2. Integrity risk management in Thailand: Immediate challenges and areas for improvement

In the past three years, Thailand has made legal and regulatory reforms that sought to modernise the internal control system in line with international standards, such as those established by the Committee of the Sponsoring Organisation of the Treadway Commission (COSO) and the Institute of Internal Auditors (IIA). By improving the legal and policy frameworks for internal control, risk management and internal audit functions, Thai policy makers have signalled the need to balance an enforcement-focused model with preventive approaches.

While recent reforms have aided in modernisation, the Thai government faces a number of challenges to implement reforms. The responsibility for facing these challenges is shared across the Thai government. One of the key institutions is the Comptroller General’s Department (CGD), which is the centralised internal audit function in the Thai government. As part of the reform process, the CGD took over key responsibilities for internal control from the State Audit Office (SAO). Other central bodies that are critical allies for the CGD in advancing internal control and risk management in government are the Office of the National Anti-Corruption Commission (NACC) and the Office of the Public Sector Anti-Corruption Commission (PACC). In addition, managers in government have many of the core responsibilities to implement recent changes to strengthen internal control and risk management for safeguarding integrity. For this reason, it is critical that these individuals on the frontlines understand the value of and benefits from internal control and risk management first hand.

This chapter elaborates on key challenges and recommends actions for the Thai government, particularly the CGD and managers in agencies, to further improve integrity risk management and assessments. The chapter focuses on the following overarching issues:

  • Ensuring clarity of roles and making good governance a central theme: While reforms are still fresh, risk assessments can be positioned as management tools for better governance as opposed to compliance exercises. Doing so requires improvements to standards and guidelines to ensure clarity of roles and responsibilities for managing risks and further demonstrating the value of risk management for everyday operations and control decisions. The CGD and other government-wide entities can help to advance this governance-oriented mindset, in particular, by demonstrating the value of risk management, control and audit for achieving policy goals, as well as means to demonstrate the government’s transparency and accountability to citizens.

  • Overcoming implementation challenges to better manage and assess risks: Thailand’s recent legal reforms have further codified the need for risk-based approaches, and there are existing tools to build on, including the Integrity and Transparency Assessment. However, the government faces new challenges for assessing integrity risks, particularly across levels of government, as it modernises its risk management policies and practices. The need for harmonising existing approaches and offering more guidance is a key issue facing the CGD, in addition to addressing gaps in capacity and knowledge for conducting risk assessments at national and regional levels.

  • Enhancing monitoring and evaluation, as well as quality assurance assessments: With several parallel efforts in Thailand to safeguard integrity and manage risks, effective monitoring and evaluation (M&E) is critical for ensuring an effective internal control system and the fulfilment of policy goals and objectives. The CGD developed a process for quality assurance assessments, which is a positive signal and recognition of the need for M&E and continuous improvement of internal audit activities. The CGD can take additional steps to develop M&E plans concerning integrity risk management in particular, in line with the OECD’s Recommendation on Public Integrity.1

These areas represent critical, but not all, areas for improvement to advance integrity risk management in Thailand. Responses of Thai officials to OECD questionnaires and input during interviews focused largely on legal and policy concerns, given recent reforms. Therefore, recommendations and findings related to integrity risk management in practice are limited, including key issues such as managing and assessing risks at the provincial level and methodological considerations for risk assessments. Some of these issues may be addressed in subsequent phases of co-operation.

After the passage of new laws and standards in recent years, Thailand has developed a strong foundation for internal control, risk management and internal audit in the public sector. The State Fiscal and Financial Disciplines Act, B.E. 2561 (2018) applies to all public entities, including state-owned enterprises, and it stipulates that government entities should establish an internal control system in compliance with standards and rules prescribed by the Ministry of Finance (Section 79). The Act also defines managerial control and civil servants’ responsibilities related to internal control and risk management. To complement this Act, the CGD within the Ministry of Finance recently developed the Risk Management Standards and Practical Rules for State Agencies, B.E. 2562 (2019). It focuses on 13 practical rules for risk management, which include a general reference to the need of public institutions to conduct risk assessments.

