0% found this document useful (0 votes)
25 views20 pages

De Barra (2023)

Uploaded by

Daniela Minas
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
25 views20 pages

De Barra (2023)

Uploaded by

Daniela Minas
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

04 De Barra article.qxp_Vol. 71 No.

4 19/12/2023 19:08 Page 25

Administration, vol. 71, no. 4 (2023), pp. 25–44


doi: 10.2478/admin-2023-0024

Making internal audit count

Kevin De Barra

Abstract
In recent years the role of the internal audit function has gained increasing
prominence and is now seen as a cornerstone in the overall governance of
public sector bodies. This article explores the experience of 127 public sector
bodies and illuminates key insights for public sector bodies seeking to realise
more meaningful results from the efforts currently directed towards the
internal audit function. Among the most significant research findings is the
evidence that the function is not viewed by its most key stakeholders as a
primary driver of continuous improvement. This finding identifies a
disconnect between the real-world practice of internal audit function and the
definition of the function across relevant academic literature, public policy
and practitioner guidance. The author concludes that an overemphasis on
assurance activities can be to the detriment of the other value-add functions
which the internal audit function can deliver. While currently widely viewed as
a divorced function, the real value of internal audit will only be realised by
integrating it within the organisation. Such integration will allow the sharing
of enterprise-wide learning, thus enabling the function to become a primary
driver of a permanent culture of continuous improvement.

Keywords: Internal audit, governance

Introduction
In recent years the role of the internal audit function has gained
increasing prominence and is now seen as a cornerstone in the overall
governance of public sector bodies. Indeed, under the Code of Practice
for the Governance of State Bodies, as laid out by the Department of

25
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 26

26 KEVIN DE BARRA

Public Expenditure and Reform (DPER, 2016a), the board of each


public body is required to have an internal audit unit operating to the
international standards of the Institute of Internal Auditors (IIA) or
equivalent professional standard. The manner in which the internal
audit function is executed can, however, differ greatly from one public
body to another.
The discussion in this article is based on a research study
undertaken by the author in 2020/1. Emerging themes are firstly drawn
from the literature and their impact on the execution of the internal
audit function is explored. Following on from this research section, the
methodology for the research undertaken is described. The research
design allowed for a range of themes and practices to be explored and
understood. Analysis of these findings are then set out alongside the
data set derived from the Internal Audit Common Body of Knowledge
Global Stakeholder Survey 2015 (CBOK) (Internal Audit Foundation,
2015), which allows for benchmarking of the Irish context against
international experience. This approach supports a greater depth of
understanding of the findings of the Irish study and provides an
accurate picture of internal audit in the Irish public sector compared
to global norms.

Evolution of the internal audit function in the Irish public


sector
The public sector can be defined in many ways. However, in general
terms, it can be understood, as defined by the IIA, to consist of
‘governments and all publicly controlled or publicly funded agencies,
enterprises, and other entities that deliver public programs, goods, or
services’ (IIA, 2011, p. 3). Within this study, public sector bodies refer
to those public organisations that work on behalf of the government to
deliver public programmes, goods or services, but exist as separate
organisations in their own right, possibly as distinct legal entities, and
operate with a partial degree of operational independence. They are
often, but not necessarily, governed by a board of directors, council,
commission or other appointed body. While a common code of
practice sets the broad operating context for the sector, including the
required standards of corporate governance, this sector does not
represent a homogeneous group. The diversity of this sector,
depending on type, nature and governance structures of the individual
bodies, can lead to practice variations in how particular functions,
including internal audit, are executed.
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 27

Making internal audit count 27

The Central Statistics Office maintains a detailed register of public


sector bodies in Ireland. This register is reviewed and updated
regularly, as government-controlled bodies are established, closed and
merged over time. For most public bodies, the governing legislation
which established the body sets out that the CEO, or equivalent, is
accountable to the Public Accounts Committee of the Oireachtas on
the basis that the financial statements of the public body are first
audited by the state’s supreme audit institution (SAI) and then laid
before the Houses of the Oireachtas. The external audit, conducted by
the Office of the Comptroller and Auditor General (C&AG), in its
role as SAI, is an independent examination of the financial statements.
The mission of the C&AG, as external auditor, is to provide
independent assurance that public funds and resources are used in
accordance with the law, managed to good effect and properly
accounted for, and to contribute to improvement in public
administration. While the role of the external auditor is well
understood, and clearly set out in legislation, the role of the internal
audit function is set out within the provisions of a code of practice and,
as such, it is open to a greater degree of interpretation, which gives rise
to a level of practice variation in terms of its execution.
The internal audit function has developed alongside a raft of public
sector reform initiatives spanning over two decades, but with limited
deliberate integration through central policies. While the Irish public
sector has established a performance management and enhanced
accountability framework, which it continues to refine, many of the
initiatives that have contributed to this overall framework are
surprisingly silent on the role of the internal audit function. A range of
central policies and initiatives, which were implemented to enhance
accountability, governance and performance management across the
sector, have not identified specific roles or responsibilities for the
internal audit function. Under the Public Spending Code (DPER,
2012b), public sector bodies are obliged to treat public funds with care,
and to ensure that the best possible value for money is obtained
whenever public money is being spent or invested. As the areas on
which this code focuses (which include evaluating, planning and
managing current expenditure, quality assurance processes, value-for-
money reviews and focused policy assessments) fall so firmly within
the potential remit of the internal audit function, with the benefit of
hindsight it appears a missed opportunity that a specific role was not
identified for the internal audit function. A further evolution of this
guidance (DPER, 2019) introduces a new project life cycle, tightens
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 28

