Chapter 1. Strengthening the contributions of TCU to good governance in Brazil

TCU could further and more systematically integrate medium and long-term policy issues into its new risk-based approach to audit programming to ensure that its activities are responsive to society’s needs and aligned with TCU’s strategic plans.

Ongoing social, political and economic changes in Brazil create a challenging auditing environment, which places high demands on TCU to ensure its continued relevance and impact. Process to understand this environment should ultimately help to TCU to concentrate limited resources on critical, high-risk areas. TCU’s existing strategic documents provide a foundation for taking a longer-term, risk-based perspective in fulfilling its mission and objectives. As mentioned above, TCU’s strategic planning process includes scenario planning to ensure that the Strategic Plan, usually covering a 5 or 6 year period, enables TCU to remain relevant to society’s issues. However, TCU staff indicated that the implementation of the Strategic Plan is difficult in practice, and that annual plans are not always reflective of aims set out in either the Strategic Plan (6 year) or the External Control Plan (2 year).

According to TCU officials, one factor that complicates this issue is the increasing number of Congressional requests5 for supervisory activities made in-year in addition to, or in place of, those laid out in the 2-year External Control Plan or in the annual plans of SEGECEX secretariats. Such requests may come from Minister rapporteurs or Congress, the latter of which have been on the rise as a percentage of total activities in recent years (TCU, 2016c, d; 2015a; 2014a). Some SAIs face similar challenges. For instance, at the U.S. Government Accountability Office (GAO), required and requested audits comprise approximately 90% of its work (OECD 2016a). Ensuring impact and relevance for tackling key policy challenges meant effectively prioritising within its audit portfolio, in part, through discussions and consultation with Congressional requesters, while still maintaining autonomy in its audit programming and selection of auditees. Engaging requesters in advance, like the GAO, could help TCU to balance immediate priorities with medium and long-term goals.

Interviews with TCU staff suggest room for improvement in addressing challenges and emerging risks on an annual basis. The External Control Plan and Guidelines (“Diretrizes”) at the operational level inform the preparation of annual plans of each unit at the tactical level (TCU, 2016a). The annual plans are prepared at the secretariat level and include proposals for audits and initiatives, aligned with the Strategic Plan. According to TCU staff, approximately 90% of audits are proposed by the secretariats with the technical knowledge on the audit subject and the other 10% comes from requests, namely from Congress for supervisory proceedings. Secretariats make these proposals to TCU’s Ministers, who have an overarching view of all TCU’s activities and can consult rapporteurs formerly assigned to the sector or audit subject.

In interviews and workshops, TCU officials expressed concern that there is too much flexibility for annual plans of individual units to direct resources to areas without consulting internally or comparing to the work of other units. This can lead to overextension or lack of coherence between TCU units, which can ultimately undermine broader strategic objectives. In 2015, more resources were channelled towards certain objectives (e.g. objectives 4, 8 and 10, as described in Annex 1.A1) than had been originally anticipated, and would require readjustment in coming years if annual plans are to meet the objectives by 2021.

TCU is exploring the integration of a more rigorous risk-based approach to audit programming on an annual basis. TCU resolution (Res 269/2015, art 19) requires that audit programming involves the selection of audit topics to be based on risk criteria, materiality, relevance and opportunity, but this is not yet fully in practice (TCU, 2015c). TCU has launched an initiative to develop a methodology to comply with this regulation called Method for Selection of Objects and Control Actions (Método de Seleção de Objetos e Ações de Controle). In 2015, TCU began this by assessing whether it is addressing the most relevant issues through its audits.

TCU can build on these efforts to adopt risk-based approaches to make planning of programmes and resource allocation more systemically focused upon emerging risks and medium to long-term policy issues. Basing audit programmes on a risk-analysis will help to ensure (i) that TCU’s activities are based on cross-cutting policy issues and priorities for society; and (ii) resources are allocated in accordance with identified institutional priorities articulated in various plans. TCU has a broad scope of engagement across a wide variety of subject matter and governance functions, but it cannot provide complete assurance on government performance or compliance. A strategic, risk-based approach helps TCU to optimise the allocation of finite audit resources. Adopting more rigorous risk-based audit programming that focuses on risks to government and to society at an aggregate level could enable TCU to more closely align resource allocation to the most pressing needs.

