2. Integrity risk management in Thailand: Immediate challenges and areas for improvement
This chapter describes the national government’s efforts in Thailand to modernise risk management policies and practices for safeguarding integrity. This includes the work of the Comptroller General’s Department (CGD), the Office of the National Anti-Corruption Commission (NACC) and the Office of the Office of the Public Sector Anti-Corruption Commission (PACC), which play critical roles in supporting line ministries to build their knowledge, capacity and skills for managing integrity risks. The chapter offers recommendations for the Thai government to consider in three areas: 1) ensuring clarity of roles and making good governance a central theme; 2) improving risk assessments; and 3) enhancing monitoring and evaluation, as well as quality assurance assessments. These areas are not exhaustive with regards to the challenges and opportunities for improving control and oversight in Thailand more broadly, but they represent key priorities given the narrow scope of the chapter on integrity risk management.
In the past three years, Thailand has made legal and regulatory reforms that sought to modernise the internal control system in line with international standards, such as those established by the Committee of the Sponsoring Organisation of the Treadway Commission (COSO) and the Institute of Internal Auditors (IIA). By improving the legal and policy frameworks for internal control, risk management and internal audit functions, Thai policy makers have signalled the need to balance an enforcement-focused model with preventive approaches.
While recent reforms have aided in modernisation, the Thai government faces a number of challenges to implement reforms. The responsibility for facing these challenges is shared across the Thai government. One of the key institutions is the Comptroller General’s Department (CGD), which is the centralised internal audit function in the Thai government. As part of the reform process, the CGD took over key responsibilities for internal control from the State Audit Office (SAO). Other central bodies that are critical allies for the CGD in advancing internal control and risk management in government are the Office of the National Anti-Corruption Commission (NACC) and the Office of the Public Sector Anti-Corruption Commission (PACC). In addition, managers in government have many of the core responsibilities to implement recent changes to strengthen internal control and risk management for safeguarding integrity. For this reason, it is critical that these individuals on the frontlines understand the value of and benefits from internal control and risk management first hand.
This chapter elaborates on key challenges and recommends actions for the Thai government, particularly the CGD and managers in agencies, to further improve integrity risk management and assessments. The chapter focuses on the following overarching issues:
Ensuring clarity of roles and making good governance a central theme: While reforms are still fresh, risk assessments can be positioned as management tools for better governance as opposed to compliance exercises. Doing so requires improvements to standards and guidelines to ensure clarity of roles and responsibilities for managing risks and further demonstrating the value of risk management for everyday operations and control decisions. The CGD and other government-wide entities can help to advance this governance-oriented mindset, in particular, by demonstrating the value of risk management, control and audit for achieving policy goals, as well as means to demonstrate the government’s transparency and accountability to citizens.
Overcoming implementation challenges to better manage and assess risks: Thailand’s recent legal reforms have further codified the need for risk-based approaches, and there are existing tools to build on, including the Integrity and Transparency Assessment. However, the government faces new challenges for assessing integrity risks, particularly across levels of government, as it modernises its risk management policies and practices. The need for harmonising existing approaches and offering more guidance is a key issue facing the CGD, in addition to addressing gaps in capacity and knowledge for conducting risk assessments at national and regional levels.
Enhancing monitoring and evaluation, as well as quality assurance assessments: With several parallel efforts in Thailand to safeguard integrity and manage risks, effective monitoring and evaluation (M&E) is critical for ensuring an effective internal control system and the fulfilment of policy goals and objectives. The CGD developed a process for quality assurance assessments, which is a positive signal and recognition of the need for monitoring and evaluation (M&E) and continuous improvement of internal audit activities. The CGD can take additional steps to develop M&E plans concerning integrity risk management in particular, in line with the OECD’s Recommendation on Public Integrity.1
These areas represent critical, but not all, areas for improvement to advance integrity risk management in Thailand. Responses of Thai officials to OECD questionnaires and input during interviews focused largely on legal and policy concerns, given recent reforms. Therefore, recommendations and findings related to integrity risk management in practice are limited, including key issues such as managing and assessing risks at the provincial level and methodological considerations for risk assessments. Some of these issues may be be addressed in subsequent phases of co-operation.
Enhance the focus on integrity in standards and rules, and clarify roles and responsibilities within the internal control system
After the passage of new laws and standards in recent years, Thailand has developed a strong foundation for internal control, risk management and internal audit in the public sector. The State Fiscal and Financial Disciplines Act, B.E. 2561 (2018) applies to all public entities, including state-owned enterprises, and it stipulates that government entities should establish an internal control system in compliance with standards and rules prescribed by the Ministry of Finance (Section 79). The Act also defines managerial control and civil servants’ responsibilities related to internal control and risk management. To complement this Act, the CGD within the Ministry of Finance recently developed the Risk Management Standards and Practical Rules for State Agencies, B.E. 2562 (2019). It focuses on13 practical rules for risk management, which includes a general reference to the need of public institutions to conduct risk assessments.
The CGD is also responsible for setting internal audit standards, including the 2017 Internal Audit Standards and Ethics for Internal Auditing of Government Agencies, which draws from the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing. Other actors in government have developed additional materials related specifically to managing corruption risks. This includes central bodies like the NACC and the PACC, as well as individual line ministries, which produce their own frameworks and guidelines for managing integrity and corruption risks in the government’s daily operations.
The legal and policy foundation for the internal control system in Thailand, including managerial control, risk management and internal audit is extensive, but can also create confusion in the context of integrity and anti-corruption measures. First, corruption and fraud risks are explicitly addressed in internal audit standards, including the role of internal audit to assess such risks, but they are not directly addressed in the Rules. This sends a message that the management of fraud and corruption risks is the responsibility of the internal audit function. The CGD could amend the Rules to include a specific reference to integrity risks to avoid artificially separating this type of risk from the broader policies, practices and tools used to assess risk management in general. This would also reinforce the notion that corruption risk management is also the responsibility of managers within line ministries.