The CGD is also responsible for setting internal audit standards, including the 2017 Internal Audit Standards and Ethics for Internal Auditing of Government Agencies, which draws from the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing. Other actors in government have developed additional materials related specifically to managing corruption risks. This includes central bodies like the NACC and the PACC, as well as individual line ministries, which produce their own frameworks and guidelines for managing integrity and corruption risks in the government’s daily operations.

The legal and policy foundation for the internal control system in Thailand, including managerial control, risk management and internal audit, is extensive, but can also create confusion in the context of integrity and anti-corruption measures. First, corruption and fraud risks are explicitly addressed in internal audit standards, including the role of internal audit to assess such risks, but they are not directly addressed in the Rules. This sends a message that the management of fraud and corruption risks is the responsibility of the internal audit function. The CGD could amend the Rules to include a specific reference to integrity risks to avoid artificially separating this type of risk from the broader policies, practices and tools used to assess risk management in general. This would also reinforce the notion that corruption risk management is also the responsibility of managers within line ministries.

In addition, the CGD could amend standards or provide additional guidance to further clarify the role of the internal audit function for integrity risk management vis-à-vis managers. For instance, the Ministry of Finance’s internal audit standards note, “Internal audit operations must assess the likelihood of corruption, and methods of managing risks related to fraud” (Ministry of Finance, 2018[1]). They also include requirements for internal audit to report fraud to heads of government and the audit committee, if applicable. Yet, the Risk Management Standards and Practical Rules for State Agencies say the internal audit function should not be responsible for risk management. The Rules stipulate that the head of each government agency is responsible for appointing a lead for risk management, which can be an individual or a team. Interviews with Thai officials and responses to questionnaires confirmed that internal audit functions in government agencies are leading risk management activities in practice, including carrying out risk assessments.

The CGD can address this confusion and ensure consistency of its standards and guidance so that government officials know their roles and responsibilities within the internal control system. In particular, the internal audit function should not have the primary responsibility for managing and assessing integrity risks. The IIA’s Three Lines Model can be instructive for how the Thai government can define roles and responsibilities.2 This could include revising the 2017 Internal Audit Standards and Ethics for Internal Auditing of Government Agencies to make it clear that internal auditors should not be leading risk assessments. Integrity risk management is primarily the responsibility of managers (i.e. the first line), as Thailand’s own Practice Rules for Risk Management outlines. In addition, the CGD could consider improving self-assessment tools to further promote responsibility, accountability and the authority of managers with regards to internal control and risk management. For instance, the OECD SIGMA programme has developed guidelines for assessing the quality of internal control systems (Boryczka, Bochnar and Larin, 2019[2]). See Box 2.1 for an example of such a tool from the Netherlands (The Dutch Ministry of Finance, March 2018[3]).

Unclear roles and responsibilities can undermine the independence of internal audit functions and lead to a compliance-oriented approach to risk management and internal control. Many agencies in Thailand’s government do not have experience in risk management, according to Thai officials. Addressing these issues at the early stages of Thailand’s efforts will help to avoid the institutionalisation of systemic and long-term challenges, and ensure that resources and training on managing and assessing risks are targeted at the right people.

The CGD, along with the NACC, the PACC and leadership of line ministries, can enhance future guidance and communications about risk management and control by having coherent messages that promote managerial ownership and risk management as a tool for better governance. According to interviews with Thai officials, line ministries tend to view the risk management plan required by the CGD’s Risk Management Standards and Practical Rules for State Agencies as a compliance exercise. The 2017 Internal Audit Standards and Ethics for Internal Auditing of Government Agencies, which assigns corruption and fraud risk assessments to the internal audit function, only reinforces this perception.

Following recent reforms in Thailand, the integration of risk management into the operations of line ministries depends on how well managers understand and see evidence of the value of risk management for governance and the achievement of objectives. If managers do not see the value of risk management for making decisions and solving problems, they will have little commitment to integrate risk-based thinking into operations and therefore a risk-informed culture is unlikely to take root. The CGD, the NACC and the PACC can enhance guidance with positive messages that emphasise a perspective on risk management and control that is oriented towards good governance and achieving the results of policies and goals, rather than compliance with laws and standards. Similarly, they can communicate perspectives on risk assessments oriented towards solutions management, as opposed to check-the-box exercises.

