Chapter 5. Applying an internal control and risk management framework that safeguards public integrity in Argentina

5.2.1. SIGEN could ensure that clear objectives for the control environment are communicated to staff across the national public sector

Before assessing risks and determining internal control activities, it is vital that an entity establishes clear objectives for the entity as a whole, for individual programmes and for the control environment. Where there is no clear objective, internal controls and risk management cannot be effectively implemented.

According to SIGEN, projects must align with the National Government’s 100 priority initiatives (which are grouped into eight strategic objectives). In addition, there are plans to establish a Control Board within the scope of the Chief of Cabinet of Ministers (JGM), which will monitor these projects. The National Budget Office (ONP), also provides direct technical assistance, in order to help link strategic planning to the national budget.

Through its General Internal Control Standards for the National Public Sector, SIGEN outlines that entities should clearly define the way in which each area contributes to the achievement of the entity’s objectives (SIGEN, 2014, p. 20[2]). However, interviews during the OECD’s October 2017 mission to Argentina indicated that, within the public administration, there is little awareness of these standards and that these standards are not being consistently applied. It is unclear whether entities have defined their objectives and the way in which each area contributes to this objective.

The control environment is the foundation for all components of internal control. According to the International Organization of Supreme Audit Institutions’ (INTOSAI’s) Guidelines for Internal Control Standards for the Public Sector, elements of the control environment include: organisational structure; and “tone at the top” (i.e., management’s philosophy and operating style); and a supportive attitude toward internal control throughout the organisation (INTOSAI, 2010, p. 17[3]) (see also chapter 3).

In Argentina, SIGEN is the Office of the Comptroller General and the entity responsible for coordinating the internal audit units and establishing standards of internal control. According to Article 97 of the National Financial Administration and Public Sector Control Systems Act—Law No. 24.156 (Financial Administration Act), SIGEN is an "entity with its own legal status and administrative and financial autarchy dependent on the National Executive Power". According to Articles 100, 101 and 102, the internal control system is made up of SIGEN and the internal audit units in each entity. Under the law, units are created in each jurisdiction and in the entities that depend on the National Executive Power. These units depend hierarchically on the authority of each entity, but are coordinated by SIGEN. The superior authority of each entity is ultimately responsible for the implementation of an adequate system of internal control.

Regarding SIGEN’s technical coordination of the Internal Audit Units, SIGEN provided information in April 2018 that the powers granted under Decree No. 72/2018, such as the designation or removal of the Internal Auditor, has increased the institutional strength and independence of internal audit units.

Article 103 of the Act stipulates that the internal control model must be comprehensive and integrated and must be based on the criteria of economy, efficiency and effectiveness. Article 104 outlines SIGEN’s functions—which includes supervising “the proper functioning of the internal control system”, and the responsibility for the internal audit system. (Argentina, 2016[4]).

Argentina established Internal Control standards in 1998, basing them on the first version of the COSO framework. The most recent version, General Internal Control Standards for the National Public Sector, was published in 2014 (SIGEN, 2014[2]). These standards were designed to help implement the internal control system that is set out in the Financial Administration Act. Although the standards themselves are strong, the implementation of them is not. As mentioned, the OECD found during its October 2017 mission that there was a lack of awareness of these standards in the public administration. Further information provided by SIGEN in April 2018 indicated that they disseminated the standards in 2015 and provided a number of training courses for the 190 Internal Audit Units (UAI) between 2015 and 2017. Courses included:

• Audit 1, 2 and 3: for improving the control and audit processes, as well as increasing, strengthening and updating knowledge in this area;

• Control tools and Intermediate and Advanced Audit: for mastering procedures and control techniques and strengthening knowledge of internal audit and control and internal audit supervision;

• Risk Assessment: for improving risk assessment and identifying applicable methodologies; and

• Planning of an audit: for improving the planning and control processes, the elaboration of standards, and the dissemination of control regulations.

SIGEN could coordinate with human resources units to incorporate key internal control and risk management requirements into mandatory training and induction sessions for operational staff, in addition to auditors. Government entities could also work to embed internal control standards in the daily work of the public service—incorporating them into standard operating procedures and outlining concrete actions that need to be undertaken by operational staff in their everyday work and for their specific positions. Measures could include:

• introducing awareness programs on the need for internal control and on the roles of each area and staff member; and

• induction training for all staff, including senior management and managers on the internal control system

SIGEN indicated in April 2018 that they agreed that new dissemination and awareness strategies would be valuable.

5.2.2. SIGEN could assist government entities to more consistently apply the principles of the three-lines-of-defence model to give greater responsibility for internal control and risk management to operational management

While senior managers should be primarily responsible for managing risk, implementing internal control activities and demonstrating the entity’s commitment to ethical values, all officials in a public organisation—from the most senior to the most junior—should play a role in identifying risks and deficiencies and ensuring that internal controls address and mitigate these risks.