In addition, the CGD could amend standards or provide additional guidance to further clarify the role of the internal audit function for integrity risk management vis-à-vis managers. For instance, the Ministry of Finance’s internal audit standards note, “Internal audit operations must assess the likelihood of corruption, and methods of managing risks related to fraud” (Ministry of Finance, 2018[1]). They also include requirements for internal audit to report fraud to heads of government and the audit committee, if applicable. Yet, the Risk Management Standards and Practical Rules for State Agencies say the internal audit function should not be responsible for risk management. The Rules stipulate that the head of each government agency is responsible for appointing a lead for risk management, which can be an individual or a team. Interviews with Thai officials and responses to questionnaires confirmed that internal audit functions in government agencies are leading risk management activities in practice, including carrying out risk assessments.
The CGD can address this confusion and ensure consistency of its standards and guidance so that government officials know their roles and responsibilities within the internal control system. In particular, the internal audit function should not have the primary responsibility for managing and assessing integrity risks. The IIA’s Three Lines Model can be instructive for how the Thai government can define roles and responsibilities.2 This could include revising the 2017 Internal Audit Standards and Ethics for Internal Auditing of Government Agencies to make it clear that internal auditors should not be leading risk assessments. Integrity risk management is primarily the responsibility of managers (i.e. the first line), as Thailand’s own Practice Rules for Risk Management outlines. In addition, the CGD could consider improving self-assessment tools to further promote responsibility, accountability and the authority of managers with regards to internal control and risk management. For instance, the OECD SIGMA programme has developed guidelines for assessing the quality of internal control systems (Boryczka, Bochnar and Larin, 2019[2]). See Box 2.1 for an example of such a tool from the Netherlands (The Dutch Ministry of Finance, March 2018[3]).
The National Academy for Finance and Economy (NAFE) of the Dutch Ministry of Finance developed a self-assessment tool to improve public governance, focusing on financial management control (FMC) as a key component of public internal control. The NAFE developed an FMC assessment matrix as a practical tool to support assessments of FMC policies and practices at an institutional level, as well as to aid follow-up evaluations and actions to strengthen FMC. According to the NAFE, reasons for developing such tools include:
Key elements of FMC are in place, such as financial departments and reporting systems, but operational and implementation challenges remain (including those subsequently listed).
Second Line of Defence, i.e., risk management, oversight and monitoring are undeveloped.
Financial divisions do not support planning and control, except for control of the budget.
Lack of an entity-wide planning and control mechanism, as well as planning and control at the operational level.
Blurred lines of responsibility between the second and third lines of defence, i.e., between risk management and the internal audit function.
The NAFE’s FMC assessment matrix allows management to understand the design of their organisation assessed against good practice criteria, drawing from the European Union’s principles of Public Internal Financial Control (PIFC). Assessors must have excellent knowledge of PIFC, including managerial accountability elements. In addition to managers using the matrix as a self-assessment for their department, internal auditors can make use of the matrix during an entity-wide assessment of currently running FMC systems. Effective implementation of the self-assessment methodology, including completion of the FMC matrix, results in insights about possible actions to improve the FMC configuration and practices. The matrix and results can be shared with management and staff. The table below shows the header row of the matrix followed by an example of how each column can be populated. An actual matrix would include all key components of the internal control system, such as the internal audit function, as well as many other key variables and assessment impacts.
Finally, the FMC assessment matrix relies on the Institute of Internal Auditors’ Three Lines Model. In particular, according to this model, operational managers are the first line. They are responsible for implementing and maintaining effective internal control while assessing risks to operations and strategic objectives. The various oversight, risk management and compliance functions overseeing the operational management make up the second line. These functions are responsible for support, monitoring, oversight and control over the first line. The internal audit function is the third line, and it provides independent assurance on the functioning of the first two lines. Each of these three “lines” are reflected in the FMC assessment matrix, since they play distinct roles within the organisation’s wider governance framework.
Source: The Dutch Ministry of Finance (March 2018[3]), Good Financial Governance and Public Internal Control, Presentation to the OECD.
Unclear roles and responsibilities can undermine the independence of internal audit functions and lead to a compliance-oriented approach to risk management and internal control. Many agencies in Thailand’s government do not have experience in risk management, according to Thai officials. Addressing these issues at the early stages of Thailand’s efforts will help to avoid the institutionalisation of systemic and long-term challenges, and ensure that resources and training on managing and assessing risks are targeted at the right people.
Refine communication strategies to demonstrate the added value of risk management for safeguarding integrity and improving governance
The CGD, along with the NACC, the PACC and leadership of line ministries, can enhance future guidance and communications about risk management and control by having coherent messages that promote managerial ownership and risk management as a tool for better governance. In interviews with Thai officials, line ministries tend to view the risk management plan required by the CGD’s Risk Management Standards and Practical Rules for State Agencies as a compliance exercise. This 2017 Internal Audit Standards and Ethics for Internal Auditing of Government Agencies, which assigns corruption and fraud risk assessments to the internal audit function, only reinforces this perception.
Following recent reforms in Thailand, the integration of risk management into the operations of line ministries depends on how well managers understand and see evidence of the value of risk management for governance and the achievement of objectives. If managers do not see the value of risk management for making decisions and solving problems, they will have little commitment to integrate risk-based thinking into operations and therefore a risk-informed culture is unlikely to take root. The CGD, the NACC and the PACC can enhance guidance with positive messages that emphasise a perspective on risk management and control that is oriented towards good governance and achieving the results of policies and goals, rather than compliance with laws and standards. Similarly, they can communicate perspectives on risk assessments oriented towards solutions management, as opposed to check-the-box exercises.