In addition, messages about the value of risk management or assessments should avoid causal linkages to improvements in Transparency International’s Corruption Perception Index (CPI). For instance, in responses to the OECD’s questionnaire, respondents of the National Economic and Social Development Council (NESDC) indicated that most public sector entities realise the importance of risk management as a proactive measure to prevent corruption in Thailand, as well as “an essential tool for enhancing Thailand’s Corruption Perception Index”. Respondents added that the aim is for Thailand to rise in the CPI to become one of the “top twenty” in the world by the year 2030, in line with the Master Plan Under the National Strategy initiated by Prime Minister Prayuth Chan-Ocha’s government (Government of Thailand, 2017[4]). The Fraud Risk Management Plan for fiscal year 2019 of the NESDC makes a similar assertion. It directly links risk management to changes in the CPI by stating, “fraud risk assessment is a risk management tool that helps to raise the [CPI] score” (National Economic and Social Development Council of Thailand, 2019[5]).

The examples above signal a fundamental misunderstanding about risk management, risk assessments and their purposes, as well as the CPI. The CPI cannot be used to measure the performance of specific actions taken to address corruption or to mitigate risks, and raising the score should not be a policy objective. There is no causal linkage between day-to-day risk management and the CPI, since many factors contribute to the CPI and isolating the effect of risk management on public perception is unrealistic. In many countries, the CPI is used as an input for risk assessments that provide broad context about the environment. However, linking integrity risk management to changes in the CPI creates the impression that the CPI can be a performance metric for the quality and effectiveness of integrity risk management and assessments at an institutional level. This also risks undermining the concept of risk management as a critical tool for managers to support decision making and drive results related to objectives. In the 2018 Integrity Review of Thailand, the OECD highlighted the limitations of using the CPI as a diagnostic tool and recommended different types of indicators for the government to evaluate anti-corruption policies. Box 2.2 provides additional insights on the CPI, its benefits and its limitations as a diagnostic tool.

The CGD, NACC and PACC, as entities with government-wide responsibilities, can play a critical role in changing, or at a minimum, diversifying this message and promoting the added value of risk management. As discussed, this can include positive, governance-focused statements about the contributions of the results of risk management and assessments to an effective control environment. This could include messages about risk management supporting managers in making informed decisions to find solutions to mitigate risks related to organisational objectives, as opposed to raising the score in the CPI or addressing broad sets of environmental risks that are outside the purview of an individual line ministry.

The Risk Management Standards and Practical Rules for State Agencies lay the foundation for a risk-based approach to governance and control in Thailand’s government. Additional guidance could help to educate agencies as to how to implement them to ensure consistency and harmonisation. Line ministries have wide discretion in how they apply the Rules, and there are at least three different risk assessments that agencies conduct, including the following:

  1. Managers are responsible for a risk assessment at the entity level, which according to the new Rules, every government agency must conduct on an annual basis as part of their risk management plans. This type of risk assessment is in its second year of implementation. Laws and regulations do not require line ministries to submit the risk management plan or the results of the risk assessments to the Ministry of Finance. The format for documenting the risk analysis is left to the discretion of line ministries. Corruption and fraud risks are not taken into account as part of these risk assessments, as discussed.

  2. The internal audit function carries out the second type of risk assessment. As noted, this role for the internal audit function is outlined in Ministry of Finance's regulations on standards and guidelines of internal audit for government agencies B.E. 2561 (2018), which state that the internal audit must assess and address fraud risks (Ministry of Finance, 2018[1]).