28 KEVIN DE BARRA

the arrangements for project decision-making and clarifies the roles of


parties involved, but again remains silent on any particular role for the
internal audit function.
Ireland’s Open Government Partnership National Action Plan 2016–
2018 (DPER, 2016b) includes commitments to make the state more
transparent, more accountable and more inclusive in how it reaches
decisions, delivers services and communicates with its citizens. Once
again there was an opportunity to explicitly call out a role for the
internal audit function, given that this plan includes a commitment to
increase accountability, which requires public bodies to assess their
financial results in the context of the achievement of service-delivery
objectives and requires reporting of non-financial as well as financial
information about service delivery activities, achievements and/or
outcomes during the reporting period. Through this plan, the
compilation of relevant and meaningful performance information may
have received a new-found emphasis. However, no particular role has
been identified for the internal audit function in this regard. A further
example of a missed opportunity for integration of the internal audit
function was the omission of a defined role for this function in the
public service reform plans (DPER, 2011, 2014). These reform plans
set the scene for the management of the relationship between
departments and bodies under their aegis through specific
performance delivery agreements (PDAs). A very valuable contribu-
tion could have been called out for the internal audit function in
monitoring ongoing performance against the agreed PDAs.
Rather than stitching the role of the internal audit function into the
operational fabric of the public sector in an integrated fashion, instead
the function has been defined and developed in a stand-alone manner.
In 2012 DPER published its Internal Audit Standards (DPER, 2012a),
which comprised the ‘Definition of Internal Auditing’, the ‘Code of
Ethics’ and the ‘Standards’ issued by the global professional body, the
IIA. In response to a revised set of standards issued by the IIA with
effect from January 2017, DPER issued its Internal Audit Standards for
Government Departments and Offices in December 2018, which
updated its 2012 guidance. These new standards comprise the ‘Mission
of Internal Audit’, the ‘Definition of Internal Auditing’, the ‘Core
Principles for the Professional Practice of Internal Auditing’, the
‘Code of Ethics’ and the ‘International Standards for the Professional
Practice of Internal Auditing’, issued by the IIA. The published
document is addressed to accounting officers, management board and
audit committee members, heads of internal audit, internal auditors
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 29

Making internal audit count 29

and their customers, as well as external audit providers and other


stakeholders. The IIA standards have been adopted without
amendment for the purposes of the practice of internal audit in the
central government sector and will be updated in line with any future
revisions by the IIA. The revised standards from DPER set out to
define the nature of internal auditing within central government; to set
basic principles for carrying out internal audit in central government;
to establish a framework for providing internal audit services, which
add value to the organisation, leading to improved organisational
processes and operations; and to establish the basis for the evaluation
of internal audit performance and to drive improvement planning.
While the lack of integration of internal audit within central
policies could leave the function isolated, equally it is worth
considering whether an overly prescriptive role assigned by central
government could conflict with the independence of the function to
survey its own universe and set its own objective audit plan to focus on
areas it identifies as most relevant. In an effort to retrospectively
balance the lack of integration, the Code of Practice sets broad
operating parameters for the function, and seeks to create linkages to
other central policies; for example, by reminding stakeholders that in
planning, executing and reporting its work, the internal audit unit
should ensure that value-for-money auditing receives adequate
attention based on the principles and provisions of the Public Spending
Code (DPER, 2012b). The most significant change for the function,
arising from the Code of Practice, is a broadening of scope from the
traditional approach, which centred on assurances related to the
system of internal financial control, to a wider focus to include the
overall system of internal control, thus expanding the narrow focus
away from merely financial matters and bringing into scope all aspects
of the public body’s operations.

Research methodology
This study set out to explore how the internal audit function is
executed in practice in the Irish public sector. A comprehensive review
of the literature on internal audit, through the theoretical lens of
agency theory, identified six key themes relating to the execution of
the function, which merited further exploration. Based on these
themes, a framework of analysis emerged, and twenty research topics
were identified, which informed the research design of this study. A
non-experimental cross-sectional design was developed, and an
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 30

30 KEVIN DE BARRA

appropriate sample frame was selected, comprising principals and


agents, primarily representing board chairpersons and CEOs, in 127
selected public sector bodies in the Republic of Ireland. Participants
completed a highly structured online questionnaire, which included
several questions deliberately crafted to allow for international
benchmarking against the results of CBOK 2015 (Internal Audit
Foundation, 2015). With 134 valid responses received, the final sample
represented 95 of the 127 public sector bodies (75 per cent), with a
ratio between principal and agent within the sample of 2:3. Data were
analysed using a series of analytical methods and techniques within
IBM Statistical Package for the Social Sciences 24 (SPSS).