One of the core missions of public officials responsible for internal control is to help ensure that the organisation’s ethical values, and the processes and procedures underpinning those values, are communicated, maintained and enforced throughout the organisation.

Indeed, the leading fraud and corruption risk management models among OECD member and partner countries underscore that the primary responsibility for preventing and detecting corruption rests with the staff and management of public entities. Such corruption risk management models often share similarities with the Institute of Internal Auditor’s (IIA) Three Lines of Defence Model (see Figure ‎5.1).

Figure ‎5.1. The three lines of defence model

Source: (Institute of Internal Auditors, 2013, p. 2[5]).

According to the IIA, the first line of defence comprises operational management and personnel. Those on the frontline naturally serve as the first line of defence because they are responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives (Institute of Internal Auditors, 2013[5]). According to information provided by SIGEN in April 2018, SIGEN has been working for a number of years to establish the first line of defence—establishing tools to generate awareness and to modify behaviours and working to transform the public administration over time. SIGEN indicates that they have incorporated the three lines of defence model into their control system, but acknowledges that they have further to go before reaching their optimum point.

The second line of defence includes the next level of management—those with responsibility for the oversight of delivery. This line is responsible for establishing a risk management framework, monitoring, identifying emerging risks, and regular reporting to senior executives. Operational management in Argentina’s government entities could be given greater responsibility for the implementation and oversight of internal control and risk management activities. Operational management should regularly report to senior management and be held accountable for the implementation of internal control activities.

The third line of defence is the internal audit function. Its main role is to provide senior management with independent, objective assurance over the first and second lines of defence arrangements (Institute of Internal Auditors, 2013[5]).

According to SIGEN, their internal audit units, as the third line of defence, issue reports on:

• special audits;

• internal audit unit supervision;

• evaluation of the internal control system; and

• regulatory compliance control—such as, year-end reports, budget evaluation, subsidies and transfers, contract management, and verification of the purchasing and contracting process.

Further, Decree No. 1344/2007 established that higher authorities must request a prior opinion from the Internal Audit Unit for the approval and modification of regulations and procedural manuals, which “must incorporate suitable instruments for the exercise of control”. To guide this work, SIGEN issued the "Guidelines for intervention by the Internal Audit Units in the approval of regulations and procedural manuals" in 2014 (Resolution SIGEN No. 162/2014).

Article 102 of Argentina’s Financial Administration Act establishes that “the functions and activities of internal auditors must be kept separate from the operations subject to their examination". Interviews during the OECD Mission to Buenos Aires in October 2017 indicated that some officials did not have a clear understanding of the three lines of defence model or the importance of separation, with some operational staff stating that the Internal Audit function should bear full responsibility for internal control.

SIGEN should assist government entities, building on already existing training and awareness activities, to help ensure that staff understand and consistently apply the internationally recognised three lines of defence model across the public sector.

5.3.1. SIGEN could improve its risk management approach to ensure it is consistent and clearly separated from the internal audit function

An effective internal control and risk management framework includes policies, structures, processes and tools that enable an organisation to identify and appropriately respond to risks. SIGEN’s Principle 7 of Internal Control states that each entity should identify, analyse, and manage risks that can affect the achievement of the entity’s objectives, which aligns with good governance practices among OECD countries. However, the OECD found through interviews, that operational risk management was generally not being undertaken by operational management and that SIGEN’s standards related to risk management were not being applied at the operational level.

SIGEN’s 2017 Annual Plan outlined, among its strategic objectives, that it would design and maintain a risk management system. During mission interviews, SIGEN internal audit representatives indicated that they were currently piloting a new risk management methodology with one entity (which included an evaluation carried out jointly between the internal audit unit and the entity, as well as a separate evaluation carried out by SIGEN). SIGEN indicated that they intended to move from the pilot to general implementation—however, they were expecting some difficulties with getting engagement from entities. This will particularly be the case if entity management sees it as an audit tool to be used by auditors to identify and expose entity failings.

SIGEN issues an annual Risk Map of the National Public Sector, which is made up of a matrix that exposes the levels of risk associated with the functions of government for each agency or entity of the National Public Sector. This document assists with audit planning and has been issued since 2005. Further, according to SIGEN, 2018 guidelines for internal audit planning established the obligation to incorporate actions to induce the superior authority of the entity to draw up a risk matrix. Internal Auditors developed a risk analysis and management methodology that included a self-evaluation form for the superior authority and each area of the organisation.