  3. The third type of evaluation is the Integrity and Transparency Assessment (ITA). The ITA is an evaluation that focuses on fraud and corruption in line ministries, as described in greater detail in the next section. Thai agencies have been conducting these evaluations since 2014. In the 2018 Integrity Review of Thailand, the OECD offered recommendations to improve the methodology, knowledge sharing and co-ordination of the ITA. To what extent the ITA or risk assessments fulfil the CGD’s requirements related to risk management in practice, as defined in the Rules, is unclear.

    The ITA is a core element of Strategy 4, “Development of proactive corruption prevention systems to counter corruption”, of the National Anti-Corruption Strategy, Phase 3 (2017-2021). The ITA is an annual assessment at the organisational level across government institutions at national and regional levels. The assessment methodology was adapted from the Anti-Corruption and Civil Rights Commission of South Korea, and was then developed and integrated to match with the transparency indicator of the NACC. The NACC, along with the PACC, lead the implementation. The methodology consists of three surveys, which cover 10 topics, including corruption prevention.3

PACC officials communicated the development of a fourth approach, called a “Risk Assessment System,” for detecting corruption and misconduct in the public sector. The system envisions three levels: policy, ministerial/departmental and provincial. The system at the policy level entails developing policies and consistent criteria for fraud risk indicators, guided by the work of the NACC. At the ministerial or departmental level, the system involves designating ACOCs as the leads for carrying out fraud risk assessments related to service delivery, the use of authority, and budget spending and management of resources. Lastly, ACOCs would also conduct assessments at the provincial level, focusing on programmes with large budgets. At the time of drafting this report, the Risk Assessment System is in the conceptual stage and could not be assessed for effectiveness or harmonisation with existing efforts in terms of its design or implementation. The recommendations below take into account these four parallel efforts.

The CGD, in co-ordination with the NACC and the PACC, can offer further guidance that explains how each of these assessments fulfils risk management requirements established in the Rules, and specifically, to what extent risk assessments should focus on fraud and corruption risks given the parallel work line ministries do to conduct the ITA. In addition, as noted, the internal audit function should not lead risk assessments, in line with international standards, and this can include corruption and fraud risk assessments. Additional guidance from the CGD, the NACC and the PACC could address the following issues:

  • Clarify the strategic and operational importance of risk assessments, including an explicit reference to managing fraud and corruption risks. The CGD should communicate that the ITA should not be a substitute for risk assessments at an institutional or operational level that support managers to make decisions about control activities and mitigation measures, as required in the Rules. Separate from the ITA, risk assessments should take into account fraud and corruption risks that could affect the achievement of the agency’s objectives.

  • Clarify the roles and responsibilities specific to integrity risk management. This could include clarifying the roles and responsibilities of managers for risk management and internal control, as discussed in the previous section. In addition, it could include clarifications about the roles and responsibilities of the internal audit function, the NACC and the PACC, including its network of Anti-Corruption Centres, in the context of risk management requirements. Involving the latter can help to promote risk management at the regional level, which Thai officials highlighted as an ongoing challenge. Moreover, further CGD guidance could clarify the expectations of managers to co-ordinate and benefit from the internal audit function’s risk assessments as an input into their own risk management plans and activities.

  • Clarify the purpose and use of the results of the ITA relative to integrity risk assessments that managers or internal audit functions may conduct. The ITA serves as a comprehensive, high-level self-assessment tool and means for raising awareness about key integrity issues. However, it is not clear how the government uses the results of the ITA, and whether there are linkages between the ITA and ongoing risk management activities at an operational level. Moreover, any additional guidance or promotional materials that convey the importance of risk management and risk assessments should be cautious about creating causal linkages with Transparency International’s Corruption Perception Index (CPI), as described in the previous section. Instead, the guidance can reiterate the benefits of risk management as an approach for navigating uncertainty and driving policy results rather than a means for complying with regulations.

Additional guidance from the CGD can also serve as an opportunity to showcase positive examples across government related to risk management and internal control in the promotion of a race-to-the-top. For instance, every year, the NACC has awarded organisations in the public sector for their contributions and success in launching proactive measures to combat corruption and conduct the ITA, including a ranking of ministries that are top performers. In addition, each year the Office of the Public Sector Development Commission (OPDC) offers a Public Sector Excellence Award (PSEA). In 2017, the OPDC awarded a PSEA to the Department of Rural Roads in the Ministry of Transport for excellence in strategic planning and efficient implementation of the organisation strategy, which included effective risk management and internal control. Additional guidance can showcase such efforts to motivate improvements to integrity risk management and internal control, and more generally a culture of risk that promotes value-based, coherent risk management policies and practices.

