The OECD Recommendation on Public Integrity emphasises the need to implement a framework for risk management and control that safeguards integrity in public sector entities (OECD, 2017[1]). The three lines of defence model helps distinguish the existence of three groups within a public organisation for effective risk management and control. By acting effectively, they can better ensure compliance with organisational objectives (OECD, 2019[2]). The Colombian model adopted a fourth line, which they called the “strategic line”, taking into account the legal framework of internal control that expressly assigns responsibility for the system to the legal representative of the entity. Therefore, these representatives, as well as their management teams, constitute the fourth complementary line to the regular three-lines of defence scheme. The SAI, in turn, can be understood as a fifth line of defence, external to the public organisation, which complements the internal control systems and ensures their proper functioning and effective governance (Arndorfer and Minto, 2015[3]). For this, good co-ordination between the internal and external control systems is vital.

As regards internal control, the Internal Control Units (Unidades de Control Interno, UCI) play a fundamental role as advisor, evaluator, system integrator and energiser of the internal control system. These functions are aimed at improving the organisational culture and, therefore, contribute to the fulfilment of the purposes of the State. This is why the OECD Integrity Review of Colombia highlighted the challenges in strengthening co-ordination between the CGR, the DAFP and the Auditor General Office (Auditoría General de la República, AGR) and in particular the articulation, alignment and harmonisation of standards with respect to the internal control system (OECD, 2017[4]).

As such, Legislative Act 04 of 2019 and Decree 403 of 2020 (Art. 57 (c)) established a new role for the UCI for the preventive and concomitant control. In the CGR, the administration of the SACI was given to the Delegate for Citizen Participation to promote fluent communication between the UCI and the General and Sectorial Delegate Comptrollers' Offices to appropriately exchange information for the real time surveillance of public resources.

Moreover, the Internal Control System (Law 87 of 1993) is implemented for the public sector in Colombia under the Internal Control Standard Model (Modelo Estandár de Control Interno, MECI), which is composed of two elements: a control structure and a scheme for assigning responsibilities, called lines of defence (Decree 1083 of 2015 on the Institutional Internal Control Co-ordination System). Under the lines of defence scheme, the UCI are in charge of the third line of defence aimed at being the “control of controls”. That is, the UCI verify and evaluate whether the controls implemented and monitored by the strategic line (senior management and the Institutional Internal Control Co-ordination Committee (Comité Institucional de Coordinación de Control Interno, CICI)), the first line of defence (leaders, process managers, collaborators) and the second line of defence (co-ordinators, planning offices and axis leaders) are implemented, applied and effective. Therefore, the UCI are only a part of the internal control system, not the system as a whole, among other reasons because based on the independence and objectivity to which they are bound, they are not permitted to be part of all of the processes of an institution.

The interviews conducted for this report revealed the need to improve co-ordination and the link between the UCI and the Office of the Comptroller General. The interaction between public entities and the CGR, for the purposes of preventive or concomitant control, is currently being defined and structured. For example, the interviews indicated that public administrations still follow a reactive logic to the observations of the CGR and that this also holds for the preventive and concomitant control, even when the law states explicitly that "warnings" are non-binding and entail no legal consequences. However, the UCI expressed doubts with respect to whether the warning system really does not have legal consequences. This may be a consequence of the fact that many associate the CGR to its traditional role related to sanctions. In addition, concerns about disparate criteria and the scope of the role of UCI in preventive control were confirmed, as well as opportunities for improvements in this new mechanism. The problems identified in the framework of this project are summarised below (Figure 3.1).

Therefore, the concerns of the UCI about the application of preventive and concomitant control can be summarised into three areas for improvement.

• Improving CGR’s co-ordination with internal control, including procedures and information requests.

• Strengthening the role of UCI in the identification and treatment of integrity risks, beyond the identification and notification of possible cases of corruption.

• Strengthening the UCI in its entirety, allocating the necessary resources and support for the fulfilment of their functions, including on the territorial level.

