De Barra (2023)
De Barra (2023)
Kevin De Barra
Abstract
In recent years the role of the internal audit function has gained increasing
prominence and is now seen as a cornerstone in the overall governance of
public sector bodies. This article explores the experience of 127 public sector
bodies and illuminates key insights for public sector bodies seeking to realise
more meaningful results from the efforts currently directed towards the
internal audit function. Among the most significant research findings is the
evidence that the function is not viewed by its most key stakeholders as a
primary driver of continuous improvement. This finding identifies a
disconnect between the real-world practice of internal audit function and the
definition of the function across relevant academic literature, public policy
and practitioner guidance. The author concludes that an overemphasis on
assurance activities can be to the detriment of the other value-add functions
which the internal audit function can deliver. While currently widely viewed as
a divorced function, the real value of internal audit will only be realised by
integrating it within the organisation. Such integration will allow the sharing
of enterprise-wide learning, thus enabling the function to become a primary
driver of a permanent culture of continuous improvement.
Introduction
In recent years the role of the internal audit function has gained
increasing prominence and is now seen as a cornerstone in the overall
governance of public sector bodies. Indeed, under the Code of Practice
for the Governance of State Bodies, as laid out by the Department of
25
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 26
26 KEVIN DE BARRA
28 KEVIN DE BARRA
Research methodology
This study set out to explore how the internal audit function is
executed in practice in the Irish public sector. A comprehensive review
of the literature on internal audit, through the theoretical lens of
agency theory, identified six key themes relating to the execution of
the function, which merited further exploration. Based on these
themes, a framework of analysis emerged, and twenty research topics
were identified, which informed the research design of this study. A
non-experimental cross-sectional design was developed, and an
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 30
30 KEVIN DE BARRA
Research findings
At the core of this research study was a desire to learn more about the
real-world execution of the internal audit function in the Irish public
sector. The key findings from the study are presented here, and their
significance and implications are further considered in the next
section.
Among the most significant findings from the study was the
discovery that the prevalence of outsourcing in the Irish public sector
is more than 2.5 times the global public sector average, with over
84 per cent of Irish public sector organisations employing an
outsourced function. While partnering, co-sourcing and partially
outsourcing models do exist, the most typical model applied by the
organisations in the Irish public sector is one where the internal audit
function is wholly outsourced to a private firm. Two specific high-
profile firms provide the internal audit function in over half of Irish
public sector agencies, with the remaining agencies engaging a small
pool of other firms. This experience of drawing from a small pool is
similar to that reported by Selim & Yiannakas (2000, p. 221), who
found that of those public sector bodies in the UK that had outsourced
their internal audit function to some degree, almost 65 per cent
engaged one of what were then known as the ‘Big Five’ public
accounting firms.
In general, individual public sector organisations consume around
fifty days of internal audit activity per year. Adherence to the IIA
standards is high across the sector. The study reveals that the
allocation of resources is clearly stacked towards the provision of
assurance rather than consulting. Traditional accounting and auditing
skills are by far the most dominant skill background among internal
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 31
audit teams within the Irish public sector, which can lead to challenges
due to a lack of real knowledge or understanding of the business or
operations of the public sector organisation.
Alignment of the internal audit function to the organisation’s
strategic plan is an indicator of internal audit maturity and ensures a
synergy between the work of the unit and the overall organisation. The
evidence suggests strong and deliberate alignment between internal
audit strategies and the organisation’s strategic plan across the Irish
public sector, with results tracking well ahead of global norms. Most
organisations operate to a three-year internal audit strategy, with
annual plans which are then updated once or twice per year. While
such strong alignment to the overall strategic planning mechanisms
can only be regarded as positive, the results of the study do raise a
concern over a potential disconnect between the internal audit
function and the implementation of the general risk-management
framework, characterised by the remarkably low level of respondents
(3 per cent) who indicated that their internal audit strategy is informed
by the corporate risk register. When compared to the global norms,
the contrast is particularly stark, with 85 per cent of respondents to
CBOK 2015 indicating that they employed a risk-based methodology
to develop their internal audit strategy.
Whereas a risk-based methodology is the primary driver in
developing an internal audit strategy in other jurisdictions, the Irish
public sector relies most significantly on requests from its audit
committee, analysis of its organisational strategy or business
objectives, and compliance or regulatory requirements. For those who
fully outsource their internal audit function, consultation with the
parent department is not a major factor (13 per cent) in developing
their internal audit strategy, whereas this is as high as 60 per cent
among respondents representing a partially outsourced model. A
consequence of the prevalence across the Irish public sector of
outsourcing the internal audit function to private firms is evident in
the high number of organisations that had limited knowledge of their
internal auditing procedures. The areas that the internal audit
function is most likely to review include the system of internal
financial controls, followed by review of operational matters, risk
management assurance/effectiveness and corporate governance.