Research findings
At the core of this research study was a desire to learn more about the
real-world execution of the internal audit function in the Irish public
sector. The key findings from the study are presented here, and their
significance and implications are further considered in the next
section.
Among the most significant findings from the study was the
discovery that the prevalence of outsourcing in the Irish public sector
is more than 2.5 times the global public sector average, with over
84 per cent of Irish public sector organisations employing an
outsourced function. While partnering, co-sourcing and partially
outsourcing models do exist, the most typical model applied by the
organisations in the Irish public sector is one where the internal audit
function is wholly outsourced to a private firm. Two specific high-
profile firms provide the internal audit function in over half of Irish
public sector agencies, with the remaining agencies engaging a small
pool of other firms. This experience of drawing from a small pool is
similar to that reported by Selim & Yiannakas (2000, p. 221), who
found that of those public sector bodies in the UK that had outsourced
their internal audit function to some degree, almost 65 per cent
engaged one of what were then known as the ‘Big Five’ public
accounting firms.
In general, individual public sector organisations consume around
fifty days of internal audit activity per year. Adherence to the IIA
standards is high across the sector. The study reveals that the
allocation of resources is clearly stacked towards the provision of
assurance rather than consulting. Traditional accounting and auditing
skills are by far the most dominant skill background among internal
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 31

Making internal audit count 31

audit teams within the Irish public sector, which can lead to challenges
due to a lack of real knowledge or understanding of the business or
operations of the public sector organisation.
Alignment of the internal audit function to the organisation’s
strategic plan is an indicator of internal audit maturity and ensures a
synergy between the work of the unit and the overall organisation. The
evidence suggests strong and deliberate alignment between internal
audit strategies and the organisation’s strategic plan across the Irish
public sector, with results tracking well ahead of global norms. Most
organisations operate to a three-year internal audit strategy, with
annual plans which are then updated once or twice per year. While
such strong alignment to the overall strategic planning mechanisms
can only be regarded as positive, the results of the study do raise a
concern over a potential disconnect between the internal audit
function and the implementation of the general risk-management
framework, characterised by the remarkably low level of respondents
(3 per cent) who indicated that their internal audit strategy is informed
by the corporate risk register. When compared to the global norms,
the contrast is particularly stark, with 85 per cent of respondents to
CBOK 2015 indicating that they employed a risk-based methodology
to develop their internal audit strategy.
Whereas a risk-based methodology is the primary driver in
developing an internal audit strategy in other jurisdictions, the Irish
public sector relies most significantly on requests from its audit
committee, analysis of its organisational strategy or business
objectives, and compliance or regulatory requirements. For those who
fully outsource their internal audit function, consultation with the
parent department is not a major factor (13 per cent) in developing
their internal audit strategy, whereas this is as high as 60 per cent
among respondents representing a partially outsourced model. A
consequence of the prevalence across the Irish public sector of
outsourcing the internal audit function to private firms is evident in
the high number of organisations that had limited knowledge of their
internal auditing procedures. The areas that the internal audit
function is most likely to review include the system of internal
financial controls, followed by review of operational matters, risk
management assurance/effectiveness and corporate governance.
The Three Lines of Defence Model, in which internal audit is
positioned as an independent and separate function in the third line of
defence, is considered by the IIA to be good practice from the
perspective of independent assurance. Management acts as the first
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 32

32 KEVIN DE BARRA

line of defence (owning the processes, controls and risks); various


support functions, including risk management, internal control and
compliance, are the second line of defence (monitoring the processes
as well as its risks and controls); and internal audit represents the
independent third line of defence. The evidence from this study
confirmed that almost two in every three organisations in the Irish
public sector currently follow the Three Lines of Defence Model. A
related, and much less encouraging, statistic, however, is that over
25 per cent of respondents were unfamiliar with this established
model. The levels of unfamiliarity with the Three Lines of Defence
Model, which were more pronounced in smaller organisations, are
concerning as they indicate a potential lack of understanding among
key stakeholders across the sector as to the very basis of the role of the
internal audit function.
The experience of the Irish public sector in relation to risk-
management processes and procedures is particularly positive.
Worldwide, less than half of public sector bodies with internal audit
functions also have formal risk-management processes and procedures
(Internal Audit Foundation, 2015). The Irish public sector is well
ahead of this global norm, as over 97 per cent of public sector bodies
have formal risk-management processes and procedures in place, with
almost 35 per cent having a formal enterprise risk-management
process with a chief risk officer in place. The study revealed interesting
insights as to the areas of responsibility of the internal audit function
related to risk management. Best-practice guidance from the IIA
proposes that the internal audit function should provide assurance on
risk management as a whole, not just on individual risks. Irish public
sector bodies were found to be operating ahead of the global norm in
this regard, with 65 per cent of Irish public sector bodies indicating
that their internal audit has responsibility for risk management as a
whole, as compared to the global average of 41 per cent. At almost 46
per cent, the percentage of internal audit units within the Irish public
sector who have responsibility for providing assurance on individual
risks is higher than the global norm, whereas with 32 per cent of
internal audit functions having responsibility for advice and consulting
on risk-management activities, the Irish public sector is severely
lagging behind the global norm of 53 per cent.
The application of a risk-based approach to auditing has been
commonplace for many years. The results of this study reveal an Irish
public sector underpinned by well-established and mature risk-
management processes; however, upon further investigation of the
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 33

