Chapter 6. Improving internal control and risk management in Mexico City

6.2.1. Mexico City could draft a strategy for communications and capacity building to publicise the new guidelines for internal control, audits and interventions in public administration.

Mexico City has launched its own anti-corruption system through the Decree by which various provisions of the Organic Law of Public Administration of the Federal District are reformed and added (Decreto por el que se reforman y adicionan diversas disposiciones de la Ley Orgánica de la Administración Pública del Distrito Federal) published in the Official Gazette of Mexico City on 1 September, which gives the Comptroller-General of Mexico City (Contraloría General) a prominent role in internal control and audit as part of the anti-corruption system. Officials indicated that they have already had some positive results from their internal control system, with some assets and funds recovered and the government using recovered funds for designated programmes.

Mexico City’s internal control framework is regulated by Articles 105, 106, 108 and 110-113 of the Internal Regulation of the Public Administration of the Federal District (Reglamento Interior de la Administración Pública del Distrito Federal) and includes both vertical and horizontal co-ordination mechanisms. The Internal Regulation provides for auditors from the Comptroller-General of Mexico City to be attached to municipal public institutions. Only 28 of the 45 government entities have internal control units, and half of these internal control units have a complaints division that performs audits, resolves complaints and substantiates administrative or disciplinary proceedings. The other 14 internal units transfer files to the Directorate of Legal Affairs and Responsibilities if they discover any administrative irregularities in performing audits. The 17 public entities with no internal control units are assisted by the Directorate of Internal Control Units in Entities (Dirección General de Contralorías Internas en Entidades) to which cases of administrative irregularities are handed off. The Comptroller-General of Mexico City undertakes and oversees internal audits in accordance with a range of standards and guidelines, as outlined in Annex 6.A.

Officials indicated that the internal control system is established separately in each agency. In September 2017, a decree was passed issuing the Law on Audit and Internal Control of the Public Administration of Mexico City (Ley de Auditoría y Control Interno de la Administración Pública de la Ciudad de México). This assigns responsibilities to designated officials in the executive branch for internal control, risk management, and corruption and fraud. The Law modifies the allocation of responsibilities. Section 5 of this bill requires Mexico City government entities to adopt an internal control system that includes plans, methods, principles, norms, procedures and mechanisms of verification and evaluation on internal control. The guidelines established for staff on how to execute these new legislative requirements appear to be clear and consistent. On 8 January 2018, the guidelines for Audit, Internal Control and Interventions of the Public Administration of Mexico City (Lineamientos de Auditoría, Control Interno y de las Intervenciones de la Administración Pública de la Ciudad de México) were published in the Official Gazette of Mexico City.

The purpose of the Audit Guidelines is to regulate the planning and execution of internal audits, and the deadlines, procedures and forms that must be observed in practice. They are mandatory for the Secretariat of the Office of the Comptroller-General of Mexico City and its administrative units when carrying out internal audits.

The Internal Control Guidelines regulate the activities for the implementation and application of internal control. It also establishes the functions, activities and operations as well as the techniques and methods to be used for internal control within the Secretariat of the General Comptroller’s Office of Mexico City and its administrative units, as well as in the delegations or mayor’s offices, dependencies, parastatal entities and decentralised bodies of the public administration.

Lastly, the Guidelines for the interventions of the Public Administration of Mexico City refer to the visits, inspections, advisory services and other activities requested by the Secretariat of the Comptroller-General’s Office or its administrative units for special reviews, verifications and operations.

6.3.1. Mexico City could apply the principles of the “three lines of defence” model in refining the internal control framework.

The leading fraud and corruption risk management models used in OECD member and partner countries stress that the primary responsibility for preventing and detecting corruption rests with the staff and management of public entities. Such corruption risk-management models often have similarities with the Institute of Internal Auditors’ (IIA) “Three Lines of Defence” Model (Figure ‎6.1).

Figure ‎6.1. The “Three Lines of Defence” Model

Source: IIA (2013), “IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control”, Institute of Internal Auditors, Altamont Springs, Florida, p. 2, https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf.