SIGEN could consider improving its risk management framework to be more strategic, consistent, operational, and clearly separated from the audit function. Operational managers should be able to undertake risk assessments without the fear of reprisal and completely separate from risk assessment undertaken by auditors in their audit planning. Auditors should, of course, have access to risk management information during an audit, but managers should have the freedom to manage their risks in an operational way that is frank and that exposes the real issues. Managers will not have this liberty if auditors are the ones setting up the risk management framework and having operational management create risk management information for the specific use of audit planning. There would be a conflict in this instance. To be effective, the real purpose of the risk management tool needs to be considered. Auditors should, indeed have access to all governance information, including risk management information and should continue to conduct their own separate risk analyses during their audit planning. However, operational management should be undertaking their own risk assessments for use operationally—not in conjunction with auditors or at the behest of the auditors.

Internal auditors could drive change by including audits in their audit work programmes on how risks are being managed and drawing attention to the lack of operational risk management across government in their audit reports.

In the Canadian government, the Treasury Board of Canada Secretariat has a range of branches and responsibilities, including internal audit coordination under the Office of the Comptroller General and the development of the Risk Management Framework under the Priorities and Planning Unit, as outlined in Box ‎5.1. These functions are clearly separated to avoid a conflict of interest. Auditors should not design frameworks, create guidance or set standards on risk management, as they are responsible for auditing the risk management system.

5.3.2. SIGEN could promote the incorporation of risk management into the culture of government entities by providing clear guidance for operational staff and including risk management requirements in mandatory training

Once a clear risk management framework has been established, risk management should be promoted and communicated and should permeate the organisation’s culture and activities in such a way that it becomes the business of everyone within the organisation—it should not be the domain of the internal audit units and should not be managed in isolation. Informed employees who can recognise and deal with risks are more likely to identify situations that can undermine the achievement of institutional objectives. Operational risk management begins with establishing the context and setting an organisation’s objectives. This concept is captured in SIGEN’s Principle 6 of Internal Control, which states that an Organisation ‘must specify objectives with clarity’ (SIGEN, 2014, p. 23[2]). Risk management continues with the identification of events that might have a negative impact on their achievement and represent risks.

SIGEN outlines a risk assessment model under its Principle 7 of Internal Control, which includes risk identification, analysis and evaluation, in alignment with international risk management standards (SIGEN, 2014, pp. 25–26[2]). According to the ISO standards for risk management, risk assessment is a three-step process that starts with risk identification and is followed by risk analysis, which involves developing an understanding of each risk, its consequences, the likelihood of those consequences occurring, and the risk’s severity. The third step is risk evaluation, which involves determining the tolerability of each risk and whether the risk should be accepted or treated. Risk treatment is the process of adjusting existing internal controls or developing and implementing new controls to bring a risk’s severity to a tolerable level (ISO, 2009[9]). A depiction of the risk management cycle is provided at Figure ‎5.2.

Figure ‎5.2. Risk management cycle

Source: (ISO, 2009[9]).

SIGEN’s General Internal Control Standards outline a solid risk management framework; however, it does not clearly state what risk information should be collected or how responsibility for risk will be assigned. Further, the OECD found through interviews with government officials that although auditors undertake an annual risk mapping exercise, these standards were not consistently applied at the operational level.

Appropriate and reliable risk information is essential to operationalising a risk management framework. Information to support risk management can come from a number of internal and external sources. Further, a consistent approach to sourcing, recording, and storing risk information improves the reliability and accuracy of required information. Staff should be made aware of the risk management framework and key requirements through training and awareness-raising activities. Communication and consultation with staff is also a key step towards securing input into the risk management process and giving staff ownership of the outputs of risk management. The Australian Government has developed guidance on building risk management capability in entities (outlined in Box ‎5.2), which could provide some useful insights.

5.3.3. Argentinian government entities could operationalise the risk management framework by assigning clear responsibility for risk management to senior managers

Managers should be responsible for the design, implementation, and monitoring of the internal control and risk management functions, with this being recognised in laws and policies of many countries. Having laws that ensure managers’ ownership over these activities can provide incentives for managers, and aid countries in achieving committed oversight and stronger accountability. In the majority of OECD countries, managers in the executive branch are held responsible by law for monitoring and implementing control and risk management activities. Moreover, many countries have laws that hold managers specifically responsible for integrity risk management policies, as depicted in Table ‎5.1. However, in Argentina line managers have not been given responsibility for internal control or risk management (OECD, 2017, p. 158[11]).

Responsibility for specific risks, including fraud and corruption risks needs to be clearly assigned to the appropriate senior managers. These managers need to take ownership of the risks that could affect their objectives, use risk information to inform decision-making and actively monitor and manage their assigned risks. These managers should also be held accountable to the executive through regular reporting on risk management – (Department of Finance, 2016[10]).