In addition, messages about the value of risk management or assessments should avoid causal linkages to improvements in Transparency International’s Corruption Perception Index (CPI). For instance, in responses to the OECD’s questionnaire, respondents of the National Economic and Social Development Council (NESDC) indicated that most public sector entities realise the importance of risk management as a proactive measure to prevent corruption in Thailand, as well as “an essential tool for enhancing Thailand’s Corruption Perception Index”. Respondents added that the aim is for Thailand to rise in the CPI to become one of the “top twenty” in the world by the year 2030, in line with the Master Plan Under the National Strategy initiated by Prime Minister Prayuth Chan-Ocha’s government (Government of Thailand, 2017[4]). The Fraud Risk Management Plan for fiscal year 2019 of the (NESDC) makes a similar assertion. It directly links risk management to changes in the CPI by stating, “fraud risk assessment is a risk management tool that helps to raise the [CPI] score” (National Economic and Social Development Council of Thailand, 2019[5]).
The examples above signal a fundamental misunderstanding about risk management, risk assessments and their purposes, as well as the CPI. The CPI cannot be used to measure the performance of specific actions taken to address corruption or to mitigate risks, and raising the score should not be a policy objective. There is no causal linkage between day-to-day risk management and the CPI, since many factors contribute to the CPI and isolating the effect of risk management on public perception is unrealistic. In many countries, the CPI is used as an input for risk assessments that provide broad context about the environment. However, by linking integrity risk management to changes in the CPI, it creates the impression that the CPI can be a performance metric for the quality and effectiveness of integrity risk management and assessments at an institutional level. This also risks undermining the concept of risk management as a critical tool for managers to support decision making and drive results related to objectives. In the 2018 Integrity Review of Thailand, the OECD highlighted the limitations of using the CPI as a diagnostic tool and recommended different types of indicators for the government to evaluate anti-corruption policies. Box 2.2 provides additional insights on the CPI, its benefits and its limitations as a diagnostic tool.
The CPI score is a composite index combining at least three data sources per country. The confidence intervals are relatively large, and as a result, it is not possible to make scientifically reliable comparisons between countries with similar scores. Such large confidence intervals and the variability of measurements in other countries cast doubt on the reliability of the rankings: if a country falls a few places in the ranking, it may not, in fact, reflect a real deterioration in the conditions on the ground. Moreover, the CPI score is a national score, and does not reflect regional or sectoral trends and developments. The CPI is thus not suitable as a diagnostic tool. It is a perception index, and it is unclear whether fluctuating perception scores reflect real changes in levels of corruption, or simply general discontent or a response to media exposure of scandals. The CPI is not an appropriate tool for evaluating anti-corruption and integrity policies.
A balanced set of policy indicators could instead be considered, as a framework to replace the CPI as a policy target and as a measure of the progress of the anti-corruption policy. This new set of measurements could assess policy effectiveness, identify areas or institutions at risk, and inform policy planning. Specific indicators can be used to measure budget transparency, integrity in public procurement, efficiency of administrative processes, open government, as well as benchmarks related to organisational integrity, asset declaration systems and whistle-blower protection. Moreover, sector-specific indicators can be used to measure integrity in service delivery in health, education or in areas such as licencing or business creation. It may be assumed that these indicators will help improve the CPI score in the long run.
Source: OECD (2018[6]), OECD Integrity Review of Thailand: Towards Coherent and Effective Integrity Policies.
The CGD, NACC and PACC, as entities with government-wide responsibilities, can play a critical role in changing, or at a minimum, diversifying this message and promoting the added-value added of risk management. As discussed, this can include positive, governance-focused statements about the contributions of the results of risk management and assessments to an effective control environment. This could include messages about risk management supporting managers in making informed decisions to find solutions to mitigate risks related to organisational objectives, as opposed to raising the score in the CPI or addressing broad sets of environmental risks that are outside the purview of an individual line ministry.
Improve risk management guidance, including clarifying the purpose of different types of risk assessments
The Risk Management Standards and Practical Rules for State Agencies lay the foundation for a risk-based approach to governance and control in Thailand’s government. Additional guidance could help to educate agencies as to how to implement them to ensure consistency and harmonisation. Line ministries have wide discretion in how they apply the Rules, and there are at least three different risk assessments that agencies conduct, including the following:
1. Managers are responsible for a risk assessment at the entity level, which according to the new Rules, every government agency must conduct on an annual basis as part of their risk management plans. This type of risk assessment is in its second year of implementation. Laws and regulations do not require line ministries to submit the risk management plan or the results of the risk assessments to the Ministry of Finance. The format for documenting the risk analysis is left to the discretion of line ministries. Corruption and fraud risks are not taken into account as part of these risk assessments, as discussed.
2. The internal audit function carries out the second type of risk assessment. As noted, this role for the internal audit function is outlined in Ministry of Finance's regulations on standards and guidelines of internal audit for government agencies B.E. 2561 (2018), which state that the internal audit must assess and address fraud risks. (Ministry of Finance, 2018[1]).
3. The third type of evaluation is the Integrity and Transparency Assessment (ITA). The ITA is an evaluation that focuses on fraud and corruption in line ministries, as described in greater detail in the next section. Thai agencies have been conducting these evaluations since 2014. In the 2018 Integrity Review of Thailand, the OECD offered recommendations to improve the methodology, knowledge sharing and co-ordination of the ITA. To what extent the ITA or risk assessments fulfil the CGD’s requirements related to risk management in practice, as defined in the Rules, is unclear.