The first line of defence is operational management and personnel. Those on the frontline naturally serve as the first line of defence, because they are responsible for maintaining internal controls and for executing risk and control procedures on a daily basis. Operational management identifies, assesses, controls and mitigates risks, guiding the development of internal policies and procedures and ensuring that activities are consistent with goals and objectives.

Senior managers are primarily responsible for managing risk and implementing internal controls, but all officials in a public organisation – from the most senior to the most junior – can play a role in identifying risks and deficiencies and ensuring that internal controls address and mitigate these risks. Every staff member should be encouraged to help develop better systems and procedures that enhance the organisation’s integrity and help it to fight corruption.

The second line of defence includes the next level of management, those responsible for overseeing delivery. These are responsible for establishing a risk management framework, monitoring, identifying emerging risks, and regular reporting to senior executives. The third line of defence is the internal audit function. Its main role is to provide senior management with independent, objective assurance over the first and second lines of defence arrangements (IIA, 2013[2]).

The external audit office and external regulators provide additional layers of defence. Although not officially part of the three lines of defence model, they are essential elements of the overall accountability and anti-corruption framework in the public sector.

Mexico City has elements of the three lines of defence model in its framework, but responsibilities overlap and the lines of defence are blurred. The Comptroller-General, for example, is responsible for internal controls as well as conducting and reviewing internal audit reports. This blurs the lines of defence, since auditors should not be put in the position of auditing internal controls that they themselves have implemented – since this would present a conflict. Mexico City could consider applying the principles of the three lines of defence model as it refines its internal control framework. This would ensure that responsibilities are appropriately separated and that management takes greater ownership over the everyday implementation of internal controls and the management of risk. The evolution of the French internal control system, which focuses on managerial responsibility, may provide some useful insight, as illustrated in Box ‎6.1.

6.4.1. Mexico City could create a system of accountability for procedural manuals to ensure they are consistent, regularly updated and reflect efficient procedures.

In Mexico City, each line ministry, delegation and government entity has its own procedure manuals, which are approved by senior management and registered with the Public Administration of the Federal District (Mexico City, 2014[5]) . The General Co-ordination of Administrative Modernisation (Coordinación General de Modernización Administrativa, CGMA) provides advice on the design of manuals and is responsible for determining if each manual meets basic requirements, but it does not provide oversight on the implementation (or regular update) of the manuals. Manuals are to be written in accordance with the state’s Technical Guide for the Manufacturing of Manuals of the Government of the Federal District, which provides guidance on content and formatting.

Senior management does not supervise the implementation of manuals. The implementation of manuals is thus not overseen except when they are subject to an audit. There was some indication that these manuals are created more to comply with requirements (and “protect” the government entity from negative findings if they were subject to an audit) than to serve as practical guidance for public officials.

Officials reported that they consider these procedure manuals to be a form of control, in that they outline the expected standardised procedures for key processes. However, they indicated that the manuals are complicated, contain irregularities and can make processes inefficient. They are not based on the government entity’s strategic vision, and they do not outline what should be done and why. Further, the manuals do not contain procedures for conducting risk assessments or undertaking internal control activities. As a result, the manuals are not systematically referred to for guidance in making key decisions. Mexico City could consider creating a system to ensure these manuals are consistent, are regularly updated and reflect efficient procedures.

6.5.1. Mexico City could clearly separate the lines of defence, with senior management, rather than internal auditors, charged with implementing risk management and designing and implementing internal controls.

Internal audit (the third line of defence) serves as a key control to detect corruption, but its main purpose is to provide objective assurance that risk management and internal controls (the first and second lines of defence) are functioning properly. An effective internal audit function also ensures that internal control deficiencies are identified and communicated in a timely manner to those responsible. Internal audit is also a necessary ingredient for effective accountability and better management. It helps hold officials accountable for their actions and to report on performance and management gaps. Institutional responses to negative audit findings and integrity breaches may strongly influence the institutional culture, the tone at the top and the overall effectiveness of the internal control framework.

