evidence can support senior management in public sector organisations to better manage and assess integrity risks. In addition to their contributions to the evaluation of integrity risk factors, internal auditors can play a critical role by assessing whether internal controls to manage integrity risks are operating effectively and efficiently and by flagging high-risk areas for integrity breaches such as third-party relationships, outsourced activities or procurement. According to the survey results, 73% of countries have an internal audit unit in every ministry, and 27% only have such unit in some of them. In Peru, with the exception of some public entities, there is currently no internal audit function. There is, however, an Office of Institutional Control in each public entity, which depends functionally and administratively on the Office of the Comptroller General of the Republic, the supreme audit institution of Peru. This could lead to a confusion between internal and external controls by public managers (OECD, 2017).
Indeed, to implement effectively risk management and internal audit policies, it is key that all public officials understand their own role and responsibility in identifying and managing integrity risks through adequate internal control. In countries such as Costa Rica, Ecuador, Honduras and Peru where the supreme audit institution leads the internal audit policy framework, there is a risk that public managers may more easily be confused about their own role and responsibility, tending to see the control function as being the responsibility of the external actor. In turn, when the lead responsibility rests within the executive, as in Argentina, Brazil, Chile, Colombia, Mexico, Paraguay and Uruguay, the relevance of risk management and internal audit can be embedded in broader public management policies, improving the ownership of the public administration.