5.4.1. SIGEN could assist government entities to strengthen their internal control mechanisms to ensure that they are implemented and effective and that reasonable assurance is provided

One fundamental way risks are mitigated is through internal control mechanisms. Internal control mechanisms are implemented by an entity’s management and personnel and continuously adapted and refined to address changes to the entity’s environment and risks. Argentina’s General Internal Control Standards define internal control as:

This aligns with INTOSAI’s definition, which views internal control as activities designed to address risks that may affect the achievement of the entity’s objectives and to provide reasonable assurance that the entity’s: operations are ethical, economical, efficient and effective; accountability and transparency obligations are met; activities and actions are compliant with applicable laws and regulations; and resources are safeguarded against loss, misuse, corruption and damage (INTOSAI, 2010, p. 6[12]).

Internal control activities should not attempt to provide absolute assurance – as this could constrict activities to a point of severe inefficiency. ‘Reasonable assurance’ is a term often used in audit and internal control environments. It means a satisfactory level of confidence given due consideration of costs, benefits and risks. Argentina’s internal control standards include the concept of reasonable assurance, stating that “an effective internal control system provides reasonable assurance regarding the achievement of the objectives of the organisation” (SIGEN, 2014, p. 9[2]).

Determining how much assurance is reasonable requires judgment. In exercising this judgment, managers should identify the risks inherent in their operations and the levels of risk they are willing to tolerate under various circumstances. Reasonable assurance accepts that there is some uncertainty and that full confidence is limited by the following realities: human judgment in decision-making can be faulty; breakdowns can occur because of simple mistakes; controls can be circumvented by collusion of two or more people; and management can choose to override the internal control system.

Argentina’s standards outline three considerations that should be taken into account when internal control mechanisms are designed:

• Integrity: ensuring integrity during the treatment, processing and registration of all transactions or operations;

• Accuracy: ensuring operations are timely and correct; and

• Validity: ensuring posted transactions accurately represent executed operations (SIGEN, 2014, p. 30[2]).

These are valid considerations that could assist Argentina government entities with establishing more effective internal control activities. Further, it is not enough to have standards and controls in place; they need to be implemented and effective. It has been observed that a characteristic feature of the Argentine government is ‘not the lack of control, but the fiction of control’ and that ‘while the law is complied with formally, it is not complied with substantially (Santiso, 2009, p. 86[13]). Further, this ‘façade formalism’ constrains managers by detecting minor administrative mistakes rather than addressing structural dysfunctions and political corruption (Santiso, 2009, p. 86[13]). To provide reasonable assurance on an entity’s operations, it is vital that internal control and its underlying principles are fully integrated.

Argentina’s standards for internal control include a section on “control activities”, which outlines and defines general controls, IT controls and relevant policies and procedures. According to Argentina’s standards, control activities should be aimed at reducing the risks that can affect the achievement of the objectives of the organisation, are both preventive and detective, and carried out by all areas of an entity (SIGEN, 2014, p. 29[2]). This corresponds well with INTOSAI’s Guidelines for Internal Control Standards for the Public Sector, which states that internal control activities should occur throughout an entity, at all levels and in all functions and that internal controls should include a range of detective and preventive control activities. However, as noted in the previous sections, SIGEN’s standards are not being systemically applied.

In particular, interviews during the OECD’s October 2017 mission indicated that internal audits frequently find issues with the use of petty cash and expenditure on travel – related to mismanagement, inefficiency and corruption. In addition to internal auditors examining the internal control system and identifying areas for improvement, government entities could consider updating its internal controls related to petty cash and travel and improving or introducing controls where there are identified gaps. For example, authorising and executing procurement transactions should only be done by persons with appropriate authority. Authorisation is the principal means of ensuring that only valid transactions and events are initiated as intended by management. Authorisation procedures, which should be documented and clearly communicated to managers and employees, should include the specific conditions and terms under which authorisations are to be made. Conforming to the terms of an authorisation means that employees act in accordance with directives and within the limitations established by management or legislation (INTOSAI, 2010, p. 29[12]).

SIGEN provided further information to the OECD in April 2018 that it has worked to strengthen the internal control system since its creation in 1992. SIGEN sees this as a long-term process and initially aimed its efforts at determining the status of the system, establishing internal audit units, and developing the regulatory framework. Subsequently, SIGEN has designed monitoring tools and methodologies to assist entities, such as the Program for Strengthening the Internal Control System, which includes the Commitment Plan to Improve Management and Internal Control, the Particular Rules for the Establishment and Operation of Control Committees, and the Self-Assessment and Diagnosis Methodology of Processes.