Making internal audit count 33

risk-assessment information relied upon by the internal audit function,


as a foundation for their activities, cracks begin to emerge. The
experience of the Irish public sector diverges quite significantly from
the experience of internal audit functions worldwide, with the most
common approach for internal audit functions in the Irish public
sector being to rely upon a comprehensive risk-assessment performed
by management (61.1 per cent), and the second most common
approach being a focused risk assessment conducted by internal audit
(17.9 per cent). The divergence from the public sector global norm –
where less than 29 per cent of internal audit functions worldwide rely
on management’s risk assessments – may be related to the high
prevalence of outsourced service-providers, and perhaps points to a
reluctance by management to involve the private providers overly in
the management of risk. When considered alongside the earlier
finding that the corporate risk register is rarely used to inform the
internal audit strategy, it conveys an approach that views the internal
audit function as being a stand-alone function, and indicates a
potential widespread lack of integration between risk management
and the internal audit function across the sector.
In the Irish public sector 81 per cent of internal audit functions
perform risk assessments. While 28 per cent of these risk assessments
are deemed as continuous, and 37 per cent are undertaken on an
annual basis with periodic formal updates, this leaves 35 per cent of
internal audit functions that either are not considering how risks
change within the year or are doing so informally. The fact that more
than one in three internal audit functions in the Irish public sector are
not formally updating their risk assessments in some way over the
course of a year raises questions as to whether due diligence is being
effectively exercised. Within this cohort, it is interesting to note that
almost three-quarters have their internal audit function outsourced
wholly to a private firm. Having such a large cohort of organisations
within the Irish public sector whose internal audit functions do not
formally update their risk assessments begs the question as to whether
this activity is occurring elsewhere in the organisation, perhaps being
undertaken directly by management, or simply not happening at all.
Furthermore, stakeholders such as the audit and risk committee may
assume that emerging and changing risks are being considered by
internal audit in a timely manner, when this might not be the case.
Considering the example of 2020, where the operating environment
was heavily and very quickly impacted by an unexpected pandemic,
those who fail to undertake formal processes to update their risk
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 34

34 KEVIN DE BARRA

assessments may be exposed and will not be in a position to be


sufficiently nimble to react appropriately to changes.
The IIA considers the use of technology to be an indicator of
internal audit department maturity. Within the Irish public sector, less
than half of internal audit functions use specific software designed to
manage risk information, with the other half relying on spreadsheet or
database software to maintain their risk assessments. In this study the
Irish public sector was found to lag behind global norms in relation to
the use of technology to support internal audit processes, with only 5
per cent of internal audit functions using extensive technology across
the entire audit process, including data mining and analysis. Almost
one in three Irish public sector bodies – over 32 per cent – reported
using only manual systems and processes, which signals a general lack
of maturity of the internal audit function.
The overall level of development of quality assurance and
improvement programmes (QAIPs) within the internal audit function
of the Irish public sector is immature. At one end of the spectrum,
almost one-third (29 per cent) of public sector bodies have a well-
developed system in place; however, an equal number at the opposite
end of the spectrum have either no system or an ad hoc system in
place. The largest cohort (42 per cent) rests in the middle and deems
this function to be under development. QAIPs evaluate how the
internal audit function conforms to relevant policies, procedures and
standards, and are intended to enhance the quality and value of
internal audit services. Such programmes are a specific requirement of
the IIA standards, to which 87 per cent of Irish public sector bodies
claim to adhere. While the Irish experience is broadly in line with the
global norm, considering that so few bodies have a well-developed
QAIP in place, the real level of conformance to, or indeed
understanding of, the IIA standards amongst the Irish public sector is
called into question.
Ensuring that audit recommendations are enacted is one of the
greatest ways that an internal audit function can add value to an
organisation, but it is also one of the more challenging aspects of the
function in trying to bring about real change by providing ongoing
levels of scrutiny and follow-up in areas that are often, to a large
degree, outside of the function’s direct control. In the Irish public
sector, where the internal audit function is so often outsourced, the
responsibility to follow up on audit recommendations most frequently
rests with the business-process owners. Where the internal audit
function has a role in follow-up, this can often simply be a case of
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 35