One of the main concerns identified by the UCI is undoubtedly related to their interaction with the CGR and the use and purpose of the information they produce. In particular, concerns were observed related to requests for information as well as the times and the applicable procedures for each process (alerts or warnings). A fundamental aspect unanimously highlighted was the idea of the CGR as a kind of “black box”, to which they send information, but no feedback is received on its use or usefulness. Because of this, the interviewed actors considered it necessary to establish informal communication channels (such as feedback meetings) and to create clear links for the requests of information made to the UCI.

This interaction may enhance positive aspects discussed during the virtual fact-finding mission, which, among others, evidenced significant institutional changes. In particular, the UCI feel that even though there are aspects to be fine-tuned, overall there has been an important cultural change among CGR officials. Proof of this were the references to moving from a "scarier" to friendlier entity, which can use the UCI as a leverage to fulfil its role, with a strengthened legal framework and more modern work tools. In interviews conducted for this report, the UCI expressed the imperative need to potentiate this last point, since not only the technical and instrumental aspects are key to achieving the desired interaction, but also the attitudinal changes that have been perceived from the CGR auditors.

These efforts should be complemented with a better articulation with internal control. For example, articles 57 and 61 of Decree 403 of 2020 mention the need for co-ordination with internal control, but the CGR guidelines on how this co-ordination would occur are still pending, including at all levels of the control system, such as legal representatives, administrators and the CICI. As explained below, the modification of Resolution 49 of 2019 could be an opportunity to implement some of these recommendations and refine procedural aspects of this interaction, including identifying other co-ordination mechanisms and finding the limits and common points of each of the controls.

Secondly, the UCI show concern in how the CGR understands their role in relation to the concomitant and preventive control. In particular, their role in the detection of corruption cases or their role in the internal control process, which, as already explained, is limited to the third line of defence and not to the whole system.

To this end, it is necessary to consider several points:

• The UCI exercise their roles and functions in accordance with their Annual Audit Plan and on prioritised topics based on risks.

• Internal audit is based on sampling and is aimed at evaluating processes, it is neither appropriate nor possible to evaluate the universe of contracts, projects or programmes, nor participate or intervene in institutional activity.

• The assessment that the UCI can provide, according to its competences, is carried out fundamentally in matters of risks, control and formulation of actions.

• The UCI evaluate the procurement process ensuring that it has controls throughout all its stages and that these controls are present in any selection process. For this, within the framework of an audit, “samples” are selected based on various modalities and in relation to different stages. This is given as input for the actions to be taken by the administration.

For this reason, the UCI cannot verify everything that happens in the contracts nor can they alert about all situations that arise. Furthermore, and as highlighted in the OECD Public Integrity Review of Colombia (OECD, 2017[4]), it is not their role to identify specific corruption cases (Box 3.1). In this sense, the Office of the Comptroller General could consider strengthening and giving a clearer perspective to the "alert" mechanism so it is not confused with the public "warnings" of the Comptroller General, making it clear that the “alerts” and what the SACI is intended for, is more aligned to the function of the UCI, which includes the identification of risks that jeopardises the achievement of the State's goals in the investment of public resources and that can generate loss or damage, rather than in the identification of specific corruption cases. As such, the UCI would have the potential to play a more proactive role by providing inputs or even supporting risk assessments with regards to the preventive control.

Strengthening the UCI, particularly in terms of resources and personnel, is not a new concept in Colombia. The OECD Public Integrity Review of Colombia has warned of the imperative need to allocate human, financial and technological resources needed for its proper functioning, as well as to promote the conditions for the independent development of its function (OECD, 2017[4]). This situation tends to worsen even more at the territorial level, where the UCI do not have the personnel or access to sufficient technology to carry out their tasks. In this sense, the situation seems not to have evolved much since the report produced by the OECD in 2017. This became even more evident during the interviews conducted for this report, where the UCI (on the national and territorial level) expressed that even though they are well aware of their obligation and commitment to contribute to the prevention of the loss of public resources, this task must be carried out in compliance with their functions and competences (which are not to identify specific cases of corruption) as well as considering their technical and human capacities.