5.5.1. SIGEN could ensure that its central coordination of internal audit leverages the available resources in order to strengthen oversight and enable a cohesive response to integrity risks

Having a central internal audit function, particularly that includes integrity in its strategic objectives, can strengthen the coherence and harmonisation of the government’s response to integrity risks. Auditing of multiple entities at a central level can: leverage available audit resources; enhance the government’s ability to identify systemic, cross-cutting issues; and put measures in place to respond from a whole-of-government perspective (OECD, 2017[11]). Many OECD countries have a central internal audit function that has responsibilities for auditing more than one government ministry – and most of these central internal audit functions have dedicated integrity objectives, as shown in Figure ‎5.3.

Figure ‎5.3. Existence of centralised internal audit function with dedicated strategic integrity objectives

Note: Czech Republic and Chile have plans to develop a centralised audit function, and the Swedish National Audit Office, an external audit institution located under the Parliament, audits the whole public sector.

Source: (OECD, 2017, p. 159[11]).

Argentina has a centrally coordinated internal audit function, an annual audit risk map, and guidelines for internal audit planning, but it could build on this to enhance oversight by establishing dedicated strategic integrity objectives and by identifying trends and systemic issues and giving management the ability to respond to integrity risks, in a cohesive and holistic way. The United Kingdom’s Government Internal Audit Agency is a good example of an internal audit entity that has dedicated integrity objectives, as outlined in Box ‎5.3.

5.5.2. All Argentinian government entities could implement control committees to better monitor the implementation of audit recommendations

SIGEN’s Internal Audit Standards state that auditors must outline recommendations of possible steps to correct detected shortcomings as outlined in audit observations, with these recommendations seeking to increase the efficiency and effectiveness of the entity and its internal control mechanisms. The Standards further state that formal recommendations will “provide a basis for the subsequent follow-up on the part of the internal audit unit, the SIGEN or others” (SIGEN, 2002, p. 26[15]).

According to SIGEN, it requires the follow-up of observations through Resolution SIGEN N ° 15/2006 and Resolution SIGEN N ° 73/2010. Further, through the recent Decree No. 72/2018, it is necessary to follow up through the Control/Audit Committee with the participation and commitment of the superior authority.

The Standards also state that auditors must monitor compliance with the instructions given by the entity authorities for solving the shortcomings exposed in audit reports. This must be verified through follow-up audits. To this end, SIGEN expects that databases be maintained, containing all the observations and recommendations made in connection with the work. SIGEN expects that periodic monitoring will enable the auditor to ensure that appropriate action is taken and to determine areas for the conduct of new audits. Further, monitoring can assist auditors with evaluating not only the correctness of their advice, but also if the results obtained from their recommendations correspond with expectations. (SIGEN, 2002, p. 32[15]).

According to SIGEN’s 2017 Annual Plan, of the 53 process controls activities planned to be undertaken in 2017, three were to relate to the follow-up of audit recommendations:

• Follow-up on pending comments and recommendations in audit reports related to non-contributory pensions (Ministry of Social Development);

• Follow-up on the Report executed by the Internal Audit Unit of the Posadas National Hospital; and

• Follow-up on the Report executed by the Internal Audit Unit of the National Hospital Network Specialized in Mental Health and Addiction (SIGEN, 2017, pp. 100–104[16]).

According to SIGEN, it records and regularly follows up internal audit observations and recommendations. In 2001, SIGEN dictated (through Circular No. 1, 17 January 2001) that all Internal Audit Units under its jurisdiction had to present the details of the audit observations pending regularisation at the close of fiscal year (using the SISIO System). In 2006, the Annual Plans of the Internal Audit Units were integrated into the SISIO system, which provided an online platform for including follow-up in the internal audit planning process across the public sector.

Further, the recent Work Instruction N° 2/2017 requires the updating of information related to the observations and their status of regularisation. The information generated from this work is then included both in recurring audit reports (where prior audits are referred to in the background section) and year after year in the Internal Control System Evaluation Reports, which are carried out for each entity.

During mission interviews in October 2017, the OECD found that SIGEN had assisted agencies with setting up control committees in approximately 30 entities – with the goal to roll out the concept to the almost 200 unique entities in the public sector. Since Decree No. 72/2018 was issued in January 2018, all entities in the national public sector are required to establish a control committee. According to Article 1 of this decree, each committee is required to meet at least twice each year, with attendance to include the superior authority of the entity (or a nominated representative), the head of the internal audit unit, a representative from SIGEN, and those responsible for the operational areas of the entity.

These committees will be valuable for monitoring the implementation of audit recommendations. This concept is similar to the audit committee model in use in OECD countries such as the United Kingdom, Canada and Australia. Argentina could consider following this ‘audit committee’ model more closely, where each entity has an audit committee that is independent from the day-to-day activities of management and regularly reviews the entity’s systems of audit, risk management and internal control as well as its financial and performance reporting. These committees are well positioned to assess and track the entity’s implementation of audit recommendations. The Australian example is provided at Box ‎5.4.