Making internal audit count 35

asking management to confirm implementation of recommendations,


without any formal testing. Several factors are potentially at play here,
and chief among them, without doubt, are questions of operating
models and resource allocation, but ultimately this points to myriad
challenges for an outsourced function to effect meaningful change
within the inner workings of an organisation. This approach dilutes the
potential value of the internal audit function, and points to an overall
lack of buy-in by the organisation, with the function being viewed as an
add-on, rather than being fully empowered to add real value. A further
challenge arises in that seeking to embed the internal audit function in
the ongoing operations of the organisation also risks spreading
resources too thinly, thus decreasing the overall value being added
elsewhere.
Access arrangements within organisations provide useful insight
into levels of transparency and trust, and a general sense of how
embedded the internal audit function is within the organisation. While
the results of the study were generally positive towards providing
unfettered access to the internal audit function to key documentation
and personnel, there exists a reluctance to make all documents/
personnel available all of the time. Overall, one-fifth (20 per cent) of
public sector bodies hold documents which they deem too sensitive to
share with internal audit, with smaller organisations (<75 staff) being
much more likely to deem documents to be too sensitive to share with
internal audit. This result points towards a lack of transparency
between public sector bodies, particularly smaller bodies, and their
internal audit function, which raises questions surrounding trust and
confidence.
Following a similar thread relating to transparency, regular
attendance by the head of internal audit at meetings of the public
sector body’s audit and risk committee was investigated as a potential
indicator of an open and well-functioning relationship between the
parties. The internal audit function was found to be represented at
between 76 and 100 per cent of audit and risk committee meetings in
over half of Irish public sector bodies. In almost one-quarter (24 per
cent) of cases, attendance falls to 0–25 per cent of meetings, with a
further 20 per cent attending 26–50 per cent of committee meetings.
When frequency of attendance at audit and risk committees was cross-
tabulated with the model of internal audit employed, it became
apparent that the closer the model was to in-house, the more frequent
the attendance at committee meetings. Assuming that regular
attendance by the internal audit representatives at meetings of the
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 36

36 KEVIN DE BARRA

audit and risk committee is a legitimate indicator of an open and well-


functioning relationship between the parties, the evidence suggests
that this relationship is affected by the model of internal audit function
employed.
This study revealed the internal audit activities believed to bring the
most value within the Irish public sector from the perspective of senior
decision-makers. Results were firstly mapped against the IIA’s ‘value
proposition’, which focuses on three core elements of value delivered
by internal auditing to an organisation – assurance, insight and
objectivity – and were then also compared to the results of CBOK
(Internal Audit Foundation, 2015). While it is not surprising to see
‘assuring the adequacy and effectiveness of the internal control
system’ topping the poll as the most commonly selected activity, the
margin of more than 21 percentage points between it and the second
most frequently selected option was remarkable. All of the top five
activities identified in this study as adding most value represent
assurance activities, which underscores the position of a higher
recognition among the Irish public sector of the value of assurance
activities relating to the internal audit function, with less importance
being placed on objectivity and insight activities.
The study discovered that 86 per cent of public sector bodies
monitor and review the effectiveness of their internal audit unit, with
the most common methods of measurement including ‘percentage of
audit plan complete’, ‘timely closure of audit issues’ and ‘completion
of mandated coverage’, which are also among the top-ranked
selections within the corresponding global study. Further analysis of
this topic reveals a distinct cause for concern, however, with over one
in five Irish public sector bodies indicating that no formal measures to
evaluate performance have been established. The absence of such
measures make it more difficult to conform to the relevant IIA
standards (‘1311: Internal Assessments’), which require the conduct-
ing of periodic assessments to evaluate conformance with the Code of
Ethics and the IIA standards, but more fundamentally these bodies
risk not knowing or understanding the quality of return on their
efforts.

Significance and implications of the findings


The study set out to understand how the internal audit function is
executed in practice in the Irish public sector. It also sought to provide
insights into whether the role of the internal audit function, as
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 37