The Three Lines of Defence Model, in which internal audit is
positioned as an independent and separate function in the third line of
defence, is considered by the IIA to be good practice from the
perspective of independent assurance. Management acts as the first
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 32
32 KEVIN DE BARRA
34 KEVIN DE BARRA
36 KEVIN DE BARRA
38 KEVIN DE BARRA
which they deem too sensitive to share with internal audit, with
smaller organisations – those with fewer than 75 staff – being much
more likely to deem documents to be too sensitive to share with
internal audit.
Risk-management processes are well established and mature across
the sector; however, the evidence suggests that these processes have
not been well integrated with the internal audit function, and are
viewed as stand-alone or divorced functions, a consequence of which
is that obvious synergies are not being exploited. This is most clearly
portrayed in the extremely low level (3 per cent) of public sector
bodies whose internal audit strategy is informed by the corporate risk
register. This finding corroborates the findings of Coetzee (2016), who
investigated the contribution of the internal audit function to risk
management in the South African public sector and found that
internal audit functions fail to incorporate the risks of the organisation
appropriately into internal audit-engagement plans. The results also
present a cause for concern as to whether due diligence is being
effectively exercised, with more than one in three internal audit
functions in the Irish public sector not formally updating their risk
assessments in some way over the course of a year.
The Code of Practice which introduced an emphasis on an overall
system of internal control, replacing the more traditional focus on the
system of internal financial control, has been in place since 2016;
however, the evidence suggests that the primary concern of the
internal audit function remains focused on the system of internal
financial control. Use of technology is not being optimised by the
public sector in relation to its internal audit function, with only 5 per
cent of internal audit functions using extensive technology across the
entire audit process, including data mining and analysis. Furthermore,
almost one in three Irish public sector bodies use only manual systems
and processes, which signals a general lack of maturity of the internal
audit function. Use of technology is further developed, however, in
relation to risk management, but is far from being optimised. While
some bodies have begun to use specific software designed to manage
risk information, most still rely on spreadsheet or database software to
maintain their risk assessments. An appropriate focus on the
incorporation of QAIPs within internal audit functions has not been
achieved across the sector. While 86 per cent of public sector bodies
monitor and review the effectiveness of their internal audit unit, there
is a tendency for this to be undertaken in an informal manner, with
over one in five having no formal performance measures established,
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 39
40 KEVIN DE BARRA
widely to allow work streams and operational units that have not been
audited to learn from the experience of those that have. The shared-
services approach would also lead to enhanced career-development
opportunities within the public sector internal audit function, and over
time might address the current failing of the internal audit function to
develop a good understanding of the business operations of the
individual agencies. The downside of such an approach would be that
individual organisations might have less autonomy to tailor the
approach adopted to suit their individual requirements, and this
approach does not necessarily help to overcome the challenge of the
function being seen as separate, stand-alone or divorced from other
internal units. Similarly, such an approach might make individual
organisations and their audit and risk committees feel that they were
moving from being policy-makers to policy-takers in relation to
internal audit, that they were no longer driving this function, but
rather that their internal controls were being subjected to external
assessment.
Establishing a new agency to provide internal audit services across
the public sector might also give rise to practical issues. Given the
current buoyant market for employees from auditing backgrounds in
the private sector, it might prove difficult to source and retain strong
talent. According to Mubako (2019, p. 532), the practice of out-
sourcing has been fuelled by an increase in the demand for internal
auditors worldwide, and Sanglier (2015) suggests that the demand for
internal auditors has risen significantly while the number of candidates
seeking roles in internal audit has fallen. Also, given that so many
public sector bodies rely on the internal audit function to provide
assurance in relation to submissions that are driven by the same
statutory deadlines, it might be challenging to manage capacity in a
way that addresses the inevitable peaks and troughs in demand over a
calendar year. In executing its external audit function, the C&AG
relies on the private market to address temporary capacity demands
driven by shared statutory deadlines across the entire sector, with a
number of external audits for recent financial years being outsourced
to private firms. In doing so, the C&AG is drawing from the same
resource well and the same small pool of private firms currently
servicing the internal audit needs of the sector. Similar capacity
challenges would likely arise if a new agency were established for
internal audit.
Finally, the question of cost-benefit analysis arises. Considering
that the single agency model would not be on the basis of profit
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 42
42 KEVIN DE BARRA
maximisation, and assuming that the current model is costing the state
in the region of €6.5 million per year, it would be reasonable to
assume that centralisation would bring with it economies of scale,
which might achieve lower operational costs. With a starting base as
low as €6.5 million, and bearing in mind that it would require the
coordination and buy-in of up to 127 organisations, with the
accompanying administrative burden and change management
transformational processes this would entail, a back-of-an-envelope
exercise would quickly dismiss this to be a non-runner. Potential
savings would be extremely limited and almost insignificant in the
context of the totality of the collective annual budgets. Furthermore,
it is worth noting that while the internal audit activity can be
outsourced, the literature and professional guidance reminds us that
the associated responsibilities cannot be successfully devolved to an
external party. The other alternative to outsourcing is that agencies
would establish their own internal units to satisfy their internal audit
requirements, but with the average consumption currently at only fifty
days per annum, this is not a feasible option, as it would not merit
hiring specific talent to staff the function. Splitting the role, whereby a
staff member is part-time internal auditor while also having other
responsibilities elsewhere in the organisation, would also be
problematic as it would erode the objectivity and independence
required for the role.
Having considered, and dismissed, the alternative options, the most
viable option available is to continue with the current model, whereby
the function is directed by the organisation, but the service is provided
by the open market, albeit by a very small pool of competitors. To
continue with the current outsourced model does not mean that it
cannot be improved, and the results of this study give food for thought
for practitioners and senior decision-makers across several areas
relevant to maximising the performance and impact of the internal
audit function. Key areas of focus should include the appropriate
integration with risk-management processes and the application of a
risk-based approach to internal auditing transparency and informa-
tion-sharing, ensuring that audit recommendations are appropriately
enacted and improving the use of technology. The final area for
decision-makers and practitioners to reflect on is arguably the greatest
challenge relevant to the internal audit function, and is not unique to
the public sector, and that is how to leverage audit findings for
enterprise-wide improvements. Decision-makers and practitioners
alike must begin to understand that a preoccupation with assurance
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 43
Conclusion
This study set out to explore how the internal audit function is
executed in practice in the Irish public sector. The research findings
address an identified gap in the literature and offer a practical
contribution to knowledge, by providing a comprehensive account of
how the internal audit function is currently being executed across a
broad range of public sector bodies in the Republic of Ireland whose
purpose, size and structure vary greatly.
Among the most significant findings from this research is the
evidence that the function is not viewed by its most key stakeholders
as a primary driver of continuous improvement within their
organisations, which causes its real-world implementation to conflict
with its very definition. This finding conflicts with the accepted
definition of internal auditing, and identifies a disconnect between the
real-world practice of internal audit function and the relevant
academic literature, public policy and practitioner guidance.
The study shows widespread adoption of outsourcing of internal
auditing services across the sector. Having considered the various
resourcing models currently employed, along with further potential
models from other jurisdictions, the author concludes that the practice
of outsourcing the internal audit function to a small pool of private
firms is here to stay.
Overall, the research shows both some of the strengths of internal
audit practice in the Irish public sector and also some of the
opportunities, related both to structures and to practices, to enhance
internal audit practice to add greater value to the activities of public
sector bodies in Ireland.
Further information
This article stems from research undertaken as part of a Doctorate in
Governance, which was supervised by Professor Colin Scott and Dr
Michael Mulreany. For further information in relation to this research
study, please see De Barra (2022).
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 44
44 KEVIN DE BARRA
References
Coetzee, P. (2016). Contribution of internal auditing to risk management:
Perceptions of public sector senior management. The International Journal
of Public Sector Management, 29(4), 348–64.
De Barra, K. (2022). Understanding the internal audit function in the Irish public
sector. Dublin: Institute of Public Administration.
Department of Public Expenditure and Reform. (2011). Public service reform
plan 2011–2013. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2012a). Internal audit
standards. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2012b). The public spending
code. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2014). Public service reform
plan 2014–2016. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2016a). Code of practice for
the governance of state bodies. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2016b). Ireland’s open
government partnership national action plan 2016–2018. Dublin: The
Stationery Office.
Department of Public Expenditure and Reform. (2018). Internal audit
standards for government departments and offices. Dublin: The Stationery
Office.
Department of Public Expenditure and Reform. (2019). Update of the Public
Spending Code (PSC), guidelines for the use of public private partnerships
(PPPs) and related rules. www.gov.ie/en/circular/716f16-update-of-the-
public-spending-code-psc-guidelines-for-the-use-of-pub/
Institute of Internal Auditors. (2011). Supplemental guidance: Public
sector definition. https://global.theiia.org/standards-guidance/Public per
cent20Documents/Public per cent20Sector per cent20Definition.pdf
Internal Audit Foundation. (2015). Internal Audit Common Body of Knowledge
global practitioner survey 2015. [Electronic data set received in April 2021.]
Internal Audit Foundation.
Mubako, G. (2019). Internal audit outsourcing: A literature synthesis and
future directions. Australian Accounting Review, 29(3), 532–45.
Sanglier, T. C. (2015). The versatile auditor. Internal Auditor, 72(4), 41–5.
Selim, G., & Yiannakas, A. (2000). Outsourcing the internal audit function:
A survey of the UK public and private sectors. International Journal of
Auditing, 4(3), 213–26.