Mexico City’s internal control structures do not clearly align with the three lines of defence model, as the Comptroller-General of Mexico City is responsible for implementing internal controls as well as undertaking and reviewing internal audit reports. In addition, the Comptroller-General of Mexico City holds regular meetings with internal control units to review the progress of the implementation of the audit plan and of other matters falling under their responsibility. This structure blurs the distinctions between the lines of defence. International standards note that it is preferable that the first and second lines of defence do not involve the internal auditors (third line of defence).

Typically, there is a clear separation between the internal audit function (the third line of defence) and the second line of defence, which consists of management oversight functions to ensure that first line controls are properly designed, in place and operating as intended. When senior management considers that it is more efficient for internal audit to also perform risk management, compliance or other second line of defence functions, it becomes difficult to clearly separate second and third lines of defence.

To avoid institutional conflicts of interest in such cases, public organisations must set up appropriate safeguards to ensure the effectiveness of the internal audit function is not compromised. For instance, if the internal audit is involved in second line of defence activities, the task of providing assurance on these activities must be outsourced either externally or internally to other departments. The internal audit function should not assume any managerial responsibilities concerning the matter subject to the audit. In such cases, the internal audit can facilitate and support the responsible actors, but should not assume ownership.

Likewise, should internal auditors uncover irregularities that suggest corrupt or fraudulent activities, the case should be forwarded to qualified investigators, whose duties will be to assess whether such fraudulent or corrupt acts have indeed taken place. Once again, to avoid any institutional conflicts of interests and to reinforce the internal control framework, auditors should not be responsible for leading internal investigations.

In Mexico City, internal audits are generally conducted by auditors from the Comptroller-General’s office who are posted to government entities’ internal control units. Although most Mexico City ministries and delegations have an internal control unit, only 28 of the 45 government entities have one. The Comptroller-General aims to send an audit team at least annually to entities that do not have an internal control unit.

The Comptroller-General does not conduct performance audits, but internal audits include a second phase that looks at control effectiveness. Effectiveness is thus not assessed in a systematic way, but only in areas where there was reason to trigger traditional audits. However, there appears to be confusion between the concepts of compliance audits and audits seeking to measure effectiveness, since most examples given by Mexico City officials pertained to the former rather than to the latter.

Public officials indicated during interviews conducted that internal controllers have sometimes been considered to be strict, lacking in perspective and overly focused on the implementation of procedure manuals (which are often out of date). Controllers were also seen to be lacking in the softer skills required to advise public officials on ethical dilemmas and difficult situations. Further, the perception among staff is that if they seek guidance, there is a chance they could be audited or punished. Some of those interviewed suggested that another unit could perhaps be responsible for providing ethics advice and training. This group could collaborate with the Internal Control unit, but remain separate.

6.5.2. Given Comptroller-General Guidelines require that the audit programme be based on priorities and a risk assessment, Mexico City could develop and implement a risk-based approach to internal audit topic selection.

In November 2011, the Comptroller-General published audit guidelines: General Guidelines for the Planning, Preparation and Presentation of Audit Programmes of the General Office of the Federal District. The guidelines state that one of the priorities of the Public Administration of the Federal District is to have a public administration that is modern, technologically innovative, with the faculties and resources necessary to meet citizen demands with efficiency, simplicity and without excessive procedures. The guidelines also outline specific objectives for internal auditors, such as:

• Develop audit programmes based on a proactive approach that integrates the results of the study on the objectives, priorities and needs of the government entity and the risk assessment and management, as well as strategic aspects dictated by the Comptroller-General;

• Support government entities in innovation, improvement and administrative modernisation, as well as in the development and diffusion of internal control schemes;

• Promote the achievement of institutional goals and objectives with efficiency, honesty and transparency and be a strategic contributor to the Public Administration of the District;

• Promote training programmes for Internal Comptrollers, so that they have current knowledge that allows them to achieve high-quality interventions.