Thailand is a unitary country with three levels to the state administration structure, including central, provincial and local administrations (see Box 2.3 for additional details). The CGD and other bodies, including the PACC and the NACC, have subnational offices that carry out the mandate of the institutions at the regional level. The CGD has 76 offices in the provinces. The ACOCs also have a presence in 76 provinces. In 2018, the OECD recommended that the government of Thailand increase the capacity of the ACOCs. Capacity remains an issue at the provincial level, not only for the ACOCs, but also for the CGD and line ministries with a regional presence, according to Thai officials. In particular, a key area for improvement highlighted by government officials is the capacity of local governments and regional representation of the CGD, the NACC and the PACC to implement reforms for improving integrity risk management and control.

In interviews, government officials highlighted ongoing challenges facing local administrative agencies to conduct risk assessments and establish effective internal control systems. Officials declared there was no guidance for provincial government entities. This has led to a wide variation and lack of coherence with regard to how local governments approach internal control and risk management. Across all provinces, capacity is low for implementing recent reforms.

The CGD can take the lead to address capacity issues and improve the coherence of approaches to internal control and risk management at the regional level. The aforementioned guidance can address this issue directly, with considerations and support that are tailored to the maturity levels of local administrations. The CGD is already conducting trainings for provincial government entities on risk management, according to officials. Further guidance can provide greater clarity as to how local entities can comply with new reforms. Going beyond that, guidance can add clarity and help to build capacity related to key areas communicated to the OECD in interviews, including: the roles and responsibilities of local government entities for managing risks; methodologies for assessing risks that are commensurate with skill levels and resources; and good practices for using the results of risk assessments.

International standards emphasise the need for governments to monitor and evaluate the internal control system, and in particular, to assess outcomes and update activities to improve fraud and corruption risk management (COSO, 2016[8]). The OECD’s Recommendation on Public Integrity also highlights the need for governments to build efficient monitoring and quality assurance mechanisms for safeguarding integrity in the public sector. Thailand’s regulations echo these standards. For instance, Thailand’s Risk Management Standards and Practical Rules for State Agencies say that heads of agencies should monitor and evaluate risk management activities to ensure the agency adheres to standards and the IIA’s Three Lines Model. In addition, government agencies are subject to reporting requirements to ensure they have internal control systems in place and consider risks.

Thailand’s reporting requirements include a “Certificate of Internal Control Assessment,” which is a self-assessment report that indicates a public entity has assessed whether internal controls are compliant with the Rule of the Ministry of Finance on Standards and Internal Control Practice for Government Agency B.E. 2561 (2018). As part of this internal control assessment, line ministries must also highlight improvements to internal control activities based on perceived risks. This certificate is the only requirement for public entities to monitor, evaluate and report on M&E of the internal control system. There are other bodies that support these efforts, including a Committee within the CGD that consists of internal auditors as well as financial and compliance auditors of the State Audit Office (SAO). However, the primary responsibility for M&E of the internal control system is within line ministries, in accordance with Thailand’s standards.

In principle, the certifications and their underlying assessments can be useful mechanisms for monitoring and evaluating the internal control system in the Thai government. However, the quality and effectiveness of these efforts depend on the methodology, scope and frequency of monitoring, which is not prescribed and is therefore inconsistent from one line ministry to the next. The Certificates promote monitoring and evaluation of the general existence of an internal control structure, and to some extent risks, but there are more determinants of the quality of an internal control system beyond these factors. Box 2.4 provides an example from guidance produced for the United States Agency for International Development (USAID) as part of a toolkit for managers in the health sector, but with broader lessons that are applicable to self-assessment methodologies for internal control.