To the limited allocation of budget and personal, there is an additional concern related to the lack of independence in the implementation of their functions, the high turnover of UCI heads and teams, as well as the excess of regulations and functions assigned to the unit. This situation does not allow consolidating an adequate management of controls or the possibility to permeate correctly through the different dependencies of an entity.

To overcome some of these challenges, the OECD Integrity review of Colombia had proposed, for example, that the DAFP explores the benefits of piloting a shared audit services model in a specific policy sector, for example, in the health sector or for local governments, as a strategy to strengthen internal control in local areas that have been affected by the armed conflict and as required by the Peace Agreement (OECD, 2017[4]). This recommendation could undoubtedly be taken up within the framework of the new preventive and concomitant control function, as well as in the process of unification and standardisation of the surveillance and control of fiscal management in Colombia, implementing, for example, initial pilots at the territorial level where UCI have limited resources to carry out their functions.

As already mentioned, the Delegate for Citizen Participation (Delegado de Participación Ciudadana, DPC) plays a fundamental role in managing the SACI and works as a dependency that is constantly in communication with the DAFP. According to the DPC, the relationship with the UCI is determined in two spaces. On the one hand, the UCI play a role in accompanying the Participatory Fiscal Control (Control Fiscal Participativo, CFP), which is a service designed for citizens, so that they can exercise their right to monitor public management. In these institutional and social workshops, public entities, internal control units, contractors and citizens are invited to examine a problem related to the execution of national, regional or local projects. In these workshops, entities identify imminent or materialised risks in the development of a project and, with the aim to seek a solution and prompt completion, sign management agreements with the CGR. These agreement finalise once the good or service is delivered or when the execution of the process is restored.

On the other hand, since the issuance of Decree 403 of 2020 and Resolution 762 of 2020, the Delegate for Citizen Participation is also in charge of managing the SACI, understood as a communication mechanism with the UCI for monitoring the permanent implementation of preventive and concomitant control. Without a doubt, the creation of the SACI will contribute significantly to the exchange of information between the UCI and the CGR.

This constant interaction between the CGR and the UCI has been fundamental in the development of the preventive and concomitant control function, but some challenges remain. For instance, the UCI indicate inefficiencies between the reports to the multiple systems and platforms where records must be made, such as the system for reporting acts of corruption in charge of the Secretariat of Transparency of the Presidency of the Republic. This shows the importance and relevance of the SACI as an opportunity for the CGR to contribute to the co-ordination and unification of reporting systems.

The CGR also points out to challenges and opportunities. Among them stands out the difficulty encountered in the participation of the UCI when invited by the CGR for the purposes of Participatory Fiscal Control, since, according to the CGR, its vision is centred on the fact that interaction with citizens must always be mediated by the Citizen Service System (Sistema de Servicio al Ciudadano) that the entity in question has implemented. In addition, there is no feedback by the UCI on the comments made by citizens or whether the UCI follow up on actions implemented by the entities following their accountability processes.

As such, the interviews conducted for this report revealed a need to leverage the role of the Delegate for Citizen Participation and provide it with a more leading role in relation to the empowerment of citizens, which would facilitate to incorporate a citizen-based approach into the work of the CGR and the UCI. For the purposes of consolidating these actions, the CGR is developing the modification of Resolution 49 of 2019 to adapt and strengthen the Participatory Fiscal Control System.

Notwithstanding said reform, the CGR could also consider taking the following actions, in the way it deems best, to clarify and provide the scope for preventive and concomitant control and particularly its relationship with the UCI and with the general public:

• Strengthen and give a clearer perspective to early alerts so that they are not confused with the public warnings of the Comptroller General.

• Clarify the role of the UCI in relation to identifying early alerts in the context of the preventive and concomitant control, taking into consideration the limits of their role and functions, in particular with respect to their contributions to the identification of specific acts of corruption.