The ITA is a core element of component Strategy 4, “Development of proactive corruption prevention systems system to counter corruption” of the National Anti-Corruption Strategy, Phase 3 (2017-2021)”. The ITA is an annual assessment at the organisational level across government institutions at national and regional levels. The assessment methodology was adapted from the Anti-Corruption and Civil Rights Commission of South Korea, and was then developed and integrated to match with the transparency indicator of the NACC. The NACC, along with the PACC, lead the implementation. The methodology consists of three surveys, which cover 10 topics, including corruption prevention.3
PACC officials communicated the development of a fourth approach, called a “Risk Assessment System,” for detecting corruption and misconduct in the public sector. The system envisions three levels—policy, ministerial/departmental and provincial. The system at the policy level entails developing polices and consistent criteria for fraud risk indicators, guided by the work of the NACC. At the ministerial or departmental level, the system involves designating ACOCs as the leads for carrying out fraud risk assessments related to service delivery, the use of authority, and budget spending and management of resources. Lastly, ACOCs would also conduct assessments at the provincial level, focusing on programmes with large budgets. At the time of drafting this report, the Risk Assessment System is in the conceptual stage and could not be assessed for effectiveness or harmonisation with existing efforts in terms of its design or implementation. The recommendations below take into account these four parallel efforts.
The CGD, in co-ordination with the NACC and the PACC, can offer further guidance that explains how each of these assessments fulfil risk management requirements established in the Rules, and specifically, to what extent risk assessments should focus on fraud and corruption risks given the parallel work line ministries do to conduct the ITA. In addition, as noted, the internal audit function should not lead risk assessments, in line with international standards, and this can include corruption and fraud risk assessments. Additional guidance from the CGD, the NACC and the PACC could address the following issues:
Clarify the strategic and operational importance of risk assessments, including an explicit reference to managing fraud and corruption risks. The CGD should communicate that the ITA should not be a substitute for risk assessments at an institutional or operational level that support managers to make decisions about control activities and mitigation measures, as required in the Rules. Separate from the ITA, risk assessments should take into account fraud and corruption risks that could affect the achievement of the agency’s objectives.
Clarify the roles and responsibilities specific to integrity risk management. This could include clarifying the roles and responsibilities of managers for risk management and internal control, as discussed in the previous section. In addition, it could include clarifications about the roles and responsibilities of the internal audit function, the NACC and the PACC, including its network of Anti-Corruption Centres, in the context of risk management requirements. Involving the latter can help to promote risk management at the regional level, which Thai officials highlighted as an ongoing challenge. Moreover, further CGD guidance could clarify the expectations of managers to co-ordinate and benefit from the internal audit function’s risk assessments as an input into their own risk management plans and activities.
Clarify the purpose and use of the results of the ITA relative to integrity risk assessments that managers or internal audit functions may conduct. The ITA serves as a comprehensive, high-level self-assessment tool and means for raising awareness about key integrity issues. However, it is not clear how the government uses the results of the ITA, and whether there are linkages between the ITA and ongoing risk management activities at an operational level. Moreover, any additional guidance or promotional materials that convey the importance of risk management and risk assessments should be cautious about creating causal linkages with Transparency International’s Corruption Perception Index (CPI), as described in the previous section. Instead, the guidance can reiterate the benefits of risk management as an approach for navigating uncertainty and driving policy results rather than a means for complying with regulations.
Additional guidance from the CGD can also serve as an opportunity to showcase positive examples across government related to risk management and internal control in the promotion of a race-to-the-top. For instance, every year, the NACC has awarded organisations in the public sector for their contributions and success in launching proactive measures to combat corruption and conduct the ITA, including a ranking of ministries that are top performers. In addition, each year the Office of the Public Sector Development Commission (OPDC) offers a Public Sector Excellence Award (PSEA). In 2017, the OPDC awarded a PSEA to the Department of Rural Roads in the Ministry of Transport for excellence in strategic planning and efficient implementation of the organisation strategy, which included effective risk management and internal control. Additional guidance can showcase such efforts to motivate improvements to integrity risk management and internal control, and more generally a culture of risk that promotes value-based, coherent risk management policies and practices.
Strengthen capacity and knowledge for assessing and managing risks at the regional level
Thailand is a unitary country with three levels to the state administration structure, including central, provincial and local administrations (see Box 2.3 for additional details). The CGD and other bodies, including the PACC and the NACC, have subnational offices that carry out the mandate of the institutions at the regional level. The CGD has 76 offices in the provinces. The ACOCs also have a presence in 76 provinces. In 2018, the OECD recommended the government of Thailand to increase the capacity of the ACOCs. Capacity remains an issue at the provincial level, not only for the ACOCs, but also for the CGD and line ministries with a regional presence, according to Thai officials. In particular, a key area for improvement highlighted by government officials is the capacity of local governments and regional representation of the CGD, the NACC and the PACC to implement reforms for improving integrity risk management and control.
The 1991 State Administration Act sets out three levels of state administration in Thailand: central, provincial and local. There are 76 provinces nationwide, each supported by a provincial office headed by a provincial governor. The provincial governor is appointed by the central government, except in the Bangkok Metropolitan Administration (BMA), where residents directly elect their governor. Governors are usually officials from the Ministry of Interior and are responsible for implementing central government policies. Provinces are then organised into 928 districts, with 7 416 sub-districts and 61 032 villages. The Ministry of Interior’s Department of Provincial Administration appoints the districts’ chief officers. Sub-district heads are generally chosen from among the village heads in each sub-district, and village heads are elected by their constituents. Both sub-district and village heads fall under the direct guidance and supervision of provincial governors and chief district officers, who are under central government control.
Thailand’s local administration is based on a two-tier system comprising 76 Provincial Administrative Organisations (PAOs), 2 441 municipalities, 5 333 Sub-district Administrative Organisations (SAOs), and two special Local Administrative Organisations (BMA and Pattaya City). PAOs function as the upper tier of the local administration and operate large-scale administrative duties and public services. Municipalities and SAOs constitute the lower tier and are responsible for small-scale duties. Municipalities govern urban areas, while SAOs govern rural areas. There are three types of municipalities: cities (50 000 inhabitants or more), towns (10 000 to 49 999 inhabitants) and townships (7 000 to 9 999 inhabitants).