In addition, a systematic risk-based approach to audit programming can help ensure that short-term initiatives do not detract from TCU’s efforts to induce change in governance functions over the medium and long-term. Integrating a risk-based approach into individual audit programmes of units would serve to align TCU’s efforts across Secretariats, and would provide SEGECEX with a more robust and consistent framework to assess proposed annual plans of SEGECEX units. Moreover, the annual plans themselves would be geared more towards the most pressing, cross-cutting needs and highest risks in government. A risk-based audit programme would act as a guide when developing such plans and during internal deliberations on the scope and focus of the portfolio and individual audits.

TCU could also apply this more rigorous risk-based approach to the 2-year External Control Plans. Such systematic risk-based audit programming can contribute to the evidence-based use of resources and prioritisation of policy objectives that are forward looking. Risk-based programming provides a framework of analysis that TCU officials can refer to for internal agreement of audit priorities. Moreover, in addition to facilitating the selection of audits and allocation of resources, a risk-based approach to audit programming can aid SAIs in communicating its decision making internally and externally in order to ensure that salient issues are brought to the attention of managers and relevant stakeholders. This also helps to strengthen the transparency of the SAI and support its justification for any actions its takes. For practical implementation of a risk-based approach that integrates emerging and medium to long-term risks to society, TCU could first look to the general steps for developing a risk-based audit programme, as illustrated in Figure 1.2.

Figure 1.2. Steps for developing risk-based audit programming

Source: National Audit Systems Network (2014) ‘Planning for Audits of Official Control Systems’ Version 1, February 2014, http://www.livsmedelsverket.se/globalassets/produktion-handel-kontroll/vagledningar-ontrollhandbocker/vagledningar-och-information-fran-eukommissionen/risk-based-planning-for-audits-of-official-control-systems-february-2014

Figure 1.2 highlights the importance of “data and information” as inputs (stage 2.1) to risk-based audit programming, which can involve considerations of the national government agenda and priorities. Considering such information as inputs into its process can help to ensure that risks are reflective of emerging challenges and long-term policy goals. This would help TCU to be proactive in it is audit programming, going beyond auditing and oversight that is reactive to short-term challenges. To inform its risk-based programming, TCU can draw from its audits and evaluations for information about broader governance issues, as well as the obstacles for improving policies and programmes. Box 1.2 illustrates further the sources and activities for improving inputs into its risk-based audit programming for strengthening the insight and foresight offered by TCU’s audits.

Criteria for risks can be drawn from different sources and can change depending on the type of audit. For example, material errors in the accounts of the programme can be a main criterion for prioritising risks related to financial audits. For performance audits, criteria can focus more on elements of effectiveness, efficiency and economy, and the extent to which the policy or programme is achieving its goals. Time elapsed since the last audit, or the occurrence of major changes in the audited entity, are other examples of criterion. Use of criteria for assessing risks facilitates ranking of audit priorities, according to the perceived impact and probability of the risk posed by a particular audit subject. Box 1.3 provides examples from countries with risk-based audit programming.

TCU could ensure that audits integrate governance elements, and serve as a vehicle to collect information on broader governance issues and national goals that are systematic and cross-cutting.

In the last few years, TCU has invested resources into developing a more holistic view of governance, both horizontally across ministries and vertically between levels of government together with state audit institutions (Tribunals de Contas dos Estados, TCEs). For instance, SEGECEX has developed products that take a more holistic look at the functioning of a particular sector (e.g. Fiscobras and FiscSaude), and Secretary of Government Macro-Evaluation (Secretaria de Macroavaliação Governamental, SEMAG) co-ordinates inputs of different units for the drafting of the year-end opinion on the President’s consolidated accounts. In addition, TCU has conducted cross-cutting audits that assess the maturity of particular governance functions, such as the maturity of risk management across government (see Chapter 4), or the IT audit on integration of information technology across government. The latter was praised by Executive representatives consulted for this study for its usefulness in highlighting areas for improvement.