5.6.1. Argentina’s National Congress could strengthen the functional independence of the AGN by increasing the AGN’s power to select its own audit topics and by clearly outlining the AGN’s independence and mandate in a specific organic law

In Argentina, the external audit function is provided by the Auditoría General de la Nación (AGN). The AGN is a collegiate board model supreme audit institution with seven members –a President and six auditors general. The President of the AGN is appointed by the National Congress under the proposal of the opposition party for a renewable term of 8 years; if the opposition party changes, a new president is appointed. The remaining six members of the Board are elected for on 8-year renewable terms – with three selected by the Senate and three selected by the Chamber of Deputies, along political party lines.

The AGN received constitutional status as a legislative body in 1994. Article 85 of the National Constitution of Argentina states that “the Legislative Power is exclusively empowered to exercise the external control of the national civil service” with its opinions to be based on the reports of the AGN. Article 85 further states that the AGN is a technical advisory body of Congress with functional autonomy”. It is in charge of the control of the legal aspects, management and auditing of all the activities of the centralized and decentralized civil service (Argentina, 1994, p. 14[19]).

Article 85 also states that the AGN ‘shall be made up as established by the law regulating its creation and operation, which shall be approved by the absolute majority of the members of each House.’ Although the 1994 Constitution foreshadowed that an organic law specific to the AGN would be introduced, this law has been pending for 14 years.

The Auditor General’s functions are outlined in Article 118 of the Financial Administration Act (summary provided at Table ‎5.2).

OECD country SAIs are established under specific laws that outline, among other things, the powers, responsibilities and independence of the Auditor General. For example, the Australian SAI is established under the Auditor-General Act 1997 (Australia, 1997[20]) and the Canadian SAI is established under the Auditor General Act 1985 (Canada, 1985[21]). Within the Latin American and Caribbean context, the SAI of Argentina is the only one that does not have an organic law—with the following 17 countries introducing organic laws for their SAIs between 1953 and 2002: Bolivia, Brazil, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, Paraguay, Peru, Uruguay, and Venezuela (Santiso, 2009, pp. 52–55[13]).

In its 2013–17 Strategic Plan, the AGN outlined, as one of its strategic objectives, that it would “strengthen the identity of the AGN and its relationship with stakeholders” (AGN, 2013, p. 6[22]). A specific law regulating and outlining the creation, operation, powers, responsibilities, independence, and internal governance of the AGN would be beneficial for strengthening the independence, powers and identity of the AGN and for clarifying its mandate and relationship with stakeholders.

The AGN’s values are independence, objectivity, institutional commitment, probity, professionalism, and ethics. The Auditor General defines ethics as “observing the set of values and principles that guide our daily work”. The AGN is guided by the Government External Control Standards, which were based on INTOSAI’s International Standards of Supreme Audit Institutions (ISSAI), as well as international best practices and professional standards in force in Argentina.

INTOSAI’s first cross-cutting priority for 2017–22 is the independence of SAIs. INTOSAI strongly advocates for and supports constitutional and legal frameworks that call for comprehensive audit mandates, unlimited access to needed information, and unrestricted publication of SAI reports. According to INTOSAI, “only fully independent, capable, credible, and professional SAIs can ensure accountability, transparency, good governance, and the sound use of public funds” (INTOSAI, 2017, p. 9[23]).

Argentina’s Government External Control Standards outline that all government external control work should contribute to the good governance by providing objective, independent, and reliable information (Auditor General of Argentina, p. 5[24]). The Standards further outline that the Auditor General must comply with basic ethical principles, such as: independence of judgement, objectivity and political neutrality (Auditor General of Argentina, pp. 10–12[24]).

Although the AGN’s values, standards and principles emphasise the importance of independence and political neutrality, the current structures and processes for the planning and approval of audits make it difficult for the AGN to undertake its functions in a completely independent and political neutral way.

The AGN’s main liaison point with the National Congress is through the Joint Parliamentary Committee of Audit, which has 12 members – 6 senators and 6 deputies. Each year, this committee elects a president, a vice-president and a secretary. The Joint Parliamentary Committee of Audit has a long history. It was first created in 1878 by Law No. 923. Its current powers arise from Law No. 24.156 – the Financial Administration Act (Senado Argentina, 2017[25]). According to Article 129 of the Financial Management Act, the committee must, among other things: approve the annual action programme on external control developed by the AGN; and instruct the AGN on studies and special investigations and set deadlines for their implementation, which does not align withinternational good practice.

INTOSAI has published a number of documents that cite the importance of independence for external auditors – which includes the need for independence in audit planning and the content and timing of audit reports. Further information is outlined in Box ‎5.5.

