Chapter 4. Strengthening Coahuila’s internal control and risk management framework

This chapter discusses how Coahuila could strengthen its internal control and risk management framework to better safeguard integrity in public sector organisations and enable effective accountability. It highlights the value of ensuring a strategic approach to risk management, which Coahuila could cultivate by encouraging implementation of the existing framework through guidance, training, and capacity building. The chapter also focuses on the role of the internal audit function in providing reasonable assurance over risk management and internal control processes, stressing the need to gradually establish internal control units in all ministries and to scale up professionalism and capacities to fulfil the investigative powers that the Ministry for Audit and Accountability (SEFIR) will undertake within the Local Anti-corruption System with respect to non-serious offences by public officials.



An effective internal control and risk management framework is essential in public sector organisations to safeguard integrity, improve accountability, and prevent corruption. This framework should include internal control measures, risk management, and internal audit and be designed to provide reasonable assurance about the achievement of the organisation’s objectives with regard to reliability of financial reporting, effectiveness, and efficiency of operations and compliance with applicable rules, regulations, and legislation.

Internal controls are the policies, structures, procedures, and processes that enable an organisation to identify and appropriately respond to risks, whether these are internal or external, and whether they are strategic, operational, financial, or compliance-related. Internal controls are checks and balances that are the responsibility of management and are carried out by staff as part of their everyday activities. An effective internal control and risk management framework helps an organisation comply with its mandate and any relevant legislation, safeguard its assets, and facilitate internal and external reporting. It also helps ensure greater accountability, better management, and increased cost-effectiveness, because controls help organisations to run more smoothly, reduce costs, avoid waste, hold officials to account for their actions, and report to the public and oversight institutions on the performance and value for money achieved.

While senior managers are primarily responsible for implementing internal controls and monitoring their effectiveness, all officials in a public organisation – from the most senior to the most junior – play a role in identifying risks and deficiencies and ensuring that internal controls address and mitigate these risks. Every staff member should be encouraged to contribute continually to the development of better systems and procedures that enhance the organisation’s integrity and its resistance to corruption.

A mature internal control and risk management framework needs to include a strategic approach to risk management that effectively identifies the likelihood of events occurring that may hamper the operations of an organisation and the achievement of its objectives and sets up adequate controls to mitigate them. Risk assessment plays a key role in the selection of appropriate internal control measures.

Internal audit is another key element of an internal control and risk management framework. Internal audit provides objective assurance that risk management and internal controls are functioning properly. An effective internal audit monitoring and assurance function ensures that internal control deficiencies are identified and communicated in a timely manner to those responsible for taking corrective action. The monitoring process involves establishing risk-based monitoring procedures, assessing and reporting results, and following up on corrective action where necessary.

In Coahuila, the Ministry for Audit and Accountability (Secretaría de Fiscalización y Rendición de Cuentas, or SEFIR) is the state-level entity, within the Executive, responsible for developing and overseeing policies, standards, and tools on internal control including risk management and internal audit functions in the state administration. Its activities are carried out within the framework governing the internal control system in Coahuila—the General Standard for Internal Control (Norma General de Control Interno)—which was published in August 2013. It is based on five standards set by the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control Integrated Framework (Figure 4.1).

Figure 4.1. Coahuila’s general standard for internal control

Source: SEFIR presentation, July 2016 (translation by OECD).

This chapter examines Coahuila’s internal control and risk management framework as defined by the COSO Internal Control Integrated Framework, focusing on areas where the implementation gap is most significant and emphasising the extent to which its risk management framework safeguards integrity in public sector organisations. The analysis is informed by internationally-recognised standards such as the COSO Internal Control Integrated Framework (COSO, 2013) and the INTOSAI Guidelines for Internal Control Standards for the Public Sector (INTOSAI, 2004), as well as by the OECD Recommendation on Public Integrity (OECD, 2017a), which calls on states to “ensure a strategic approach to risk management that includes assessing risks to public integrity, addressing control weaknesses (including building warning signals into critical processes), and building an efficient monitoring and quality assurance mechanism for the risk management system.”

Demonstrating high-level commitment to integrity objectives and risk management

The risk administration framework in Coahuila

Risk assessments are key to understanding risk exposure and allowing public organisations to reach informed risk management decisions. COSO defines entity risk management as “a process affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the entity, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). This broad definition may also be applied in the public sector, where the concept of operational risk management would encompass the systems, processes, procedures, and culture that facilitate the identification, assessment, evaluation, and treatment of risks in order to help public sector organisations successfully pursue their strategies and performance objectives (OECD, 2013).

Operational risk management begins with establishing the context and setting an organisation’s objectives and continues with the identification of events—related to both internal and external factors—that might have an impact on their achievement. Those events that may have a negative impact represent risks. Risk assessment is a three-step process that starts with risk identification and is followed by risk analysis, which includes developing an understanding of each risk, its consequences, the likelihood of those consequences occurring, and the risk’s severity. The third step is risk evaluation, which involves determining the tolerability of each risk and whether the risk should be accepted or treated. Risk treatment is the process of adjusting existing internal controls or developing and implementing new controls to bring a risk’s severity to a tolerable level (Figure 4.2).

Figure 4.2. Risk management cycle according to ISO 31000: 2009

Source: Adapted by OECD from ISO 31000: 2009; OECD (2013), OECD Integrity Review of Italy: Reinforcing Public Sector Integrity, Restoring Trust for Sustainable Growth, OECD Publishing, Paris,

The process of establishing the context and assessing and treating risk is linear, while communication and consultation, monitoring, and reviewing are continuous. Communication and consultation with internal and external stakeholders is, where practicable, a key step towards securing their input into the process and giving them ownership of the outputs of risk management. It is also important to understand stakeholders’ concerns about risk and risk management so that their involvement can be planned and their views taken into account in determining risk criteria. Finally, monitoring and reviewing support the identification of new risks and reassessment of existing ones that result from changes either in the organisation’s objectives or in the internal and external environment where they are pursued. This involves scanning for possible new risks and learning lessons about risks and controls from the analysis of successes and failures (OECD, 2013).

The risk management framework in Coahuila is outlined in the General Standard for Internal Control. Although all officials in the organisation are responsible for communicating and reporting risks, the framework assigns specific responsibilities to the following actors, who should follow minimum steps and requirements in line with the process described in Figure 4.3:

  • the head of the public entity (titular de dependencia/entidad) oversees compliance with the risk administration process

  • the internal control co-ordinator (coordinador de control interno) co-ordinates the risk administration process and communication between the head of the entity and the liaison officer for risk management

  • the liaison officer for risk management (enlace de administración de riesgos) links the internal control co-ordinator with all the administrative and operational areas of the organisation; supports the managers and the staff throughout the different steps of the process; reviews and analyses their inputs to elaborate risk administration-related documents; and follows up on the Programme of Work for Risk Management (Programa de Trabajo de Administración de Riesgos, PTAR), whose primary objective is to monitor and assess the execution of the mitigating strategies and controls aiming to address risks.

Figure 4.3. Coahuila’s risk administration framework

Source: SEFIR presentation, July 2016 (translation by OECD).

Coahuila could strengthen standards and policies in order to place greater emphasis on corruption and fraud as it relates to risk management and to clarify how and when to undertake risk assessments.

Developing a dedicated risk management framework for corruption and fraud risks is crucial in increasing awareness of those risks and in detecting and mitigating the different types of corruption that may take place within public entities. Such risks affect resource allocation and decision making. They also affect the integrity of public policies and the public’s trust in government.

Although 44% of the population think corruption is very frequent in state institutions in Coahuila (INEGI, 2015), there is currently no dedicated policy to manage fraud and corruption risks. In particular, the risk administration framework does not include a specific process for addressing these kinds of risks, which impairs the government’s ability to mitigate them.

Considering the adverse impact that corruption and fraud have on carrying out government policies and building public trust, SEFIR could gradually introduce specific guidance, processes, and responsibilities to address those risks in its standards and policies. In the short term, SEFIR could integrate the existing internal control and risk management framework with additional guidance and information on dealing with corruption risks. To do so, it could follow the model of the Independent Commission Against Corruption (ICAC) in the Australian state of New South Wales (Box 4.1).

Box 4.1. Corruption risk management guidance in New South Wales (Australia)

The Independent Commission Against Corruption (ICAC), established by the government of New South Wales in 1988, has among its functions the task of actively preventing corruption through advice and assistance. Through its website, it provides guidance and information to help identify the risks of corruption and to develop strategies to manage these risks effectively. This is considered “the first step in preventing corruption.” In particular, four topics are dealt with by the ICAC:

  • The risk management approach addresses the importance of risk management for preventing corruption and recognises the specificities of corruption risks compared to other risks.

  • Identifying corruption risks includes methods for identifying such risks such as using existing information/experience/skills and having recourse to external professionals or techniques.

  • Managing corruption risks illustrates treatment options and corruption risk plans.

  • Internal audit illustrates the role and options of internal auditors in assisting agencies with their corruption risk management process, also by means of a case study.

Source: ICAC website section on Corruption Risk Management, accessed 1 June 2017.

In the medium term, SEFIR could then consider aligning with the Standard Model of Internal Control adopted by the federal Ministry of Public Administration (Secretaría de Función Pública, or SFP) in 2016, which introduces for the first time a principle dedicated to managing corruption risks (Gestión de riesgos de corrupción) and illustrates specific methodologies, risk factors, and mitigation strategies to address them (Acuerdo por el que se emiten las Disposiciones y el Manual Administrativo de Aplicación General en Materia de Control Interno, MAAG-CI, November 2016). Lastly, as a long-term objective, SEFIR could consider adopting a set of dedicated procedures, standards, and tools to effectively prevent, detect, and respond to risks of fraud and corruption in the manner of the United States and Colombia (Box 4.2).

Box 4.2. Dedicated fraud and corruption risk management frameworks: the United States and Colombian examples

A. United States Government Accountability Office (GAO): A framework for managing fraud risks in federal programmes

The framework encompasses the control activities as well as structures and environmental factors that help managers to mitigate fraud risks. The framework consists of the following four components for effectively managing fraud risks:

  1. Commit: Demonstrate commitment to combating fraud by creating an organisational culture and structure conducive to fraud risk management.

  2. Assess: Plan regular fraud risk assessments and assess risks to define a fraud risk profile.

  3. Design and implement: Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.

  4. Evaluate and adapt: Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management.

In addition, the framework reflects activities related to monitoring and feedback mechanisms, which include ongoing practices that apply to all four concepts above.

B. Colombia: Guide for Corruption Risk Management

In Colombia, anti-corruption risk management became obligatory for all public entities in 2011 with Law 1474, the Anti-corruption Statute. Corruption risk identification and assessment started as an add-on exercise in 2012, promoted by the Transparency Secretariat (Secretaría de Transparencia, or ST). From the beginning the methodology was largely based on the existing internal control model (i.e. Modelo Estándar de Control Interno, or MECI). Taking stock of the experience of the latter exercise, a second version of the methodology was issued in 2015, highlighting the inherent characteristics of corruption risks versus the institutional risks of public organisations and aligning even better and more explicitly with the MECI. As a result, Colombian public organisations must develop two different risk maps following standardised procedures and templates.

A system with two separate risk management exercises based on the same methodological model has both positive and negative attributes. On the one hand, it may be seen as burdensome and bureaucratic, duplicating efforts and wasting valuable resources. On the other hand, this exercise could raise awareness among senior management and staff of the importance of having a sound anti-corruption policy with risk activities distinct from the mainstream financial control and risk activities.

The following figure depicts the Colombian methodology for corruption risk management:


Source: US GAO (2015), A Framework for Managing Fraud Risks in Federal Programs, Washington, GAO-15-593SP, and Colombia Transparency Secretariat (2015), Guía para la Gestión de Riesgo de Corrupción,

Coahuila could strengthen its “tone at the top” and its leadership’s commitment to integrity and effective control environment.

In order to manage fraud and corruption risks effectively, an additional fundamental step is to create an internal control environment where organisations demonstrate commitment to integrity, and where managers and senior public officials demonstrate the right tone at the top. Indeed, the “tone at the top” – which refers to entity-wide attitudes of integrity and control consciousness as exhibited by the most senior executives of an organisation (Association of Certified Fraud Examiners-ACFE, 2006) – is a crucial component in the promotion of ethics. In this context, although every public official has a role in creating and maintaining an internal control environment aligned with institutional objectives and values, including their adherence to integrity, managers are primarily responsible for modelling ethical behaviour and creating an environment that demonstrates the entity’s commitment to ethical values.

In Coahuila, interviews during the fact-finding mission indicated minimal commitment from senior managers to setting the tone needed to create a sustainable and functional control environment. This seems to be consistent with Coahuila’s existing General Standard for Internal Control, which only requires those responsible for the internal control’s strategic level to create, update, and disseminate Coahuila’s Codes of Ethics and Conduct and to design and implement the corresponding controls (Article 13(I)(b) and (c)).

However, as noted in Chapter 2, commendable initiatives aimed at raising awareness have been developed by SEFIR’s Deputy Ministry of Government Auditing and Administrative Development (Subsecretaría de Auditoría Gubernamental y Desarrollo Administrativo), which include:

  • posters with the values in each ministry and government entity

  • dissemination through the internal network: in SEFIR, for example, the value of the month is displayed on the computer screen

  • buttons with the slogan “With ethics and values, better public officials” (Con Ética y Valores, Funcionarios Mejores) for officials interacting directly with the public

  • banners with the values and principles as established in the code of conduct and ethics, which are set in visible places in each ministry and government entity

  • leaflets with specific information about the values and responsibilities of public officials

To improve its internal control environment, Coahuila could consider, as a starting point, revising its general standard in line with the Standard Model of Internal Control (Modelo Estándar de Control Interno) adopted by the SFP in 2015 and codifying the principle that “the organisation demonstrates a commitment to integrity and ethical values”, including the following subset of elements substantiating it:

  1. Sets the tone at the top: The board of directors and management at all levels of the entities demonstrate through their directives, actions, and behaviour the importance of integrity and ethical values to support the functioning of the system of internal control.

  2. Establishes standards of conduct: The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entities’ standards of conduct and understood at all levels of the organisations and by outsourced service providers and business partners.

  3. Evaluates adherence to standards of conduct: Processes are in place to evaluate the performance of individuals and teams against the entities’ expected standards of conduct.

  4. Addresses deviations in a timely manner: Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner (OECD, 2017b).

Furthermore, Coahuila could ensure that its control environment is part of planning, daily operations, and standard evaluation and monitoring processes. It could thus consider the measures compiled by the European Union to create an optimal anti-corruption control environment (Box 4.3).

Box 4.3. Key measures towards developing an environment non-conducive to corruption

  • all management plans, regardless of level, should reflect the organisation’s values and ethics

  • requiring an individual “ethical contract” or code of conduct to be signed between recruiter and recruit at the moment of first entry into service and periodical (e.g. annual) re-signing

  • dilemma training during which the organisation’s values are explained in very concrete situations (for all levels of the organisation, including management)

  • workshops on ethics and values including some especially for senior and middle management

  • HR procedures for hiring, evaluation and dismissal must reflect and openly support the organisation’s mission and values

  • the organisation’s values are included in function profiles and job descriptions

  • ethical clauses in procurement processes and in contracts with external suppliers

  • ethics co-ordinators with specific responsibilities to promote and enhance awareness of ethics

  • the key values of the organisation are publicly displayed

  • developing a process to report suspected violations of the organisation’s code of conduct

Source: Public Internal Control Systems in the European Union, Position Paper 2015.

Lastly, Coahuila could emphasise the value of role models and the tone at the top for promoting ethical behaviour among managers and could consider the following initiatives:

  • screening managers on traits favouring ethical behaviour and testing ethical compliance during management selection procedures

  • seminars and awareness campaigns on ethics and values for management both collectively and individually

  • self-assessment tools for managers (evaluation questionnaires) including ethical aspects

  • complete evaluations for senior managers as well as managers in high-risk positions (with evaluations including ethical aspects)

  • communicating concrete compliance actions, for example, high-ranking officials giving up gifts (OECD, 2017d)

Overcoming implementation gaps for improved risk management

SEFIR could help improve management ownership and awareness of the internal control system and risk management by developing awareness-raising activities on risk-based approaches and could also work to provide enhanced capacity-building initiatives, additional guidance, and training.

Many OECD member and partner countries face challenges in closing the implementation gap between their conceptual internal control and risk management frameworks and the actual internal control activities and risk management functions that need to take place on a daily basis. There are four basic stages of maturity towards achieving the integration of internal control and risk management processes into the organisation’s overall governance and management systems (Figure 4.4).

Figure 4.4. Maturity levels of integrating internal control and risk management

Source: OECD (2017d), Integrity Review of Colombia.

One of the major issues in linking internal control with the governance and management systems of public organisations is that politically-appointed personnel, public managers, and staff may not fully understand the added value of internal control in improving performance and achieving institutional objectives. Many do not appreciate that internal controls can help organisations to run more smoothly, reduce costs, and avoid waste, as well as to help hold officials to account for their actions and to report to the public and oversight institutions on the performance and value-for-money achieved (OECD, 2017d).

Public managers have key responsibilities in relation to establishing and maintaining sound internal control processes and activities. In particular, senior managers are primarily responsible for implementing internal controls and monitoring their effectiveness consistent with the three-lines-of-assurance model of the Institute of Internal Auditors (2013) (Table 4.1), which differentiates between the following three core functions:

  1. Management (First Line): Functions responsible for designing, developing, implementing, and executing controls, processes, and practices to deliver services and objectives and to drive intended results (i.e., outcomes). This line may also be referred to as “programme management” and is responsible for the effective and efficient management of the service delivery and the daily operations of the entity. Because oversight and independent assurance cannot compensate for weak management or control, these functions generally have the greatest influence on entity-wide risk management.

  2. Oversight (Second Line): Functions responsible for overseeing and monitoring line management and front desk activities. These groups may include (but are not limited to) functions responsible for financial control/oversight, privacy, security, risk management, quality assurance, integrity, and compliance. Oversight functions also inform decision makers with objective perspectives and expertise, and provide continuous monitoring to strengthen risk management.

  3. Internal Audit (Third Line): A professional, independent, and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control, and governance processes. Internal Audit may provide consulting, assurance, or a combination of both to inform key decisions and support good and accountable public governance.

Table 4.1. The three lines of assurance model

1st line of assurance – Operational level:

  • Own and manage the risks

  • Good policy and performance data

  • Monitoring statistics

  • Risk registers

2nd line of assurance – Independent from delivery units:

  • Compliance assessments or reviews

  • Programme and project management

  • Direct reporting line to senior management and the minister

3rd line of assurance – Independent internal audit function:

  • Assess and provide assurance over the effectiveness of the 1st and 2nd lines’ arrangements

  • Risk-based approach to addressing gaps or inefficiencies in the assurance system

Source: OECD (2017c), Integrity Review of Peru, OECD Publishing, Paris.

While the conceptual framework defined in the General Standard for Internal Control shows that a risk management strategy is developing in Coahuila, interviews during the fact-finding mission highlighted limitations in the implementation of corresponding processes and tools throughout the state. In particular, the OECD found that the internal control and risk management processes in Coahuila are still not part of the organisation’s overall management system, but are rather seen as a formal administrative exercise. As such, the processes add up to a number of administrative commitments rather than to a process to prevent risks and achieve objectives and value for money more effectively. Similarly, the risk management exercise is seen as the responsibility of a specific group of people who are separate from the operational units where real risks are present. This inhibits an entity’s ability to identify, address, and mitigate a range of risks that could threaten the achievement of the entity’s objectives.

In order to build greater ownership within Coahuila’s public administration over internal control and risk, the roles and responsibilities of managers in this context could be clarified. As a first step, SEFIR could release an official communication framing the content of managerial responsibility in line with the circular adopted by the United States Office of Management and Budget (Box 4.4).

Box 4.4. United States Office of Management and Budget (OMB) Circular A-123: Management’s responsibility for internal control

The circular states the office policy as:

  1. Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.

  2. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness.

  3. When assessing the effectiveness of internal control over financial reporting and compliance with financial laws and regulations, management must follow the OMB’s outlined assessment process.

  4. Annually, management must provide assurances on internal control in its Performance and Accountability Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.

The circular requires agencies and individual federal managers to take systematic and proactive measures to:

  • develop and implement appropriate, cost-effective internal control for results-oriented management

  • assess the adequacy of internal control in federal programmes and operations

  • separately assess and document internal control over financial reporting consistent with the process

  • identify needed improvements

  • take corresponding corrective action

  • report annually on internal control through management assurance statements

Source: OMB Circular A-123.

As a subsequent step and a longer-term objective, Coahuila could take into account the approach of the Belgian Public Federal Service of Budget and Management Control, which completely integrates the risk cycle and, by extension, the maintenance of the internal control system into the four phases of Deming’s management cycle (Plan – Do – Check – Act) (Box 4.5).

Box 4.5. Leveraging internal control over Deming’s management cycle

A public entity’s scope and activities are determined and influenced by factors such as:

  • political strategic goals

  • annual policy priorities

  • citizen expectations

  • resource limitations

The head of a public entity is accountable for managing available resources to meet stakeholders’ expectations in the most effective way. To this end, he or she is responsible for:

  • evaluating what was accomplished against what was planned

  • taking action to improve the situation

  • anticipating changes and possible new risks

Deming’s cycle illustrates the need to integrate internal control processes within the daily management operation.


The Belgian Public Federal Service for Budget and Management Control has adopted an approach that completely integrates the risk cycle and, by extension, the maintenance of the internal control system into the four phases of the management cycle (Plan – Do – Check – Act, cf. Deming), in twelve steps.

  • During the planning phase (Plan), the organisation defines periodic expectations concerning the services to be provided and the necessary resources. The measuring system, comprised of a set of indicators and reports, takes into account the results of the periodic monitoring.

  • The execution phase (Do) includes the “regular” activities of the organisation. During this phase, basic information is collected in order to be examined in the analysis phase. The management ensures the proper execution of activities and the adequate application of the measuring system.

  • During the analysis phase (Check), results obtained are assessed and discussed. This is one of the most important aspects of management control. In this stage, the internal control system begins to be updated based on the events that occurred during the execution phase. To this end, Management Support created an intuitive tool, Diabolo, which serves as a process sheet and contains a complete risk module. It facilitates the identification and assessment of risks. The control measures can then be evaluated, which reduces the organisation’s vulnerability to risks. Risk exposure is an indication of the possible need to deal with a priority risk.

  • During the reaction phase (Act), appropriate measures are developed so as to address a risk. Good support is required to ensure that the measures taken are properly implemented.

Policy-related risks have to be indicated separately because they are related to longer-term objectives in the management plan or the governmental agreement. Their monitoring requires a lower frequency than the monitoring of management risks. They can be estimated during the planning phase by means of a SWOT (strengths, weaknesses, opportunities, and threats) analysis, with a view to possible strategic or operational rectifications. Periodic reporting from the management cycle provides a valuable contribution in this case.

Source: Public Internal Control Systems in the European Union, and Practical Guide for the Development and Maintenance of an Internal Control System by the Belgian Public Federal Service for Budget and Management Control.

In addition, since internal control is an “integral process effected by the entity’s management and personnel” (EU Commission, 2015), Coahuila could also consider developing further guidance and training not only for senior and middle management, but for all staff in general. The inclusion of operational staff would help to clarify the tasks and responsibilities within the internal control and risk management system and would contribute to closing the implementation gap. It could also motivate staff to link operational objectives and associated risks to the higher level management plans and organisational-level risks.

Specific training is currently provided in Coahuila to 54 Internal Control Committees and 38 municipalities through the Network of Trainers (Red Estatal de Instructores), which relies on volunteer work from public officials trained by SEFIR (see Chapter 2). Although the Network of Trainers is a valuable model for training staff in charge of the internal control function, SEFIR could consider building on these activities and develop further initiatives such as:

  • e-learning modules on principles, roles, and responsibilities within the risk management process

  • dilemma training scenarios underpinning the attributes of a sound internal control environment

  • workshops on the added value of internal controls in improving management and governance systems, including some especially designed for senior and middle management

  • training modules and awareness campaigns focusing on bridging the gap between organisational objectives, daily operations, and internal control activities

Furthermore, there is little evidence that SEFIR or single ministries in Coahuila are promoting awareness among all staff of the internal control and risk management framework and its developments. As a consequence, some measures and initiatives could also be considered to help raise awareness, including:

  • using awareness campaigns or events on the importance of integrating the internal control and risk management activities into daily business as a tool to influence public perception and enhance the accountability, and therefore the legitimacy, of public entities

  • communicating with all staff (e.g. by videos, electronic messages, newsletters) good practices and individual achievements in integrating and using internal control as a management tool

  • providing regular feedback about the linkages between a sound internal control environment and the achievement of the entity’s objectives by using periodic messages (e.g. newsletters, videos, etc.) from senior management to highlight progress and achievements on improving the actual implementation and integration of the internal control requirements and activities

  • linking issues such as budget allocation, expenditure limits, staff and payroll ceilings, especially at the municipal level, with the progress made in mainstreaming internal control and risk management into daily operations

  • reflecting the organisation’s mission and ethical values within human resources procedures

  • introducing concrete tasks and responsibilities in relation to allocation of internal control functions (OECD, 2017b)

Findings from the fact-finding mission in July 2016 and the workshop in December 2016 also highlighted that the limitations in implementing internal control and risk management processes and tools throughout the state seemed to stem from difficulties in understanding the rationale for such a process and in integrating it in each entity. In order to address this issue, SEFIR could complement the general guidelines provided through the Manual for General Application on Internal Control (Manual Administrativo de Aplicación General en Materia de Control Interno), released in November 2016, with ad-hoc guidance on risk-management arrangements, tools, and methodology, which could support public sector entities in better understanding, and eventually integrating, risk management in daily tasks and operations. For this purpose, such guidance could contain graphs and tables illustrating the process in line with the Manual, as well as narrative explanations of the objectives, concepts, and processes in accessible language. In these efforts, Coahuila could follow the example of the documents released by the State of Victoria in Australia and by Colombia’s Administrative Department of Public Function (Departamento Administrativo de la Función Pública, or DAFP) (Box 4.6). Such guidance could also support entities in using the Matrix and Risk Analysis Map (Matriz y Mapa de Análisis de Riesgos Institucionales), which was provided by SEFIR and which follows the model shared by the General Comptroller Office of the State of Baja California within the Commission of State and Federal Comptrollers (Comisión Permanente de Contralores Estados Federación, or CPCE-F).

Box 4.6. Practical guidance for risk administration in Victoria (Australia) and Colombia

In the State of Victoria (Australia) the Victorian Managed Insurance Authority (VMIA) has developed a Practice Guide to the Victorian Government Risk Management Framework with the aim to support the agencies in implementing it and meeting related obligations. The Guide provides a practical explanation of the framework, presenting risk management requirements, principles, and concepts in a practical and synthetic way. In order to further assist agencies in dealing with the risk management processes, the Guide also includes figures and graphs as well as practical tips and case studies. The final section of the Guide provides a list of the templates to fulfil the steps of the risk management process, in particular on the risk management policy, communication plan, risk assessment, risk register, sources of risk, risk rating criteria, and risk treatment plan.

On the other hand, the Risk Administration Guide of Colombia’s DAFP is a document that provides guidance and clarifications in relation to the risk administration methodology applying in Colombia’s public administration. For this purpose, it does not only mention objectives, policies, and the legal framework, but it also addresses introductory questions (what is risk? what does it mean to manage risks?) as well as basic concepts for each of the steps of the process (e.g. context, identification, analysis, and evaluation). The document is written in plain language but includes concrete examples, tables, and graphs.

Sources: State of Victoria (2016), Victorian Government Risk Management Framework. Practice Guide, Melbourne, Australia; DAFP (2011), Guía para la administración del riesgo, Bogotá, Colombia.

SEFIR could make better use of data to identify and address integrity risks, and thereby improve the quality of its institutional risk maps and mitigation strategies. It could develop an action plan and use the Local Digital Platform to be established within the Local Anti-corruption System, which will allow the interconnectivity of several datasets.

An effective risk management function relies on the capacity and the knowledge of the staff involved but also on the quality of the data and input used to inform each phase of the activities, including risk identification and assessment, evaluation of the effectiveness of existing controls, and identifying patterns and historical trends.

Considering the increasing amount of data produced by public administrations, governments have been developing data analytics, which are the techniques and tools to extract information from data by revealing the context in which they are embedded, their organisation, and their structure (OECD, 2015). In this sense, governments are increasingly improving the analytical process to extract insights from operational, financial, and other forms of electronic data internal or external to the organisation. The outcome of this process can also lead to the production of risk-focused analysis on a number of issues such as controls effectiveness, fraud, waste, abuse, and policy/regulatory non-compliance.

Data analytics can therefore help detect operational risks, improper transactions, and integrity breaches such as corruption events, either before they are manifested or after they occur. By incorporating data analytics practices into the risk management function, organisations can monitor performance through risk sensitivity analysis, model key risk event scenarios, and become more risk-intelligent in developing intervention and mitigation strategies (OECD, 2017b). This could be particularly helpful in the state of Coahuila, where the risk management function needs to be further implemented and integrated in daily operations, and where there is room to improve the understanding over the potential impact of corruption risks (Box 4.7).

Box 4.7. Leveraging data analytics for managing corruption risks

The 2016 Global Fraud Study report of the Association of Certified Fraud Examiners (ACFE) identifies proactive data monitoring and analysis as the most effective anti-corruption control for reducing corruption losses and the duration of corruption schemes. More specifically, the 36.7% of victim organisations that used proactive data monitoring and analysis techniques as part of their anti-fraud programme suffered fraud losses that were 54% lower and detected fraud in half the time compared to organisations that did not use this technique.

Furthermore, according to the Institute of Internal Auditors’ Global Technology Audit Guide (IPPF-Practice Guide), data analysis can help internal auditors meet their auditing objectives relating to the efficiency of risk management arrangements. Analysing data within key organisational processes enables internal auditors to:

  • identify instances of fraud, errors, inefficiencies, or noncompliance, with data drawn from 100 percent of relevant transactions and diverse sources

  • detect changes, vulnerabilities, and weaknesses that could expose the organisation to undue or unplanned risk

  • identify changes in organisational processes and ensure that it is auditing today’s risks and not yesterday’s

A number of specific analytical techniques have been proven highly effective in analysing data for wrongdoing and anti-fraud auditing purposes:

  • calculation of statistical parameters (e.g., averages, standard deviations, highest and lowest values) to identify outlying transactions

  • classification to find patterns and associations among groups of data elements

  • stratification of numeric values to identify unusual (i.e. excessively high or low) values

  • digital analysis using Benford’s Law to identify statistically unlikely occurrences of specific digits in naturally occurring data sets

  • joining different data sources to identify inappropriately matching values such as names, addresses, and account numbers in disparate systems

  • duplicate testing to identify simple and/or complex duplications of organisational transactions such as payments, payroll, claims, or expense report line items

  • gap testing to identify missing numbers in sequential data

  • summing of numeric values to check control totals that may have errors

  • validating data entry dates to identify postings or data entry times that are inappropriate or suspicious

Sources: ACFE, Report to the nations on occupational fraud and abuse, 2016 and IIA Global Technology Audit Guide, IPPF-Practice Guide, 2011.
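Several of the techniques listed in Box 4.7 (Benford’s first-digit test, duplicate testing, gap testing, date validation, and joining data sources against an exclusion register, which is also the kind of check the Do Not Pay data sources in Box 4.8 support) worked through on a small payment ledger. This is an added example written for this review, not code from the ACFE, the IIA or any of the cited sources; the vendor names, invoice numbers, amounts, timestamps and the exclusion list are all constructed.

```python
"""Anti-fraud data analytics checks over a constructed payment ledger."""
from collections import Counter, defaultdict
from datetime import datetime
from math import log10

# Constructed sample ledger: (invoice_no, vendor, amount, posted_at).
# Eight payments to one vendor sit just below 10 000; two invoice numbers
# are missing; one pair of payments repeats vendor and amount.
PAYMENTS = [
    (1001, "Papeleria del Norte", 1250.00, "2016-07-04 10:15"),
    (1002, "Construcciones Saltillo", 9850.00, "2016-07-04 11:02"),
    (1003, "Servicios Medicos Laguna", 2480.50, "2016-07-05 09:30"),
    (1004, "Construcciones Saltillo", 9900.00, "2016-07-05 16:45"),
    (1005, "Papeleria del Norte", 1875.00, "2016-07-06 10:00"),
    (1006, "Construcciones Saltillo", 9950.00, "2016-07-06 17:20"),
    (1008, "Transportes Coahuila", 3200.00, "2016-07-07 11:11"),
    (1009, "Construcciones Saltillo", 9870.00, "2016-07-07 15:05"),
    (1010, "Papeleria del Norte", 1120.00, "2016-07-08 09:00"),
    (1011, "Servicios Medicos Laguna", 4300.00, "2016-07-08 14:30"),
    (1012, "Construcciones Saltillo", 9990.00, "2016-07-10 02:13"),
    (1013, "Papeleria del Norte", 1560.00, "2016-07-11 10:45"),
    (1014, "Transportes Coahuila", 2200.00, "2016-07-11 12:00"),
    (1016, "Construcciones Saltillo", 9800.00, "2016-07-12 16:55"),
    (1017, "Consultores Rio Bravo", 7450.00, "2016-07-12 13:20"),
    (1018, "Papeleria del Norte", 1980.00, "2016-07-13 09:15"),
    (1019, "Construcciones Saltillo", 9875.00, "2016-07-13 17:30"),
    (1020, "Transportes Coahuila", 3200.00, "2016-07-14 11:40"),
    (1021, "Papeleria del Norte", 1340.00, "2016-07-14 10:05"),
    (1022, "Construcciones Saltillo", 9925.00, "2016-07-15 22:48"),
]

# Constructed exclusion register standing in for a list of sanctioned vendors.
SANCTIONED_VENDORS = ["CONSTRUCCIONES  SALTILLO", "Abarrotes El Sol"]

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD = {d: log10(1 + 1 / d) for d in range(1, 10)}


def first_digit_test(amounts):
    """Digital analysis: compare the leading-digit distribution with Benford.
    Returns (mean absolute deviation, {digit: observed - expected}). Nigrini's
    rule of thumb for first digits treats a MAD above 0.015 as nonconformity."""
    # Scientific notation exposes the leading significant digit directly.
    digits = Counter(int(f"{abs(a):e}"[0]) for a in amounts if a)
    n = sum(digits.values())
    deviation = {d: digits[d] / n - BENFORD[d] for d in range(1, 10)}
    mad = sum(abs(v) for v in deviation.values()) / 9
    return mad, deviation


def duplicate_payments(payments):
    """Duplicate testing: the same vendor paid the same amount more than once."""
    groups = defaultdict(list)
    for inv, vendor, amount, _ in payments:
        groups[(vendor, round(amount, 2))].append(inv)
    return {key: invs for key, invs in groups.items() if len(invs) > 1}


def sequence_gaps(payments):
    """Gap testing: invoice numbers missing from an otherwise sequential run."""
    numbers = sorted(p[0] for p in payments)
    return sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))


def off_hours_postings(payments, start=8, end=19):
    """Date validation: postings at weekends or outside working hours."""
    flagged = []
    for inv, _, _, posted in payments:
        ts = datetime.strptime(posted, "%Y-%m-%d %H:%M")
        if ts.weekday() >= 5 or not start <= ts.hour < end:
            flagged.append(inv)
    return flagged


def normalise(name):
    """Case- and whitespace-insensitive key so near-identical names join."""
    return " ".join(name.casefold().split())


def payments_to_excluded(payments, excluded):
    """Joining data sources: payees that match the exclusion register."""
    blocked = {normalise(n) for n in excluded}
    return [inv for inv, vendor, _, _ in payments if normalise(vendor) in blocked]


if __name__ == "__main__":
    mad, dev = first_digit_test([p[2] for p in PAYMENTS])
    print(f"Benford MAD {mad:.4f} (above 0.015); digit-9 excess {dev[9]:+.3f}")
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("invoice gaps:", sequence_gaps(PAYMENTS))
    print("off-hours postings:", off_hours_postings(PAYMENTS))
    print("payments to excluded vendors:",
          payments_to_excluded(PAYMENTS, SANCTIONED_VENDORS))
```

Each function returns the flagged invoices rather than a verdict: as Box 4.10 stresses, these indicators point the auditor at items for follow-up, they do not establish wrongdoing.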

Coahuila’s General Standard for Internal Control includes the concept of “self-control” (autocontrol), which encompasses the assessment/evaluation mechanisms, actions, and practices that operate automatically through digital systems and allow risks to be identified, prevented, or mitigated, as well as any other condition limiting or hindering the achievement of objectives. At the same time, open government is an emerging theme in Coahuila’s political agenda and its institutions are producing an increasing amount of open data, which could be exploited for analytical and anti-corruption purposes (cf. Chapter 5).

In spite of the theoretical framework and work on open data, the use of data analytics is not a common practice in the internal control system and the risk management function of Coahuila. Considering the potential impact of data analytics in identifying, preventing, and mitigating corruption risks, SEFIR, in co-operation with all other relevant institutions and stakeholders, could consider implementing the “self-control” element of its General Standard for Internal Control by developing a concrete action plan to promote data quality and the use of data analytics tools for effective risk management. In this context, SEFIR could leverage the Local Digital Platform to be created within the CLACS (cf. Chapter 1) and connect various databases to provide relevant information for preventing corruption including, for instance:

  • database of assets, conflict of interests, and tax declarations

  • database of public officials involved in public procurement contracts

  • database of sanctioned public officials and individuals

  • information and communications system of the Local Anti-corruption System and the Local Auditing System

  • database of public complaints related to corruption (both administrative and criminal)

  • database of public procurement contracts

Furthermore, Coahuila could consider one of the recommendations emerging from civil society organisations (IMCO and Transparencia Mexicana, or TM) which, among the priorities of the Local Anti-corruption System, identifies the need to create a specialised intelligence unit within state comptrollers such as SEFIR. This unit would have access to all the information needed for auditing and investigative purposes and could co-ordinate with similar areas across the executive through formal agreements (IMCO/TM, 2016) (see Chapter 2).

In its efforts to embrace the use of data analytics and therefore the processes of inspecting, cleaning, transforming, and modelling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making in internal control and risk assessment, Coahuila could take the example provided by several OECD countries, which are moving towards more advanced use of data analytics for anti-corruption purposes and could represent a model for the long-term strategy of Coahuila in this field (Box 4.8).

Box 4.8. Data analytics and data sharing for managing fraud and corruption risks in the United Kingdom and United States

Data Analytics and Data Sharing: With the growing sophistication of corruption, many public sector organisations in the UK are looking to take a more proactive approach to verifying and validating transactions in order to uncover potential and actual corruption. Common approaches have included real-time credit reference and other data checks, online verification techniques, data matching with data held by other public and private sector organisations, and predictive/innovative analytics, which involves developing a model to score data for potential fraud and error. This model can then forecast probabilities of fraud and error to an acceptable level of reliability.

A. The UK example:

The National Fraud Initiative was launched as the UK’s largest data matching exercise in relation to fraud. The Serious Crime Act of 2007 enabled bodies other than those that have a mandatory requirement to provide data for the National Fraud Initiative to volunteer to participate by providing data to the Audit Commission (and after March 2015, the Cabinet Office). The following figure shows how the Department for Work and Pensions, the Driver and Vehicle Licensing Agency, and HM Revenue & Customs use data matching to detect evasion acts and how the BBC and the NHS Counter Fraud Service have used data mining for the same purpose.

  1. The Department for Work and Pensions has a dedicated Database and Matching Service to identify possible fraud and error. It matches data across benefit systems, between other government departments and Department for Work and Pensions data, for other government departments, and for Local Authorities on Housing and Council Tax Benefits. It also works to tackle internal fraud.

  2. The Driver and Vehicle Licensing Agency uses data matching to detect vehicle excise duty evasion.

  3. The HM Revenue & Customs application of data matching has identified people who may have received income from property but have not disclosed it.

  4. The BBC uses data mining software tools to match details of licensable places with external commercially available data to identify specific places or segments of the population for targeted enforcement activity.

  5. The NHS Counter Fraud Service uses data mining and analysis software to examine pharmaceutical and dental data. The software is capable of advanced data analysis that establishes data profiles and highlights anomalies. These can indicate potential fraud for further investigation.

B. The US example:

The US Bureau of the Fiscal Service has created the Do Not Pay (DNP) Business Center, which is a multi-functional analytics tool and one-stop data shop.

DNP’s mission is to protect the integrity of the government’s payment process by assisting agencies in mitigating and eliminating improper payments in a cost-effective manner while safeguarding the privacy of individuals.

DNP allows government agencies to check various data sources for pre-award, pre-payment eligibility verification, at the time of payment and any time in the payment lifecycle. It allows them to verify eligibility of a vendor, grantee, loan recipient, or beneficiary. This will help prevent, reduce, and stop improper payments, as well as prevent fraud, waste, and abuse.

  • DNP offers a centralised system (the DNP portal) that agencies can use at no cost to isolate and identify the potential for improper payments.

  • DNP will benefit the federal agency that enters into a financial transaction with a person or entity.

  • DNP is NOT a list of entities or people that should not be paid.

  • DNP centralises many data sources that agencies can use to verify eligibility.

  • DNP is committed to providing quality data, more data sources, continuous system development, cutting edge data analytics, and customised agency outreach.

Overview of data sources and their functions:

  • Credit Alert System (CAIVRS), with inputs from the Department of Justice (DOJ), Education, Small Business Administration (SBA), Department of Housing and Urban Development (HUD), Department of Agriculture (USDA) and Department of Veterans Affairs (VA): verify whether an individual is a delinquent federal borrower

  • Department of Health and Human Services’ (HHS) List of Excluded Individuals & Entities (LEIE): verify whether payments are to entities excluded from participating in federal health care programmes

  • General Services Administration’s (GSA) System for Award Management (SAM) Entity Registration Records: verify that a vendor seeking to do business with the federal government has registered, in accordance with the Federal Acquisition Regulation (FAR)

  • GSA SAM Exclusion Records: verify whether payments are to debarred individuals

  • Treasury’s Office of Foreign Assets Control (OFAC): verify whether an individual or entity is prohibited from entering into financial transactions with U.S. financial institutions and the U.S. government

  • Social Security Administration’s (SSA) Death Master File (DMF): verify whether a payee is deceased

  • Treasury Offset Program (TOP) Debt Check: verify whether a payee owes delinquent non-tax debts to the federal government (and participating states)

Sources: HM Treasury and National Audit Office (2008), Good Practice Guide on Tackling External Fraud, London; HM Treasury (2011), Tackling Internal Fraud, London; United States Government, “Do Not Pay List”.

Strengthen the presence and impact of internal audit in Coahuila

In order to strengthen the internal audit function and improve the effectiveness of governance, risk management, and internal controls, SEFIR could gradually ensure that all ministries have an internal control unit. A corruption risk assessment could be conducted and a priority list created to start the appointment of internal control units in the ministries with the greatest need first.

According to the three lines of assurance model (Table 4.1), internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organisation. Accordingly, the Institute of Internal Auditors defines internal auditing as “an independent, objective assurance, and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” (Institute of Internal Auditors, 2017a)

The audit function over government and public procurement activities in Coahuila is carried out by SEFIR, whose Internal Regulation (Reglamento Interior de la Secretaría de Fiscalización y Rendición de Cuentas del Estado de Coahuila de Zaragoza) gives the head of that Ministry the responsibility to appoint the internal control units (Órganos Internos de Control, or OICs) within Coahuila’s ministries and entities upon proposal of the Deputy Minister for Government Audit and Administrative Development (Subsecretaría de Auditoría Gubernamental y Desarrollo Administrativo). However, it emerged that only a few ministries have OICs, while audit activities for the remaining ministries are currently carried out directly by other areas such as legal and administrative departments. As a result, the degree of accountability in the latter entities is diminished insofar as the audit activity is not carried out by dedicated staff with specific responsibilities and resources devoted to auditing in a continuous manner and in close co-ordination with SEFIR. Furthermore, in both cases the relevant personnel are appointed by the entity itself, posing the risk that their activity may not be carried out independently.

In order to provide closer assurance to senior management and better support entities in implementing their risk-management process, SEFIR could implement its Internal Regulation and appoint internal control units, which could be designed in line with the model established at the federal level (Box 4.9). The creation of OICs could begin in selected ministries after carrying out a risk-based assessment. For example, news sources from Coahuila and experience in other countries point to health and infrastructure as two areas exposed to a number of risks, where such units could be established first.

Box 4.9. Offices of Internal Control (Órganos Internos de Control) at the federal level in Mexico

The current model of the OICs consists of four different areas including internal audit, complaints management, investigation and disciplinary activities, and performance evaluation issues. The relevant institutional arrangements and roles are described in Articles 76 and 80 of the Internal Regulation of the SFP as well as in the “Acuerdo por el que se adscriben orgánicamente las unidades administrativas de la Secretaría de la Función Pública y se establece la subordinación jerárquica de los servidores públicos previstos en su Reglamento Interior”, which was published in the Official Gazette on 9 December 2015.

With regard to auditing functions, OICs have the following responsibilities: contributing to the functioning of the control system; monitoring compliance with the internal control standards; analysing and proposing regulations and guidelines to strengthen internal control within entities; planning and carrying out audits, reviews and inspections; and following up on observations made during SFP audits.

Source: OECD (2017b) and SFP Internal Regulation (most recently revised in January 2017).

Considering its increased competence to conduct administrative proceedings for non-serious offences of public officials within the CLACS, SEFIR could improve the internal audit function with regard to fraud and corruption investigations by scaling up professionalism and ensuring adequate capacities and resources.

Internal auditors should have a role in fighting corruption, although this responsibility should be limited to evaluating the existing situation and submitting proposals to improve governance in order to promote the right ethical values and principles inside the entity (Institute of Internal Auditors, 2017b). In particular, auditors should act to identify fraud and corruption indicators that can be recognised in most core business processes, relying on their technical experience, professional judgement, and good understanding of how potential fraud and corruption acts can be committed. The audit strategy could focus on areas and operations prone to fraud and corruption by developing and applying effective high-risk indicators. Box 4.10 provides an example of internal audit’s role in combating fraud and corruption.

Box 4.10. Fraud and Corruption - Internal Audit’s Role

Internal audit’s primary role is not to detect fraud and corruption, rather it exists to provide an independent opinion based on an objective assessment of the framework of governance, risk management, and control. In doing so, internal auditors may:

  • review the organisation’s risk assessment seeking evidence on which to base an opinion that fraud and corruption risks have been properly identified and responded to appropriately (i.e. within the risk tolerance)

  • provide an independent opinion on the effectiveness of prevention and detection processes put in place to reduce the risk of fraud and/or corruption

  • review new programmes and policies (and changes in existing policies and programmes) seeking evidence that the risk of fraud and corruption had been considered where appropriate and providing an opinion on the likely effectiveness of controls designed to reduce risks

  • consider the potential for fraud and corruption in every audit assignment and identify indicators that crime might have been committed or control weaknesses that might indicate a vulnerability to fraud or corruption

  • review areas where major fraud or corruption has occurred in order to identify any system weaknesses that were exploited or controls that did not function properly and make recommendations about strengthening internal controls where appropriate

  • assist with or undertake investigations on management’s behalf: internal auditors should only investigate suspected or actual cases of fraud or corruption if they have the appropriate expertise and understanding of relevant laws to allow them to undertake this work effectively, and where investigation work is undertaken, management should be made aware that the internal auditor is acting outside of the core internal audit remit and of the likely impact on the audit plan

  • provide an opinion on the likely effectiveness of the organisation’s fraud and corruption risk strategy (e.g. policies, response plans, whistleblowing policy, codes of conduct) and if these have been communicated effectively across the organisation; management has primary responsibility for ensuring that an appropriate strategy is in place and the role of internal audit is to review the effectiveness of the strategy.

Source: United Kingdom, HM Treasury, Fraud and the Government Internal Auditor, January 2012.

According to SEFIR’s Internal Regulation (Reglamento Interior de la Secretaría de Fiscalización y Rendición de Cuentas del Estado de Coahuila de Zaragoza), SEFIR is currently responsible for administrative disciplinary cases based on the findings from audits or related to the lack of compliance with public officials’ obligations. However, interviews during the OECD fact-finding mission made clear that the enforcement of integrity-related obligations in Coahuila is limited because of the lack of capacity and expertise to carry out investigations. This is confirmed by the fact that no sanctions have been issued for conflict-of-interest cases. This challenge is likely to become more relevant in the future, because in the context of the CLACS reform process, Coahuila will have to revise its State Responsibilities Law. Similarly to the federal model adopted in July 2016, this law will increase SEFIR’s responsibility to conduct administrative proceedings in relation to non-serious administrative offences.

Considering the existing limits and the prospective responsibilities in sanctioning integrity breaches, SEFIR would need to increase its technical expertise and capacity as well as allocate adequate resources to fulfil its duties. With regard to capacity-building and training needs, there could also be a state-wide certification policy for internal control and audit professionals linked with training and capacity-building activities. Recent reviews and relevant data from Latin America and the Middle East and North Africa (MENA) region document that only a low percentage of practitioners have acquired certifications such as the IIA’s Certified Internal Auditor (CIA) or Certified Government Auditing Professional (CGAP).

In order to address the issues of weak professional expertise and capacity, Coahuila could develop customised training modules in co-operation with the Network of Trainers, the Supreme Audit Institution of the State of Coahuila (Auditoría Superior del Estado de Coahuila, or ASEC), local professional chambers (e.g. public accountants’ associations), and universities. Furthermore, Coahuila could consider the key elements of the Canadian Internal Auditor Recruitment and Development (IARD) Programme and the Training for Internal Auditors in the Public Sector (TIAPS) programme, which are two different approaches to improving the capacity and skills of internal auditors in public organisations (Box 4.11).

Box 4.11. Professionalisation and capacity-building of the internal audit service

A. The Canadian Internal Auditor Recruitment and Development Programme (IARD Programme)

I. Benefits of the Internal Audit Recruitment and Development Programme

In addition to coaching, mentoring, and professional development courses, the Internal Audit Recruitment and Development (IARD) Programme offers:

  • the experience and on-the-job training needed to pursue a Certified Internal Auditor (CIA) designation

  • a development plan designed to help recruits succeed including competency-based work objectives and support from senior staff

  • unique on-the-job learning opportunities where recruits will learn the profession of internal audit in the government of Canada

  • professional development sessions offered by the Institute of Internal Auditors that are related to the position and CIA certification

  • potential for promotion

II. Internal Audit Recruitment and Development Programme work experience

Recruits will work under general supervision, providing support and performing assigned tasks within each of the phases of an audit engagement as a member of an audit team. Audit teams typically report to the Internal Audit Principal or the Director of Internal Audit.

Audit teams are designed to:

  • provide departmental senior management with opinions on the effectiveness and adequacy of risk management, control, and governance processes

  • report on the results of risk-based audits

III. Internal Audit Competency Profiles and Dictionary

The Comptroller General of Canada has developed the Internal Audit Competency Profiles and Dictionary as a tool of the overarching Internal Audit (IA) Human Resources Management Framework (HRMF).

The IA HRMF aims to support and enable a self-sufficient, quality IA community across the federal public sector. It provides an excellent infrastructure along with tools and support services to position the IA community as professionals who perform unique, high value-added work within the government of Canada.

The IA competency profiles and dictionary are the main building blocks of competency-based management (CBM). They allow organisations to focus on how someone undertakes his or her job based on the skills, abilities, and knowledge required to perform the work. CBM is the application of a set of competencies to the management of human resources (i.e., staffing, learning, performance management, and human resources planning) to achieve excellence in performance and results that are relevant to organisations.

B. Training for Internal Auditors in the Public Sector (TIAPS)

The Training for Internal Auditors in the Public Sector (TIAPS) initiative provides an example of public-sector-oriented internal audit certification that merges international best practices with localised regulatory concerns, delivered in the host country’s language.

I. Scope and key characteristics

The idea behind TIAPS started in Slovenia in 2002. The TIAPS Programme was developed to strengthen qualifications in internal audit processes in the public sector while devoting special attention to requirements introduced by the accession processes of the European Union. The mandatory and recommended guidelines issued by the IIA have long been viewed as private-sector centric and unable to address comprehensively the concerns of the public sector.

One of the ways TIAPS addresses such gaps is to include a customisable module on legislation and taxation, written by experts from the participating country. The way in which standards and practices are taught is different from the IIA in that it is more rules-based than principles-based. TIAPS clearly outlines what should be done and how, as opposed to guidance issued by the IIA, which leaves room for interpretation.

TIAPS targets public sector employees who hold a Bachelor’s degree and already have practical experience in areas such as accounting, financial oversight, and control. The programme comprises seven modules, divided into two levels (certificate and diploma), of which all but the module on National Legislation and Taxation were developed by CIPFA.

II. Challenges

The biggest hurdle for implementing TIAPS is also its greatest strength—localising the curriculum. This requires involved institutions to do significant preparation work prior to the delivery of the programme, which includes translating training material and coaching the local tutors who will deliver the content of modules in local languages.

A related issue is the need to find and hire experts to create the legislation and taxation modules. The programme-implementation team engages translators with sound knowledge of the material, and the initial translation is checked by an editor/proofreader who makes language revisions in line with standard terminology in each country.

Despite being a relatively young programme, TIAPS provides specialisations. These, however, have yet to achieve full equivalence with specialised certifications such as the Certified Information Systems Auditor (CISA), provided by the Information Systems Audit and Control Association (ISACA), and therefore cannot directly replace them. There are, however, plans to achieve this equivalence in the medium term.

The programme also does not have a way to monitor and ensure that its certified practitioners stay informed of evolving audit trends, which both IIA and ISACA do, through their continuing professional education requirements.

Source: Office of the Comptroller General of Canada, IARD Post-Secondary Recruitment; Office of the Comptroller General of Canada, IARD Program; Asian Development Bank (2016), Training for Internal Auditors in the Public Sector: An Alternative Approach for State Internal Auditors, Knowledge Showcases.

Proposals for Action

Coahuila has a ministry responsible for audit and accountability (SEFIR), which is tasked with developing and overseeing policies, standards, and tools on internal control, risk management, and internal audit. These activities are to be carried out within Coahuila’s framework for governing the internal control system. This framework is called the General Standard for Internal Control (Norma General de Control Interno).

Although Coahuila has an internal control framework in place, it is having difficulty integrating and implementing this framework, raising awareness about the framework among all levels of staff, setting an appropriate tone at the top, and assessing and mitigating fraud and anti-corruption risks. To face these challenges, the OECD recommends that Coahuila consider taking the following actions:

Demonstrating high-level commitment to integrity objectives and risk management

  • Coahuila could strengthen standards and policies in order to place greater emphasis on corruption and fraud as it relates to risk management and to clarify how and when to undertake risk assessments.

  • Coahuila could strengthen its “tone at the top” and its leadership’s commitment to integrity and effective control environment.

Overcoming implementation gaps for improved risk management

  • SEFIR could help improve management ownership and awareness of the internal control system and risk management by developing awareness-raising activities on risk-based approaches and could also work to provide enhanced capacity-building initiatives, additional guidance, and training.

  • SEFIR could make better use of data to identify and address integrity risks, and thereby improve the quality of its institutional risk maps and mitigation strategies. It could develop an action plan and use the Local Digital Platform to be established within the Local Anti-corruption System, which will allow the interconnectivity of several datasets.

Strengthening the presence and impact of internal audit in Coahuila

  • In order to strengthen the internal audit function and improve the effectiveness of governance, risk management, and internal controls, SEFIR could gradually ensure that all ministries have an internal control unit. A corruption risk assessment could be conducted and a priority list created to start the appointment of internal control units in the ministries with the greatest need first.

  • Considering its increased competence to conduct administrative proceedings for non-serious offences of public officials within the CLACS, SEFIR could improve the internal audit function with regard to fraud and corruption investigations by scaling up professionalism and ensuring adequate capacities and resources.