Above all, M&E should support public entities in obtaining a better understanding of implementation challenges or vulnerabilities on an ongoing basis. Managers in public entities can conduct M&E in regular intervals and incorporate the results into the reporting process for the Certificates. Risk assessments are not a substitute for M&E. The monitoring and review of risk management processes is a distinct activity from M&E and assessing the quality of internal control systems as a whole, even though these activities may inform each other. For instance, the results of fraud and corruption risk assessments (i.e. the perceived likelihood and impact of the effect of fraud and corruption on objectives) can be one of several factors that help managers to set priorities for broader M&E activities and quality assessments. Other considerations for prioritising M&E activities include the following:

  • objectives and the scope of activities of the public organisation

  • issues identified and recommendations of internal and external auditors

  • issues identified by the Ministry of Finance or CGD in their role of providing general oversight of the financial operations of line ministries

  • results of previous M&E activities or quality assessments

  • proportion of irregular expenditure within the overall budget of the public organisation (Boryczka, Bochnar and Larin, 2019[2]).

In the integrity context, the unit of analysis for M&E is not just individual risks, but other governance and institutional factors that determine the effectiveness of the internal control system. Specifically, M&E involves the systematic collection of evidence dealing with the design, implementation and results of the policies, controls and actions taken to manage fraud and corruption risks. Effective monitoring allows managers to adapt controls when issues arise, and evaluations can offer insights into an ongoing or completed activity, to support decisions about relevance, effectiveness and potential alternatives. The current M&E activities related to internal control and risk management help to promote awareness of this critical component of standards, like COSO and Thailand’s own regulations, but the Certificate process facilitates a check-the-box exercise for line ministries. As a result, there is a danger of government officials perceiving internal control and risk management as compliance activities. In contrast, M&E should facilitate managers’ decisions and understanding of the effectiveness of the internal control system, based on evidence of how well measures to safeguard integrity are producing results and advancing organisational objectives.

As part of its monitoring and evaluation activities, the CGD developed a quality assurance assessment framework for the internal audit function in the public sector. The framework is structured according to international standards of the Institute of Internal Auditors (IIA) and the IIA’s International Professional Practices Framework (IPPF), as well as the Principle of Total Quality Management (TQM) and the Deming Management Cycle. It covers four main areas of activity of the internal audit function—governance, staff, management and process—as shown in Table 2.2.

Values for the assessment are attributed at three levels: at the “item” level, the level of the internal audit activity and the overall assessment results. The performance of each item is rated on a scale of 0 to 4, where 0 stands for no action taken and 4 for complete conformity with the established criteria. The points received for each item under the internal audit activity assessed (i.e. governance, staff, management, process) are calculated together to end up with an average score. In the end, the average score is weighted for each internal audit activity. All weighted average scores are added together to reach the overall evaluation score following again a scale of 0 to 4 (where 0-1.99 stands for “does not conform”, 2-2.99 stands for “partially conforms” and 3-4 for “generally conforms”).

Thailand’s quality assurance process includes both quantitative and qualitative criteria depending on the content of each assessment. For example, item 4 on “Expertise in internal audit” uses mostly quantitative indicators such as the percentage of staff with more than 3 years’ experience in internal audit and the percentage of certified internal auditors. In comparison, item 8 on “Risk assessment for audit planning” focuses on qualitative indicators related to the risk assessment process, such as coverage of risk factors, use of risk assessment results for audit planning and ability to adjust risk factors depending on the circumstances (Comptroller General's Department, 2016[11]). Using mixed types of indicators is a recommended approach that helps capture and measure the various aspects contributing to the improvement of the internal audit function as a whole.

The CGD’s quality assurance assessment aligns with the goals set forth in IIA’s Standard 1300, Quality Assurance and Improvement Programme (QAIP), which states, “The chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity” (IIA, 2017[12]). QAIPs help internal auditors to assess the efficiency and effectiveness of their work and identify areas of improvement. Moreover, they can facilitate a better understanding of risks and performance indicators, thereby aiding decision making and implementation of strategies, policies and procedures. The following are common focus areas of QAIPs:

  • Conformance with the definition of internal auditing, the code of ethics, and the standards, including timely corrective actions to remedy non-conformance.

  • Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures.

  • Contributions to the organisation’s governance, risk management, and control processes.

  • Compliance with applicable laws, regulations, and other government standards.

  • Effectiveness of continuous improvement activities and adoption of best practices (OECD, 2018[13]).

The CGD’s Internal Audit Quality Assessment is described as a collection of information about the internal audit function of government agencies. The CGD identifies the government agencies participating in the quality assurance process. After receiving relevant notice, the heads of the participating government agencies inform the internal audit function, which is asked to complete a self-assessment form and provide all supporting documents and evidence. Examples of supporting documents used in the assessment include the annual audit plan, the code of ethics, audit reports, the internal audit charter and training plans. As a next step, the CGD assesses the quality of the internal audit function based on the established criteria and the evidence provided. During this process, the internal audit function of the participating agencies continues to support the CGD by providing additional information and explanations, as necessary. Finally, the quality assessment results are analysed and reported to a committee that consists of CGD officials, as well as senior experts from the private sector, called the Public Sector Quality Assurance Committee.

As described, a key characteristic throughout Thailand’s quality assurance assessment of the internal audit function is the heavy involvement of the CGD itself. The CGD, as the central institution monitoring the internal audit function in the public sector, plays a key role in ensuring its quality. While the Public Sector Quality Assurance Committee certifies the results of the assessments, concerns about independence remain. An analogous approach is followed in some EU member countries (European Commission, 2014[14]), reflecting the tasks of central harmonisation units (CHUs) that are similar to the CGD. CHUs can go beyond overseeing, monitoring and advising public sector internal audit functions, and they may conduct external assessments of the internal audit activities of operational units. This practice has raised concerns with regard to the independence and “externality” of the CHU vis-à-vis the internal audit functions under assessment.

In 2012, the European Commission issued an opinion that stated that if a CHU’s assessment is the only one carried out, it does not satisfy the requirements of IIA’s Standards.4 According to the Commission, despite being a distinct organisational structure, the CHU’s assessment should not be considered as both external and independent in line with Standard 1312, since the CHU provides the internal audit activity with assistance and professional guidance (European Commission, 2014[14]). To address this issue, the United Kingdom, for instance, completely outsourced its external quality assurance assessments, which are carried out by an independent contractor as described in Box 2.5 (U.K. HM Treasury, 2013[15]).

In addition to full external assessments, the CGD could consider other ways to improve the independence of its quality assurance assessments for the internal audit function. For instance, it could create firewalls within its institution to ensure dedicated personnel focus entirely on the quality assessments of the internal audit function. This could be part of or in addition to CGD’s own internal audit function. For instance, Peru’s Office of the Comptroller General (Contraloría General de la República, or CGR) uses an evaluation system for assessing the maturity of internal control components. The independence and “externality” of the evaluator are also crucial in this case. Currently, the CGR has a department of internal control that is primarily responsible for assessing the degree and maturity of the internal control components within public entities (OECD, 2017[16]). Thailand could consider a similar approach in order to further ensure the independence and objectivity of its assessments.


[2] Boryczka, M., D. Bochnar and A. Larin (2019), “Guidelines for assessing the quality of internal control systems”, SIGMA Papers, No. 59, OECD Publishing, Paris, https://dx.doi.org/10.1787/2a38a1d9-en.

[11] Comptroller General’s Department (2016), Criteria for quality assurance of internal audit in the public sector.

[8] COSO (2016), Fraud Risk Management Guide, Committee of Sponsoring Organizations of the Treadway Commission, https://www.coso.org/Pages/Purchase-Guide.aspx (accessed on 13 September 2020).

[14] European Commission (2014), Public Internal Control Systems in the European Union Quality Assurance for Internal Audit, https://ec.europa.eu/budget/pic/lib/docs/pic_paper3_en.pdf.

[4] Government of Thailand (2017), Master Plan under the National Strategy on Anti-Corruption and Misconduct.