This work illustrates concrete steps TCU has taken to integrate governance elements into its audit and evaluation work; however, TCU has yet to consistently apply criteria that would facilitate comparability on systematic issues across audits over time. When audits are more intentionally geared towards identifying challenges and solutions for cross-cutting policy issues, it allows for easier tracking of improvements and it facilitate coherence among policies and programmes. Moreover, a systematic approach can provide better inputs to inform TCU’s risk-based audit programming. One step TCU can take is to synthesise issues raised across its work streams, products and services, such as audit reports, contract assessments, asset declaration analysis and fielding of citizen complaints. As part of this effort to address systemic, cross-cutting issues, TCU could further define what should be considered of “systemic importance” to ensure coherence between assessments on this issue, and communicate effectively across the organisation. TCU could make such audits cyclical, reviewing on a systematic basis that is pre-determined and planned for in TCU’s annual audit plans.

In addition, TCU could strengthen its approach to supporting good governance by more systematically looking upstream to policy formulation, implementation and evaluation of policies and programmes being audited – not simply to the results of policies and programmes. For instance, audits could further integrate criteria that hold government to account for improved governance and policy making (discussed further in Chapter 2 through 5 for specific governance functions). Moreover, opportunities remain for TCU to leverage findings from its variety of accounting and supervisory proceedings in order to highlight areas of importance to the CoG in the execution of their duties.

TCU’s own Framework to Assess Governance in Public Policies (2014) and Framework for Evaluation of the Centre of Government (2016) offers a starting point for further institutionalising its audits and evaluations of systemic issues. As a supplement to these frameworks, audit teams can look to the international principles promoted in subsequent chapters of this review. Further, OECD’s (2016) comparative review entitled “Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight”, maps international governance principles around key stages of policy making, which can serve as a reference tool for audit teams in developing audits that will better inform the maturity of governance (OECD, 2016a).

TCU could improve the coherence and effectiveness of its work on cross-cutting, high-risk governance issues by strengthening integration of audit teams and internal co-ordination mechanisms.

To better position itself for addressing cross-cutting issues that affect multiple government programs and policies, TCU could take steps to further integrate its work internally that touch on such issues. This could include: (i) reducing the level of fragmentation or siloes between audit units and (ii) optimising information-sharing and resources across audit activities. TCU officials highlighted the need for reducing siloes or fragmentation between department in order to avoid duplication and to ensure coherence of findings on similar topics.

TCU reorganised internally by relevant sectoral areas as part of the 2011-2015 PET. It created four thematic co-ordination offices in SEGECEX (social issues, infrastructure, development and essential public services). The reorganisation was aimed at greater specialisation of audit staff, enabling each new secretariat to better identify its own risks and relevant situations, as well as to better understand the models and tools of governance that are required for success in those domains (OECD, 2014b). According to TCU officials, the reorganisation is still a work in progress, and they highlighted siloes that still exist between staff.

To reduce siloes and strengthen coherence of work on cross-cutting issues, TCU could consider structural changes that focus on select whole-of-government challenges. These departments or teams can help to provide a horizontal view of cross-cutting governance and policy issues. For instance, TCU recently established, in early 2017, a new department of Institutional Relations on Fight Against Fraud and Corruption (Secretaria de Relações Institucionais no Combate à Fraude e Corrupção - SECCOR). The purpose of SECCOR is to develop, encourage, monitor, support and co-ordinate control actions to combat fraud and corruption, by strengthening the relationship between TCU and the other control and inspection bodies and entities, as well as capacity building for obtaining, analysing and processing information (Article 14) (TCU, 2017).

SECCOR provides a level of centralisation around a specific theme that arises across all SEGECEX secretariats. TCU could dedicate additional resources, or simply assign working groups with appropriate authority, to provide a centralised repository for other systemic issues (e.g. monitoring and evaluation across government with regards to the Sustainable Development Goals). This would also help to preserve institutional memory and build expertise related to long-term, systemic problems.

In addition, finding greater synergies across TCU requires effective mechanisms to stimulate information sharing and ensure consistency of findings. For example, TCU could consider integrating units’ annual work plans to facilitate information sharing between actors who have previously worked on different audits or themes, and have transferable expertise relevant to audit subject. Moreover, pooling the wealth of expertise in a more systematic way would help to build a broader view of policy challenges and solutions. For example, greater information sharing during the design of audit engagements between different specialists in TCU, such as those working on audits and investigators of public contracts, may enable TCU to flag worrisome trends or issues that can then help to shape the scope of a review. Similarly, for example, strategic interaction between those working on governance of health policies with governance of education policies could increase the likelihood that cross-cutting or systemic issues or vulnerabilities in government are more readily detected.

