Chapter 4. Auditing for more robust internal control and risk management systems

This chapter explores select challenges the Brazilian government faces related to internal control and risk management, considering the role of numerous actors, and emphasising the contributions of Brazil’s supreme audit institution, the Tribunal de Contas da União (TCU). This chapter offers recommendations for TCU to nuance its work in this more traditional area in a way that promotes risk management, control and integrity that are more targeted to the changing policy landscape. Recommendations are framed around international principles in (i) government-wide systems of internal control and risk management, (ii) entity-level ownership and capacity for implementation of internal control and risk management, and (iii) capacity for the use of tools for implementation. The time is now for actors in Brazil to prioritise a more robust internal control and risk management system that supports the government in achieving objectives, while reducing risks of fraud, corruption, waste and abuse.


4.1. Introduction

A key function of good governance is an internal control system and risk management function that supports government in the achievement of its policy priorities and ministries in pursuit of related objectives. This includes policies and procedures, established by the Centre of Government (CoG) or relevant audit body, as well as mechanisms and tools for implementing internal control systems at the entity level. In addition, an internal control and risk management framework helps to reduce risks of fraud, corruption, waste and abuse, providing a reasonable level of assurance of an entity’s efficiency, performance and compliance with laws, regulations and standards.

In Brazil, the internal control system and risk management function is continually evolving, yet the recent environment places greater urgency on continued and lasting change towards a stronger culture of integrity in the Brazilian administration. One step on this path is the recent creation of new internal control and risk management standards, based on international good practices, including COSO’s 2013 Internal Control-Integrated Framework. These standards, and policy formulation for the internal control system in general, are the remit of the Ministry of Planning, Development and Management (Ministério do Planejamento, Desenvolvimento e Gestão, MP) and Brazil’s internal control body, the Ministry of Transparency, Supervision and Control (the Ministério da Transparência, Fiscalização e Controle, CGU), formerly the Comptroller General of the Union (CGU). Another evolutionary step is the introduction of the Monitoring and Evaluation Committee of Federal Public Policies (Comitê de Monitoramento e Avaliação de Políticas Públicas Federais, or CMAP), which is given the responsibility of improving the policies and actions of the Federal Executive and improving the allocation of expenditure. As part of its evaluation of cross-cutting programmes of the federal government, the initiative is meant to include an analysis of risks to the achievement of their objectives (MP, 2016a; 2016b; 2016c; 2016d). Because the initiative is new, there is little evidence yet on the effectiveness of this promising initiative.

The MP and CGU spearhead the policy making and guidance related to internal control and risk management activities in Brazil, among other activities. Brazil’s supreme audit institution, the Tribunal de Contas da União (TCU), is another key contributor to this function in government. Through its audits, guidance and reviews of contracts, TCU contributes to the oversight of the internal control system as well as the integrity of the system as a whole. From this perspective, TCU is a critical actor in the broader governance of Brazil. This aligns with the OECD’s Recommendation of the Council on Public Integrity, among others, which highlights the important role of SAIs in preserving and strengthening integrity systems. In addition, TCU plays a role in providing insight and foresight, anticipating the vulnerabilities, challenges and opportunities for the Brazilian government to address integrity risks and systemic vulnerabilities. In its compliance and judicial role, TCU has other activities that contribute to integrity and accountability, including the ability to issue sanctions and non-binding resolutions. This chapter focuses more on proactive, rather than reactive, mechanisms for strengthening integrity through internal control and risk management.

As described in this chapter, TCU makes numerous contributions to more effective and efficient internal control systems and risk management in the Brazilian government. TCU’s traditional role is in assessing compliance with financial law, as evidenced by the comprehensive audit of the year-end government report. However, strategic objective 7 of TCU’s 2015-2021 Strategic Plan notes a core aim of TCU “to induce the improvement of risk-management and internal controls of public administration.” TCU’s external control strategy for 2015 to 2017 estimates a resource allocation of 12% to this objective, which gives it the third largest resource allocation of all external control objectives (TCU, 2015a). TCU has thus made the strategic and financial commitment to play a key role in strengthening integrity in the Brazilian government.

This chapter explores select challenges that the Brazilian government faces related to internal control and risk management, considering the role of numerous actors – particularly those in the Centre of Government (CoG). This chapter looks at what TCU is doing with a view towards opportunities for greater, more effective contributions to this governance function. In particular, this chapter proposes the following actions for TCU to consider in strengthening its role as an inducer of better internal control and risk management in government.

4.2. Overview: internal control and risk management at the federal level

The internal control system, its risk management functions and the resulting internal control activities are not ends in themselves, but means to achieving objectives and better governance, largely by detecting and hindering mismanagement and misuse. Thus, they are also means of achieving integrity in the public sector. Control activities should be balanced and risk-based to avoid being overly burdensome. Frameworks for internal control systems vary, with different institutional, policy and managerial arrangements. An array of standards and international good practices exist, such as those produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Institute of Internal Auditors (IIA) and others, to help guide entities in developing a robust internal control system and risk management function. In addition, countries have developed their own frameworks, based in part on these international good practices, such as the Standard Model of Internal Control (Modelo Estándar de Control Interno, or MECI) of Colombia and Mexico.

An internal control and risk management system unfolds at two levels. The first is the central level, whereby a central agency or agencies provide top-down guidance and oversight of the implementation of internal control (IC) and risk management (RM) mechanisms at the entity level. The second is the entity level. Effective risk management is critical because it drives the selection and adaptation of internal control activities, which could involve both the augmentation and the reduction of controls, depending on the results of risk assessments. Risk assessments can inform managers about the perceived likelihood and impact of risks, allowing for prioritisation and the effective allocation of resources to the highest risks. Among other activities, risk management involves the systematic implementation of policies, procedures and practices to identify, analyse, respond to and monitor risks.

Effective systems involve a number of external actors. For the ‘supervision of accounting, finances, and budget,’ Brazil’s Constitution establishes a system of internal control to be maintained, in an integrated way, in the Legislature, Executive and Judiciary (Articles 70 and 74).[1] As such, the effectiveness of the internal control system relies on the contributions of an array of institutions, including the National Congress, the supreme audit institution (TCU), the Attorney General’s Office, the Judiciary and the Office of the Prosecutor General within the Federal Public Ministry (Ministério Público Federal, or MPF). The Office of the Prosecutor General is an autonomous agency responsible for holding parties accountable for acts of corruption and wrongdoing under the civil, administrative and criminal law codes.

Ensuring accountability and integrity in government relies not only on effective top-down design, but also on the implementation of internal control and risk management. While an internal control system is primarily the responsibility of managers within the entity, co-ordination and joint actions between the MPF, CGU and TCU, among other actors, are necessary for promoting greater integrity, accountability and transparency in the Brazilian government. This includes audits and evaluations to achieve the goals set out in Brazil’s multi-year plans (Plano Plurianual de Ação, or PPAs). In addition, the CGU and TCU co-ordinate their respective processes in order to render an opinion on the consolidated year-end government report, the Accounts of the President of the Republic (Contas do Presidente da República, or CPR), which is a core element of the federal government’s financial reporting framework established by the 1988 Constitution of the Republic of Brazil and the 2000 Law on Fiscal Transparency (Complementary Law 101/2000). As the OECD noted in 2013, the CPR does not include an assessment of the functioning of the Internal Control System of the Federal Public Administration. The OECD recommended that the CPR include such an assessment to demonstrate progress in enhancing internal control systems and delivering on policies (OECD, 2013).

Developing robust internal control mechanisms can be seen as an iterative process aimed at strengthening the integrity of the entity, as well as improving performance and governance. With the introduction of the 1988 Constitution and in line with reforms and public management trends in the 1990s, the system of internal control in Brazil evolved from a focus on compliance to assessments of management and operations.[2] In addition, in 2003, Brazil centralised the internal audit function, which was once dispersed across ministries, in a single body with ministerial status, the Comptroller General of the Union (CGU) (Olivieri et al., 2015).[3] Figure 4.1 illustrates the arrangements of other countries with regard to the internal audit function.

Figure 4.1. Centralised and decentralised internal audit functions in different countries

Source: OECD Secretariat

In May 2016, the CGU was renamed the Ministry of Transparency, Supervision and Control, but it still maintains its core mandate, which is to support the President and the Executive Branch in matters related to internal control activities, anti-corruption and public audit, among others (Government of Brazil, 2016).[4] Within the CGU, there are entities for ensuring integrity and accountability in government, including the Commission of Co-ordination of Internal Control and the Secretariat of Transparency and the Prevention of Corruption. In addition, in 2000, the Internal Control Co-ordination Commission (CCCI) was established as a collegiate body with an advisory function in the Executive Branch for the internal control system. The CCCI aims to conduct analyses and make proposals and suggestions for procedures for the evaluation and improvement of internal control across the federal government. The internal control system has the following purposes:

  • Evaluating the attainment of the goals established in the Multi-annual Plan (Plano Plurianual, PPA), the implementation of government programmes and of the budgets of the Union;

  • Verifying the lawfulness and evaluating the results, as to effectiveness and efficiency, of the budgetary, financial and property management in the agencies and entities of the federal administration, as well as the use of public funds by private legal entities;

  • Exercising control over credit transactions, collateral signatures and guarantees, as well as over the rights and assets of the Union;

  • Supporting external control in the exercise of its institutional mission (Constitution 1988).

In May 2016, the MP and the CGU published new standards for internal control, risk management and governance (MP/CGU, 2016). The standards offer top-down guidance to help institutionalise and strengthen the internal control system in government. For instance, the standards emphasise that the managers of each government entity should be responsible for the design, implementation, monitoring and improvement of the internal control system and risk management function (MP/CGU, 2016). This reflects a fundamental notion of management control, which places ownership of the internal control system inside an entity (i.e. the 1st line of assurance). In other words, in the public sector context, the primary “owners” of an internal control system and its related components are executive branch managers, as opposed to other actors, such as the internal audit bodies. Brazil’s Constitution of 1967 recognised this, assigning responsibility for the internal control system to the executive branch (Article 71). The CGU within the executive branch constitutes the 3rd line of assurance, responsible for assessing the effectiveness of the other actors that have the primary responsibility for designing and implementing internal control and risk management activities.

Brazil’s internal control standards also provide for the creation of Governance, Risk and Internal Control Committees within all ministries. Each committee should be composed of top managers and heads of units within ministries, with the support of CGU’s Special Advisor for Internal Control. Per the standards, these committees are meant to play a lead role in various activities, such as institutionalising the internal control system, ensuring compliance with laws and regulations, setting policies, supervising risk assessment activities and making recommendations to improve internal control and risk management. In Brazil, the development of such institutional mechanisms illustrates a positive step forward in the country’s efforts to develop the capacity and structure to further institutionalise internal control and risk management in the public sector.

SAIs have a unique role in establishing and maintaining effective internal control mechanisms. As noted above, the three lines of defence in the public sector context include entities within the executive branch. A fourth line of defence is the external auditor, i.e. TCU in the Brazilian context. Traditionally, SAIs’ compliance and financial audits have aimed primarily at assessing financial expenditure and financial conduct in accordance with controls. SAIs’ audit scopes cover how controls are set, in an attempt to ensure that controls facilitate the achievement of the policy goals they are meant to protect (OECD, 2016a). In looking at the efficiency and effectiveness of internal controls and risk management, SAIs have been able to gather insight into what does and does not work. SAIs are also actively assessing processes for the development of guidance around internal control and risk management; some SAIs are even responsible for developing guidance themselves. In the OECD’s (2016a) “SAIs and good governance: Oversight, Insight and Foresight”, six out of ten peer SAIs provide written guidance on establishing rules and controls, and five out of ten undertake research in this area.

TCU supports internal control and risk management in three main ways. First, TCU conducts performance audits and evaluations aimed at improving internal control systems and risk management in government. Second, on the basis of its compliance and financial audits, TCU can issue sanctions and binding resolutions in response to non-compliance with the law. Third, TCU provides advisory services to external stakeholders, such as representatives of the executive branch and the Congress. TCU officials pointed out that TCU has recently provided inputs to Congress on three bills related to the topic. In addition, in 2017, TCU established an internal Department of Institutional Relations on the Fight Against Fraud and Corruption, charged with collaborating with other entities (e.g. the Federal Police and prosecutors) to improve information sharing, strengthen audits and conduct relevant training. As discussed in the next section, TCU has also developed guidance for the executive branch to help improve fraud risk management, among other issues. Through these activities, TCU contributes to the effectiveness of the internal control system and strengthens the integrity of government.

TCU’s external control activities in this area have focused both on issues within an entity or sector and on broader, systemic internal control and risk management issues. For example, in 2012, TCU evaluated the maturity level of risk management across sixty-six entities of the indirect administration, including the MP. The audit focused on municipalities, foundations, public enterprises and joint-stock companies, assessing risk management environments, processes, partnerships and results (TCU, 2012). Subsequent sections further explore TCU’s contributions to this governance function.

TCU faces heightened expectations to contribute to the reduction of corruption in the country, as evidenced by a recent survey commissioned by Brazil’s National Industry Confederation, in which 90% of respondents said that TCU is an important actor for fighting corruption. This role is aligned with TCU’s mandate. TCU can meet these expectations not only by maintaining the effectiveness of its compliance audits and judicial function, but also by undertaking new approaches that take into account systemic issues at the central level, implementation at the entity level, and tools for tackling risks on the ground.

TCU can build on this work to strengthen its contributions to this function of government, as discussed in the sections below. Amidst low government trust and corruption-related scandals, TCU is in a position to rise above the short-term politics of the moment in support of a long-term vision for improving this governance function. However, the expectation is not that TCU exercise functions that are already being serviced by, or should be serviced by, another expert body or institution. SAIs should not compensate for a lack of maturity in internal control. An SAI’s role should be to support, not displace, other public entities.

The OECD makes the recommendations below (Table 4.1) to support TCU in this endeavour of driving improvements in public administration through improved monitoring and evaluation. The following recommendations aim to support TCU in the fulfilment of its mandate and, in particular, the achievement of strategic objective 7 of TCU’s 2015-2021 Strategic Plan: “to induce the improvement of risk-management and internal controls of public administration” (TCU, 2015a). The external control strategy (2015-2017) estimates a resource allocation of 12% to this objective, which gives it the third largest resource allocation of all external control objectives (TCU, 2015b).

Table 4.1. Recommendations: Auditing for more robust risk management and internal control at the federal level

TCU could strengthen the effectiveness and consistency of internal control and risk management approaches across government by identifying and communicating systemic and high-risk areas for central entities to address, including the Ministry of Planning, Development and Management and Comptroller General of the Union.

TCU could induce managers to overcome implementation challenges and further institutionalise key risk management and control activities.

  • TCU could take steps, such as applying change management paradigms, to further institutionalise management ownership over internal control systems and risk management.

  • TCU could enhance guidance and audits about how to improve the culture of integrity across government, in co-ordination with the key actors.

TCU could help strengthen the capacity of government to prevent fraud and corruption through audits and additional guidance that ensure the effectiveness of policies and the use of tools, such as data analytics.

4.3. Identifying systemic, high-risk areas for better internal control systems and risk management at the whole-of-government level

TCU could strengthen the effectiveness and consistency of internal control and risk management approaches across government by identifying and communicating systemic and high-risk areas for central entities to address, including the Ministry of Planning, Development and Management and Comptroller General of the Union.

A key element of good governance is an internal control and risk management system that supports the entire government in the achievement of its policy priorities and ministries in pursuit of related objectives. Moreover, the rise in cross-cutting initiatives in OECD member governments necessitates a broader, more holistic view of the risks that are presented and how they can be controlled. This context highlights the critical role that the Centre of Government (CoG) can play in guiding the effective design and implementation of the internal control system. In a study of OECD member countries, 52% of CoGs share the responsibility for risk management and strategic foresight with another body, while 18% have the primary responsibility (OECD, 2014a). The contributions of central institutions to a more robust internal control system and risk management function include the following:

  • The CoG has a responsibility to manage risks to the overall government strategy at the highest level. This means having processes to identify and manage the most pressing risks to the achievement of policy objectives and government priorities.

  • The CoG provides policies and procedures in support of more consistent and effective design, implementation, monitoring and improvement by managers at the entity level.

  • The CoG can play a role in oversight of management ownership and execution.

In order to ensure that central entities can adequately fulfil their role, they must have the policies, procedures and capacity to take a horizontal view across government. It is here that SAIs can play a key role. The comparative advantage of an SAI, in relation to other actors in an accountability system, is its ability to take a government-wide view of key governance functions in order to identify systemic issues affecting multiple agencies. SAIs are incorporating such systemic reviews into their strategic plans and audit programming, which provide a perspective on the overall quality of internal control and risk management in government. This can include a focus not only on the implementation of these functions in government, but also on the formulation of policies, procedures and guidance. This cross-cutting work can complement audit and oversight activities that are more reactive and focus on short-term risks. Box 4.1 below provides examples of government-wide reviews conducted by various SAIs.

Box 4.1. Supreme audit institutions and government-wide studies for improved integrity, internal control and risk management

Institutional mechanisms, policy interactions, contextual factors and effects are all examples of elements that contribute to policy coherence (OECD, 2016b). SAIs are in a unique position to look across government agencies to assess an issue and the extent to which governments are achieving policy and operational coherence. For instance, they offer perspectives of oversight, insight and foresight to reviews of policies and programme planning, such as the integration of government-wide objectives into current strategies and planning and the preparedness of government to tackle future goals.

Mexico’s ASF:

Every year since 2012, ASF has conducted at least one government-wide integrity review that touches on elements of coherence, looking specifically at the strategies and mechanisms of federal public institutions to strengthen integrity and prevent corruption. These studies focus on what government is doing in these areas, particularly activities related to internal control systems and risk-management functions. Examples of these studies include the following:

  • Study about the Strategies for Combating Corruption in the Public Sector – ASF conducted this study to understand the actions federal public sector institutions had been making to tackle corruption, based on the applicable standards and international best practices, in order to identify areas of opportunity and promote the implementation of an integrity programme (ASF, 2014).

  • Technical Study for the Promotion of a Culture of Integrity in the Public Sector - ASF analysed and described the best international practices in integrity, as well as implementation of anti-corruption controls, to help government institutions formulate an integrity programme for strengthening the culture of transparency, probity and accountability (ASF, 2015).

Canadian Office of the Auditor General (OAG): assessment of entities’ risk management frameworks

In Canada, the Auditor General has been assessing entities’ controls for integrated risk management. In audits in 2003 and 2006, the OAG found that government entities did not have adequate integrated risk management frameworks. In 2009, the OAG performed an audit of the Treasury Board of Canada Secretariat, the Office of the Comptroller General and seven large federal departments to assess progress on the recommendations and commitments from the previous audits. Importantly, this audit did not assess the appropriateness or completeness of internal controls or the risks identified in the departments’ Corporate Risk Profiles, but rather focused on whether the departments were assessing their internal controls and practices, and on their approach to risk management.

In regard to developing policies, frameworks and relevant guidance on internal controls, and implementing risk management measures, departments made satisfactory progress. Each of the selected departments has developed a corporate risk profile that summarises the assessment of the department’s key risks with processes to update the profiles regularly. The departments have also incorporated that risk profile into business planning, priority setting, and decision making and reporting. They still have not, however, assessed their internal control systems in order to address weaknesses. Further, the Comptroller General has yet to establish processes for monitoring the completion of these assessments or assessing actions taken by departments to address internal control issues.

The Netherlands Court of Audit: assessing financial risk exposure of government

The Netherlands Court of Audit assessed the risk of financial ties between the government and eight international financial institutions following the financial crisis in 2008. In order to do this, the Court prepared eight factsheets that show the ties between the government and these eight institutions, highlighting their financial profiles and the measures the Dutch government has taken to mitigate risks. This allowed for exposure of public finances to be easily mapped out, and provided the Parliament with better insights into which risks are shared, how institutions mitigate risks, the institutions’ precautionary balances and the risk to the Netherlands.

Portuguese Tribunal de Contas: audit of internal audit in state-owned enterprises

In order to strengthen the overall governance of selected entities, the Portuguese Tribunal de Contas assessed the internal audit function of state-owned enterprises. Through a performance audit of 20 state-owned enterprises, the Court evaluated the internal audit function in each of the public enterprises and compared it to international best practices. The audit also assessed the influence of governance models on the effectiveness of the internal audit function. Of the 20 entities that responded to the survey, 16 had an internal audit unit; however, only 5 of those 16 were familiar with the full breadth of internal audit concepts. Additionally, half of the respondents to the survey had internal audit units that reported to the board; however, many of the boards did not have non-executives on them, which largely compromises the independence of the audits.

Hungarian State Audit Office: Cross-government integrity surveys

Since 2011, the State Audit Office of Hungary has been carrying out a series of integrity surveys of public sector institutions, ranging from national to regional and local levels, and covering a wide range of public sector branches. These integrity surveys are based on integrity questionnaires, which were inspired by the Dutch methodology of integrity assessment used in many countries. The integrity surveys consider three main components of integrity:

  • Inherent risks which emanate from the legal standing and permanent tasks of the organisation, such as providing public services

  • Risk-increasing factors which result from everyday organisational functioning and structure, such as recruitment practices

  • Level of controls, which encompasses the system of control mechanisms, such as those based on a code of conduct. The survey focuses on organisational experience, events and actions taken, not on perceptions or attitudes.

The annual survey has already been implemented six times. Analyses of the survey results, available on the SAO website, have been essential in informing the work on integrity in the Hungarian public sector. The approach and terminology regarding integrity have been widely acknowledged at all levels of public management and by the broader public. SAO complements this survey with annual international seminars dedicated to strengthening public sector integrity.

Source: OECD (2016a), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Public Governance Reviews, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264263871-en; OECD (2017a), Mexico’s National Auditing System: Strengthening Accountable Governance, OECD Public Governance Reviews, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264264748-en; ASF (Office of the Auditor General of México, or Auditoría Superior de la Federación) (2015), “Technical Study for the Promotion of a Culture of Integrity in the Public Sector”, https://www.asf.gob.mx/uploads/180_Estudios/1173_Estudio_Tec_para_la_Promocion_de_la_Cultura_de_Integridad_en_el_Sec_Pub.pdf; ASF (2014), “Study about the Strategies for Combating Corruption in the Public Sector”, https://www.asf.gob.mx/Trans/Informes/IR2014i/Documentos/Auditorias/2014_1642_a.pdf; OAG (Office of the Auditor General of Canada), Chapter 1, Financial Management and Control and Risk Management, http://www.oag-bvg.gc.ca/internet/English/parl_oag_201106_01_e_35369.html; NCA (Netherlands Court of Audit) (2011), Financial Risks to the Netherlands, www.courtofaudit.nl/english/Publications/Audits/Introductions/2013/09/Financial_risks_to_the_Netherlands_of_international_guarantees; NCA (2011), Risks to Public Finances, http://www.courtofaudit.nl/english/Publications/Audits/Introductions/2012/06/Risks_to_public_finances; NCA (2011), Spending Cuts Monitor 2011, http://www.courtofaudit.nl/english/Publications/Audits/Introductions/2011/05/Spending_Cuts_Monitor_2011; TdC (Tribunal de Contas de Portugal) (2011), The Internal Audit Function in the State Owned Enterprises, www.tcontas.pt/en/reports/audit_report_08-2011-2s_abstract.pdf.

In the last few years, TCU has conducted research and evaluations that provide a systemic view of issues related to internal control and risk management, including the following examples:

  • Framework to Assess Governance in Public Policies: After reviewing and building upon various national and international models of governance in public policies, TCU developed a model for governance evaluation in public policies comprised of eight components. One of these components gathers good practices concerning risk management and internal controls (TCU, 2014b).

  • Sector-level review of risk management maturity in government: In 2013, TCU conducted a survey of risk management activities at the sector level. In this evaluation, TCU assessed the maturity of risk management in various sectors of the federal government with the help of its indicator based on COSO’s Enterprise Risk Management Framework, ISO 31000 on Risk Management and governmental models of risk management in Canada and the United Kingdom. The participating institutions were then classified into five categories of maturity. At the time, 67% of organisations were in the bottom two classifications. The risk management maturity levels were higher in oil (61%) and financial sectors (65%) than transportation (28%) and regulatory sectors (31%) (TCU, 2013a).

  • Survey on the governance system focused on implementation of public policies: Evaluation of the co-ordination efforts and the Brazilian internal control system compared with main international standards (TCU, 2013b).

  • General Criteria for Internal Control in Public Administration: A study of the models and the disciplinary regulations in different countries. The study explores the models for internal risk management and controls and how the surveyed countries have addressed the issue in their legal systems. The goal is to support the discussion, in the Federal Senate, of a bill to define general criteria for internal controls, risk management and governance in the Brazilian government (TCU, 2009b).

Building on this body of work, TCU could help to strengthen the effectiveness and consistency of internal control and risk management approaches across government by emphasising, in its audits and evaluations, areas for the central entities to act. Specifically, TCU could help to ensure an effective internal control system and risk management function across government by identifying and communicating systemic issues and high-risk areas.

The design and implementation of an effective internal control system and risk management function is first and foremost the responsibility of the Executive Branch, as reflected in international standards and indicated in Brazil’s Joint Normative Instructions (MP/CGU, 2016). Nonetheless, TCU can play a critical role in ensuring that systemic and high-risk areas in government are addressed by identifying and communicating issues for the central entities (e.g. the MP and CGU) to address. As discussed in Chapter 2, systemic issues often highlight the need for better coherence and co-ordination between government entities that have shared activities or a collective impact on national policy goals. Systemic issues include vulnerabilities and areas for improvement that are cross-cutting and can affect multiple public entities or programs.

The perspective of “systemic errors” adopted by the European Court of Auditors (ECA), in its review of the management and control systems of member states of the European Union, is instructive. According to the ECA, an error is considered systemic “when there is a high probability that the same problem may affect other projects in a similar manner.” The ECA further notes that it is necessary to identify the extent of this systemic error (ECA, 2012). For instance, multiple public entities may uniformly be interpreting and applying procurement rules incorrectly, leading to reduced effectiveness and efficiency, as well as increased risks of fraud, waste and abuse.

As indicated in the ECA’s definition, analysing systemic issues is not just about identifying problems, but also about understanding their extent. TCU’s own work offers examples of evaluations that focus on systemic issues, whether or not that was explicitly the purpose. For example, in addition to those noted above, in 2014 TCU conducted a survey of 7,700 public entities to evaluate their governance practices, including those related to risk management. TCU assessed the maturity of risk management based on a set of criteria. Among the 380 federal public entities surveyed, 80% of organisations were in the early stage of risk management, 13% in the intermediate stage and only 7% had the ability to structure improved risk management. Based on the survey, TCU concluded that there are inefficiencies in risk management in public sector entities (TCU, 2014a). Such surveys not only illustrate potentially systemic issues across different government entities, but also point to high-risk areas and institutions, which could help the CoG to direct resources efficiently and effectively.

Few entities in government have the remit, resources and expertise to conduct such evaluations. TCU could further leverage this comparative advantage by systematising its evaluations of systemic issues and high-risk areas, and linking its findings to areas where the CoG can act to improve policies upstream. As the CoG works to institutionalise its Normative Instructions, and TCU advances its framework for managing fraud risks, such evaluations could be beneficial for refining policies and enhancing the co-ordination and consistency of how the standards and leading practices are applied across government. The comparative evidence from evaluations and surveys can be a beneficial input for the CoG, as well as TCU itself, to promote a common interpretation of standards and frameworks for internal control and risk management. The evidence can also inform TCU’s recommendations directed at the CoG itself for amending policies, rules or guidelines to improve government-wide performance.

In addition to government-wide evaluations and surveys, TCU can incorporate systemic perspectives into the design of its audits. This can involve scoping the audit to include multiple entities within a specific part of the audit universe, sector or type of institution, incorporating research objectives that focus explicitly on the systemic aspects of a particular issue. For instance, in 2014, the Ministry of Veteran Affairs of Canada conducted an audit of four programs to provide assurance that processing of overpayments was done in compliance with laws, policies and regulations. The audit design included specific research objectives to identify systemic issues among the programs that caused overpayments. The audit revealed, among other things, that oversight, monitoring, and reporting of overpayments could be strengthened to determine and address systemic issues (Veteran Affairs Canada, 2014). In the last few years, TCU has conducted several audits that were systemic in design and scope, including the following:

  • Evaluation of internal controls of Roraima’s municipalities: Members of the Public Management Control Framework, including TCU, CGU and the State Court of Accounts of Roraima, reviewed the entities and activities of municipalities of the State of Roraima to identify systemic issues and assess the maturity of the internal control systems in the State’s municipalities (TCU, 2014c).

  • Audit of internal controls of university hospitals procurement: Evaluation of internal control of bidding and contract area of university hospitals. The audit addressed key aspects of the internal environment, with emphasis on the internal audit and control activities applied on a sample of processes (TCU, 2013c).

  • Performance audit of internal control units of the Executive, Legislative and Judicial Branches: The audit found a need for improvements in the institutional structures for the performance and development of staff (TCU, 2009a).

To the extent TCU emphasises systemic issues within its audits, whether at an institutional or sector level, it could further develop approaches to aggregate the findings from those audits to paint a bigger picture of cross-government issues. Doing so could help TCU to identify the extent of systemic challenges, but also the viability and scalability of potential solutions. In this role, TCU can act as an interlocutor between government entities for innovation and change, facilitating dialogue on how multiple institutions can better address shared issues. For instance, identification of systemic issues with the bidding and contracts related to hospitals could be analysed against similar issues in other sectors and among different institutions, since procurement policies, rules and practices are often shared. TCU is in a unique position to identify the linkages between different parts of Brazil’s governance structure, and communicate solutions formally through its recommendations and informally through dialogue, forums and trainings.

To complement a view towards systemic issues, TCU could consider a more systematic approach to identifying, analysing and communicating the highest risks in government, particularly with regard to strengthening integrity through risk management and internal controls. Findings and recommendations that focus on the highest risks could highlight for the CoG possible improvements to policies, guidance and inter-entity co-ordination. In addition, identifying sectors, programmes or institutions that are high risk can help to focus resources on key challenges, and motivate the managers responsible for those programmes to act. In the context of internal control and risk management, high-risk areas can include those that are most vulnerable to fraud, corruption, waste and abuse. TCU’s existing evaluations, surveys and audits, such as those described above, can help to identify the highest risks.

SAIs can take different approaches to determining high risks. For instance, since 1990 the U.S. Government Accountability Office (GAO) has analysed and reported on the progress of government entities in addressing high-risk areas, focusing on areas that are vulnerable to fraud, waste, abuse and mismanagement, or those that are in need of transformation (GAO, 2017). The criteria GAO uses for assessing whether a programme is high risk include leadership commitment, capacity, action plan, monitoring and demonstrated progress (GAO, 2017). GAO based the methodology for its High Risk List on its publication, Determining Performance and Accountability Challenges and High Risks, which guides auditors in making assessments about the challenges government faces. The guide highlights the following criteria for determining government-wide high risks, noting that any material weakness must:

  • “Be evident at multiple agencies

  • Affect a significant portion of the government’s total budget or other resources

  • Stem from a deficiency that should be monitored and addressed through individual agency actions as well as through Office of Management and Budget [i.e. Centre of Government] initiatives, legislative action, and/or congressional oversight (GAO 2000).”

GAO developed a body of work for analysing and reporting on high risks; however, many SAIs conduct similar processes as part of their risk-based audit programming, as described in Chapter 1. GAO’s process draws from existing audits, applying its high-risk criteria to recent findings. The example demonstrates an opportunity for SAIs to use their own work, information and data to provide a broader view of the functioning of government. In line with objective 7 of its strategic plan, TCU could also enhance analysis of its own work to identify potential vulnerabilities in the internal control system, and areas where the CoG can act. For instance, TCU conducts audits and investigations that highlight individual instances of potential fraud, corruption, waste or abuse. These cases can serve as a rich dataset for analysing risks in government and potential systemic weaknesses in the control environment. TCU could also collect data and information from the CGU, and use these cases as inputs to inform its own audit programming and planning to ensure its audits focus on the highest risks. They could also act as inputs for performance audits that take a broader look at internal control and risk management in government. Such approaches could help TCU to connect its reactive work to its more proactive portfolio, which is more preventive in the context of internal control and risk management.

4.4. Advancing risk management and internal control at the entity level by overcoming implementation challenges

TCU could induce managers to overcome implementation challenges and further institutionalise key risk management and control activities.

In 2014, TCU conducted a survey in co-ordination with the Rui Barbosa Institute, the Association of Members of the Brazilian Courts of Accounts (Atricon), and 28 subnational audit entities, which highlighted the systemic need for improved risk management and control in government. Specifically, TCU surveyed public entities to evaluate their governance practices, including those related to risk management. TCU assessed the maturity of risk management based on a set of criteria, and identified immaturity and inefficiencies in risk management in public sector entities. Figure 4.2 below depicts the results of the survey of federal organisations. It indicates that among the 380 federal public entities surveyed, 80% of organisations (column C11) were in what TCU defined as the early stage of risk management (i.e. non-existent, insufficient or initial), and 13% were in the intermediate stage (TCU, 2014a). The remaining 7% of organisations showed more advanced (or “improved”) risk management.

Figure 4.2. TCU government-wide survey on risk management in public sector entities

Legend:

C111: Risk guidelines for management and the establishment of internal controls are set, and include the definition of risk tolerance, roles and responsibilities, and risk classification criteria

C112: The risk management process is implemented and includes the following components: control environment; objective setting; risk assessment; control activities; information and communication; monitoring activities

C113: The organisation’s risk criteria are identified

C114: Internal controls to mitigate the identified critical risks are deployed

C115: Continuity plan related to critical elements of the area of expertise is deployed

C116: The responsibility for co-ordinating the risk management structure is assigned within the organisation

C117: Internal governance uses the information resulting from risk management to support its decision-making processes

Source: TCU (2014a), Survey of Risk Management in Public Governance, Gestão De Riscos Levantamento De Governança Pública, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A24E08D405014E0D42E95B3708

The reasons for the low levels of capacity of risk management vary, but such surveys point to challenges related to implementation rather than design. In Brazil, the framework for the internal control system is generally aligned with COSO’s Internal Control-Integrated Framework, as described in greater detail below. This framework embodies the internal control system within the governance architecture, which also includes the risk management function and internal control activities (see Figure 4.3).

Figure 4.3. Entity-level internal control systems and relationship to other components

Source: Adapted from COSO Internal Control-Integrated Framework (2013).

Policy making and guidance related to internal control and risk management activities in Brazil is spearheaded by the Ministry of Planning, Development and Management (Ministério do Planejamento, Desenvolvimento e Gestão, MP), considered part of the CoG, and Brazil’s internal control body, the Ministry of Transparency, Supervision and Control (Ministério da Transparência, Fiscalização e Controle, CGU). In May 2016, the MP and the CGU published a new framework and standards for internal control, risk management and governance (MP/CGU, 2016).

Brazil’s new standards for internal control, risk management and governance (MP/CGU, 2016) assign responsibilities for these areas to managers in the executive branch, underscoring the importance of management ownership. The framework is structured around internal control components drawn from relevant international standards, such as the 2013 COSO Internal Control-Integrated Framework, the COSO Enterprise Risk Management-Integrated Framework and the standards of the International Organisation of Supreme Audit Institutions. The framework recognises a key relationship between organisational objectives, internal control components and the Three Lines of Defence Model, as depicted in Figure 4.4. In addition, the standards call for executive branch managers to actively manage and assess various risks.

Figure 4.4. Relationship between an organisation’s objectives, the internal control components and the three Lines of Assurance Model
Core Organisational Objectives

Source: Adapted by the OECD Secretariat with inputs from the Committee of Sponsoring Organisations of the Treadway Commission (COSO); COSO (2013), An Update of COSO’s Internal Control – Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, www.coso.org/documents/cosoicifoutreachdeck_05%2018%2012.pdf; IIA (2013), IIA Position Paper – Three Lines of Defense in Effective Risk Management and Control, The Institute of Internal Auditors, Altamonte Springs, www.theiia.org/goto/3Lines; IIA (2015): Three Lines of Defence Model, Assurance Maps presentation-PIC EU-28 Conference 2015, http://slideplayer.com/slide/10129777/.

As discussed further in the recommendations below, the perspective of managers with regard to internal control and risk management, characterised by an externalisation of the function to other entities, indicates that a culture of integrity is lacking in many entities of the Brazilian government. Such a gap can limit the extent to which controls can be integrated and aligned with the entities’ strategy (OECD, 2013). To aid managers in overcoming the implementation challenge related to the new internal control standards, TCU can build on existing audit work and other activities to focus on skill development, awareness raising and cultivating a culture of integrity. TCU has already developed a number of products to aid the government in strengthening risk management at the entity level (Box 4.2). This work is in line with objective 7 of TCU’s strategic plan, and includes a Maturity Assessment in Risk Management in Public Administration, the General Criteria for Internal Control in Public Administration and the Basic Governance Reference Guide. TCU is also developing a Fraud Risk Management Framework to aid managers in implementing the new standards for assessing fraud risks. TCU could complement this guide and other efforts by further developing its support for implementing good risk management practices. In particular, TCU could further strengthen its efforts to guide managers in overcoming implementation challenges and further institutionalising key risk management and control activities to address high risks by:

  • Taking steps, such as applying change management paradigms, to further institutionalise management ownership over internal control systems and risk management; and

  • Aligning and disseminating guidance with high-risk areas, in co-ordination with the key actors and building on existing efforts to improve fraud risk management in government.

Box 4.2. TCU activities in support of the implementation of risk management and internal control at the entity level

Evaluation of units of internal control and internal audit: Assessed the internal audit units, internal control units and internal control consultants of entities in the federal public administration. Recommended strengthening management and rationalising control actions (TCU, 2014d).

Performance audit on risk maturity of the Central Bank: Assessed risk management and its state of implementation across the units, activities and processes of Brazil’s central bank. Also evaluated adherence to the guidelines of best practice guides (TCU, 2015e).

Evaluation of risk management maturity of Electrosul: Entity maturity considered intermediate in risk management, both in relation to the environment and the processes (TCU, 2015f).

Audit of risk management of the Secretariat of Ports: TCU verified the risk management of the Ports Secretariat on the National Dredging Program. There was an institutionalised absence of procedures for identifying and assessing risks (TCU, 2014e).

Source: Adapted from OECD (2016a), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264263871-en; TCU (2014d), Evaluation of units of internal control and internal audit (Acordao TCU 821/2014), http://www.lexml.gov.br/urn/urn:lex:br:tribunal.contas.uniao;plenario:acordao:2014-04-02;821; TCU (2015e), TCU Judgement 0548/2015, Acordo TC-020.137/2014-1 – Plenary, Performance Audit, http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20150320/AC_0548_09_15_P.doc; TCU (2015f), Evaluation of risk management maturity of Electrosul, TCU 605/2015, Acordo TC-019.140/2014-2, http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20150330/AC_0605_10_15_P.doc; TCU (2014e), Audit of risk management of Secretariat of Ports, Judgement 735/2014 – Plenary, Acordo TC 009.504/2013-3, Performance audit, http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20140402/AC_0735_09_14_P.doc.

TCU could take steps, such as applying change management paradigms, to further institutionalise management ownership over internal control systems and risk management.

In Brazil, internal control is often seen as the remit of internal audit, not managers within the executive branch. TCU officials noted that managers do not see internal control and risk management as one of their core responsibilities, and TCU’s surveys, discussed above, provide further evidence of this mentality, reflecting a low level of awareness or misunderstanding about this governance function. In addition, documents of Brazil’s internal audit body itself, the CGU, illustrate the need for improving the culture of integrity through a greater emphasis on communicating the importance of management ownership over the internal control system. For instance, CGU’s “Operational Plan of Decentralised Actions: Transparency and Prevention of Corruption,” describes the role of the Secretariat of Transparency and Corruption Prevention (STCP) as the body responsible for the prevention of corruption in the Federal Public Administration (CGU, 2015). While the STCP plays an important role, such statements draw an incomplete picture. Managers within the executive branch are also responsible for preventing fraud and corruption, per international standards and Brazil’s Normative Instructions. Failure to address this issue poses a threat to the implementation of these new standards.

An OECD review of the contributions of SAIs to strengthening internal control systems showed that the majority of SAIs that are effectively contributing to this area focus on the entity level. In a survey of ten SAIs, nine had assessed processes for the development of internal control guidelines, including the incorporation of risk management, the openness and consultation of the process and the alignment with international principles. Only half (five of ten) had reviewed leadership in establishing a culture conducive to risk-management and control. There is an opportunity for TCU to focus further on the latter, given its importance for change within an institution and system more broadly (OECD, 2016a).

TCU has already taken a number of actions to contribute to stronger internal control and risk management in the executive branch by improving skills and raising awareness. One recent effort is TCU’s creation of a guide to help managers to evaluate fraud and corruption risks. TCU can build on this initiative by engaging CGU, the MP and other executive branch entities in implementing the practices and tools it promotes in both the guidance and its audits. Doing so would help to institutionalise Brazil’s Normative Instructions, and advance international standards. For instance, ISO 31000 notes that the introduction of risk management and ensuring its continued effectiveness relies on strong and sustained commitment by managers, as well as rigorous and strategic planning to build commitment at all levels of an entity (ISO 2009).

Having standards and guides, Brazil now faces the challenge of further institutionalising internal control and risk management through greater management ownership. Applying change management principles and practices can help TCU to shift paradigms to help address this challenge. Various factors can undermine effective implementation of internal control and risk management, including institutional legacies, failure to understand complexity and a lack of leadership support. Institutionalisation also has a strong behavioural component involving the beliefs, habits and motivations of individuals. Common behavioural elements when faced with change include (Stoop, 2016):

  • Feeling threatened by change, as a result of consequences on power structures, prestige, individual opportunities, or careers;

  • A lack of understanding of the need for change or the implications of the change;

  • Not having confidence in the promoters of change.

There are myriad change management models that could be applied to improving management ownership in Brazil, and ultimately the internal control and risk management functions. For instance, in the 1950s, renowned psychologist Kurt Lewin suggested that effective change requires successful completion of a three-step process of “unfreezing” the existing behaviour, moving to a new level and “refreezing” at the new level (Hayes, 2014). Over the years, the process has evolved in different contexts to include concrete activities for each step. In the context of strengthening integrity in Brazil, this approach can be instructive for TCU, particularly as it enhances its own capacity and reorients its strategy to reduce fraud and corruption in government. Lewin’s theory argues that “pull” strategies, whereby restraining forces are removed to strengthen a culture of integrity, are more effective than “push” strategies (i.e. outside pressure for change), because they are more likely to increase commitment and result in permanent change (Hayes, 2014). Through its audits, evaluations, guidelines and convening power, TCU can act as a strong pull agent to complement other entities in government.

Another preeminent change management model, developed by Harvard University professor John Kotter, employs an 8-step process (Kotter 2014):

  1. Create a sense of urgency

  2. Build a guiding coalition

  3. Form a strategic vision and initiatives

  4. Enlist a volunteer army

  5. Enable action by removing barriers

  6. Generate short-term wins

  7. Sustain acceleration

  8. Institute change

TCU could develop concrete activities mapped against these steps with the goal of refining its recommendations and findings related to management ownership, and addressing the behavioural aspects of institutionalising reforms. For instance, recent turmoil and scandals in Brazil could help TCU to justify in its audits the urgency for more robust risk management and internal control systems across government to regain citizens’ trust in government. The importance of successfully implementing the new Normative Instructions issued by MP and CGU can also add a sense of urgency at the entity level. Moreover, to Kotter’s second point on building a coalition, TCU could enlist the Internal Control Co-ordination Commission (Comissão de Co-ordenação de Controle Interno (CCCI)), of which TCU is a part. Founded in 2001, the commission includes high level officials and is chaired by the Chief Minister of the Comptroller General (CGU, 2016b). The group has only met 4 times in 15 years, and initiatives to improve management ownership and improve co-ordination between responsible entities to implement the Normative Instructions could reenergise the network. A strategic vision, related to Kotter’s third point, could focus on policy outcomes and highlight the public value that is derived from strengthening internal control and risk management, such as reductions in loss of public funds to corruption and fraud and improved execution of the budget (OECD, 2017b).

Numerous change theory models exist that can help entities to address these issues, and understand “where they are” and “where they want to go” with regards to management ownership and building a culture of integrity. TCU could also adapt existing models, such as those described above, to its unique context. Indeed, one of the benefits of applying change management paradigms is that they can be flexible enough to be tailored to the individual contexts of institutions. They also are based on the notion that change is not an end state that can be reached through programmed steps, but rather an ongoing process (Paton 2008). In the Brazilian context, change management can help to bridge theory, as defined in new standards and guidelines to promote integrity, with practice in individual entities. It also provides insights on how to manage resistance to change, which could include the following techniques (adapted from Stoop, 2016):

  • Demonstrate that the status quo cannot be maintained and why;

  • Collect information on concerns and the rationale for the current situation, and provide factual and considerate responses;

  • Understand and use resistance to change for making improvements;

  • Engage those that are promoting change;

  • Create new perspectives that are sustainable, rooted in the medium and long-term, not only the short term.

There are other ways that TCU could incorporate change management paradigms into its audits, evaluations and other initiatives. For instance, TCU could integrate the concepts into the audit process by having auditors take into account the drivers and inhibitors of change in the behaviour of auditees. TCU could also disseminate the concepts of change management paradigms through trainings and awareness-raising with audit teams, promoting more constructive approaches with auditees that focus on the process of change and holding auditees accountable for behaviour-based improvements. In addition, TCU could audit the change management or behaviour change as a specific subject unto itself. For instance, the U.K. National Audit Office (NAO) conducted a review, “Auditing behaviour change,” that looked at the government’s ability “to encourage individuals to change their behaviour in a way that will help Government achieve its policy goals.” The NAO undertook this audit in view of “…a growing belief that policy goals may be achieved more effectively if the design and use of interventions incorporate a better understanding of behaviour.” This concept can similarly be applied to behavioural change of auditees with regards to management ownership, with the belief that TCU recommendations may be achieved more effectively if audits incorporate a better understanding of the drivers and barriers to change in the context of improving internal control systems (NAO, 2011).

Finally, marginalising or ignoring the input of those who may resist change can slow or impede the process of change as a whole. In discussing findings with the auditee, and in line with the change management principles above on understanding resistance to change (Stoop, 2016), TCU could emphasise in internal trainings and communication the importance of understanding the action (or inaction) of the auditee to facilitate a more constructive outcome. TCU may find an audit by the Netherlands Court of Audit (NCA) instructive in this regard. In an audit of entities’ fulfilment of requirements to assess policies with social aims, the NCA found that some ministries did not fulfil their obligations. The NCA reported on the non-fulfilment without inquiring as to why evaluations were not carried out. Following some ministries’ questioning of this approach, the NCA conducted a follow-up audit that looked specifically into the reasons why ministries did not evaluate the effectiveness of these policies.

Ministries provided, in several cases, reasonable explanations for not having evaluated particular programmes. The follow-up audit led to a recommendation that struck a balance: “if a minister thinks an effectiveness audit is neither feasible nor desirable for a particular policy measure, the reasons should be explained to the House of Representatives and the minister should reconsider the benefit and need for the policy, with the possible outcome being that the policy is terminated”. The NCA treated this as a lesson learned (OECD, 2016a). A change management mindset of the auditor may provide contextual sophistication to an audit, eventually leading to more practical and constructive recommendations that do not risk raising resistance to the audit or auditors.

TCU could enhance guidance and audits about how to improve the culture of integrity across government, in co-ordination with the key actors.

Given the publication of new Normative Instructions, which require managers to conduct risk assessments, future initiatives of TCU, as well as the CoG, could focus on the “how to” aspects of managing risks. These would complement existing guidance that provides a picture of risk management in government, but not necessarily practical applications and tools. In developing such guidance and engaging audited entities and the CoG, TCU should be mindful of maintaining its independence, to avoid designing risk management functions that it will ultimately audit.

TCU is well-positioned to improve risk management systems by building on past work and engaging more strategically with existing networks. For example, in addition to those discussed above, TCU has developed a number of products to aid the government in strengthening risk management. This work is in line with its strategic plan, which notes an objective to induce improvement of risk management and internal control of public administration through assessments (objective 7). Examples of TCU’s work in this area include the following:

  • Brazil’s TCU report, Maturity Assessment in Risk Management in Public Administration, classifies government agencies by the level of development of their risk management mechanisms, from low formalisation (“initial” and “basic”) to fully optimised (“enhanced” and “advanced”). The assessment enabled TCU to rank the maturity of risk management in public entities based on four axes: i) risk management environment; ii) risk management processes; iii) risk management in collaborations; and iv) results achieved with risk management (see Figure 4.5).

  • General Criteria for Internal Control in Public Administration: This TCU study explores role models for internal risk management and controls, and shows how surveyed countries have addressed this issue in their legal systems. The study’s goal was to support federal senate discussions concerning a bill to define the general criteria of internal controls, risk management and governance in the Brazilian government. The study revealed that the Brazilian internal control system did not comply with international standards (TCU, 2009b).

  • Basic Governance Reference Guide: TCU’s best governance practice guide provides important definitions for risk management and other relevant concepts. Good practices in the guide include ‘establish risk management and internal control systems’ and ‘monitor and evaluate the risk management and internal control system, in order to ensure that it is effective and that it contributes to the improvement of organisational performance’ (TCU, 2014f).

Figure 4.5. TCU’s axes for ranking maturity of risk management in federal entities [figure not reproduced; the four axes are those listed above]

Source: TCU (2013a), Measuring the degree of maturity of public entities in the management of risks, TC 011.745/2012-6, Relatório, Voto e Acórdão 2467/2013 - TCU/Plenário, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?inline=1&fileId=8A8182A14D92792C014D928003212A5A

As noted, TCU is also developing a guide with a framework for managing fraud risks in the public sector to aid managers in implementing new standards for assessing fraud risks. TCU could complement this guide and other efforts by further developing its support for implementing good risk management practices. Given the publication of new standards for internal control and risk management, which require managers to conduct risk assessments, future initiatives of TCU could focus on the “how to” aspects of managing risks, such as data analytics as described in the next section. These would complement some of the other efforts of TCU that provide a picture of risk management in government, but are less useful for managers themselves as practical guidance.

These products are useful tools for managers and help to promote a culture of integrity, but dissemination and institutionalisation of the leading practices they communicate is critical. In addition, TCU could focus its performance audits to promote a culture of integrity through effective trainings and awareness-raising. Indeed, designing and implementing internal control and risk management processes, beyond a mere compliance exercise, requires trainings and awareness-raising that are tailored to the needs of leadership, line managers and staff. Training and awareness-raising efforts can emphasise the following policies and practices, which TCU could incorporate into its analytical frameworks when conducting performance audits (adapted from IIA 2013a and GAO 2015):

  • Are employees required to attend trainings, including managers? Attendance of managers at trainings not only helps to develop their knowledge and skills, but also demonstrates a tone-at-the-top and ownership of the internal control and risk management responsibilities. Requirements to attend trainings that focus on integrity, internal controls and risk management, particularly for new hires, can demonstrate the entity’s commitment to the function.

  • Are the right people being trained, and the right people involved as trainers? Effective internal control systems rely on the contributions of many actors. Some of these actors reside within the organisation, at different levels. Trainings can bring managers together with staff. Other actors are external to the entity. For instance, external actors like the internal audit function, contractors and investigators may be responsible for or contribute to key internal control processes. Trainings can help to bring these actors together and avoid silos, supporting information sharing and generating insights about the system.

  • Are the trainings tailored to the context, highlighting relevant and specific risks? While internal control systems should follow standards, in particular those recently issued by the CGU, no two systems are alike. Within entities, systems and the challenges they face can vary based on resources, expertise, types of risks, entity-level political economy, leadership and other factors. Trainings not only help to educate participants about the risks the entity faces, but they can also be a tool for managers to identify risks raised through exercises and discussions between different levels and teams within the entity. Other content that trainings and awareness-raising campaigns can convey includes the following:

    • Increase understanding of political leadership and senior public officials about the linkages between an effective internal control system and the achievement of the entity’s objectives.

    • Provide concrete examples of how the early identification of risks can help avoid future problems, and thus save valuable time and resources.

    • Demonstrate concrete ways to integrate specific integrity policies at the entity-level planning and operations.

    • Explain the assurance role as well as the consulting role of the internal audit function, and the value of evidence-based policy choices that build on existing audit reports.

  • Does the entity use different mediums to educate and raise awareness about internal control and risk management? Trainings, on their own, may not be sufficient, particularly if they are only periodically administered. Consistent messages using various mechanisms, such as newsletters, brochures, dedicated events and time periods (e.g. anti-corruption week), can help to raise the profile of internal control and risk management policies and procedures. Importantly, the messages can communicate the benefits of an effective internal control system, including the demonstration of prevented fraud or corruption cases. Publicising the entity’s integrity efforts externally is also valuable, not only for demonstrating impact, but as a deterrent for would-be corrupt actors.

In developing awareness and a culture of integrity, it is important that TCU focus not just on what the government may be doing wrong, but also on what it is doing right. Success stories and detailed case studies are important tools for communicating and illustrating an effective approach to managers. TCU could encourage entities to do this through its own reviews and recommendations in order to facilitate constructive dialogue and positive exchange of ideas. For instance, in Peru, an initiative of the supreme audit institution (the Contraloría General de la Republica, or CGR), calls on public entities to publish all the activities, good practices and achievements related to the implementation of the National Control System (through web and other tools such as internal newsletters). The new directive also requires public entities to elaborate awareness campaigns and capacity development plans within the 90 days following the publication of the directive. In addition to the new directive, some specific guidelines for the dissemination of internal control inside the public entity (Lineamientos sugeridos para la difusion del Control Interno al interior de la entidad) have been developed by the CGR. The guidelines suggest, for example, publishing news on the status of the implementation of the pilot projects (CGR, 2016).

Finally, other mechanisms exist for dissemination of key concepts, such as engaging in existing networks and developing seminars on select topics, as other SAIs have done. For instance, TCU is a member of the Internal Control Co-ordination Commission, a co-ordination centre that aims to improve the effectiveness of the control function over public management. TCU could more proactively use the Commission to draw attention to systemic issues, propose joint solutions and build awareness around the importance of managerial responsibility over the internal control system.

4.5. Improving use of tools, methodologies and guidance for effective risk management and control

TCU could strengthen the capacity of government to prevent fraud and corruption through audits and additional guidance that ensure the effectiveness of policies and use of tools, such as data analytics.

Aforementioned studies of TCU demonstrate the need for stronger capacities for managing risks in government. Moreover, new internal control standards place a greater emphasis on managers addressing implementation challenges. Effective implementation relies on managers to be proactive and to take responsibility over the internal control system, thereby promoting a culture of integrity. Policies, procedures, structures and tools are all part and parcel of a culture of integrity and critical for effective management of integrity risks. TCU recognised the need for managers to have a framework that touches on each of these elements to help guide their fraud risk management activities. TCU can build on this initiative by focusing its audits, additional guidance and engagement with the executive branch with an eye towards improved implementation of its framework and internal control standards.

A key area where TCU could focus its efforts, particularly audits and awareness-raising, is on the preconditions for successful fraud risk management within an entity, including policies and structures. Knowing the laws, government-wide policies and standards that set requirements is the first step for managers to know what policies should be in place to guide institutional efforts. The Australian Attorney-General’s Department developed a Fraud Control Framework that outlines requirements for fraud control, including that government entities establish a comprehensive fraud control program covering prevention, detection, investigation and reporting strategies (Australian Attorney-General’s Department, 2014). Australia’s approach, among others, can help TCU to ensure its audits and awareness-raising effectively target the preconditions for effective fraud and corruption risk management. Key questions to consider include (adapted from Australian Attorney-General’s Department 2014 and IIA 2013a):

  • Does the entity have an effective and articulated fraud risk management framework (policies, assigned roles, procedures and controls) in place that represents activities to prevent, detect, respond and monitor?

  • Is the framework, as well as key information (e.g. values, code of conduct, conflict of interest policies), easily accessible to employees and communicated early in the hiring process and regularly thereafter?

  • Are there policies and requirements for training related to fraud and corruption risk management for all levels of the entity?

  • Is there a central point of contact for fraud risk management within the entity?

  • To what extent does an external body (e.g. CGU or the Internal Control Co-ordination Commission) have a role in overseeing the development and implementation of the fraud risk assessment and fraud control plan?

TCU’s guide for managing fraud risks highlights other areas than those covered above that could be adapted into concrete tools for auditors to hone the focus of their audits on fraud and corruption risk management. In doing so, TCU can induce change in alignment with the leading practices it sets out in its guide. In addition, TCU could create complementary guidance to aid auditors in incorporating the standards and practices into their plans, interviews and findings. Box 4.3 below provides an example from the supreme audit institution of Costa Rica in the context of auditing to strengthen ethics in the public sector.

Box 4.3. Auditing for Ethics in Costa Rica

In 2008, the Office of the Comptroller General of the Republic of Costa Rica (CGR) developed a technical guide (Guía Técnica para el Desarrollo de Auditorías de la Ética, or Guide) to support internal auditors in performing ethics audits, which the CGR defines as the systematic, objective and professional process for evaluating the functioning and effectiveness of the institution’s ethical framework, in order to promote its strengthening. Such guidance was provided after realising that there was little knowledge about the audit of ethics, both among Costa Rica’s auditors and within the world’s audit community.

The legal basis and standards supporting ethics audits in Costa Rica lie in several domestic and international instruments, such as the Internal Control General Law (Ley General de Control Interno), the Manual to conduct internal audit in the Public Sector (Manual de normas para el ejercicio de la auditoría interna en el Sector Público), the International Standards for the Professional Practice of Internal Auditing (Normas Internacionales para el Ejercicio Profesional de la Auditoría Interna 2100, 2130, 2130 A1) and the Institute of Internal Auditors Practice Advisory 2130-1 (Consejo para la práctica 2130-1).

Ethics audits are carried out by those responsible for the internal audit function, within their competences and duties. The object of the audit is the institutional ethical framework, which includes the following three components:

  • The ethical program: formal factors regarding ethical matters set out in the organization, such as the statement of institutional values, the code of ethics, the vision and mission, the definition of indicators of ethical management, and a formal strategy for strengthening ethics.

  • The ethical environment: shared values, beliefs and behaviours of the organization’s members. It includes observable informal factors such as the organizational climate, the management style, the models of decision making, the verbal expressions, and the behaviours of individuals.

  • The integration of ethics within the institution’s management systems: incorporation of ethical controls in the systems and procedures used in processes that are particularly sensitive and exposed to ethical failure and corruption, such as human resources, financial management, administrative contracting and activities with potential political interference.

Considering the sensitivity and complexity of the issues surrounding ethics, the Guide stresses the importance of the ethics auditors’ professional competence and expertise. At the same time, the audited entity is also called on to ensure a set of basic conditions for the ethics audit to be possible, such as senior management commitment to ethics, as well as support and an open-minded attitude prior to, during and after the audit process.

In addition to the Guide, which sets out the methodology of ethics audits, the CGR has made available to auditors a set of additional tools to support them in the systematic development of evaluations of ethical frameworks, which include:

  • General work plan;

  • Guide for evaluating the institutional ethical framework;

  • Guide for the analysis of strengths, opportunities, weaknesses and threats;

  • Ethics maturity model;

  • Guides for interviewing high and middle management and others;

  • Survey on the institution’s ethical environment;

  • Summary sheet of findings.

Although the users of the guide are internal auditors, it is also directed to the management when deciding to perform a self-evaluation of ethical issues as well as to external auditors.

Source: CGR (2008), Guía Técnica para el Desarrollo de Auditorías de la Ética, https://cgrfiles.cgr.go.cr/publico/jaguar/Documentos/control_interno/secretaria/2009/Auditoria%20de%20la%20etica/mo_aud_etica_final.doc; CGR’s website: https://www.cgr.go.cr/04-documentos/normativa/auditoria-etica.html

Fraud and corruption risk management is a multi-faceted function with many applications involving varied types of risks, depending on the context. The value of audit recommendations, guidance and consultations improves with more tailored, specific insights on the types of risks facing a particular entity or sector. For instance, the types of fraud risks inherent in the procurement cycle can differ from those in the delivery of services for health and education. In addition, risk management relies on key tools and methodologies, such as risk assessments and data analytics. Such topics, whether sector-specific or about risk management techniques, require specific types of guidance and targeting in audits, given the unique nature of risks, skills and challenges they each have. TCU could build on existing frameworks for managing fraud risks with follow-on guidance that focuses on specific areas. Such guidance can be directed to managers in the executive branch and auditors alike.

One area TCU could explore, building on its leadership and initiatives in this area, is the harnessing of “big data” and the use of data analytics for integrity. Individuals who engage in fraud and corruption are effectively making cost-benefit analyses to better themselves at the expense of others, and data analytics can increase the risk and cost of being discovered (Persons 2016). TCU has evolved into a leader in this area, not only within the Brazilian government, but among supreme audit institutions as well. For instance, in 2015, TCU conducted numerous audits in an effort to go beyond a conventional “pay and chase” model of oversight, to more preventive actions to avoid fraud, corruption, waste and abuse through use of data analytics.

TCU has employed statistical methods, the analysis of images and geo-referencing techniques, among other approaches, to reduce the time allotted for analyses and encourage more cost-effective auditing (TCU 2015g). In one review, TCU applied Benford’s Law as a data mining tool to conduct pricing analysis of a public works project. Benford’s Law is one specific form of anomaly detection that can be used to identify potential fraud, and it states that numbers from sufficiently large data sources are typically distributed in a specific, non-uniform way (ACL 2013). Specifically, the number 1 typically appears as the first digit in the largest percentage of numbers in a data source (about 30%), with each successive number typically appearing as the first digit in a decreasing percentage of numbers in the data source, with the number 9 appearing as the first digit in just under 5 percent of numbers in any given data source. Deviations from this pattern are statistically unlikely in randomly occurring data sets and could indicate potential fraud (IIA 2009).

As a result of TCU’s review using Benford’s Law, it found 17 services that were overpriced in the budget, amounting to 72% of the total overpricing found and nearly 150 million reals (nearly 47 million euros, adjusted for 2014) (TCU 2014g). This particular data analytics approach, like others, can reduce the amount of time auditors spend analysing large datasets, and help them to identify the highest risks for potential follow up audits. TCU has a number of other initiatives to improve the use of data analytics in government as well as its adoption by auditors, including trainings and projects as part of its innovation lab, the “Co-Participation Laboratory” (coLAB-i) (TCU, 2015g). Box 4.4 below describes another example of using data mining in the context of public procurement, with the additional benefit of developing an index that could produce comparative data on risks.
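As an added illustration (written for this chapter, not TCU’s own tool or code), the first-digit test described above in Python, run on two constructed price lists: one that follows Benford’s Law and one crowded into a narrow band. The chi-square cut-off, the 5-point flagging margin and the sample prices are assumptions used here.

```python
import math
from collections import Counter

# Benford's expected first-digit proportions: P(d) = log10(1 + 1/d), d = 1..9
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% level (assumed cut-off)
CHI2_CRITICAL_DF8_95 = 15.507


def first_digit(value):
    """Return the leading non-zero digit of a number, or None for zero."""
    if value == 0:
        return None
    # Scientific notation always places the leading non-zero digit first
    return int(f"{abs(value):e}"[0])


def benford_test(values, flag_margin=0.05):
    """First-digit test of a list of amounts against Benford's Law.

    Returns observed counts and proportions, the chi-square statistic,
    the mean absolute deviation (MAD) from Benford, and the digits whose
    observed share exceeds the Benford share by more than flag_margin.
    """
    digits = [d for d in (first_digit(v) for v in values) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    chi2 = sum(
        (counts.get(d, 0) - n * BENFORD_EXPECTED[d]) ** 2 / (n * BENFORD_EXPECTED[d])
        for d in range(1, 10)
    )
    mad = sum(abs(observed[d] - BENFORD_EXPECTED[d]) for d in range(1, 10)) / 9
    flagged = [d for d in range(1, 10) if observed[d] - BENFORD_EXPECTED[d] > flag_margin]
    return {
        "n": n,
        "counts": dict(counts),
        "observed": observed,
        "chi2": chi2,
        "mad": mad,
        "conforms": chi2 < CHI2_CRITICAL_DF8_95,
        "flagged_digits": flagged,
    }


def items_with_leading_digit(items, digit):
    """Select (description, unit price) items whose price starts with `digit`,
    so an auditor can pull the over-represented subset for review first."""
    return [item for item in items if first_digit(item[1]) == digit]


# Constructed sample 1: a geometric series spanning several orders of magnitude,
# which is known to follow Benford's Law closely (stand-in for a "natural" budget).
NATURAL_PRICES = [1.05 ** k for k in range(1, 301)]

# Constructed sample 2: 200 unit prices crowded into the band 500 to 1 893,
# the kind of pattern a hand-adjusted price list can produce.
BANDED_PRICES = [500 + 7 * k for k in range(200)]

if __name__ == "__main__":
    for name, sample in (("natural", NATURAL_PRICES), ("banded", BANDED_PRICES)):
        r = benford_test(sample)
        print(f"{name}: n={r['n']} chi2={r['chi2']:.1f} MAD={r['mad']:.4f} "
              f"conforms={r['conforms']} flagged digits={r['flagged_digits']}")
```

A flagged digit is only a pointer to where to look; the items selected by that digit still need the line-by-line price analysis the review describes.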

Box 4.4. Data mining to identify corruption in public procurement in the European Union

In recent years, a team of sociologists developed a new system to identify potential corruption in public procurement in Europe. The research team developed a “Corruption Risk Index” (CRI) that could mine available information related to public procurements to identify potential corruption issues. To develop the CRI, the lead researcher spoke with experts on public procurement to identify 13 “red flags” that could indicate corruption in an individual contract or tender. Among others, these red flags included very short tender periods (e.g., a tender issued on a Friday and awarded the following Monday), very specific or suspiciously complex tenders compared with others in the field, tender modifications leading to bigger contracts, inaccessible tender documents, and very few bidders in highly competitive markets. The flags were then weighted to determine a risk ranking for each contractor or firm. In a proof-of-concept conducted using data from Hungary, Slovakia, and the Czech Republic, the research team found that firms with a higher CRI score made more money than firms with lower CRIs, and were also more likely to have politicians involved as either managers or owners and to be registered in tax havens.

Source: Research Center Budapest (2014), http://mihalyfazekas.eu/wp-content/uploads/2015/08/Fazekas-Toth_State_capture_PP_2014Nov.pdf

In addition to data mining, a number of other techniques can be used to apply data analytics in the area of integrity. Data-analytic techniques allow entities to analyse large volumes of transactions or other data more effectively and efficiently than with manual techniques. For example, as shown above, data-mining tools can facilitate comparisons; matching datasets can speed up and improve the accuracy of investigative results; and predictive modelling, as well as data visualisation, can help to identify complex patterns in large datasets and so identify fraudulent transactions (UN-INTOSAI 2013). In addition, data analytics can be used to test the effectiveness of internal controls. For example, the Office of the Auditor General of Western Australia recommends that agencies consider the use of data analytics to identify fraud or errors after a new system or process has been implemented, or after key controls have been modified, as the identification of such issues can highlight gaps in the new or revised controls (Western Australia OAG 2016).

Detailing the leading practices for implementing the varied techniques is beyond the scope of this report; however, TCU could further support the executive branch in its use of data analytics through additional guidance and audits, focusing on both the process of using data analytics for integrity (as well as in other contexts) and leading practices related to specific techniques. With regards to the former, the steps described below (as well as Figure 4.6) for implementing data analytics for integrity purposes could help guide TCU’s work. The steps are applicable both to auditors using data analytics for their reviews, as well as managers within government who are responsible for preventing and detecting potentially fraudulent or irregular behaviour.

Figure 4.6. Steps for Implementing Data Analytics for Integrity Purposes [figure not reproduced; the steps are those described under the headings below]

Source: OECD Secretariat

Define analytics objectives and identify fraud indicators

The first step in implementing data analytics for integrity purposes is to determine the objective. As a good practice, conducting a risk assessment can help the analytics team understand the areas in which fraud, corruption, or other integrity risks are most likely to occur, which can help focus the analysis. After defining the objective, the analytics team could identify the fraud or corruption indicators or “red flags” they plan to identify with the data-analytics test. When identifying fraud indicators, the analytics team could consider experience, typical business rule limits, and common fraud schemes (EY 2014). Understanding rules, processes and ‘normal’ behaviour, before implementing analytics tests, can help reduce false positives.

Identify data needs and sources

The next step is to identify the data that will be needed to identify the fraud or corruption indicators defined in the first step, as well as to identify the sources of that data. This may include data that exist within the entity, data from other government agencies, or data from external, non-government entities. The specific data needed to conduct the analysis will depend on the analytics objectives and the specific indicators the analytics tests will be used to identify.

Obtain data

The next step is to obtain the data necessary to conduct the analysis. As previously noted, the amount of time spent on this step may vary considerably depending on whether the data are available in-house or need to be obtained from external entities.

Obtain an understanding of the data

The next step is to obtain an understanding of the data. As previously noted, some understanding of the data is necessary in order to develop a formal data request; thus, this step may occur in conjunction with the prior step.

One good practice to assist the analytics team in obtaining an understanding of the data is to obtain the data dictionary, if one is available. Data dictionaries explain each field within the data and, as such, are a main source of information for data analysts (Auditor General of South Africa 2016). Data dictionaries are particularly useful when the data analysis involves combining data from different sources. In particular, data dictionaries help ensure everyone is using the same definition (GAO 2013) and help data analysts understand when different terms are used for the same thing or when the same term has different meanings across government entities or programmes (Henderson and Hammersburg 2013).

Another good practice is to work with both system owners and information-technology experts to obtain an understanding of the data. System owners can provide information on how transactions are processed in the system and information-technology experts, particularly the database administrator, can provide technical information such as the rules of the system (Auditor General of South Africa 2016).

Assess the reliability of the data and prepare data for analytics

The next step is to assess the reliability and integrity of the data and to take steps as necessary to clean the data to ensure that it can be used in the analysis. This may include converting the data to a format suitable for analysis (EY 2014). In its “Guide to Data Mining as a Tool in Fraud Investigation,” the Supreme Audit Institution of South Africa notes that data analysts can use one or more of the following data-validation tests to verify the integrity and completeness of the data provided (Auditor General of South Africa 2016):

  • Verify the data types against the record layout and data dictionary (for example, text fields contain text)

  • Confirm the record count with the control totals received

  • Confirm the hash totals of numeric fields with the control totals received

  • Identify missing data (for example, blank fields or gaps in sequences)

  • Check for duplicate data and confirm whether any duplicates identified are false positives

  • Reconcile the data to accounting records

  • Perform reasonability tests (for example, calculate the number of transactions per month and determine if the number is near the number that would reasonably be expected in a month)

  • Perform period testing to determine if the data cover the requested period

Any discrepancies identified should be addressed before performing the analysis, which may include re-requesting the data (Auditor General of South Africa 2016). Care should be taken at this step to understand and assess any discrepancies or outliers identified as a result of data validation tests or data cleaning procedures as outliers or anomalies may be indicative of fraud or corruption.
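The validation tests listed above, implemented in Python as an added example (not the Auditor General of South Africa’s tool or this report’s code) over a constructed extract and constructed control totals. The reconciliation to accounting records is left out because it needs the ledger; the 50% reasonability tolerance is an assumption.

```python
from collections import Counter
from datetime import date

# Constructed extract "received" from a system owner (not real data); every defect is deliberate.
RECEIVED = [
    {"id": 1001, "date": "2016-01-04", "vendor": "ALFA", "amount": 1250.00},
    {"id": 1002, "date": "2016-01-11", "vendor": "BETA", "amount": 980.50},
    {"id": 1003, "date": "2016-02-02", "vendor": "", "amount": 4300.00},     # blank vendor
    {"id": 1005, "date": "2016-02-15", "vendor": "GAMA", "amount": 77.25},   # id 1004 never arrives
    {"id": 1005, "date": "2016-02-15", "vendor": "GAMA", "amount": 77.25},   # exact duplicate row
    {"id": 1006, "date": "2016-03-01", "vendor": "DELTA", "amount": "n/a"},  # text in a numeric field
]

# Constructed control totals that the data owner supplies alongside the extract.
CONTROL = {
    "record_count": 7,
    "hash_total_amount": 7010.25,
    "period_start": "2016-01-01",
    "period_end": "2016-04-30",
    "expected_per_month": 2,
}


def parse_amount(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def months_between(start, end):
    """Yield 'YYYY-MM' for every calendar month from start to end inclusive."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield f"{y:04d}-{m:02d}"
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def validate_extract(records, control):
    """Run the validation tests; return (test, record_id, detail) findings, empty if clean."""
    findings = []
    # 1. Data types against the record layout: numeric amounts, ISO dates
    parsed_amounts, parsed_dates = [], []
    for r in records:
        a = parse_amount(r["amount"])
        if a is None:
            findings.append(("type", r["id"], f"amount {r['amount']!r} is not numeric"))
        parsed_amounts.append(a)
        try:
            parsed_dates.append(date.fromisoformat(r["date"]))
        except ValueError:
            findings.append(("type", r["id"], f"date {r['date']!r} is not ISO 8601"))
            parsed_dates.append(None)
    # 2. Record count against the control total
    if len(records) != control["record_count"]:
        findings.append(("count", None,
                         f"received {len(records)} rows, control total {control['record_count']}"))
    # 3. Hash total of the numeric field against the control total
    total = round(sum(a for a in parsed_amounts if a is not None), 2)
    if abs(total - control["hash_total_amount"]) >= 0.005:
        findings.append(("hash_total", None,
                         f"amounts sum to {total:.2f}, control total {control['hash_total_amount']:.2f}"))
    # 4. Missing data: blank fields and gaps in the id sequence
    for r in records:
        for field, value in r.items():
            if value in ("", None):
                findings.append(("blank", r["id"], field))
    ids = sorted({r["id"] for r in records})
    for missing in sorted(set(range(ids[0], ids[-1] + 1)) - set(ids)):
        findings.append(("gap", missing, "id absent from sequence"))
    # 5. Duplicates: exact row repeats (a reviewer then confirms whether they are genuine)
    for row, n in Counter(tuple(sorted(r.items())) for r in records).items():
        if n > 1:
            findings.append(("duplicate", dict(row)["id"], f"{n} identical rows"))
    # 7. Reasonability: transactions per month against the expected volume
    start = date.fromisoformat(control["period_start"])
    end = date.fromisoformat(control["period_end"])
    months = list(months_between(start, end))
    per_month = Counter(r["date"][:7] for r in records)
    expected = control["expected_per_month"]
    for month in months:
        n = per_month.get(month, 0)
        if abs(n - expected) / expected > 0.5:
            findings.append(("reasonability", None, f"{month}: {n} transactions, expected about {expected}"))
    # 8. Period testing: nothing outside the requested window, and data reach both ends of it
    outside = [r["id"] for r, d in zip(records, parsed_dates) if d and not (start <= d <= end)]
    if outside:
        findings.append(("period", None, f"records outside requested period: {outside}"))
    covered = [m for m in months if per_month.get(m)]
    if not covered or covered[0] != months[0] or covered[-1] != months[-1]:
        findings.append(("period", None,
                         f"data cover {covered[0] if covered else 'nothing'} to "
                         f"{covered[-1] if covered else 'nothing'}, requested {months[0]} to {months[-1]}"))
    return findings


if __name__ == "__main__":
    for test, rec, detail in validate_extract(RECEIVED, CONTROL):
        print(f"{test:13} {rec if rec is not None else '-':>6}  {detail}")
```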

Develop an analysis plan, including specific analytics tests

The next step is to develop an analysis plan that describes the data to be analysed, the specific analytics tests that will be performed, and the frequency with which the analytics will be performed. When using data analytics for integrity purposes, particularly for fraud detection and testing the effectiveness of internal controls, public-sector entities should:

  • Analyse all relevant data: Public-sector entities should apply analytics tests to the full data population. Random sampling is useful for identifying problems that occur relatively consistently throughout data populations. However, as fraudulent transactions do not occur randomly, sampling may not be sufficient to identify fraud (ACL 2013). The INTOSAI Working Group on IT Audit notes that, by using data-analytics tools, auditors can look at all data, which makes it possible to spot connections and details that may be difficult to notice as the amount of information increases. By analysing all data, the auditor can identify anomalies or high-risk areas for further review (INTOSAI 2015).

  • Design data-analytics tests based on the identified fraud indicators: The analytics team should translate the specific indicators of fraud or corruption identified at the beginning of the analysis into specific analytical procedures.

  • Determine whether the analysis will be conducted on an ad hoc, repetitive, or continuous basis: Data-analytics tests can be applied ad hoc or can be applied on a repetitive or continuous basis, and the frequency with which to run data-analytics tests depends on the purpose for which analytics are being used. For example, data-analytics tests can be applied on an ad hoc basis to identify potential issues that may indicate opportunities exist for fraud to occur (ACL 2013). This approach may be sufficient for an auditor using data analytics to test the effectiveness of an agency’s internal controls. However, programme managers using data analytics to maintain programme integrity should automate data-analytics tests to monitor for fraud indicators on a continuous, real-time basis, if possible (GAO 2015). If data-analytics tests cannot be automated to occur on a continuous basis, such as when data can only be obtained periodically, performing data-analytics tests on a regular, periodic basis can still be informative. For example, implementing data-analytics tests during monthly transaction cycles can help ensure that risks are being mitigated throughout the year, rather than on an annual basis (Mazur 2015).
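An added example, written for this chapter rather than taken from the research team in Box 4.4 or from this report: it translates four of the red flags named in Box 4.4 into analytics tests over constructed tender records, as the second bullet above asks, and aggregates them into a per-firm index. The weights, thresholds, firms, dates and values are all assumptions; the actual CRI uses 13 flags and weights that the page does not reproduce.

```python
from collections import defaultdict
from datetime import date

# Hypothetical weights for four of the Box 4.4 red flags (not the CRI's real weights).
FLAG_WEIGHTS = {
    "short_tender_period": 0.3,
    "few_bidders_in_competitive_market": 0.3,
    "contract_grew_through_modification": 0.2,
    "documents_inaccessible": 0.2,
}
SHORT_PERIOD_DAYS = 7            # assumed: published-to-award within a week is "very short"
COMPETITIVE_MARKET_BIDDERS = 5   # assumed: a market that normally draws 5+ bidders is competitive
MODIFICATION_GROWTH = 0.10       # assumed: final value more than 10% above the award


def tender_flags(t):
    """Return the red flags raised by one tender record."""
    flags = []
    period = (date.fromisoformat(t["awarded"]) - date.fromisoformat(t["published"])).days
    if period <= SHORT_PERIOD_DAYS:
        flags.append("short_tender_period")
    if t["bidders"] <= 1 and t["typical_bidders"] >= COMPETITIVE_MARKET_BIDDERS:
        flags.append("few_bidders_in_competitive_market")
    if t["final_value"] > t["award_value"] * (1 + MODIFICATION_GROWTH):
        flags.append("contract_grew_through_modification")
    if not t["documents_accessible"]:
        flags.append("documents_inaccessible")
    return flags


def tender_score(t):
    """Weighted share of flags raised, scaled to 0..1."""
    raised = tender_flags(t)
    return round(sum(FLAG_WEIGHTS[f] for f in raised) / sum(FLAG_WEIGHTS.values()), 4)


def firm_index(tenders):
    """Average tender score per winning firm: the firm-level view Box 4.4 describes."""
    scores = defaultdict(list)
    for t in tenders:
        scores[t["winner"]].append(tender_score(t))
    return {firm: round(sum(s) / len(s), 4) for firm, s in scores.items()}


def rank_firms(tenders):
    """Firms ordered from highest to lowest index, ties broken by name."""
    return sorted(firm_index(tenders).items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed tender records with hypothetical firms; T1 is the Friday-to-Monday case.
TENDERS = [
    {"id": "T1", "published": "2015-03-06", "awarded": "2015-03-09", "bidders": 1, "typical_bidders": 6,
     "award_value": 100000, "final_value": 140000, "documents_accessible": False, "winner": "Firm A"},
    {"id": "T2", "published": "2015-04-01", "awarded": "2015-05-15", "bidders": 5, "typical_bidders": 6,
     "award_value": 80000, "final_value": 80000, "documents_accessible": True, "winner": "Firm B"},
    {"id": "T3", "published": "2015-06-01", "awarded": "2015-06-05", "bidders": 1, "typical_bidders": 2,
     "award_value": 20000, "final_value": 20000, "documents_accessible": True, "winner": "Firm C"},
    {"id": "T4", "published": "2015-07-01", "awarded": "2015-08-01", "bidders": 4, "typical_bidders": 6,
     "award_value": 50000, "final_value": 65000, "documents_accessible": True, "winner": "Firm A"},
]

if __name__ == "__main__":
    for t in TENDERS:
        print(t["id"], t["winner"], tender_score(t), tender_flags(t))
    print(rank_firms(TENDERS))
```

A high index is a prompt for review, not a finding: each flag on a ranked firm still needs the explanation step described under “Review the results”.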

Perform the analysis

At this stage, the analytics team implements the analysis plan to perform the analysis.

Review the results

After performing the analysis, the analytics team reviews the results. Data-analytics tests cannot confirm fraud; rather, such tests identify the existence of indicators that then need to be reviewed. Analysts can review the results and determine whether there is a logical explanation for why specific indicators were identified or if there are signs of fraudulent activity (GAO 2013). As reviewing results can be time consuming, taking time at the beginning of the analytics process to obtain a strong understanding of the process can help the analytics team develop more refined analytics tests that may produce fewer false positives.

Communicate the results

Once analytics tests have been implemented and the results have been reviewed, the analytics team communicates the results to relevant parties. When data analytics are used for identifying fraud or corruption, this may include providing information on potential fraudsters to law-enforcement entities for investigation. This may also include communicating information necessary to address control weaknesses or risks that managers may need to take steps to address. Good practices for communicating the results of analytics tests include understanding the needs of the audience and using data-visualization tools. Tailoring the output of data analytics to the intended audience can help ensure the results are usable, which helps ensure the overall success of the data-analytics initiative (GAO 2015). Data visualization tools, such as dashboards and maps, or even simple charts and figures, can illustrate areas of greater risks more clearly than spreadsheets, statistics, and lists of transactions. In addition, communicating the results to potential fraudsters can also be beneficial for reducing fraud and corruption, as described in the example in the box below (Box 4.5).

Box 4.5. USDA’s use of data analytics to reduce fraudulent crop insurance claims

The U.S. Department of Agriculture (USDA) experienced a dramatic drop in fraudulent claims for crop insurance after it implemented data-analytics approaches. The Federal Crop Insurance Corporation (FCIC), managed by the USDA’s Risk Management Agency, offers insurance to farmers and other agricultural entities for crop failures in the event of bad weather, as well as for revenue losses when commodity prices drop. USDA’s Crop Insurance Program Compliance and Integrity Data Warehouse used multiple datasets to prevent and detect potentially fraudulent claim payments, resulting in billions of dollars in savings. Specifically, USDA data analysts used 170 data sources, including terabytes of policy information, weather and satellite data, and millions of crop insurance policies across 3,200 counties, to cross-check potentially fraudulent claims against data from other sources, such as satellite images and weather records.

USDA’s response to atypical patterns involved both conventional activities (i.e. investigative approaches) and “soft” approaches, such as sending letters of inquiry to suspected fraudsters. The latter approach exemplifies the deterrent effect of communicating the results of data analytics. Following the letters, there was a dramatic drop in claims, indicating that program participants were now aware of USDA’s new ability to detect fraud or suspected fraudulent activity.

Source: Persons, Timothy, Chief Scientist of the U.S. Government Accountability Office (2016), Interview with TCU, Revista do TCU, Issue 135, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A25AC9F28A015ACE19A18D4354

The amount of time spent on each step may vary considerably depending on circumstances. For example, an institution with a centralized data warehouse that plans to analyse existing data owned and maintained within the institution may spend very little time obtaining the data needed for the analysis. On the other hand, an institution that needs access to data held by an external entity—such as another government agency—may need to spend considerable time and resources establishing processes and procedures to obtain the data. In Brazil, for instance, much of the procurement data involves government-wide databases and sources, such as the Integrated Federal Financial Administration System (Sistema Integrado de Administração Financeira do Governo Federal, SIAFI), the Integrated System of Administration of General Services (SIASG), and Comprasnet, Brazil’s central procurement website and e-procurement portal. TCU’s Logistics Procurement Secretariat (SELOG) incorporates data analytics into its audits, drawing on these systems. In this context, TCU’s audits and reviews based on data analytics can be applied to the numerous entities that provide input to and rely on these systems for their own work.

References

ACL (2013), Detecting and Preventing Fraud with Data Analytics, https://www.acl.com/pdfs/ACL_fraud_ebook.pdf

ASF (Office of the Auditor General of México, or Auditoría Superior de la Federación) (2015), “Technical Study for the Promotion of a Culture of Integrity in the Public Sector”, http://asf.gob.mx/uploads/180_Estudios/1173_Estudio_Tec_para_la_Promocion_de_la_Cultura_de_Integridad_en_el_Sec_Pub.pdf

ASF (2014), “Study about the Strategies for Combating Corruption in the Public Sector”, http://informe.asf.gob.mx/Documentos/Auditorias/2014_1642_a.pdf

Australian Attorney-General’s Department (2014), Commonwealth Fraud Control Framework, https://www.ag.gov.au/CrimeAndCorruption/FraudControl/Documents/CommonwealthFraudControlFramework2014.pdf

Auditor General of South Africa (2016), “Guide to Data Mining as a Tool in Fraud Investigation,” November 3, 2016, http://content.intosaicommunity.org/library/audit-of-information-technology/guidelines/75-data-mining/file

CGR (Comptroller General of the Republic of Peru, Contraloría General de la Republica) (2016), Directiva N°013-2016-CG/GPROD, Implementación del Sistema de Control Interno en las Entidades del Estado, http://doc.contraloria.gob.pe/Control-Interno/web/documentos/normativa/RC_N149-2016-CG.zip

CGU (Ministry of Transparency, Supervision and Control) (2016a), website, http://www.cgu.gov.br/ (accessed September 2016).

CGU (2016b), CCCI, http://www.cgu.gov.br/assuntos/auditoria-e-fiscalizacao/comissao-de-coordenacao-de-controle-interno-ccci/composicao

CGU (2015), Operational plan of decentralized actions for transparency and prevention of corruption, Second semester of 2015, http://www.cgu.gov.br/sobre/institucional/planejamento-estrategico/arquivos/plano-operacional-stpc-2015.pdf

COSO (2013), An Update of COSO’s Internal Control – Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, www.coso.org/documents/cosoicifoutreachdeck_05%2018%2012.pdf.

Länsiluoto, Aapo, Annukka Jokipii and Tomas Eklund (2016), “Internal control effectiveness – a clustering approach”, Managerial Auditing Journal, Vol. 31, Iss. 1, pp. 5-34, http://dx.doi.org/10.1108/MAJ-08-2013-0910

Ernst and Young (2014), “The Role of Data Analytics in Fraud Prevention,” http://www.ey.com/Publication/vwLUAssets/EY_-_Forensic_Data_Analytics/$FILE/EY-Data-Analytics-The-role-of-data-analytics-in-fraud-prevention.pdf

European Commission (2014), Compendium of the Public Internal Control Systems in the EU Member States, http://ec.europa.eu/budget/pic/lib/book/compendium/HTML/index.html, accessed 23 November 2015

European Court of Auditors (2012), Structural Funds: Did the Commission Successfully Deal with Deficiencies Identified in the Member State’s Management and Control Systems? Special Report No. 3 http://www.eca.europa.eu/Lists/ECADocuments/SR12_03/SR12_03_EN.PDF

Government Accountability Office (GAO) (2017), High-Risk Series: Progress on many high-risk areas, while substantial efforts needed on others (GAO-17-317), accessed February 2017, http://www.gao.gov/assets/690/682765.pdf

Government Accountability Office (GAO) (2015), A Framework for Managing Fraud Risk in Federal Programs (GAO-15-593SP), accessed March 2017, http://www.gao.gov/assets/680/671664.pdf

Government Accountability Office (GAO)(2013), “Data Analytics for Oversight and Law Enforcement.” Washington, D.C., July 15, 2013. www.gao.gov/products/GAO-13-680SP

Government Accountability Office (GAO) (2000), Determining Performance and Accountability Challenges and High Risks (GAO-01-159SP), accessed February 2017, http://www.gao.gov/assets/210/200448.pdf

Government of Brazil, Provision N° 726, of 12 May, 2016, http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2016/Mpv/mpv726.htm

Henderson, Greg, and Carl Hammersburg (2013), “An Enterprise Approach to Fraud Prevention and Detection in Government Programs.” SAS. Accessed December 16, 2016. http://www.sas.com/en_us/whitepapers/enterprise-approach-fraud-detection-prevention-government-106136.html.

Hayes, John (2014), The Theory and Practice of Change Management, Palgrave Macmillan, United Kingdom

IIA (Institute of Internal Auditors) (2015), Three Lines of Defence Model, Assurance Maps presentation-PIC EU-28 Conference 2015, http://slideplayer.com/slide/10129777/

Institute of Internal Auditors (IIA) (2013), IIA Position Paper – Three Lines of Defense in Effective Risk Management and Control, The Institute of Internal Auditors, Altamonte Springs, www.theiia.org/goto/3Lines

Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners (2013a), Managing the Business Risk of Fraud: A Practical Guide https://www.acfe.com/uploadedFiles/ACFE_Website/Content/documents/managing-business-risk.pdf

Institute of Internal Auditors (IIA) (2009), Global Technology Audit Guide (GTAG) 13: Fraud Prevention and Detection in an Automated World, https://chapters.theiia.org/montreal/ChapterDocuments/GTAG%2013%20-%20Fraud%20Prevention%20and%20Detection%20in%20a%20Automated%20World.pdf

International Organisation for Standardisation (ISO) (2009), ISO 31000 – Risk Management, http://www.iso.org/iso/home/standards/iso31000.htm

INTOSAI Working Group on IT Audit (2015), “Big Data Management and Data Analytics,” June 2015. http://www.intosaiitaudit.org/working_group_paper_lists/20.

Kotter, J. (2014), Accelerate, https://www.kotterinternational.com/8-steps-process-for-leading-change/

KPMG (2015), “How Big Data Affects Auditing,”

Mazur, Edward J (2015), “Data Analytics-a Tool for Building Trust in Government.” The Journal of Government Financial Management, July 2015.

MP (Ministry of Planning, Development and Management) (2016a), Bimonthly reports and reports issued every quarter, accessed online, September 2016, http://www.planejamento.gov.br/assuntos/orcamento/informacoes-orcamentarias/rel-de-avaliacao-fiscal-e-cumprimento-de-meta/relatorios-de-avaliacao-fiscal-e-cumprimento-de

MP (2016b), Government Establishes Committee to Monitor and Evaluate Public Policies, http://www.planejamento.gov.br/noticias/governo-institui-comite-para-monitorar-e-avaliar-politicas-publicas

MP (2016c), Interministerial Committee Discusses Evaluation of Public Policies, http://www.planejamento.gov.br/noticias/comite-interministerial-discute-politicas-publicas-e-avalia-efetividade-de-acoes

MP (2016e), National Press (Imprensa Nacional), Ministry of Planning, Development and Management, “Ministério do Planejamento, Orçamento e Gestão” (now Ministério do Planejamento, Desenvolvimento e Gestão), http://pesquisa.in.gov.br/imprensa/jsp/visualiza/index.jsp?data=08/04/2016&jornal=1&pagina=79&totalArquivos=204

MP/CGU (2016), Joint Normative Instructions MP/CGU No 01, http://www.cgu.gov.br/sobre/legislacao/arquivos/instrucoes-normativas/in_cgu_mpog_01_2016.pdf (accessed September 2016)

NAO (National Audit Office) (2011), Auditing Behaviour Change, accessed February 2017, https://www.nao.org.uk/wp-content/uploads/2011/09/NAO_Auditing_Behaviour_Change.pdf

NCA (Netherlands Court of Audit) (2011), Financial risks to the Netherlands, www.courtofaudit.nl/english/Publications/Audits/Introductions/2013/09/Financial_risks_to_the_Netherlands_of_international_guarantees

NCA (2011), Risks to Public Finances, www.courtofaudit.nl/english/Publications/Audits/Introductions/2012/06/Risks_to_public_finances

NCA (2011), Spending Cuts Monitoring, www.courtofaudit.nl/english/Publications/Audits/Introductions/2011/05/Spending_Cuts_Monitor_2011

OAG (Office of the Auditor General of Canada), Chapter 1, Financial Management and Control and Risk Management, http://www.oag-bvg.gc.ca/internet/English/parl_oag_201106_01_e_35369.html

OECD (2017a), Mexico’s National Auditing System: Strengthening Accountable Governance, OECD Public Governance Reviews, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264264748-en

OECD (2017b), “Observatory of Public Sector Innovation: Working with Change: Systems Approaches to Governance” Conference agenda, 28 February, 2017, Paris.

OECD (2016a), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Public Governance Reviews, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264263871-en

OECD (2016b), Better Policies for Sustainable Development 2016: A New Framework for Policy Coherence, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264256996-en

OECD (2016), Recommendation of the Council on Public Integrity (forthcoming)

OECD (2014a) ‘Centre Stage: Driving Better Policies from the Centre of Government’ OECD Publishing, Paris, https://www.oecd.org/gov/Centre-Stage-Report.pdf

OECD (2013), Brazil’s Supreme Audit Institution: The Audit of the Consolidated Year-end Government Report, OECD Public Governance Reviews, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264188112-en

Olivieri, C. et al, (2015), Public Management Performance in Brazil: Challenges for Co-ordination. http://dx.doi.org/10.5539/ibr.v8n8p181

Paton, Robert A and James McCalman, (2008), Change Management: A Guide to Effective Implementation, Third Edition, SAGE Publications, London

Persons, Timothy, Chief Scientist of the U.S. Government Accountability Office (2016), Interview with TCU, Revista do TCU, Issue 135, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A25AC9F28A015ACE19A18D4354

Stoop, P. (2016), Concepts for facilitating and managing change: challenges in institutional and organisational development, with respect to the processes of regionalisation of a Supreme Audit Institution, presentation, Rabat, 2016, not available.

TCU (Tribunal de Contas da União) (2017), PORTARIA-SEGECEX Nº 5 DE 7 DE MARÇO DE 2017 [Department of Institutional Relations for Control on Fight Against Fraud and Corruption], Brasilia.

TCU (2015a), Strategic Plan of Brazil’s Federal Court of Accounts, 2015-2021 (Plano Estratégico do Tribunal de Contas da União para o período 2015-2021) PORTARIA-TCU Nº 141, DE 1º DE ABRIL DE 2015, Brasilia, http://portal.tcu.gov.br/tcu/paginas/planejamento/2021/index.html.

TCU (2015b), External Control Plan of Brazil’s Federal Court of Accounts (Plano de Controle Externo do Tribunal de Contas da União), April 2015, Brasilia, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A153234E0A01535D1006D60567.

TCU (2015d), Survey of Public governance, Summary, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A14F613FB5014F6B5206735279.

TCU (2015e), TCU Judgement 0548/2015, Acordo TC-020.137/2014-1 – Plenary, Performance Audit http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20150320/AC_0548_09_15_P.doc

TCU (2015f), Evaluation of risk management maturity of Electrosul, TCU 605/2015, Acordo TC-019.140/2014-2, http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20150330/AC_0605_10_15_P.doc

TCU (2015g), Innovation at the Service of Control, Annual Report 2015, https://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A25A4C7F07015A4D5527C25DAC

TCU (2014a), Survey of Risk Management in Public Governance, Gestão De Riscos Levantamento De Governança Pública, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A24E08D405014E0D42E95B3708

TCU (2014b), Framework to Assess Governance in Public Policies, TCU Publishing, Brasilia, http://portal2.tcu.gov.br/portal/pls/portal/docs/2686056.PDF

TCU (2014c), Evaluation of internal controls of Roraima’s municipalities, TCU Judgement 568/2014 – Plenary, Survey report. http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20140314/AC_0568_07_14_P.doc

TCU (2014d), Evaluation of units of internal control and internal audit, (Acordao TCU 821/2014) http://www.psc-intosai.org/media/16694/tcu_performance_audit_manual.pdf;plenario:acordao:2014-04-02;821

TCU (2014e), Audit of risk management of Secretariat of Ports, Judgement 735/2014 – Plenary, Acordo TC 009.504/2013-3, Performance audit, http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20140402/AC_0735_09_14_P.doc

TCU (2014f), TCU’s Basic Governance Reference Guide for Public Sector Organizations, 2nd version, accessed February 2017, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A253234F6C015333B3DE131B3F

TCU (2014g), Benford’s Law and Public Works Audit: an analysis of overpricing in the Maracanã remodelling, Revista do TCU, Issue 131, http://revista.tcu.gov.br/ojs/index.php/RTCU/article/viewFile/63/327

TCU (2013a), Measuring the degree of maturity of public entities in the management of risks, TC 011.745/2012-6, Relatório, Voto e Acórdão 2467/2013 - TCU/Plenário, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?inline=1&fileId=8A8182A14D92792C014D928003212A5A

TCU (2013b), Survey on the governance system focused on implementation of public policies, https://contas.tcu.gov.br/etcu/AcompanharProcesso?p1=17064&p2=2013&p3=9

TCU (2013c), Audit of internal controls of university hospitals procurement, http://www.lexml.gov.br/urn/urn:lex:br:tribunal.contas.uniao;plenario:acordao:2013-06-26;1610

TCU (2009a), Survey report. Search for information about the performance of the internal control bodies of the three branches: executive, legislative and judicial, http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/Acord/20090521/025-818-2008-4-AUD-WDO.rtf

TCU (2009b), Survey report, General Criteria for Internal Control in Public Administration A study of disciplinary models and norms in various countries, http://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A15A4C80AD015A4D5CA9965C37

TdC (Tribunal de Contas de Portugal) (2011), The internal audit function in the State Owned Enterprises, www.tcontas.pt/en/reports/audit_report_08-2011-2s_abstract.pdf

United Nations and the International Organisation of Supreme Audit Institutions (UN-INTOSAI) (2013), A UN-INTOSAI Joint Project: Collection of Important Literature on Strengthening Capacities of Supreme Audit Institutions on the Fight against Corruption, http://www.intosai.org/fileadmin/downloads/downloads/4_documaents/publications/eng_publications/E_UN_INTOSAI_Joint_Project.pdf

Veteran Affairs Canada (2014), Audit of Overpayments, http://www.veterans.gc.ca/pdf/deptReports/2014-audit-of-overpayments.pdf

Western Australia Office of the Auditor General (2016), “Audit of Payroll and Other Expenditure Using Data Analytic Procedures,” May 6, 2016, https://audit.wa.gov.au/wpcontent/uploads/2016/05/report2016_06-DataAnalytics.pdf.

Notes

1. Article 74 of Brazil’s Federal Constitution of 1988 outlines requirements for the system of internal control. The Legislative, Executive and Judicial Powers shall maintain an integrated system of internal control for the purpose of: i) evaluating the attainment of the goals established in the Multi-annual Plan (plano plurianual, PPA), the implementation of government programmes and of the budgets of the Union; ii) verifying the lawfulness and evaluating the results, as to effectiveness and efficiency, of the budgetary, financial and property management in the agencies and entities of the federal administration, as well as the use of public funds by private legal entities; iii) exercising control over credit transactions, collateral signatures and guarantees, as well as over the rights and assets of the Union; iv) supporting external control in the exercise of its institutional mission. Paragraph 1. The persons responsible for internal control shall, upon learning of any irregularity or illegality, inform the Federal Audit Court about it, subject to joint liability. Paragraph 2. Any citizen, political party, association or labour union has standing under the law to denounce irregularities or illegalities to the Federal Court of Accounts.

2. Other benefits that accrue through internal control include oversight and evaluation of operations, which are discussed in further detail in Chapter 4.

3. See Decree 8.109/2013.

4. On 12 May 2016, the former Office of the Comptroller General of the Union (CGU) became the Ministry of Transparency, Supervision and Control, as per Provision N° 726 of 12 May 2016 (Government of Brazil, 2016). The CGU was established to support the President in protecting government property and increasing the transparency of management by means of internal controls and public audit, preventing and fighting corruption, and acting as ombudsman (CGU, 2016a).