Audit plans are to be linked to the entities’ objectives and are prepared by internal control units in each ministry or delegation. Officials indicated that the majority of internal audits are triggered by citizens rather than following a risk-based planning system. They do, however, use four criteria to prioritise audits: importance; presence; amount of funds; and pertinence. Risk analysis and prioritisation is important in the internal audit planning process to ensure resources are allocated to areas of greatest need and to ensure the greatest impact.

The new Audit and Internal Control Law of Mexico City of 2017 contains more guidelines for audit planning. It includes (Article 22) that the planning stage will consider, among other things, “the importance and risk of the operations of the public entity audited”. It also provides (Article 8) for audits to be performed at any time determined by the Secretariat of the Comptroller-General or its administrative unit, independent of the times included in the annual audit programme. It is beneficial to give auditors this independence to adjust their audit plan, as this allows for more timely review if issues or challenges come to light.

Mexico City could consider the approach taken by Mexico’s Supreme Audit Institution (Auditoria Superior de la Federación, or ASF). ASF’s strategic and operational agility, including its capacity to manage a high volume of audits, relies in part on the effectiveness of its audit programming, which it calls, the “Annual Programme of Audits for the Public Account” (Programa Anual de Auditorías para la Fiscalización Superior de la Cuenta Pública, or PAAF). The PAAF is ASF’s methodological framework for identifying the audits it will conduct for the duration of one year. The PAAF’s audit-programming processes take into account a number of factors, such as ASF’s technical and managerial autonomy, the relative importance of audited entities, the variation in the amount allocated in relation to the previous public account, audit history, and complaint or requests from the Chamber of Deputies. It also involves consideration of available resources, types of audits to be conducted, and staff experience (OECD, 2017[6]).

Individual audit units in ASF propose audits or studies for inclusion in the programming process. The units have some flexibility to define their programming methodology according to the nature of their duties, but they must comply with the provisions of the overall methodological framework. The PAAF incorporates a risk assessment to identify and select audit priorities, which includes quantitative and qualitative methodologies for scoring risks based on 16 risk factors, and making risk-based comparisons to prioritise work. Effective risk-based audit programming can be a useful approach for audit institutions to direct audit resources to areas it deems to be most critical, based on a predetermined set of criteria. Risk-based audit programming can contribute not only to economical use of resources, but also to the evidence-based prioritisation of policy objectives and the effective use of tax revenue (OECD, 2017[6]), p. 32.

6.5.3. Mexico City could strengthen mechanisms for internal control units to monitor implementation of audit recommendations.

Internal auditors indicated that there are no mechanisms for following up on the implementation of recommendations or for ensuring that negative cases do not repeat themselves. Auditors also indicated that there were sometimes issues with government entities interfering with audit findings. Audit recommendations are only effective if they are implemented. The SAIs for other OECD member countries have methods for following-up recommendations. For example, the Australian National Audit Office (ANAO) conducts a selection of follow-up performance audits each year to assess government entities’ implementation of performance audit recommendations from previous years. Australian government entities also have Audit Committees that meet regularly to, among other things, monitor the implementation of audit recommendations, and the ANAO can attend these meetings as an observer and/or request the meeting minutes.

In Canada, the office of the Auditor General of British Columbia, a sub-national audit office, has published follow-up reports based on self-assessments from audited government entities and conducted follow-up audits on a selected number of them (Box ‎6.2). Mexico City could strengthen processes to allow for the follow-up of recommendations, such as through a selection of follow-up audits or by organising annual self-assessments.

6.5.4. Mexico City could revise the audit planning process for the Comptroller-General to help increase its independence from the government.

The Office of the Comptroller-General is responsible for the audit, evaluation and control of the public management of the dependencies, delegations and government entities of the Government of Mexico City. The Comptroller-General sits within the organisation structure for the state-level Audit Office (Auditoría Superior de la Ciudad de México) and is appointed by the Head of Government, with the appointment ratified by the Legislative Assembly. The Comptroller-General does not have full independence to determine his own priorities and internal audit work plans. Greater independence would give the Comptroller-General greater credibility, which would, in turn, promote better outcomes.