[10] IIA (2017), International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors Research Foundation, https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf.

[12] IIA (2017), Quality Assessment Manual for the Internal Audit Activity, The Institute of Internal Auditors Research Foundation, https://global.theiia.org/standards-guidance/topics/Pages/Quality-Assessment-Manual.aspx.

[9] Long, B. and J. Kanthor (2013), Self-Assessment of Internal Control Health Care: A Toolkit for Managers, United States Agency for International Development, Health Finance & Governance Project, Abt Associates Inc., https://www.hfgproject.org/toolkit-ministries-health-work-effectively-ministries-finance/.

[1] Ministry of Finance (2018), B.E. 2561: Internal Audit Standards and Ethics for Internal Auditing of Government Agencies.

[5] National Economic and Social Development Council of Thailand (2019), Fraud risk management plan for fiscal year 2019.

[13] OECD (2018), Internal Audit Manual for the Greek Public Administration, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264309692-en.

[7] OECD (2018), Multi-dimensional Review of Thailand (Volume 1): Initial Assessment, OECD Development Pathways, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264293311-en.

[6] OECD (2018), OECD Integrity Review of Thailand: Towards Coherent and Effective Integrity Policies, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264291928-en.

[16] OECD (2017), OECD Integrity Review of Peru: Enhancing Public Sector Integrity for Inclusive Growth, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264271029-en.

[3] The Dutch Ministry of Finance (March 2018), Good Financial Governance and Public Internal Control, Presentation to the OECD.

[17] The Office of the National Anti-Corruption Commission (2019), Integrity and Transparency Assessment, https://itas.nacc.go.th/file/download/113259.

[15] U.K. HM Treasury (2013), Internal Audit Quality Assessment Framework, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/204214/internal_audit_quality_assessment_framework.pdf.


← 1.  Principle 10 of the OECD’s Recommendation on Public Integrity focuses on the following objectives: 1) ensuring a control environment with clear objectives that demonstrate managers’ commitment to public integrity and public-service values, and that provides a reasonable level of assurance of an organisation’s efficiency, performance and compliance with laws and practices; 2) ensuring a strategic approach to risk management that includes assessing risks to public integrity, addressing control weaknesses (including building warning signals into critical processes) as well as establishing an efficient monitoring and quality assurance mechanism for the risk management system; 3) ensuring control mechanisms are coherent and include clear procedures for responding to credible suspicions of violations of laws and regulations, and facilitating reporting to the competent authorities without fear of reprisal.

← 2.  As of April 2020, the IIA is in the process of revising its Three Lines of Defense Model, including changing the name to the Three Lines Model and considering its applicability to the public sector. See the IIA’s website (http://bit.ly/39Y3QT1) for additional information.

← 3.  The three surveys conducted for the ITA include the following: 1) the Internal Integrity and Transparency Assessment, a self-assessment to gather employees’ perceptions about organisational culture and management; 2) the External Integrity and Transparency Assessment, an external survey focused on organisational reputation and stakeholders’ perceptions about performance; and 3) the Open Data Integrity and Transparency Assessment, an evidence-based survey that assesses the organisation’s open data activities through reviews of websites and online publications. In general, the ITA covers 10 topics for each organisational assessment, including: 1) performance effectiveness; 2) efficiency and transparency of performance budgeting; 3) legitimacy and use of powers; 4) efficiency and integrity for use of public assets and properties; 5) effectiveness of corruption mitigation measures; 6) quality of operations; 7) communications effectiveness; 8) effectiveness of performance improvement; 9) transparency of public data; and 10) corruption prevention (The Office of the National Anti-Corruption Commission, 2019[17]). The Integrity and Transparency Assessment System (ITAS) supports the data collection for the ITA to ensure timely and consistent assessments across entities.

← 4. Opinion of 13 November 2012 of the Commission’s Directorate-General for Budget addressed to the CHUs of (potential) candidate countries, qualifying European Neighbourhood Policy countries and delegates in the Public Expenditure Management Peer Assisted Learning (PEMPAL) organisation.

© OECD 2021