Provincial governors and chief district officers oversee local administrators to ensure central government policy directives are followed. This leaves limited discretion for PAOs, municipalities and SAOs to determine how funds are spent. However, the Decentralisation Act (1999) aimed to create institutional space for citizens to track and monitor the provision of public services and take part in decision making. In the following years, the direct election of local administrators has been gradually introduced. In 2014, local elections were temporarily suspended in the aftermath of the political crisis
Source: OECD (2018[7]), Multi-dimensional Review of Thailand (Volume 1): Initial Assessment.
In interviews, government officials highlighted ongoing challenges facing local administrative agencies to conduct risk assessments and establish effective internal control systems. Officials declared there was no guidance for provincial government entities. This has led to a wide variation and lack of coherence with regard to how local governments approach internal control and risk management. Across all provinces, capacity is low for implementing recent reforms.
The CGD can take the lead to address capacity issues and improve the coherence of approaches to internal control and risk management at the regional level. The aforementioned guidance can address this issue directly, with considerations and support that is tailored to the maturity levels of local administrations. The CGD is already conducting trainings for provincial government entities on risk management, according to officials. Further guidance can provide greater clarity as to how local entities can comply with new reforms. Going beyond that, guidance can add clarity and help to build capacity related to key areas communicated to the OECD in interviews, including: the roles and responsibilities of local government entities for managing risks; methodologies for assessing risks that are commensurate with skill levels and resources; and good practices for using the results of risk assessments.
Develop plans for monitoring and evaluation of internal control and risk management with a specific focus to safeguard integrity in government
International standards emphasise the need for governments to monitor and evaluate the internal control system, and in particular, to assess outcomes and update activities to improve fraud and corruption risk management (COSO, 2016[8]). The OECD’s Recommendation on Public Integrity also highlights the need for governments to build efficient monitoring and quality assurance mechanisms for safeguarding integrity in the public sector. Thailand’s regulations echo these standards. For instance, Thailand’s Risk Management Standards and Practical Rules for State Agencies say that heads of agencies should monitor and evaluate risk management activities to ensure the agency adheres to standards and the IIA’s Three Lines Model. In addition, government agencies are subject to reporting requirements to ensure they have internal control systems in place and consider risks.
Thailand’s reporting requirements include a a “Certificate of Internal Control Assessment,” which is a self-assessment report that indicates a public entity has assessed whether internal controls are compliant with the Rule of the Ministry of Finance on Standards and Internal Control Practice for Government Agency B.E. 2561 (2018). As part of this internal control assessment, line ministries must also highlight improvements to internal control activities based on perceived risks. This certificate is the only requirement for public entities to monitor, evaluate and report on M&E of the internal control system. There are other bodies that support these efforts, including a Committee within the CGD that consists of internal auditors as well as financial and compliance auditors of the State Audit Office (SAO). However, the primary responsibility for M&E of the internal control system is within line ministries, in accordance with Thailand’s standards.
In principle, the certifications and their underlying assessments can be useful mechanisms for monitoring and evaluating the internal control system in the Thai government. However, the quality and effectiveness of these efforts depend on the methodology, scope and frequency of monitoring, which is not prescribed and is therefore inconsistent from one line ministry to the next. The Certificates promote monitoring and evaluation of the general existence of an internal control structure, and to some extent risks, but there are more determinants of the quality of an internal control system beyond these factors. Box 2.4 provides an example from guidance produced for the United States Agency for International Development (USAID) as part of a toolkit for managers in the health sector, but with broader lessons that are applicable to self-assessment methodologies for internal control.
Engaging stakeholders across three stages of the self-assessment process
Employing a self-assessment methodology can help instil a level of ownership of both the review process and the findings. It can also aid with internal communication. Communication to internal stakeholders ideally takes place at three stages of the self-assessment process:
1. Design: An initial meeting or workshop with officials from throughout the organisation to launch the assessment is important in establishing transparent communication about the assessment process and potential results. The meeting/workshop should be designed to encourage feedback from participants on the assessment design, which would further increase buy-in from internal stakeholders. During this meeting, participants can be provided with talking points to share with their colleagues.
2. Implementation: During the self-assessment, the team should be prepared to engage with colleagues about internal controls. The review is an opportunity to engage a broad set of stakeholders on the importance of internal controls, factors that make a good internal control and the findings from the data collection effort. This is particularly important in assessing the difference between practice and policy.
3. Results: The results of the assessment need to be communicated clearly and transparently. Senior leadership should focus on prioritising the actionable steps to be taken to strengthen internal control weaknesses, and highlighting those areas where management systems or procedures are not working. Sharing broadly with other staff is important to build accountability for improving internal controls and management systems.
Overview of an output of a self-assessment process
Background - Detailing the context in which the assessment is taking place, major changes or initiatives to address internal controls, the scope and scale of the assessment, and the description of the departments and units being reviewed.
Objectives - Stating the rationale for the self-assessment and the intended use of the findings.
Methodology - Describing the specific scope of the assessment team, the justification for selection of the specific indicators, and the sampling methodology for data collection subnational and facility-level entities.
Strengths - Summarising the areas where internal controls are sufficient, and how that assessment was made.
Weaknesses - Detailing the areas where internal controls are insufficient or weak, and how that assessment was made.
Change over time - If the assessment is being completed regularly, identifying any significant changes, either positive or negative.
Next steps - Describing how the results of the self-assessment will be used to inform efforts to strengthen internal controls.