The Mexican Institute for Competitiveness (IMCO) and the Centre for Economic and Administrative Sciences of the University of Guadalajara (CUCEA) found that lack of autonomy is a weakness among superior state audit offices in Mexico. OECD’s work with supreme audit institutions (SAIs) helps to illustrate one of the practical effects that this lack of independence has on accountability. In a survey of ten leading SAIs, OECD explored ways in which SAIs contribute to the policy cycle, including formulation, implementation and evaluation of policies and programmes. The findings suggest that SAIs require autonomy and flexibility to engage across the policy cycle at their own discretion (OECD, 2016[8]). Applying this to Mexico, external factors that limit the independence of audit offices are likely to result in less extensive contributions to policies and programmes, and therefore to limit the uptake of their work by the executive branch.

The International Organization of Supreme Audit Institutions (INTOSAI) has published a number of documents – including INTOSAI GOV 9100: Guidelines for Internal Control Standards for the Public Sector – that stress the importance of independence for internal and external auditors (see Box ‎6.3).

6.6.1. Mexico City could implement a systematic risk management framework to strengthen the internal control framework.

Mexico City’s framework and supporting legislation, which was valid until 1 September 2017, did not include a systematic risk management strategy, an essential element of the second line of defence and of an effective internal control framework – particularly in relation to combating fraud and corruption. The Public Administration's Internal Control Guidelines (Lineamientos de Control Interno de la Administración Pública de la CDMX), issued on 8 January 2018, created a risk management system. Its implementation will be challenging for Mexico City and will require political commitment from senior management of the units.

Good governance practices among OECD countries indicate that risk management must be considered an integral part of the institutional management framework rather than managed in isolation. Risk management should permeate the organisation’s culture and activities in such a way that it becomes the business of everyone within the organisation.

Operational risk management begins with establishing the context and setting an organisation’s objectives. It continues by identifying events that might have an impact on reaching them. Events with a potentially negative impact represent risks. Risk assessment is a three-step process that starts with risk identification and is followed by risk analysis, which involves developing an understanding of each risk, its consequences, the likelihood of those consequences, and the severity of the risk. The third step is risk evaluation, which involves determining the tolerability of each risk and whether the risk should be accepted or treated. Risk treatment is the process of adjusting existing internal controls, or developing and implementing new controls, to reduce the severity of the risk to a tolerable level (Figure ‎6.2).

Figure ‎6.2. Risk management cycle according to ISO 31000:2009

Source: Adapted from ISO 31000:2009 (ISO, 2009[14]).

The process of establishing context and assessing and treating risk is linear, while communication and consultation, monitoring, and reviewing are continuous. Monitoring and reviewing helps identify new risks and reassess existing ones when there are changes in the organisation’s objectives or in its internal and external environment. This involves scanning for possible new risks and learning lessons about risks and controls from an analysis of successes and failures (OECD, 2013[15]).

An effective risk management framework is essential to managing public fraud and corruption. The US Government Accountability Office (GAO) has established a risk management framework for managing fraud risks in federal programmes. Its practical ongoing practices and activities are outlined in Box ‎6.4.

6.6.2. Mexico City could set up the risk management framework by assigning clear responsibility for managing risk to senior managers, providing risk management training for staff and updating risk management systems, tools and processes.

After a risk management framework is developed, it needs to be put into effect. Appropriate and accurate risk management information needs to be collected, senior management need to be assigned clear responsibility for the ongoing management and monitoring of risk, and all staff need to be aware of the risk management framework and how to incorporate risk management into daily work and decision-making.

Appropriate and accurate risk information is essential for operating a risk management framework. Without it, effectively assessing, monitoring and mitigating risk would be difficult. Information to support risk management can derive from a number of internal and external sources, depending on the programme or area of work. A consistent approach to sourcing, recording and storing risk information will improve the reliability and accuracy of the information needed.

For a risk management framework to function effectively, responsibility for specific risks needs to be clearly assigned to the appropriate senior managers. These managers need to take ownership of the risks that could affect their institutional objectives, use risk information to inform decision-making and actively monitor and manage their assigned risks. These managers should also be held accountable to the executive through regular reporting on risk management, including on successes, lessons learned and areas that could be improved.

