​When Boards Are Surprised, Who's at Fault?

Regular readers of my blog understand the emphasis I place on internal audit's role in helping organizations achieve their objectives. It is integral to the Definition of Internal Auditing and is at the core of what we do as professionals. No matter where we perform our duty as internal auditors, serving the organization must be ingrained in our DNA.

There is a large part of the internal audit community where this is particularly and peculiarly so: the public sector. There are unique challenges for public-sector auditors that relate to serving organizations that, in turn, serve the public and public good. Among the most selfless men and women in our profession are those in public service.

The IIA is keenly aware of this and has published a new practice guide, Unique Aspects of Internal Auditing in the Public Sector, which delves into the singular differences that public-sector auditors must cope with and offers important guidance.
 
I know firsthand the challenges and rewards of auditing in the public sector. Indeed, the first 25 years of my career were with the U.S. Army and the U.S. Postal Service, two organizations whose tasks were fundamental to the protection and survival of our nation and its economy. Talk about serving the public good!

During that time, I learned valuable lessons about working in the public sector, many of which were shared in my most recent book, The Speed of Risk: Lessons Learned on the Audit Trail. Most of those lessons revolve around understanding the public sector, internal audit's role in risk governance, and the importance of remaining true to our ethics. The new IIA guidance addresses these areas admirably. I'll share here some highlights from the guidance while encouraging you to download it to get the complete picture.

Understanding the Public Sector

The public sector encompasses governments and publicly controlled or publicly financed agencies. This brings in a significant number of auditors working at the federal, state/provincial, and local levels around the world. What's more, as governments increasingly turn to the private sector to support public works, internal auditors in those private-sector organizations must develop a fundamental understanding and commitment to public-sector ideals and aims.
From the guidance: "The main feature that distinguishes organizations as public sector is that they are mandated to serve, protect, and promote the public good, rather than to create shareholder profit, as in the private sector."

Two additional key aspects must be considered and embraced. From the guidance:Because government funds come from citizens, citizens in democratic political systems typically have rights to hold public officials and organizations accountable for how the funds are spent.

Good governance involves monitoring whether goods, services, and programs are implemented as intended, executed with effectiveness and efficiency, and achieve stated goals and whether compulsory powers are exercised appropriately.

Internal Audit's Role in Risk Governance

Risks in the public sector directly affect the public, adding a level of urgency to getting risk governance right. In recent years, no single risk exemplifies this better than cybersecurity. Cyber breaches that expose private data, malware hacks that slow the operation of public business, and ransomware attacks that can waste limited public resources can have a devastating impact on public services and the public good.
This places great pressure on public-sector internal auditors to perform effectively and efficiently to mitigate risks that can lead to poor service delivery, waste, and fraud. An added challenge is supporting effective risk governance in a political environment.

Politics can influence funding for internal audit activities, manipulate the work of internal audit, and even threaten the continued existence of the internal audit function. Other aspects of politics include, but are not limited to:Election cycles and changes in political administrations.Jurisdictions that do not recognize or acknowledge the International Professional Practices Framework (IPPF).A lack of a clear, independent dual-reporting structure.Resource constraints and limitations.

Limited access to information necessary to conduct internal audit's work.

Public-sector internal auditors must be aware of realities in a political realm and focus on building relationships, understanding, and boundaries that help protect their independence and objectivity. A valuable tool to achieve this is the internal audit charter, which can clarify internal audit's role and responsibilities, identify best practices and working conditions, establish the IPPF as the preferred framework for internal auditors, and establish checks to limit political influence.

Remaining True to Our Ethics

The guidance identifies four concepts fundamental to ethics in the public sector: integrity, accountability, transparency, and equity. The first three should be familiar to practitioners in public and private settings. However, equity is a concept that is unique to the public sector.

From the guidance: "Equity involves the fairness and responsibility with which public-sector officials exercise power and apply resources entrusted to them by the public. It involves the concepts of opportunity for all citizens and may measure not only inputs and outputs of policy but also outcomes."

This aspect of ethics is closest to the concept of serving the public good, and it manifests itself in ways that can be measured and audited. The guidance offers the example of laws, regulations, and policies that specify practices to encourage inclusion and fairness in human-resource practices (e.g., hiring, salary administration, termination) and procurement practices.

Public-sector entities are held to a higher standard to "demonstrate their efforts to promote equity, through processes, documentation, and evidence to defend their choices," according to the guidance. It goes on to list areas where internal auditors may evaluate equity, including examining service costs, service delivery, law enforcement and regulatory power, and exchange of information with the public.

The work of internal audit is frequently complex and multifaceted, and guidance from a trusted and knowledgeable source helps us to manage that. In reviewing this new, valuable tool, I am reminded of the admirable work IIA volunteers and staff perform to develop important and timely practice guides, and I'm happy to offer a public shoutout for that work.