Source: Long, B. and J. Kanthor (2013[9]), Self-Assessment of Internal Control Health Care: A Toolkit for Managers.
Above all, M&E should support public entities in obtaining a better understanding of implementation challenges or vulnerabilities on an ongoing basis. Managers in public entities can conduct M&E in regular intervals and incorporate the results into the reporting process for the Certificates. Risk assessments are not a substitute for M&E. The monitoring and review of risk management processes is a distinct activity from M&E and assessing the quality of internal control systems as a whole, even though these activities may inform each other. For instance, the results of fraud and corruption risk assessments (i.e. the perceived likelihood and impact of the effect of fraud and corruption on objectives) can be one of several factors that help manager’s to set priorities for broader M&E activities and quality assessments. Other considerations for prioritising M&E activities include the following:
objectives and the scope of activities of the public organisation
issues identified and recommendations of internal and external auditors
issues identified by the Ministry of Finance or CGD in their role of providing general oversight of the financial operations of line ministries
proportion of irregular expenditure within the overall budget of the public organisation (Boryczka, Bochnar and Larin, 2019[2]).
In the integrity context, the unit of analysis for M&E is not just individual risks, but other governance and institutional factors that determine the effectiveness of the internal control system. Specifically, M&E involves the systematic collection of evidence dealing with the design, implementation and results of the policies, controls and actions taken to manage fraud and corruption risks. Effective monitoring allows managers to adapt controls when issues arise, and evaluations can offer insights into an ongoing or completed activity, to support decisions about relevance, effectiveness and potential alternatives. The current M&E activities related to internal control and risk management help to promote awareness of this critical component of standards, like COSO and Thai’s own regulations, but the Certificate process facilitates a check-the-box exercise for line ministries. As a result, there is a danger of government officials perceiving internal control and risk management as compliance activities. In contrast, M&E should facilitate manager’s decisions and understanding of the effectiveness of the internal control system, based on evidence of how well measures to safeguard integrity are producing results and advancing organisational objectives.
Ensure the independence and objectivity of quality assurance assessments
As part of its monitoring and evaluation activities, the CGD developed a quality assurance assessment framework for the internal audit function in the public sector. The framework is structured according to international standards of the Institute of Internal Auditors (IIA) and the IIA’s International Professional Practices Framework (IPPF), as well as the Principle of Total Quality Management (TQM) and the Deming Management Cycle. It covers four main areas of activity of the internal audit function—governance, staff, management and process—as shown in Table 2.2.
Values for the assessment are attributed at three levels: at the “item” level, the level of the internal audit activity and the overall assessment results. The performance of each item is rated on a scale of 0 to 4, where 0 stands for no action taken and 4 for complete conformity with the established criteria. The points received for each item under the internal audit activity assessed (i.e. governance, staff, management, process) are calculated together to end up with an average score. In the end, the average score is weighted for each internal audit activity. All weighted average scores are added together to reach the overall evaluation score following again a scale of 0 to 4 (where 0-1.99 stands for “does not conform” 2-2.99 stands for “partially conforms” and 3-4 for “generally conforms”).
Thailand’s quality assurance process includes both quantitative and qualitative criteria depending on the content of each assessment. For example, item 4 on “Expertise in internal audit” uses mostly quantitative indicators such as the percentage of staff with more than 3 years’ experience in internal audit and the percentage of certified internal auditors. In comparison, item 8 on “Risk assessment for audit planning” focuses on qualitative indicators related to the risk assessment process, such as coverage of risk factors, use of risk assessment results for audit planning and ability to adjust risk factors depending on the circumstances (Comptroller General's Department, 2016[11]). Using mixed types of indicators is a recommended approach that helps capture and measure the various aspects contributing to the improvement of the internal audit function as a whole.
The CGD’s quality assurance assessment aligns with the goals set forth in IIA’s Standard 1300, Quality Assurance and Improvement Programme (QAIP), which states, “The chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity” (IIA, 2017[12]) QAIPs help internal auditors to assess the efficiency and effectiveness of their work and identify areas of improvement. Moreover, they can facilitate a better understanding of risks and performance indicators, thereby aiding decision making and implementation of strategies, policies and procedures. The following are common focus areas of QAIPs:
Conformance with the definition of internal auditing, the code of ethics, and the standards, including timely corrective actions to remedy non-conformance.
Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures.
Contributions to the organisation’s governance, risk management, and control processes.
Compliance with applicable laws, regulations, and other government standards.
Effectiveness of continuous improvement activities and adoption of best practices (OECD, 2018[13]).
The CGD’s Internal Audit Quality Assessment is described as a collection of information about the internal audit function of government agencies. The CGD identifies the government agencies participating in the quality assurance process. After receiving relevant notice, the heads of the participating government agencies inform the internal audit function, which is asked to complete a self-assessment form and provide all supporting documents and evidence. Examples of supporting documents used in the assessment include the annual audit plan, the code of ethics, audit reports, the internal audit charter and training plans. As a next step, the CGD assesses the quality of the internal audit function based on the established criteria and the evidence provided. During this process, the internal audit function of the participating agencies continues to support the CGD providing additional information and explanations, as necessary. Finally, the quality assessment results are analysed and reported to a committee that consists of CGD officials, as well as senior experts from the private sector, called the Public Sector Quality Assurance Committee.
As described, a key characteristic throughout Thailand’s quality assurance assessment of the internal audit function is the heavy involvement of the CGD itself. The CGD, as the central institution monitoring the internal audit function in the public sector, plays a key role in ensuring its quality. While the Public Sector Quality Assurance Committee certifies the results of the assessments, concerns about independence remain. An analogous approach is followed in some EU member countries (European Commission, 2014[14]), reflecting the tasks of central harmonisation units (CHUs) that are similar to the CGD. CHUs can go beyond overseeing, monitoring and advising public sector internal audit functions, and they may conduct external assessments of the internal audit activities of operational units. This practice has raised concerns with regards to the independence and “externality” of the CHU vis-à-vis the internal audit functions under assessment.