One way to formalise such interactions is to employ «matrixed» audit engagements in a more strategic, systematic way. Matrixed engagements are where staff from different units work on the same audit. These audits often address cross-cutting or diverse issues that require a range of subject matter and technical expertise. Officials said TCU uses this approach, but in an ad-hoc manner. TCU could apply this methodology more systematically, as matrixed engagements allow joint development of criteria and indicators. This is also meant to ensure that work is not duplicated and that messages of TCU are consistent and coherent. More consistent use of matrixed engagements would help to overcome the challenges that teams often have in building a broad view of the audit objective, particularly on complex and cross-cutting audit subjects.

TCU could build capacity and knowledge for improving the extent to which audits identify emerging risks and challenges facing government and society.

The General Standards in Government Auditing (ISSAI 200) require that SAIs should develop and train their employees to enable them to perform their tasks effectively, and to define the basis for the advancement of auditors and other staff (INTOSAI, 2013b). How an SAI defines whether an auditor can do its work effectively can change. As discussed above, having a keen awareness of the emerging risks to governance and society should also necessitate a changing evaluation of the skill sets required to tackle such risks. ISSAI 200 further suggests that SAIs prepare manuals and other written guidance and instructions concerning the conduct of audits (INTOSAI, 2013b).

In addition to auditing manuals, such as TCU’s Performance Audit Manual (2010), TCU has recently developed frameworks for audit teams on cross-cutting subjects including assessment of public policies, IT, and Centre of Government, for audit teams to consider in conducting an audit. The frameworks have been welcomed for their promotion and dissemination of good practices and international principles, but there is uneven use of the contents across TCU. TCU could build on these efforts by strengthening their dissemination through trainings, and emphasising how to integrate key elements into individual audits. To the extent applicable, TCU could incorporate further guidance in various manuals (e.g. performance audit manual) and internal documents that are meant to aid auditors during the audit planning phase. The guidance could help auditors in a practical manner when evaluating issues that are potentially systemic, such as questions related to specific governance topics to consider when interviewing executive branch entities.

TCU provides its staff with ongoing training and development opportunities in line with international standards. Much of the course work is online. TCU staff pointed to the benefits of also having in person and more practical trainings on auditing methodologies. Finally, TCU has been promoting more active engagement by the academic community. There may be greater opportunities to tap into academic expertise, to better prepare future auditors and to establish agreements for the co-development of tools (surveys, research, apps, etc). Engaging the academic community can also bring different perspectives on cross-cutting governance issues.

TCU could further develop methods to generate and communicate a more aggregate measure of its financial and non-financial value and benefits to society.

To measure its own impact, TCU uses indicators and targets mapped out in the External Control Plan and Guidelines, and aggregates statistics based on individual activities. In 2015, TCU calculated its total potential benefit of its audit activities to be nearly 24 billion Brazilian Reais (BRL). TCU’s rate of return to the public was calculated at 13.4 BRL for every 1 BRL spent on TCU (TCU, 2015a). Such benefits are determined through the valuation of select activities, such as improvements in the economy, efficiency, efficacy or effectiveness of public entities (valued at approximately 235 million BRL in 2014), or the value of condemnations in 2015 (6.6 Billion BRL) (TCU, 2015a). These figures are made public in TCU’s annual report, along with others relevant to its performance and productivity, including the number of individuals convicted in debt or fraud, the value of condemnations, companies barred from public biddings and sentences pronounced.

While such indicators of TCU’s performance are beneficial for understanding the return on investment for taxpayers, TCU officials expressed concern that the discussion about TCU’s impact relies heavily on financial impacts. Indeed, TCU’s current processes for tracking recommendations and measuring a broader notion of impact faces many challenges, given the high volume of recommendations and the lack of a systematic process for measuring certain types of benefits. These benefits include the results of recommendations that focus more on governance issues and are elaborated on in performance audits. The benefits of SAIs can be generally categorised as follows:

• Quantified financial benefits, such as TCU’s return on investment measure of financial benefits divided by financial costs. Only a handful of SAIs are in practice of calculating such a figure, such as Costa Rica, the United Kingdom and the United States.