Making internal audit count 37

currently executed, is perceived to add value, provide sufficient


assurance or drive continuous improvement.
The results of this study paint a picture of an Irish public sector in
which the internal audit function is largely outsourced to a small pool
of private firms. Most value is placed by senior decision-makers on the
assurance activities undertaken by the internal audit function, with less
importance given to objectivity or insight activities. Results indicate a
lack of familiarity among senior decision-makers as to the procedures
in place within their own internal audit function, but also a lack of
familiarity with recognised standards and best practice, which is most
notable in the fact that over 25 per cent of public sector bodies are
unfamiliar with the established Three Lines of Defence Model.
Due perhaps in part to the prevalence of outsourcing and an
associated deficiency of a well-developed knowledge or understanding
of the business or operations, the function can often be disconnected
from other aspects of the organisation. This disconnect and lack of
understanding is a double-edged sword. On the one hand, senior
decision-makers might not have sufficient respect for, or
understanding of, how the internal audit function could be used to
realise meaningful value. On the other hand, the internal auditors,
being outsourced and isolated from other parts of the organisation, do
not have sufficient knowledge of business operations or sufficient
influence to insert themselves fully in the inner processes of the
organisation. Practical challenges present as a result of this disconnect,
and frequently the responsibility to follow up on audit recommenda-
tions rests solely with the business process owners. Often the only
follow-up undertaken by the internal audit function is to ask
management to confirm implementation of recommendations,
without any formal testing. This can be perceived as a tick-box
exercise, which does not add tangible value and serves to reduce
further the credibility of the internal audit function. An even more
concerning finding, however, is that in over one-quarter of public
sector bodies the responsibility to monitor the implementation of
corrective actions rests with the audit committee, a committee which,
due to its being deliberately removed from day-to-day operations, is
unlikely to be in a position to ensure that audit recommendations are
effectively and appropriately followed through.
While access to key documentation and personnel is generally quite
good, there exists a reluctance to make all documents or personnel
available to the internal audit function all of the time. Overall,
one-fifth (20 per cent) of public sector bodies hold documents
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 38

38 KEVIN DE BARRA

which they deem too sensitive to share with internal audit, with
smaller organisations – those with fewer than 75 staff – being much
more likely to deem documents to be too sensitive to share with
internal audit.
Risk-management processes are well established and mature across
the sector; however, the evidence suggests that these processes have
not been well integrated with the internal audit function, and are
viewed as stand-alone or divorced functions, a consequence of which
is that obvious synergies are not being exploited. This is most clearly
portrayed in the extremely low level (3 per cent) of public sector
bodies whose internal audit strategy is informed by the corporate risk
register. This finding corroborates the findings of Coetzee (2016), who
investigated the contribution of the internal audit function to risk
management in the South African public sector and found that
internal audit functions fail to incorporate the risks of the organisation
appropriately into internal audit-engagement plans. The results also
present a cause for concern as to whether due diligence is being
effectively exercised, with more than one in three internal audit
functions in the Irish public sector not formally updating their risk
assessments in some way over the course of a year.
The Code of Practice which introduced an emphasis on an overall
system of internal control, replacing the more traditional focus on the
system of internal financial control, has been in place since 2016;
however, the evidence suggests that the primary concern of the
internal audit function remains focused on the system of internal
financial control. Use of technology is not being optimised by the
public sector in relation to its internal audit function, with only 5 per
cent of internal audit functions using extensive technology across the
entire audit process, including data mining and analysis. Furthermore,
almost one in three Irish public sector bodies use only manual systems
and processes, which signals a general lack of maturity of the internal
audit function. Use of technology is further developed, however, in
relation to risk management, but is far from being optimised. While
some bodies have begun to use specific software designed to manage
risk information, most still rely on spreadsheet or database software to
maintain their risk assessments. An appropriate focus on the
incorporation of QAIPs within internal audit functions has not been
achieved across the sector. While 86 per cent of public sector bodies
monitor and review the effectiveness of their internal audit unit, there
is a tendency for this to be undertaken in an informal manner, with
over one in five having no formal performance measures established,
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 39

Making internal audit count 39

which puts these bodies at great risk of failing to understand the


quality or outcome of their efforts.
While the picture painted here may appear to be one of a function
that is under-used, under-resourced and at times under-valued, and
one that competes for management prioritisation against myriad other
priorities, it is noteworthy that this is not the view expressed by senior
decision-makers within the sector. In fact, an overwhelming majority
of respondents – over 91 per cent – agree that the internal audit
function adds value to their organisation. Board chairpersons appear
to place most weighting on the function’s understanding of operations
and organisational complexities, along with the function having the
right mix of skills and competencies, whereas, in general, CEOs have
a more practical leaning, linking the value of the function more closely
to the internal audit function’s capacity to evaluate systematically the
effectiveness of internal controls, risk management and corporate
governance. While the internal audit function is seen as a major tool
to provide assurance and increase the effectiveness of risk
management, control and governance processes, surprisingly, the
evidence from this study reveals that the function is being
underexploited by not being viewed or used as a primary driver of
continuous improvement across the organisation. This finding is
significant as it so clearly jars with the academic literature and
practitioner guidance, in that it even conflicts with the accepted
definition of the function.
It is evident from the research that the internal audit function as
currently executed is not viewed as a catalyst for ongoing improvement
throughout the organisation. Furthermore, the evidence suggests that
the function is sometimes not viewed as a trusted partner, but as a
stand-alone function that is not well integrated into the workings of
the organisation. In considering the issues presented, an obvious
question arises as to whether the typical model applied across the
sector, whereby the function is outsourced to one of a small pool of
private firms, is creating inefficiencies or is serving to prevent or
hinder the function’s progress. As these private firms are competitors
of one another, there is no incentive for them to share learning, or to
work together in a coordinated fashion to identify emerging patterns
and trends that might be of benefit to other agencies. We now know
that there is a high degree of overlap between the topics reviewed by
the internal audit functions across the public sector, so it would appear
to make sense from both an efficiency and a consistency point of view
for these overlapping matters to be reviewed by the same team, using
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 40