In 2012, the European Commission issued an opinion that stated if a CHU’s assessment is the only one carried out, it does not satisfy the requirements of IIA’s Standards.4 According to the Commission, despite being a distinct organisational structure, the CHU’s assessment should not be considered as both external and independent in line with Standard 1312, since the CHU provides the internal audit activity with assistance and professional guidance (European Commission, 2014[14]). To address this issue, the United Kingdom, for instance, completely outsourced its external quality assurance assessments, which are carried out by an independent contractor as described in Box 2.5 (U.K. HM Treasury, 2013[15]).
Internal audit functions at central, devolved and local government levels in the United Kingdom, apply a common set of Public Sector Internal Audit Standards based on the IIA’s global standards for the profession. Performance and audit quality are evaluated using a standardised approach, the Internal Audit Quality Assessment Framework.
The Framework is designed to focus on outcomes that improve the effectiveness of internal audit activity and as a result help institutions better meet public service delivery commitments. This tool is used in periodic self-assessments and in external reviews performed by assessors from outside the organisation to embed a common understanding of quality and continuous improvement. The Framework is divided into four key sections with measures of effective performance that go beyond compliance with professional standards:
Purpose and positioning: Does the function have a clear mandate, appropriate status and independence to perform its duties?
Structure and resources: Does the function have access to the relevant technical skills, adequate staffing and sufficient budget to deliver its mandate?
Audit execution: Does the function have adequate policies and processes in place to deliver its mandate effectively and efficiently?
Impact: Does the function have a positive impact on the organisation’s ability to deliver its objectives and foster good governance, risk management and control?
Statements of good practice for each measure serve both as a guide to reviewers in applying the Framework and as a roadmap for internal audit functions on specific actions to improve performance. The Framework provides a snapshot of overall effectiveness of the audit function and builds on the results of the most recent internal review to evaluate audit quality over time.
Independence and objectivity of external quality assessments
Internal audit functions are required to have their activity reviewed by an independent assessor at least once every five years. Independence is defined as not having an actual or perceived conflict of interest and not being a part of, or under the control of the organisation of the internal audit function. Audit and risk committees oversee selection of the independent assessment team and the scope of the review.
Source: UK HM Treasury, (2013[15]), Internal Audit Quality Assessment Framework; HM Treasury (2013), External Quality Assessment Specification; Relevant Internal Audit Standard Setters, (2017), Public Sector Internal Audit Standards: Applying the IIA International Standards to the UK Public Sector.
In addition to full external assessments, the CGD could consider other ways to improve the independence of its quality assurance assessments for the internal audit function. For instance, it could create firewalls within its institution to ensure dedicated personnel focus entirely on the quality assessments of the internal audit function. This could be part of or in addition to CGD’s own internal audit function. For instance, Peru’s Office of the Comptroller General (Contraloría General de la República, or CGR) uses an evaluation system for assessing the maturity of internal control components. The independence and “externality” of the evaluator are also crucial in this case. Currently, the CGR has a department of internal control that is primarily responsible for assessing the degree and maturity of the internal control components within public entities (OECD, 2017[16]). Thailand could consider a similar approach in order to further ensure the independence and objectivity of its assessments.
Enhance the focus on integrity in standards and rules, and clarify roles and responsibilities within the internal control system.
The CGD could amend the Rules to include a specific reference to integrity risks, linking to institutional objectives, to avoid artificially separating this type of risk from the broader policies, practices and tools used to assess risk management in general.
The CGD could amend standards or provide additional guidance to further clarify the role of the internal audit function (i.e. the third line) for integrity risk management vis-à-vis managers in government (i.e. the first line).
The CGD could consider improving self-assessment tools to further promote responsibility, accountability and the authority of managers with regards to internal control and risk management.
Refine communication strategies to demonstrate the added value of risk management for safeguarding integrity and improving governance
The CGD, along with the NACC, the PACC and leadership of line ministries, can enhance future guidance and communications about risk management and control by having coherent messages that promote managerial ownership and risk management as a tool for better governance.
The CGD, the NACC and the PACC can enhance guidance with positive messages that emphasise a perspective on risk management and control that is oriented towards governance and achieving the results of policies and goals, rather than compliance with laws and standards.
The CGD, the NACC and the PACC also can adapt messages about the value of risk management and risk assessments by avoiding causal linkages to improvements in Transparency International’s CPI. It is not possible to use the CPI as a tool to measure the performance of specific internal control or risk management activities.
Improve risk management guidance, including clarifying the purpose of different types of risk assessments
The CGD, in co-ordination with the NACC and the PACC, can offer further guidance that explains how each of these assessments fulfil risk management requirements established in the Rules to ensure consistency and harmonisation across entities. This can include additional guidance at the institutional level to demonstrate how risk assessments should focus on fraud and corruption risks, given the parallel work line ministries do to conduct the ITA.
Clarify the strategic and operational importance of risk assessments, including an explicit reference to managing fraud and corruption risks. Although CGD does not set the rules for the ITA, the CGD could communicate that the ITA should not be a substitute for risk assessments at an institutional or operational level, as required in the Rules.
Clarify the purpose and use of the results of the ITA relative to integrity risk assessments that managers or internal audit functions may conduct.
Use the guidance as an opportunity to showcase positive examples across government related to risk management and internal control to reinforce international standards and good practices, and promote a culture of integrity.
Strengthen capacity and knowledge for assessing and managing risks at the regional level
The CGD can take the lead to address capacity issues and improve the coherence of approaches to internal control and risk management at the regional level, including additional guidance and trainings that provide greater clarity and knowledge as to how local entities can better manage risks and comply with new reforms.
