Measurement guidance
Regular and adequate feedback to management is required on the performance of the internal control systems, through an internal audit function (or equivalent systems monitoring function). Such a function should use a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. In the public sector, the function is primarily focused on assuring the adequacy and effectiveness of internal controls: the reliability and integrity of financial and operational information; the effectiveness and efficiency of operations and programs; the safeguarding of assets; and compliance with laws, regulations, and contracts. Effectiveness of risk management, control, and governance processes should be evaluated by following professional standards such as the International Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors. These include: (a) appropriate structure particularly with regard to organizational independence; (b) sufficient breadth of mandate, access to information; and power to report; and (c) use of professional audit methods, including risk assessment techniques.
The internal audit function may be undertaken by an organization with a mandate across entities of the central government or by separate internal audit functions for individual government entities. The combined effectiveness of such audit organizations is the basis for rating this indicator.
Internal audit functions in certain countries are concerned only with pre-audit of transactions, which is here considered part of the internal control system. This is assessed in PI-25.
For dimensions 26.1, 26.3, and 26.4 the same interpretation of all, most, and majority used elsewhere in the PEFA guidance applies for centralized systems. In decentralized systems, or where complete information is not available, a sampling approach should be applied, using the five major budgetary units or institutional units as measured by gross expenditure in the last completed fiscal year. For an A score, every one of the five need to meet the requirements. For B and C scores four and three entities, respectively, need to meet the requirements.
Dimension 26.1 assesses the extent to which government entities are subject to internal audit. This is measured as the proportion of total planned expenditure or revenue collection of the entities covered by annual audit activities, whether or not substantive audit work (including audit reports) is carried out. Typical features of an operational audit function are the existence of laws, regulations and/or procedures and the existence of audit work programs, audit documentation, reporting, and follow-up activities leading to the achievement of the internal audit objectives, as described in international standards. The exact nature of audit in each country may vary. The assessor will need to make a judgment about whether the arrangements and activities occurring constitute sufficient evidence of operational audit.
Dimension 26.2 assesses the nature of audits performed and the extent of adherence to professional standards. When audit activities focus only on financial compliance (reliability and integrity of financial and operational information and compliance with rules and procedures) the internal audit function provides limited assurance of the adequacy and effectiveness of internal controls. A wider approach as well as evidence of a quality assurance process is required to show adherence to professional standards.
Dimension 26.3 assesses specific evidence of an effective internal audit (or systems monitoring) function as shown by the preparation of annual audit programs and their actual implementation including the availability of internal audit reports.
Dimension 26.4 assesses the extent to which action is taken by management on internal audit findings. This is of critical importance since lack of action on findings undermines the rationale for the internal audit function. Response means that management provides comments on the auditors’ recommendations and takes appropriate action to implement them where necessary. Internal audit validates whether the response provided is appropriate.
If there is no audit function, the score for dimension 26.1 would be D. NA would be entered for dimensions 26.2, 26.3, and 26.4. The aggregate score in this case would be D.