• Quantifiable non-financial benefits, such as the results that are deduced from perceptions surveys of auditees about the impact of SAIs’ work on their institution.

• Qualitative benefits that cannot be quantified, which capture broader outcomes such as improving accountability or accuracy of performance indicators in government.

As part of nuancing its external control activities to longer-term impact on society, TCU could review its current monitoring approaches to assess its usefulness in providing a more aggregate picture of its overall benefits to society. Adopting a broader view of TCU’s impact, which includes quantifiable non-financial benefits and qualitative data, could offer a more realistic picture of TCU’s contributions to good governance and areas for improvement. TCU could expand beyond reporting on individual interventions, outcomes of its monitoring (monitoramento) and financial benefits, in order to better measure and communicate the value of governance related activities. Measuring and communicating benefits can be difficult and costly. It requires the capacity to make reliable, credible, complete, and accurate estimations. It also requires careful liaison with audited entities to ensure that benefits are not overstated. TCU can improve its chances of effective impact measurement and communication by considering its approach to this early in the audit planning process.

TCU could strengthen the coherence of its recommendations on governance-related issues, emphasising analyses of previous recommendations made to the Centre of Government.

ISSAI 12 stipulates that SAIs should enable those charged with public sector governance to discharge their responsibilities in responding to audit findings and recommendations and taking appropriate corrective action (principle 3) (INTOSAI, 2013a). The ability of an SAI to ensure take-up of its recommendations depends largely on the quality and clarity of recommendations. Equally important is the coherence between recommendations made to the same entity or on the same thematic topic or programme. Further, ISSAI 12 calls for SAIs to be a model organisation through leading by example. If TCU is to encourage coherence, communication and co-ordination in the Executive (Chapter 2), it too should be applying the same principles in the execution of its duties.

As mentioned, TCU has a system to track and manage recommendations. According to TCU officials, TCU could improve its mechanisms to ensure that recommendations are coherent with one another. The coherence has been challenged by the previously high number of recommendations. Since 2012, TCU has decreased the number of supervisory proceedings (fiscalizações) including audits and, as a result, reduced the number of associated non-binding recommendations to auditees (TCU, 2015a). This progression is welcomed by some TCU staff, who noted that even the current number of recommendations is unmanageable and does not facilitate easy tracking of their impact. As coherence between policies and programmes of government are important to avoid waste, duplication, fragmentation and overlap, so too is it important that SAIs are issuing messages to auditees that are, at least, non-conflicting.

One way TCU could promote greater coherence in its recommendations is to assess previous recommendations made to the Centre of Government (CoG), and then clarify any inconsistencies internally and externally. The CoG has a critical role to play in co-ordinating and overseeing the implementation of government-wide initiatives. As such, it is equally critical that TCU’s messages to the CoG, about the performance of the Brazilian government, are coherent and non-conflicting. Guidance to the CoG from TCU should be clear and support the CoG in discharging its critical functions. Such an analysis could discern the degrees of synergies, overlaps or contradiction between recommendations made in previous years. Enabling entities to discharge their responsibilities and take-up TCU’s recommendations relies on their clear understanding of those recommendations.

The analysis of coherence of recommendations could be replicated in particular thematic areas or for specific institutions, for particular laws, against which new recommendations could be checked in real-time. This would help to pacify TCU concerns, expressed by some officials, about the quality of outcomes and recommendations of governance-related work, which is a newer area of work relative to TCU’s other supervisory and accounts proceedings. For instance, an independent study of the implementation of the U.S. Government Accountability Office’s (GAO) recommendations analysed over 40,000 GAO recommendations from 1984 to 2014 using text analytics. Such a longitudinal analysis was facilitated by the GAO’s consistent and persistent approach to quantifying agency compliance. The study hypothesised that audits related to the GPRA and Modernization Act of 2010 (GPRAMA), which establishes a framework for taking a crosscutting and integrated approach to improve government performance, would result in recommendations that were more difficult for agencies to implement than others. The findings showed that recommendations related to GPRAMA had, in fact, a 2% higher success rate [in terms of agencies’ implementation] than recommendations unrelated to the GPRAMA (Deloitte, 2015).