Capacity-building efforts at the regional level can focus on key areas identified during the review, including 1) clarity about the roles and responsibilities of local government entities for managing risks; 2) methodologies for assessing risks that are commensurate with skill levels and resources; and 3) good practices for using the results of risk assessments.
Develop plans for monitoring and evaluation of internal control and risk management with a specific focus on safeguarding integrity in government
The CGD and line ministries could enhance M&E to better understand implementation challenges and vulnerabilities in the integrity system on an ongoing basis. Managers in line ministries can conduct M&E in regular intervals and incorporate the results into the reporting process for Certificates.
When conducting M&E, the CGD and line ministries can focus on assessing governance and institutional factors that determine the effectiveness of the internal control system in addition to risks. This additional element can help to ensure that M&E is not just a check-the-box exercise with risk assessments.
References
[2] Boryczka, M., D. Bochnar and A. Larin (2019), “Guidelines for assessing the quality of internal control systems”, SIGMA Papers, No. 59, OECD Publishing, Paris, https://dx.doi.org/10.1787/2a38a1d9-en.
[11] Comptroller General’s Department (2016), Criteria for quality assurance of internal audit in the public sector.
[8] COSO (2016), Fraud Risk Management Guide, Committee of Sponsoring Organizations of the Treadway Commission, https://www.coso.org/Pages/Purchase-Guide.aspx (accessed on 13 September 2020).
[14] European Commission (2014), Public Internal Control Systems in the European Union Quality Assurance for Internal Audit, https://ec.europa.eu/budget/pic/lib/docs/pic_paper3_en.pdf.
[4] Government of Thailand (2017), Master Plan under the National Strategy on Anti-Corruption and Misconduct.
[10] IIA (2017), International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors Research Foundation, https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf.
[12] IIA (2017), Quality Assessment Manual for the Internal Audit Activity, The Institute of Internal Auditors Research Foundation, https://global.theiia.org/standards-guidance/topics/Pages/Quality-Assessment-Manual.aspx.
[9] Long, B. and J. Kanthor (2013), Self-Assessment of Internal Control Health Care: A Toolkit for Managers, United States Agency for International Development, Health Finance & Governance Project, Abt Associates Inc., https://www.hfgproject.org/toolkit-ministries-health-work-effectively-ministries-finance/.
[1] Ministry of Finance (2018), B.E. 2561: Internal Audit Standards and Ethics for Internal Auditing of Government Agencies.
[5] National Economic and Social Development Council of Thailand (2019), Fraud risk management plan for fiscal year 2019.
[13] OECD (2018), Internal Audit Manual for the Greek Public Administration, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264309692-en.
[7] OECD (2018), Multi-dimensional Review of Thailand (Volume 1): Initial Assessment, OECD Development Pathways, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264293311-en.
[6] OECD (2018), OECD Integrity Review of Thailand: Towards Coherent and Effective Integrity Policies, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264291928-en.
[16] OECD (2017), OECD Integrity Review of Peru: Enhancing Public Sector Integrity for Inclusive Growth, OECD Public Governance Reviews, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264271029-en.
[3] The Dutch Ministry of Finance (March 2018), Good Financial Governance and Public Internal Control, Presentation to the OECD.
[17] The Office of the National Anti-Corruption Commission (2019), Integrity and Transparency Assessment, https://itas.nacc.go.th/file/download/113259.
[15] U.K. HM Treasury (2013), Internal Audit Quality Assessment Framework, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/204214/internal_audit_quality_assessment_framework.pdf.
Notes
← 1. Principle 10 of the OECD’s Recommendation on Public Integrity focuses on the following objectives: 1) ensuring a control environment with clear objectives that demonstrate managers’ commitment to public integrity and public-service values, and that provides a reasonable level of assurance of an organisation’s efficiency, performance and compliance with laws and practices; 2) ensuring a strategic approach to risk management that includes assessing risks to public integrity, addressing control weaknesses (including building warning signals into critical processes) as well as establishing an efficient monitoring and quality assurance mechanism for the risk management system; 3) ensuring control mechanisms are coherent and include clear procedures for responding to credible suspicions of violations of laws and regulations, and facilitating reporting to the competent authorities without fear of reprisal.
← 2. As of April 2020, the IIA is the process of revising its Three Lines of Defense Model, including changing the name to the Three Lines Model and considering its applicability to the public sector. See the IIA’s website (http://bit.ly/39Y3QT1) for additional information.
← 3. The three surveys conducted for the ITA include the following: 1) the Internal Integrity and Transparency Assessment, a self-assessment to gather employees’ perceptions about organisational culture and management; 2) the External Integrity and Transparency Assessment, an external survey focused on organisational reputation and stakeholders’ perceptions about performance; and 3) the Open Data Integrity and Transparency Assessment, an evidence-based survey that assesses the organisation’s open data activities through reviews of websites and online publications. In general, the ITA covers 10 topics for each organisational assessment, including: 1) performance effectiveness; 2) efficiency and transparency of performance budgeting; 3) legitimacy and use of powers; 4) efficiency and integrity for use of public assets and properties; 5) effectiveness of corruption mitigation measures; 6) quality of operations; 7) communications effectiveness; 8) effectiveness of performance improvement; 9) transparency of public data; and 10) corruption prevention (The Office of the National Anti-Corruption Commission, 2019[17]). The Integrity and Transparency Assessment System (ITAS) supports the data collection for the ITA to ensure timely and consistent assessments across entities.
← 4. Opinion of 13 November 2012 of the Commission’s Directorate-General for Budget addressed to the CHUs of (potential) candidate countries, qualifying European Neighbourhood Policy countries and delegates in the Public Expenditure Management Peer Assisted Learning (PEMPAL) organisation.