• Incorporate the information produced via "alerts" or "warnings" as an additional element for planning internal audits, in particular through giving feedback to the UCI. This will allow better decision making in the identification of processes and auditable units within the entities, as well as improving interaction between the parties. Therefore, even when is clear that the CGR should not give feedback to the UCI on internal work documents (since these are confidential), it can give feedback to the UCI related to the information provided by them and the risk analysis conducted based on the information provided by them.

• Create adequate communication channels with the UCI in order to fine-tune the co-operation mechanisms, so that requests for information from the UCI are streamlined and requests for the same documents by multiple units of the CGR are avoided. This could be achieved, for example through a strengthening of the Integrated Planning and Management Model (Modelo Integrado de Planeación y Gestión, MIPG) and the MECI regarding the identification of fiscal risks, as well as through clear guidelines on risk management with a focus on fraud and corruption.

• Generate citizen empowerment processes and more clearly establish their role in the context of the preventive and concomitant control. The CGR must consider citizens not only as a source of information on specific cases, but to whom accountability is given on the use and results of preventive and concomitant control. This would imply a cultural change in which the CGR is not seen as a "black box", where information from the citizen only enters, but a "glass box", where all the processes and procedures associated with preventive and concomitant control can be followed up on, respecting the due limitations of some of the processes or information. To this end, the CGR could make more visible certain actions taken to generate alerts, the processes and organisation charts associated with preventive control, as well as the indicators mentioned in Chapter 1 related to the improvement of processes of public entities.

• The Delegate for Citizen Participation could promote collaboration agreements between social organisations, including universities and the CGR to collaborate in citizen technology initiatives and empower citizens as partners in the promotion of open data.

• The Delegate for Citizen Participation could, based on alerts issued, prepare risk maps made available to citizens and allow their feedback, including on how to make use of these tools and information.

• Co-ordinate the CGR’s existing information systems to be able to identify risks that have materialised and which should be known by all public institutions with the aim of using them as example in the review and update of risk maps and to strengthen controls. Said information could have a filter, so that the integrity of the investigation in progress is not affected, but ensuring that the information serves as a preventive alert to avoid damage and impact to public resources in other entities.

• Conduct feedback processes with UCI on the quality of the information they collect and produce.

• The Office of the Auditor General may be invited to take part in the actions to strengthen the two controls and, in particular, make use of the information it produces through its "red flag" system.

Finally, the implementation of the SACI is urgent, as it will contribute significantly to the exchange of information between the UCI and the CGR. To this end, the CGR and the DAFP have been working on a joint circular addressed to the heads of internal control, or those who act as such, of any level and that execute national public resources, establishing guidelines for the implementation of mechanisms for the articulation of external fiscal control with the entities' internal fiscal control through the SACI. The CGR has made progress in this task, since for the issuance of the aforementioned circular, multiple working groups have been held between teams from the CGR and the DAFP, seeking to clarify and define the scope that the SACI should have with regard to the public entities that, as a general rule, are not subject to control by the CGR, discussing as well whether the SACI should become fully operational at once or whether it is necessary to first implement pilots to be able to identify points for improvement and adjustment..

[3] Arndorfer, I. and A. Minto (2015), “The “four lines of defence model” for financial institutions: Taking the three-lines-of-defence model further to reflect specific governance features of regulated financial institutions Isabella Arndorfer Bank for International Settlements”, http://www.bis.org (accessed on 27 September 2021).

[2] OECD (2019), La Integridad Pública en América Latina y el Caribe 2018-2019: De Gobiernos reactivos a Estados proactivos, OECD, Paris, https://www.oecd.org/gov/integridad/integridad-publica-en-america-latina-caribe-2018-2019.htm.

[4] OECD (2017), OECD Integrity Review of Colombia: Investing in Integrity for Peace and Prosperity, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264278325-en.

[1] OECD (2017), OECD Recommendation on Public Integrity, OECD, Paris, https://www.oecd.org/gov/ethics/OECD-Recommendation-Public-Integrity.pdf.