40 KEVIN DE BARRA

a standardised methodology, rather than the current disparate


approaches. Individual public sector organisations consume around
fifty days of internal audit activity per year. If we assume a blended
daily rate based on current market trends, this leads to an annual cost
per organisation of somewhere in the region of €50,000 inclusive of
VAT. With 127 organisations in this study, the spend across this sector
is in the region of €6.5 million per annum. Pooling the resources of
the sector and seeking a solution from the market that would provide
a single provider with a standardised methodology might seem a
feasible option, but this hands over control to just one market entity
and reduces competition, thereby shrinking the pool of suitable
providers when the contract comes up for renewal. The greatest
challenge to this option, however, is that it requires buy-in from across
the sector and is administratively burdensome, in that it would require
a high degree of coordination with no current nominated ‘owner’ for
this coordinating role.
An alternative proposal would be for a decision to be taken by
central government that the public sector should go it alone and adopt
a strategy that aims to discontinue its reliance on the private market to
provide its internal audit function. The public sector currently has one
body tasked with undertaking the external audit function to agencies
on behalf of the state – the C&AG. In a similar way, it would be
technically feasible to establish a new state agency, which could adopt
a single audit methodology and deliver professionally robust, high-
impact audit and advice that gives objective information and insight,
and drives improvement. A similar model has been in operation in the
UK since 2015, and now provides services to over 75 per cent of
central government, which includes 13 departments and over 120
arm’s-length bodies. The primary benefit of this approach would be
that one agency working across government would provide
unparalleled access, and a stand-alone agency would be best placed to
develop the expertise and the relationships required to provide better
insights and better outcomes for its clients (the public sector bodies)
and their customers (the Irish public). This approach would also
engender greater trust, which would perhaps improve the identified
issues surrounding information-sharing and transparency.
A single agency tasked with providing internal audit would have a
line of sight across the entire sector, which would allow for the prompt
identification of emerging patterns and trends. If such information
were analysed strategically and communicated effectively, it could
provide benefits right across the public sector, by sharing lessons
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 41

Making internal audit count 41

widely to allow work streams and operational units that have not been
audited to learn from the experience of those that have. The shared-
services approach would also lead to enhanced career-development
opportunities within the public sector internal audit function, and over
time might address the current failing of the internal audit function to
develop a good understanding of the business operations of the
individual agencies. The downside of such an approach would be that
individual organisations might have less autonomy to tailor the
approach adopted to suit their individual requirements, and this
approach does not necessarily help to overcome the challenge of the
function being seen as separate, stand-alone or divorced from other
internal units. Similarly, such an approach might make individual
organisations and their audit and risk committees feel that they were
moving from being policy-makers to policy-takers in relation to
internal audit, that they were no longer driving this function, but
rather that their internal controls were being subjected to external
assessment.
Establishing a new agency to provide internal audit services across
the public sector might also give rise to practical issues. Given the
current buoyant market for employees from auditing backgrounds in
the private sector, it might prove difficult to source and retain strong
talent. According to Mubako (2019, p. 532), the practice of out-
sourcing has been fuelled by an increase in the demand for internal
auditors worldwide, and Sanglier (2015) suggests that the demand for
internal auditors has risen significantly while the number of candidates
seeking roles in internal audit has fallen. Also, given that so many
public sector bodies rely on the internal audit function to provide
assurance in relation to submissions that are driven by the same
statutory deadlines, it might be challenging to manage capacity in a
way that addresses the inevitable peaks and troughs in demand over a
calendar year. In executing its external audit function, the C&AG
relies on the private market to address temporary capacity demands
driven by shared statutory deadlines across the entire sector, with a
number of external audits for recent financial years being outsourced
to private firms. In doing so, the C&AG is drawing from the same
resource well and the same small pool of private firms currently
servicing the internal audit needs of the sector. Similar capacity
challenges would likely arise if a new agency were established for
internal audit.
Finally, the question of cost-benefit analysis arises. Considering
that the single agency model would not be on the basis of profit
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 42