Staff should be made aware of the risk management framework and key requirements through training and awareness-raising activities. Communication and consultation with staff is also a key step towards securing input in the risk management process and giving them ownership of the outputs of risk management. Informed employees who can recognise and deal with corruption risks are more likely to identify situations that can undermine the achievement of institutional objectives. Australia has developed guidance on building risk management capability in government entities, which provides useful insights (Box ‎6.5).

6.7.1. Mexico City could provide further training on ethics and integrity for internal auditors.

Internal auditors also play a key role in reinforcing a culture of integrity and accountability in the organisation. They act as agents of change, assessing the control environment as part of their assurance mandate, and motivating management to address flaws and inefficiencies in the effectiveness and the maturity of the control environment.

A key element for maintaining an effective internal control environment is ensuring the merit, professionalism, stability and continuity of audit staff. Public entities should develop mechanisms to attract, develop and retain competent individuals with the right set of skills and ethical commitment to work in the control and audit area. Training, certification and the improvement of auditing and investigative competences help enhance the effectiveness of the third line of defence, as it reinforces the credibility of the auditor.

The new Law of Audit and Internal Control for the Public Administration of Mexico City, issued on 1 September 2017, provides for a certification process for internal controllers, as well as for specific conditions that such officials should meet (Articles 16-17). Moreover, the Comptroller-General provides that a number of training activities on ethics, integrity and conflict of interest were undertaken by the School of Public Administration (see Chapter 3). The content of the training courses offered to public officials does refer to ethics, but it is often more theoretical than practical. Courses that provide more examples and are tailored to the specific responsibilities of public officials would strengthen the overall awareness-raising strategy. Higher-level efforts to address the issue of weak professional expertise and capacity of internal comptrollers could include developing customised training modules in co-operation with the National School of Public Administration, training centres located in relevant ministries, audit institutions, professional associations and universities.

The Comptroller-General and internal controllers provide some training to operational staff. They conduct some ethics awareness-raising activities (although there is no legislative requirement to do so) and are available to provide public servants with guidance and advice. However, as noted, staff have the perception seeking guidance might expose them to audit or punishment. It would thus be convenient for this function to be carried out by a unit responsible for advising them to prevent conflict of interest and corrupt acts from arising.

The Comptroller-General (in particular, the Dirección de Coordinación general de Evaluación y Desarrollo Profesional) emphasises induction training and contacts government entities to ensure that training has been organised to raise the awareness of new staff of ethics, conflict of interest, security and integrity. Some officials indicated that these training materials are often out of date. The level of training provided varies from entity to entity and is dependent on the initiative of the local internal controller.

Establishing an effective internal control framework

• Mexico City could draft a strategy for communications and capacity building to publicise the new guidelines for internal control, audits, and interventions in the public administration.

Adopting the “three lines of defence” model

• Mexico City could apply the principles of the “three lines of defence” model in refining the internal control framework.

Establishing internal control measures

• Mexico City could create a system of accountability for procedural manuals to ensure they are consistent, regularly updated and reflect efficient procedures.

Refining the role of Internal Control Units and strengthening the independence of the Comptroller-General

• Mexico City could clearly separate the lines of defence, with senior management, rather than the internal auditors, charged with implementing risk management and designing and implementing internal controls.

• Given that Comptroller-General guidelines require that the audit programme be based on priorities and a risk assessment, Mexico City could develop and implement a risk-based approach to internal audit topic selection.

• Mexico City could strengthen mechanisms for internal control units to monitor implementation of audit recommendations.

• Mexico City could revise the audit planning process for the Comptroller-General to help ensure greater independence from the government.

Implementing a risk management framework

• Mexico City could implement a systematic risk management framework to strengthen internal control.

• Mexico City could set up the risk management framework by assigning clear responsibility for managing risk to senior managers, providing risk management training for staff and updating risk management systems, tools and processes.

Reinforcing the professionalism of internal auditors

• Mexico City could provide further training on ethics and integrity for internal auditors.