Box ‎5.5. International standards for ensuring independence of audit institutions

Ensuring audit institutions are free from undue influence is essential to ensure the objectiveness and effectiveness of their work, and principles of independence are therefore embodied in the most fundamental standards concerning public sector audit. The International Organization of Supreme Audit Institutions (INTOSAI), for example, has two fundamental declarations citing the importance of independence. Specifically, the “Lima Declaration of Guidelines on Auditing Precepts” (ISSAI 1) states that SAIs require organisational and functional independence to accomplish their tasks.

The “Mexico Declaration on SAI Independence” (ISSAI 10) and INTOSAI’s Strategic Plan 2017–2022 outline eight related principles of independence:

In relation to Principle 3 on functional independence, ISSAI 10 states that an SAI should have a sufficiently broad mandate and full discretion in the discharge of its functions, and SAIs should be empowered to audit the: use of public monies, resources, or assets; collection of revenues owed to the government or public entities; legality and regularity of government or public entities accounts; quality of financial management and reporting; and economy, efficiency, and effectiveness of government or public entities operations. Further information is provided in INTOSAI’s Guidelines and Good Practices Related to SAI Independence (INTOSAI, 2007[26]).

SAIs should be free from direction or interference from the Legislature or the Executive in the: selection of audit issues; planning, programming, conduct, reporting, and follow-up of their audits; organisation and management of their office; and enforcement of their decisions where the application of sanctions is part of their mandate.

Sources: (INTOSAI, 1977[27]; INTOSAI, 2007[28]; INTOSAI, 2017[23]).

Independence rarely happens to a supreme audit institution by accident. Independence needs to be planned for carefully and can take years of persistent work by many key partners – including the legislature, the Public Accounts Committee and the Ministry of Finance. Like any project, it is important that the SAI is clear about what it wants to achieve, has a full appreciation of the barriers and risks, makes a strong case to those who can help achieve the greater independence (such as the Public Accounts Committee), sets milestones and assigns responsibility for achieving those milestones. Wider support from stakeholders such as the media and civil society organisations can also help keep the campaign on track – if they are fully informed of the role of SAIs and the value of greater independence (National Audit Office, 2015, pp. 7–11[29]).

Once the legislature has agreed to consider developing new organic law, the AGN would need to work closely with the legislature and law commissions involved in drafting legislation so that they understand the areas of potential contention. The AGN would need to carefully review current legislation and compare this with the audit laws developed for other SAIs in similar circumstances – there would be no need to start from scratch (National Audit Office, 2015, p. 12[29]).

SAIs that are strong and functionally independent have greater credibility and are better able to effect change. There have been issues in recent years with the National Congress of Argentina ignoring audit reports submitted by the AGN – even those detailing serious cases of administrative irregularities and possible corruption (Manzetti, 2014, p. 192[30]).

The AGN could work with the National Congress to strengthen its functional independence, particularly by increasing the power of the AGN to select its own audit topics during the audit planning and audit approval processes and by clearly outlining the AGN’s independence and mandate in a specific organic law.

5.6.2. The AGN could strengthen its processes for the follow-up and monitoring of audit recommendations

As mentioned a core principle of SAI independence is effective mechanisms for the follow-up of audit recommendations (INTOSAI, 2007[26]). Audits help improve public administration and increase accountability and transparency when the audit findings are addressed and the audit recommendations are implemented. The SAIs for OECD member countries have a variety of methods for following-up recommendations. For example, the Australian National Audit Office (ANAO) conducts a selection of follow-up performance audits each year to assess entities’ implementation of performance audit recommendations from previous years. Australian government entities also have Audit Committees that meet regularly to, among other things, monitor the implementation of audit recommendations, and the ANAO can attend these meetings as an observer and/or request the meeting minutes. The Auditor-General has also written to entities to request an update on recommendations during the annual planning process for the audit work program.

In Canada, the office of the Auditor General of British Columbia, a sub-national audit office, has published follow-up reports based on self-assessments from audited entities and conducted follow-up audits on a selected number of them (see Box ‎5.6). The AGN could consider strengthening its processes to allow for the follow-up of recommendations, such as through a selection of follow-up audits or through organising annual self-assessments

5.6.3. The AGN could increase its influence by setting an example of transparency

In its 2013–17 Strategic Plan, the AGN outlined, as one of its strategic objectives, that it would “promote transparency and accountability in the national public sector” (AGN, 2013, p. 6[22]). Further, Section 6.ii of the Declaration of Asunción on Budget Security and Financial Stability of SAIs, which was signed by members of the Latin American and Caribbean Organization of Supreme Audit Institutions (OLACEFS) on 4 October 2017, states:

Supreme Audit Institutions, such as the AGN, should set an example for the public sector on transparency and on administering public funds with regard to efficiency, effectiveness and economy. Currently, the AGN provides little to no information on its website particularly regarding its discretionary expenditure. The AGN would increase its influence and credibility by providing the public with information on the AGN’s discretionary spending. This would serve as an example of transparency for the rest of the public sector. A good practice on SAI transparency from the Canadian Office of the Auditor General is presented in Box ‎5.7.

Box ‎5.7. Transparency – Office of the Auditor General of Canada

The Office of the Auditor General of Canada (OAG) has a prominent section on its website entitled Transparency. This includes information on its audit practice accountability (such as detail on its external reviews and internal audits), office operations (such as travel, hospitality, contracts and client surveys) and access to information.

The OAG publishes annual travel reports on its website, as well as quarterly travel expense reports for the Auditor General and all of its executives. Reporting is timely. For example, the OECD accessed the reports for June to September 2017 (as well as all previous quarters going back to 2011) on 18 October 2017. With a few clicks, it was easy to see the details of expenditure for each trip.

Source: OAG of Canada website, http://www.oag-bvg.gc.ca.

Establishing a control environment with clear objectives

SIGEN could ensure that clear objectives for the control environment are communicated to staff across the national public sector by:

• including mandatory training on control objectives and requirements;

• introducing awareness programs on the need for internal control and on the roles of each area and staff member; and

• induction training for all staff, including senior management and managers on the internal control system

• clearly outlining standards for specific roles; and

• embedding controls into the daily operations of the public service

SIGEN could assist government entities to more consistently apply the principles of the three lines of defence model by:

• giving greater responsibility for internal control and risk management to operational management;

• assisting government entities with capacity building; and

• building on already existing training and awareness activities for public servants, to help ensure they understand and consistently apply the internationally recognised three lines of defence model across the public sector.

Developing a strategic approach to risk management

SIGEN could improve its risk management approach to ensure it is consistent and clearly separated from the internal audit function by:

• improving its risk management framework to be more strategic, consistent, and operational;

• incorporating a risk management tool that is clearly separated from the audit function;

• giving operational managers the ability to undertake risk assessments without the fear of reprisal;

• maintaining a separate risk assessment process undertaken by auditors in their audit planning.

SIGEN could promote the incorporation of risk management into the culture of government entities by:

• providing clear guidance for operational staff; and

• including risk management requirements in mandatory training and induction sessions.

Argentinian government entities could operationalise the risk management framework by:

• assigning clear responsibility for specific risks, including fraud and corruption risks needs, to the appropriate senior managers;

• managers taking ownership of the risks that could affect their objectives;

• managers using risk information to inform decision-making;

• managers actively monitoring and managing their assigned risks; and

• holding managers accountable to the executive through regular reporting on risk management.

Implementing coherent internal control mechanisms

SIGEN could assist government entities to strengthen its internal control mechanisms to ensure that they are implemented and effective and that reasonable assurance is provided by:

• aiming control activities at reducing the risks that can affect the achievement of the objectives of the organisation;

• ensuring that internal control activities are being implemented throughout each entity, at all levels and in all functions; and

• ensuring that internal controls include a range of detective and preventive control activities.

Improving the internal audit function

SIGEN could ensure that its central coordination of internal audit leverages available resources to strengthen oversight and enable a cohesive response to integrity risks by:

• building on the existing annual audit risk map and guidelines for internal audit planning by establishing dedicated strategic integrity objectives and by identifying trends and systemic issues; and

• giving management the ability to respond to integrity risks, in a cohesive and holistic way—through reporting on the status of integrity risks, trends and issues that are systemic across the public service.

All Argentinian government entities could implement control committees to better monitor the implementation of audit recommendations by:

• setting up committees that are independent from the day-to-day activities of management and that regularly review the entity’s systems of audit, risk management and internal control; and

• giving these committees the ability to assess and track each entity’s implementation of audit recommendations.

Strengthening the supreme audit institution

Argentina’s National Congress could strengthen the functional independence of the AGN by:

• increasing the AGN’s power to select its own audit topics; and

• clearly outlining the AGN’s independence and mandate in a specific organic law.

The AGN and Argentina’s National Congress could strengthen the follow-up and monitoring of audit recommendations through:

• adding a selection of follow-up audits to their annual audit work program; or

• organising annual self-assessments of entities by writing to the management of entities to ask for their assessment of the status of audit recommendation implementation. The AGN could then select a sample for further follow, as has been done by the British Columbia audit office.

The AGN could increase its influence by setting an example of transparency, by:

• providing the public with information on the AGN’s discretionary spending. This would serve as an example of transparency for the rest of the public sector. This could be done by providing access to information on the AGN’s website—similar to how information is provided by the Australian SAI.