42 KEVIN DE BARRA

maximisation, and assuming that the current model is costing the state
in the region of €6.5 million per year, it would be reasonable to
assume that centralisation would bring with it economies of scale,
which might achieve lower operational costs. With a starting base as
low as €6.5 million, and bearing in mind that it would require the
coordination and buy-in of up to 127 organisations, with the
accompanying administrative burden and change management
transformational processes this would entail, a back-of-an-envelope
exercise would quickly dismiss this to be a non-runner. Potential
savings would be extremely limited and almost insignificant in the
context of the totality of the collective annual budgets. Furthermore,
it is worth noting that while the internal audit activity can be
outsourced, the literature and professional guidance reminds us that
the associated responsibilities cannot be successfully devolved to an
external party. The other alternative to outsourcing is that agencies
would establish their own internal units to satisfy their internal audit
requirements, but with the average consumption currently at only fifty
days per annum, this is not a feasible option, as it would not merit
hiring specific talent to staff the function. Splitting the role, whereby a
staff member is part-time internal auditor while also having other
responsibilities elsewhere in the organisation, would also be
problematic as it would erode the objectivity and independence
required for the role.
Having considered, and dismissed, the alternative options, the most
viable option available is to continue with the current model, whereby
the function is directed by the organisation, but the service is provided
by the open market, albeit by a very small pool of competitors. To
continue with the current outsourced model does not mean that it
cannot be improved, and the results of this study give food for thought
for practitioners and senior decision-makers across several areas
relevant to maximising the performance and impact of the internal
audit function. Key areas of focus should include the appropriate
integration with risk-management processes and the application of a
risk-based approach to internal auditing transparency and informa-
tion-sharing, ensuring that audit recommendations are appropriately
enacted and improving the use of technology. The final area for
decision-makers and practitioners to reflect on is arguably the greatest
challenge relevant to the internal audit function, and is not unique to
the public sector, and that is how to leverage audit findings for
enterprise-wide improvements. Decision-makers and practitioners
alike must begin to understand that a preoccupation with assurance
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 43

Making internal audit count 43

can be to the detriment of the other value-add functions that internal


audit can deliver. The real value of the internal audit function lies not
as a divorced function but in its integration within the organisation to
share enterprise-wide learning and become a primary driver of a
permanent culture of continuous improvement.

Conclusion
This study set out to explore how the internal audit function is
executed in practice in the Irish public sector. The research findings
address an identified gap in the literature and offer a practical
contribution to knowledge, by providing a comprehensive account of
how the internal audit function is currently being executed across a
broad range of public sector bodies in the Republic of Ireland whose
purpose, size and structure vary greatly.
Among the most significant findings from this research is the
evidence that the function is not viewed by its most key stakeholders
as a primary driver of continuous improvement within their
organisations, which causes its real-world implementation to conflict
with its very definition. This finding conflicts with the accepted
definition of internal auditing, and identifies a disconnect between the
real-world practice of internal audit function and the relevant
academic literature, public policy and practitioner guidance.
The study shows widespread adoption of outsourcing of internal
auditing services across the sector. Having considered the various
resourcing models currently employed, along with further potential
models from other jurisdictions, the author concludes that the practice
of outsourcing the internal audit function to a small pool of private
firms is here to stay.
Overall, the research shows both some of the strengths of internal
audit practice in the Irish public sector and also some of the
opportunities, related both to structures and to practices, to enhance
internal audit practice to add greater value to the activities of public
sector bodies in Ireland.

Further information
This article stems from research undertaken as part of a Doctorate in
Governance, which was supervised by Professor Colin Scott and Dr
Michael Mulreany. For further information in relation to this research
study, please see De Barra (2022).
04 De Barra article.qxp_Vol. 71 No. 4 19/12/2023 19:08 Page 44

44 KEVIN DE BARRA

References
Coetzee, P. (2016). Contribution of internal auditing to risk management:
Perceptions of public sector senior management. The International Journal
of Public Sector Management, 29(4), 348–64.
De Barra, K. (2022). Understanding the internal audit function in the Irish public
sector. Dublin: Institute of Public Administration.
Department of Public Expenditure and Reform. (2011). Public service reform
plan 2011–2013. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2012a). Internal audit
standards. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2012b). The public spending
code. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2014). Public service reform
plan 2014–2016. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2016a). Code of practice for
the governance of state bodies. Dublin: The Stationery Office.
Department of Public Expenditure and Reform. (2016b). Ireland’s open
government partnership national action plan 2016–2018. Dublin: The
Stationery Office.
Department of Public Expenditure and Reform. (2018). Internal audit
standards for government departments and offices. Dublin: The Stationery
Office.
Department of Public Expenditure and Reform. (2019). Update of the Public
Spending Code (PSC), guidelines for the use of public private partnerships
(PPPs) and related rules. www.gov.ie/en/circular/716f16-update-of-the-
public-spending-code-psc-guidelines-for-the-use-of-pub/
Institute of Internal Auditors. (2011). Supplemental guidance: Public
sector definition. https://global.theiia.org/standards-guidance/Public per
cent20Documents/Public per cent20Sector per cent20Definition.pdf
Internal Audit Foundation. (2015). Internal Audit Common Body of Knowledge
global practitioner survey 2015. [Electronic data set received in April 2021.]
Internal Audit Foundation.
Mubako, G. (2019). Internal audit outsourcing: A literature synthesis and
future directions. Australian Accounting Review, 29(3), 532–45.
Sanglier, T. C. (2015). The versatile auditor. Internal Auditor, 72(4), 41–5.
Selim, G., & Yiannakas, A. (2000). Outsourcing the internal audit function:
A survey of the UK public and private sectors. International Journal of
Auditing, 4(3), 213–26.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy