4. Strengthening the internal control model and the effective implementation of risk management in the State of Mexico

The State of Mexico should improve the efforts to develop a regulatory framework that is the basis of everyday and real compliance with internal control

The State of Mexico has a solid regulatory framework to promote an appropriate control environment oriented to public integrity. The Standard Model of Internal Control (Modelo Estándar de Control Interno) sets the goal for internal control to provide reasonable assurance in achieving objectives and goals of the institution within the categories of operation, information, compliance and safeguard. It also notes that the control environment is the foundation that provides discipline and structure in order to achieve an effective internal control system and provides that the head, the administration and the government body, as the case may be, should keep a control environment that supports control by displaying an attitude of support and commitment, exercising the surveillance responsibility, setting up structure, liability and authority, demonstrating commitment with professional competence and establishing the structure for accountability. The State of Mexico also has legal standards and plans in a series of fundamental matters for the control environment, such as the development goals, administrative responsibility, ethical and behavioral obligations, and financial control, among others.

A control environment must, in addition to being built formally, facilitate a real control environment. It is one of the challenges that public institutions and States face. Latin America has a long tradition of legal rules and formalities throughout its history, which usually do not go hand in hand with coherence between the regulatory and factual reality. The indicators of rule of law in these countries are low, where Mexico in 2018 shows a percentile rank of 27.4/100, well below Brazil (44.2/100) and Chile (83.7/100). In this context, during the OECD field mission, the robustness of the new regulation, which arose under the National Anticorruption System, was evident, including that related to internal control, as well as the existence of a formal and routine compliance culture, in many cases dissociated from the purpose of such regulations.

Several responses to the questionnaire for the OECD Review on Public Integrity in the State of Mexico, regarding the existence of strategies, policies, mechanisms and systems to promote and guarantee public integrity, referred to identifying regulations, organisational structures and formal activities such as regular meetings, without aiming at the development of dynamic elements for control. The existence of a series of mechanisms that contribute to the control environment was confirmed, but also that they are not conceived as an expression of the Control Environment or that they are managed as legal tools that must comply with a formal result for each determined period. In this context, the regulatory framework does not contribute enough to daily and real compliance with internal control.

The State of Mexico would benefit from developing mechanisms, tools and systems that foster, facilitate and assess compliance with the regulatory framework objectives, in such a way that the Control Environment, through a set of active instruments, creates a culture of fulfilling expectations, regarding both the objectives and the means used by public institutions and their staff to achieve such objectives. A Control Environment is composed of a series of standards, processes and structures that are the foundation to perform internal control. Such standards, processes and structures should help the organisation to demonstrate commitment with integrity, attract competent officials aligned with the objectives, and hold individuals accountable for their internal control duties. However, this does not only depend on mandatory legal rules, but should also translate into policies, messages, guidelines and active mechanisms to promote an organisational integrity culture. Furthermore, for such an effort to be sustainable, the focus should be adopted in all the State interactions with citizens and beneficiaries of the State of Mexico, allowing them to participate in the application of an appropriate Control Environment, especially through a greater knowledge of their rights and applicable regulations, and also through the adoption of civil values and the use of mechanisms that involve them in the protection of public resources.

Internal control is a process that connects all the personnel in institutions, not only a group of persons in charge.

Internal control is defined by COSO as a process, executed by the board of directors, the senior management and other personnel of the entity, designed to provide reasonable assurance regarding the achievement of operational, information and compliance objectives of the organisation. Internal regulations of the State of Mexico follow the same definition, emphasising that internal control is a process and setting specific roles for a series of stakeholders in the process: head of the institution, internal control co-ordinator, liaison of the Institutional Internal Control System, officials in charge of administrative units/processes, auditing body, liaison for risk management, and the Institutional Performance and Control Committee (Comité de Control y Desempeño Institucional, COCODI). However, the design following this concept is operational and seeks to guide the key responsible officials about how to execute internal control, clarifying the steps that must be carried out. This concept of the process, considered alone, is present in many organisations of all kinds.

The State of Mexico is no exception to this phenomenon, which is present in the organisational culture of most of its ministries and auxiliary bodies. Both conceptually and operationally, the regulations on this matter have identified the most important stakeholders and elements of the internal control process in a series of five steps, which may induce personnel to think that internal control is just a sequence far from their usual duties and which is encapsulated in the exclusive roles of a set of individuals. This belief fosters a disconnection of the personnel, and of an important part of managers and heads of area, with their roles in the implementation and permanent operation of an internal control system.

In particular, the function of COCODI and the Internal Control Bodies (Órganos Internos de Control, OIC) is not being fully understood, since the organisational culture of ministries and auxiliary bodies have the notion that control is a task outside the personnel’s duties. This belief is added to the complexity of a system operated by several specialised stakeholders in their control tasks. Other stakeholders, who perform control functions, add to the ones mentioned before, specifically in COCODI: COCODI’s Chair, liaison of the committee, executive member and members of the committee. This entire framework entails a complexity that hampers the appropriation of control by personnel who are not assigned a role as part of the stakeholders of the internal control system and COCODI.

In consequence, the State of Mexico, through the Office of the Comptroller-General of the State of Mexico (Secretaría de la Contraloría del Estado de México, SECOGEM) ), could adopt a working line oriented towards raising awareness in all the personnel about the role that belongs to them, in the corresponding organisational levels, in the control function. Along with this, it could call the attention to key measures that every institution could promote in order to develop a control environment based on integrity, in such a way that the participation of multiple units of each institution in its promotion is fostered. This type of measure can be seen in Box 4.1, which provides examples taken from documents of the European Union on the matter.

It is critical to achieve the appropriation of by public officials

If internal control is seen from an organisational and dynamic perspective, it works as a system, that is, a set of elements that operate in such a way that what happens in one of its elements affects the rest, and vice versa. The COSO Report (COSO, 2013[3]) emphasises the importance that each one of the five components and their principles are present and fully operating. This means that the components and principles are formally established, usually applied in the operations of the institution, and in a comprehensive way, that is, jointly interacting. These operation characteristics of the Internal Control-Integrated Model (Modelo Integrado de Control Interno) mean that it needs to work systematically and allows a better understanding of the importance of the statement that control is a responsibility of all the personnel, especially the senior management.

In fact, internal control should not be conceived as a series of periodical meetings in the year, held by specialised stakeholders to discuss topics difficult to understand, under some sort of bureaucratic routine that is kept in formal minutes and records, but that does not affect the organisation. If control is conceived as an uninterrupted activity of the different units in their corresponding decision levels, aimed at ensuring compliance with organisational objectives within a framework of respect for rules and policies, it is easier to convey to the personnel the contribution that each unit can make, within the scope of their responsibilities and resources. The senior management in each entity, and intermediate authority levels, should be aware of the systemic character of internal control, about the impact caused by the control measures of a unit, or their omission, on the rest of the organisational units and in institutional results, and the need for an appropriate use of the internal control mechanisms. For instance, France’s internal control system is centered on the responsibility of managers and assigns the programme manager with the task to draft the specific objectives and launch the operational execution (Box 4.2).

The State of Mexico also faces this challenge. According to the response of the State of Mexico to OECD’s questionnaire, one of the main challenges to integrate control in the day-to-day activities of the State’s institutions is the belief that internal control processes are considered as a mere formality and a bureaucratic burden, and not as a tool to promote integrity and improve performance.

The State of Mexico could strengthen, through instructions, plans and training by the Ministry of Finance and SECOGEM, the awareness and advice tasks to the personnel regarding their corresponding roles in each level, to the officials and leadership of critical and support areas, in the application of actions to identify risks, control execution and information. Special attention could be given to the need to appropriate key staff in the implementation and development process of an internal control system. Integrating internal control in the Administration’s everyday activities requires an effort aligned by the Ministry of Finance, which exercises planning duties and follows up on goals and training of the state government’s personnel, and SECOGEM, which is in charge of enhancing internal control and government evaluation.

Key personnel in the current implementation stage includes the positions of heads of substantial and supporting areas. This staff is in an intermediate position between senior managers and the rest of the personnel. It is a segment of persons who know the corresponding areas and their operations, understand their risks and are close to decision making regarding the control of everyday activities. Until this moment, they fulfill a central and technical role in the system’s operation, participating in the elaboration of institutional projects of the matrix and risk management map, and the risk management working programme (Programa de Trabajo de Administración de Riesgos, PTAR), and eventually the COCODI.

After an initial implementation stage of the internal control system in most ministries and auxiliary bodies, it is convenient to proceed to the identification of those institutions that are in conditions to move to a further implementation stage, focusing the awareness raising and training activities on senior levels and managers, incorporating tools so that these stakeholders take ownership of control, with the aim to strengthen their performance and fulfil the goals of their corresponding areas, in an integrity and accountability environment. It is necessary in this stage to ensure the impact of the internal control system in the planning and decision making by managers, in order to achieve the integration of internal control and risk management.

Figure 4.1 below illustrates four basic stages of internal control integration and the risk management processes in the governance and management systems of the organization.

Figure 4.1. The basic stages of internal control integration

Source: OECD.

The State of Mexico, through the co-ordinated action of the Ministry of Finance and SECOGEM, could also evaluate other mechanisms, such as the drafting of clear profiles regarding those who have critical responsibilities in the control system and the applicability of administrative responsibility rules due to omission of control, as a way to promote a more integrated and effective vision of the model, and also to strengthen the accountability of these senior positions regarding the performance of their areas. This is the aim of Principle No. 5 of the Internal Control Framework of the COSO Report (COSO, 2013[3]), as it stresses the importance of enforcing accountability through the establishment of mechanisms by the management and directors in order to communicate and hold individuals accountable for the performance of internal control responsibilities throughout the organisation, and implement corrective actions, if necessary. Furthermore, the principle promotes assessing the performance of such responsibilities, and offering prizes or disciplinary actions, as required. In the United States, circular A-123 of the Office of Management and Budget highlights the responsibility of the administration in the internal control area (Box 4.3).

The visible commitment by managers should go beyond the minimum set in regulations

Since the operation of an internal control system requires the commitment of top management, and the Control Environment set in the State of Mexico’s rules requires that the heads and management bodies demonstrate commitment, especially through the example on values, philosophy and operative style, the State of Mexico could evaluate the tools used by managers to demonstrate their commitment towards public integrity, improve the verification of such commitment and enable them to go beyond the minimum formal compliance set in the rules.

Creating and maintaining a control environment is the basis to achieve an effective internal control system and the State of Mexico should adopt measures to ensure the minimum required in the regulations, allowing the full application to the model set in the Agreement on Provisions and the Administrative Manual regarding Internal Control for ministries and auxiliary bodies of the Government of the State of Mexico (Acuerdo sobre Disposiciones y el Manual Administrativo en material de Control Interno para las dependencias y organismos auxiliaries del Gobierno del Estado de México). Along with this, the State of Mexico could adopt measures that actively promote the overcoming of such minimum level, especially by those who make public decisions and must lead a management at the service of citizens.

The OECD Recommendation of the Council on Public Integrity, when addressing the development of a public integrity culture, indicates that countries should “support managers in their role as ethical leaders by establishing clear mandates, providing organisational support (such as internal control, human resources instruments and legal advice) and delivering periodic training and guidance to increase awareness of, and to develop skills concerning the exercise of appropriate judgement in matters where public integrity issues may be involved”. As indicated in the Agreement on Provisions and the Administrative Manual regarding Internal Control, “the supporting attitude of heads, management and the governing body can be either a driver or an obstacle for internal control.”

In order to be drivers, public managers must lead a supportive attitude towards internal control, illustrating the importance of integrity, ethical values and rules of conduct in their guidelines, attitudes and behavior, through instructions, personal initiatives and the example. This commitment and attitude, also called “Tone from the top”, is a display of the political willingness from senior management to do things right. The top management’s leadership, which is indispensable in internal control, should be channeled through clear messages about the management’s tone towards the entire organisation. To the extent that such tone is visible, it can lead to a favorable momentum towards compliance by the personnel with the objectives and goals of each public institution and create more legitimacy towards citizens. In this sense, SECOGEM could propose and empower public managers, in their different levels, initiatives, mechanisms and additional tools for integrity, to facilitate overcoming the minimum standards expected. These could include sustained campaigns of external and internal communication with key messages from the direction about control and integrity objectives, specific guidance on the risk areas in a sector or entity (receiving gifts, merit in hiring procedures, management of conflict of interest with suppliers, etc.), rewarding good control practices, recognising ethical leaders in middle management, among others.

The State of Mexico should strengthen training in internal control and public ethics, and take it to all the public officials

Training is the basic tool to facilitate alignment of the officials’ personal objectives with the objectives of their public institutions, and provide them with knowledge and tools to develop an effective and efficient activity oriented towards the common good, thus, the mechanisms to ensure a sufficient level of contribution to the control environment should be explored. The State of Mexico could adopt measures that expand the coverage and depth of training functions regarding control and public ethics, since one of the main challenges detected to integrate the internal control components and processes with the administration of daily activities in public institutions of the State of Mexico, is the prevalence of personnel with insufficient skills and knowledge about internal control, standards and tools (according to the responses given to OECD’s questionnaire). Although SECOGEM carries out constant training work in public institutions, it does not have enough staff and resources to reach the more than 200 thousand public officials who need such training every year. Additionally, there is not any public offer for training on integrity in the State of Mexico to allow sufficient compliance with the set objectives, and programmes and budgets for training in control and public ethics in ministries and auxiliary bodies are not anticipated.

The function of staff training is a permanent duty of States, oriented towards a continuous search to adhere the personnel to the interests and values of each public institution, and at the same time is an essential instrument of capacity building and specialisation for the staff to improve the effectiveness, efficiency and quality of services provided to citizens. As the ILO states, “it is increasingly recognised that the capacities and skills of persons, investment in education and training, are the key to economic and social development. Qualifications and training increase the productivity and income, and facilitate everyone’s participation in the economic and social life.”

The lack of a sufficient and permanent training offer for the personnel of ministries and auxiliary bodies about integrity, accountability and control could seriously limit the implementation of the set of reforms born after the State Anticorruption System, as well as the development of sustainable policies of cultural change towards integrity and efficiency in the State.

In consequence, the State of Mexico should redesign, based on a diagnosis and attainable objectives, training programmes, channels and tools that allow achieving, within a reasonable timeframe, a complete coverage of the personnel, as well as, first and foremost, of the critical areas regarding legal and ethical compliance, such as procurement operations, hiring personnel, regulatory decision making, use of public resources, and delivery of state benefits and allocations, among others. For this purpose, support can be found in information and communication technologies and online courses, in training by competences methodologies, and in practical learning strategies. It could also identify partners for the medium and long term in the public, private and university sector, at state, federal and international level, which would allow providing sustainability to training initiatives and introducing complementary specialisation activities.

SECOGEM could take more advantage of its information system to advise the government

The information system implemented by SECOGEM provides, under certain conditions, a high capacity to advise the government at the highest level and in the different sectors, about internal audit, internal control and integrity. The Government of the State could have, for instance, timely and consolidated reports on risks that could affect performance in key areas of policy and the State Development Plan, as well as strategic recommendations on control objectives, interinstitutional co-ordination and institutional and technological strengthening at the state level. These reports could inform in a consolidated and timely manner about strategic goals and objectives at risk, the factors that affect and the proposals for corrective measures. These reports could be aimed at the highest authority in the Executive Branch, and to the heads of Ministries if applicable, for strategic and political decision making of the government.

However, for SECOGEM to take advantage of the potential of audit and internal control structures of the administration, as well as its information system, compliance with certain conditions should be ensured. One of them is information security. Nowadays, information is key for the governance of any business, company or institution, and information systems affect organisational management. In virtue of this, SECOGEM must ensure that the information and its systems have the characteristics of confidentiality, integrity and availability, unique to a management system of information security, as defined in ISO 27.001 on information assets security.

Especially important for decision making based on control information is the integrity of information, so that both the latter and its process methods and systems are exact and complete. This implies that the audit information should comply with quality standards, and that the information on internal control and risks should be safeguarded through processes executed by the internal audit as a technical opinion independent of the management areas. Hence the importance of the independence of OICs regarding internal audit, which should be pursued following the Three Lines of Defense model, where the internal audit’s role is assurance, being thus excluded from tasks belonging to management, as will be analysed in sub-section “The separation of roles and tasks in three lines of defense can help to clearly define functions and responsibilities” in Chapter 4.

Another condition to take advantage of the potential of audit and internal control structures is having the capacity to produce high-value analyses for management. This has to do with SECOGEM acquiring and developing the capacity of strategic and value analysis for government’s management, in such a way that the government top management has valuable input to achieve better performance at the service of the population. This analysis capacity can be supported on learning centers or universities in the State or in federal references with expertise in formulating strategic analysis. The agreements signed by SECOGEM with several public, private and academic institutions such as the Autonomous University of the State of Mexico (Universidad Autónoma del Estado de México, UAEM), the Executive Secretariat of the National Anticorruption System (Secretaría Ejecutiva del Sistema Nacional Anticorrupción, SESNA), the General Attorney’s Office, the State Institute for Transparency, Access to Information, and Personal Data Protection of the State of Mexico and Municipalities (Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de México y Municipios, INFOEM), the Supreme Audit Institution of the State of Mexico (Órgano Superior de Fiscalización del Estado de México, OSFEM) and 66 municipalities, for instance, should translate into projects to strengthen the institutional and strategic capacity, with financing incorporated in the budget and short-term results.

Risk management should be an integral part of institutional management

Governance practices in OECD countries indicate that risk management should be considered an integral part of the institutional management framework, instead of being applied in isolation. Risk management should permeate the organisation’s culture and activities, in such a way that it matters to everyone who works in it. Informed employees who can recognise and fight corruption have more possibilities of identifying the situations that can undermine institutional objectives and those of the area under their responsibility.

In the public sector, the operational concept of risk management must include the systems, processes and culture that help to identify, evaluate and treat risks in order to contribute to public sector entities achieving their performance objectives (OECD, 2013[8]). The first step of operational risk management is setting the context and the objectives of the institution. Then, identifying the events that could affect the achievement of such objectives. The events that could have a negative effect are risks. Risk assessment is a three-step process that starts with identifying the risk, then comes the risk analysis that implies the capacity to understand each risk, its consequences, the probability that such consequences occur, and the seriousness of each risk. The third step is risk assessment in order to determine the tolerance of each risk and, therefore, if the risk should be accepted or treated. The risk management cycle can be seen in Figure 4.2 below.

Figure 4.2. The risk management cycle

Source: Adapted from ISO 31000:2009 Risk Management.

In each national and organisational context, risk management should develop its own identity. This is carried out, initially, through adapting the Internal Control Framework to the characteristics, limitations, and possibilities for action of each context. However, for risk management to gain depth and ownership, the officials in charge and directors should be provided with practical guidance and tools that facilitate risk management, including integrity risks. The State of Mexico has a regulatory and organisational base that would allow it to achieve a greater level of identity, especially in public managers.

Risk is defined as the possibility of an event occurring and negatively affecting the achievement of objectives. According to the Internal Control-Integrated Model (COSO, 2015[9]), risk assessment involves an iterative and dynamic process to identify first, and evaluate afterwards, the risks in achieving the organisational goals, so that a definition of which risks can be tolerated is set. In this way, risk assessment is the basis to determine how risks will be managed. The final purpose is to prevent risks from materialising, which affects the achievement of the organisation’s objectives and goals.

Interviews and meetings of OECD’s work team during the missions to the State of Mexico provided conclusive information about a distorted idea of risk among the personnel and managers, which hampers or inhibits the identification of relevant risks, including fraud and corruption. According to this background, the staff could eventually not be able to identify relevant risks in their operations and processes, since this would imply that mistakes are being made in the management of their areas. The distortion would derive from a false identity between risk and error by public officials, which would prevent them from identifying risks – future and uncertain events – for the fear of determining or reporting neglects and shortcomings – current and real events. This type of distortion affects the proper operation of internal control processes in ministries and auxiliary bodies. It must be warned that any risk omitted cannot be anticipated or mitigated, creating spaces conducive to inefficiencies and, eventually, corruption. This way, the State of Mexico, through SECOGEM, could include raising awareness among the personnel in its guidelines and working plans, especially for directors and managers, about the concept of risk, its different types, and the advantages of identifying it as a preventive and preemptive mechanism, which contributes to achieving the results of each area and the institution, particularly with regards to integrity risks.

It would be convenient that SECOGEM also develops, among its technical instruments, clear and shared concepts about what is a risk, in such a way that at least public officials in charge of their identification, and internal auditors in their assurance function, have a common and concrete guiding framework about conducts and different phenomena that could affect the objectives of their organisations. The concept of risk is generic, so that, in the risk identification stage, officials should be provided with concrete risk categories, including integrity risks. In this point, SECOGEM could contribute to a better understanding of the concept of integrity risk through technical manuals that include non-ethical practices and corruption crimes catalogues, based on the local experience and the existing records about administrative and criminal liability in the public sector. In addition, such manuals and training activities could be strengthened through examples based on real events regarding the adverse effects for the population resulting from a lack of timely identification of integrity risks in ministries and auxiliary bodies. It is highly relevant to show public officials the direct relation between their work in controlling and preventing corruption, and the satisfactory delivery of state goods and services for the population, that is, between their ethical performance and the citizens’ well-being.

If officials do not take ownership of risk, the management will not be capable of addressing control deficiencies

Taking ownership of risk by officials is critical for the appropriate treatment of deficiencies in the internal control system. According to the Internal Control-Integrated Model (COSO, 2013[3]), the organisation should identify the risks in achieving the objectives and analyse which ones should be managed, while the organisation itself should choose and develop control activities that contribute to mitigating risks until reaching acceptable levels. In the State of Mexico, this task is assigned by law to a series of institutional stakeholders, among which are the head, the internal control co-ordinator, liaisons of the internal control system, and officials in charge of administrative units/processes. In the facts, due to a lack of knowledge about this matter from many participants in this structure, the OIC ends up in a position of participating in the identification of risks and controls, or complementing those that they consider to be incomplete risk assessments.

Despite the greater knowledge that the members of the internal audit function of OICs may have regarding risks and controls, this should not be a task of internal audit or whoever carries out those duties, but a job of the persons in charge of managing the areas in their different levels. Officials should perform these activities at the operational level and at the cross-management levels. The fact that the officials responsible for management are the ones who perform both tasks, without the OIC replacing their analyses and decisions, would help them taking ownership of risk, and for such officials to see a direct relationship between risks, control activities and performance in their working areas, which is essential to encourage the achievement of objectives and institutional results. The State of Mexico could take actions to ensure that those who manage organisations identify and treat risks, taking ownership of the possibility that adverse phenomena materialise for the goals set, but also of political, technical and operational solutions aimed at avoiding or mitigating risks.

One way to ensure ownership is incorporating the concept of the Three lines of Defense in the control environment and organisational practices. According to the Three Lines of Defense Model, “the first line of defense owns the risk and defines the design and execution of the organisation’s controls to respond to such risks” (Anderson and Eubanks, 2015[10]). The first line of defense is performed by operational managers, who “develop and implement the risk management and control processes of the organisation”. These include internal control processes designed to identify and evaluate significant risks, carry out planned activities, identify inappropriate processes, address failures in control, and communicate to the main stakeholders about each activity.” The Internal Control-Integrated Framework COSO describes the necessary components, principles and elements for an organisation to efficiently manage its risks through the implementation of internal control. Within this Framework, “persons in the first line of defense have significant responsibilities related to the sections of risk assessment, control and communication or information activities” (Anderson and Eubanks, 2015[10]).

Incorporating personnel with managerial training in tasks related to direction and control contributes to better risk management and control activities

The strategic use of risk management is facilitated when the heads and directors have managerial training and skills. In such cases, managers easily understand how the internal control system supports the achievement of the proposed objectives and take risk management reports and plans as useful tools to achieve better performance of their areas and of the institution. As OECD has confirmed in its studies on internal control in Latin American countries, the absence of a professional managerial career in public institutions limits the strategic use of risk management.

Thus, the State of Mexico could consider this aspect in the profile definition processes for the internal control structure, in personnel hiring and promotion processes, as well as in tasks of technical support to directors and heads. In the long run, the State of Mexico should consider the implementation of reforms that increase the proportion of professional managers in the public function.

Advancing information and communication about risks and control activities among the most interested institutional stakeholders

The fourth element of COSO’s Internal Control-Integrated Model is control information and communication. According to this model, relevant information should exist, obtained, produced and used for decision making on control. The operational managers should have relevant information on risks to use it in their everyday management activities, apply operational controls and communicate it internally, and, if applicable, externally. On the other hand, managers who horizontally supervise controls (legal, financial, quality, and others) in order to determine if these work in the way expected, should also access timely information for their supervision, so that they can evaluate and communicate risk and control deficiencies to the organisation’s senior management.

The Three Lines of Defense Model offers clear guidance about the separation of roles among those who manage operationally and apply controls (first line of defense) and those who supervise, monitor and eventually, design, implement and modify control and risk processes of the organisation (second line of defense). In this sense, the relevant information on risks and control activities for decision making should flow in a timely fashion and through clearly established channels in ministries and auxiliary bodies of the State of Mexico. The implementation in management of the Three Lines of Defense Model could be a practical and flexible support to promote control communication between the first and second lines of defense, as well as to the senior management of each organisation and the state control body.

On the other hand, it is seen that at an institutional level, there is a disassociation between control decisions by the senior management, which arise from the risk management process, and audit decisions taken by the internal audit structure, where the Heads of OICs and SECOGEM participate. This relative disassociation is more evident in the planning and selection process of audits, where the OICs’ Heads and their personnel carry out their own risk analyses and propose the audits, assessments and inspections to be performed; this proposal, after and through the regular channels, is approved by the Deputy Secretary for Control and Evaluation. From the field interviews, a difference of opinions arose between the OICs’ Heads regarding the risk analyses applied at the institutional level, showing that there would eventually exist two visions about risks, including corruption risks, at the institutional level. This possible divergence, produced by the control system’s design and the audit function, could be an opportunity to encourage internal discussions between the second and third lines of defense, encouraging the ownership of risk identification by the managers.

Data and macro data analysis (Big Data) could be used by the State of Mexico to support a preemptive risk-based approach to fight fraud and corruption

Risk management greatly depends on the capacity and knowledge of the personnel who is devoted to it, but also on the quality of data used in the identification and assessment of risks, the evaluation of the effectiveness of existing controls, and the identification of corruption patterns and historical trends (Box 4.4). To the extent that operational, management and control data have become more accessible in the State of Mexico, possibilities open for internal auditors, the officials in charge of identifying and managing risks, and specialists to work collaboratively to identify data flows that can be monitored and analysed to detect inconsistencies, patterns and anomalies.

SECOGEM and competent ministries should consider relying upon data analysis and incorporating tools, such as digital forensic analysis, data mining, matching data and relevant correlations search in order to improve the quality of their risk management tools and techniques. Risk maps, matrixes and templates, better grounded and based on evidence, lead to more effective mitigation policies.

Forensic Data Analytics (FDA) can be a valuable ally in preventing and detecting fraud and corruption, using the information available in government databases. It allows the identification of significant patterns and correlations in existing historical data, in order to predict events and evaluate the different reasons that motivate fraudulent activities. One of the greatest challenges in this matter is the fact that government databases do not have equivalent designs, they have different formats, and many of their data lack structure and, therefore, are difficult to combine and evaluate. In most public entities, data exist in structured (databases, simple or more sophisticated) and non-structured formats (emails, text processing documents, multimedia, video, PDF files, spreadsheets and social media). The forensic analysis techniques for non-structured data can convert unprocessed data into formats to be used to produce evidence-based information to prevent or detect fraudulent and corrupt practices. Even today, it is possible under a Big Data approach to work with gaps and unclean data, managing the uncertainty risk, since unlike some decades ago, today it is not necessary to turn to representative samples, but it is possible analyse all the data about specific types of operations or phenomena.

The report of the Association of Fraud Examiners identifies the supervision and proactive analysis of data as one of the most effective instruments for corruption control, reducing the losses attributable to corruption and the scope of corruption schemes. Moreover, ACFE’s 2016 report underscored that 36.7% of the organisations victim of fraud or corruption, which were using the proactive supervision of data and data analysis and techniques as part of their programmes to fight fraud, suffered 54% less losses and detected frauds in half the time, compared to organisations that did not use this technique.

Then, the State of Mexico can take advantage of the new possibilities of information analysis for decision making, the most precise identification of risks and the possibility of process redesign and new control techniques. These tools can be very valuable when focusing on integrity risks and, under a progressive development approach, would give a broader scope and depth to the results of control.

Further tapping into the information that the State of Mexico has to strategically safeguard integrity

The State of Mexico has robust systems of budgetary institutional information, planning and follow-up of goals, as well as, for instance, systems to process information on citizen requests and reports, which allow different levels of disaggregation. There is still potential in the use and quality of data and information for control, not only for ministries and auxiliary bodies, but also for the state executive. This information is necessary to warn about situations that may jeopardise the goals and objectives of each ministry and auxiliary body, as well as to issue recommendations to overcome or mitigate them. It is highly relevant that the Government of the State grounds its control measures and integrity policy development on evidence.

A strategic contribution can be provided by horizontal and recurrent risk analyses, which illustrate risk sources and patterns in ministries, auxiliary bodies, and in sectors, particularly regarding fraud and corruption. The State of Mexico has information that has allowed asserting that priority areas to strengthen integrity and prevent corruption are public procurement, human resources, financial resources, material resources, auditing, information technologies, internal control, transparency, vehicle procedures and services, public security and access to justice. Also, according to the figures of the Attention System of the State of Mexico (Sistema de Atención Mexiquense, SAM), sectors and procedures where corruption costs are higher include education, citizen security, health, finance, access to justice and transportation. The operations and processes where such costs are higher are public procurement, acquisitions, licenses and permits, human resources and administration of movable goods and real estate. On the other hand, those sectors where there is less corruption incidence, according to SAM, are those where there are no direct services for citizens or where processes are automated.

In spite of having data and information, the State of Mexico does not have integrated diagnoses on integrity risks, corruption crimes and serious administrative offences analysing the public-private interactions and sectors most affected by the incidence of corruption, and identifying good practices for their prevention and prosecution. The State of Mexico could prioritise sector and horizontal diagnoses, since it has the platforms and capacities to link systems, match data in different levels, and identify correlations and patterns, especially connected to the characteristic risks of a horizontal process, sector or group of institutions, particularly in those sectors that are more affected by corruption. Such analyses, which go beyond the institutional scope, could be developed by SECOGEM in the Executive branch or by OSFEM.

In addition, under a co-operation scheme with civil society or within the framework of open government, universities, think tanks and specialised civil society organisations could become allies for risk analysis, including integrity risks that could affect state public policies. A co-operation of this type can contribute to an informed and participative discussion, based on evidence, within the State Anticorruption System, in such a way that citizen perspectives also strengthen the solution proposals.

Indeed, the State of Mexico should use technologies to strengthen congruence between control mechanisms and their results. Control mechanisms of the State of Mexico should be congruent and jointly contribute to manage control activities, providing valuable information for assessment and decision making. Choosing and developing control activities through technologies is a real possibility, which can contribute to the coherence of control mechanisms. In this sense, the State of Mexico has control and information systems that can integrate more, with a preventive approach especially regarding integrity risks, and based on technologies. The targeted use of technology would allow preparing and processing massive flows of data coming from registries, databases and information systems, which could be used to create knowledge and intelligence on management, risks and control in such a way that would not be possible manually, given data complexity and volume.

Among the control and information systems that can be used are those related to reports, suggestions and recognitions (SAM), access to information (SAIMEX), reports (SESAEMM), citizen complaints (Citizen complaint system of CEMER), State personnel (Public officials directory), public procurement (COMPRAMEX), administrative responsibilities (Integral Responsibilities System, SIR), mandatory information of obliged entities (IPOMEX), State suppliers (Registry of Suppliers and Service Providers), and refused companies (black-listed companies bulletin), among others. The use of technology to integrate databases can advance control management and governance of state policies.

Fostering interinstitutional collaboration and the use of technologies by citizens strongly complements the internal control systems and provides more legitimacy to entities facing corruption risks

The work of analysis and intelligence about corruption crimes in the State could be strengthened. Although the Prosecutor’s Office (Fiscalía) accesses the risk maps produced by ministries and auxiliary bodies, interchange and analysis relations could be established among specialised units of the prosecutor’s office and expert staff in internal audit (OICs) and administrative research of the sectors most affected by public integrity risks, also including processes such as procurement and sectors that, according to the international and national experience, are more prone to corruption risks. This way, risks, risk factors and vulnerable areas can be outlined in more detail, as well as an agreement on interaction channels and evidence assurance within the administrative and criminal research framework. This co-operation would not only benefit investigative work, but also the preventive function of OICs, to the extent that it would allow them to identify the variables present in the criminal cases of corruption, which had not been considered in audits.

Concerning public integrity, today possibilities open for the design of technology-based tools for citizen control. This can be done by opening public data for reuse by citizens, for instance, to detect risks of conflicts of interest and eventually report corruption acts, through the exchange of information on public budgets, public procurement and contracts for works, asset and interest declarations, decision-making positions, political finance, recurrence of irregularities and crimes in institutions. Formulating an explicit policy aimed at the use of Big Data (2015 Recommendation of the OECD Council on Good Statistical Practice) but under the Open Data approach, would promote the participation of civil society in the democratic production of anticorruption knowledge with citizen perspective and value. In this matter, numerous initiatives are being developed in other countries, incorporating civic technology tools.

The Fiscal Observatory in Chile, for instance, is an initiative of two civil society organisations and a university to make available online and interactive information for citizens about the national budget of the Chilean State, as well as applications to follow up the monthly execution of state expenditures, including procurement processes at national and municipal levels. This way, citizens and learning centers can access timely information on public resources and their expenditure at different disaggregation levels (Figure 4.3).

Figure 4.3. Detailed public information on the national budget of the Chilean State based on open data

State expenses by ministry in 2018

Source: Chile’s Fiscal Observatory.

Information about control mechanisms can increase the strategic decision-making capacity of the government and the Anticorruption System of the State of Mexico, if adequately integrated

SECOGEM has the potential to be a catalyst stakeholder of the Executive’s diverse initiatives to promote public integrity, and a key co-ordinating agent. It has the organisational structure, technical orientation and functions that would allow it to strategically advise the government about the consolidated status of preventive and detective anticorruption activity in the Executive, aimed towards the design of integrity strategies and policies in each one of the sectors.

SECOGEM’s reports should be characterised by a high level of value added to state data and information, an overview of the status of preventive and detective anticorruption elements, and the incorporation of citizens as recipients of state activity. This way, the government would have valuable information for the design of strategies to tackle corruption risks through the targeted and orderly articulation of regulatory, operative, financial and staff tools. Furthermore, with this information the State Government could consolidate integrity policies in ministries, beyond the application of norms and the organisation of structures, allowing a better use of mechanisms and new tools to promote integrity and fight corruption. For this, it would be necessary for the State Government to require and develop capacities in SECOGEM, on the one hand, for the generation and use of information about integrity coming from diverse state institutions and, on the other hand, for the analysis and drafting of strategic reports for decision making at the highest level. For example, the Treasury Board of Canada and the Chilean Council for General Government Internal Auditing have functions and capacities to strategically advise the Government (Box 4.5 and Box 4.6).

The components of this type of information integration could include, preferably, quantitative and qualitative information about:

• objectives and resources of the State of Mexico’s Government at the service of citizens

• the conditions for institutional internal and external control

• the conditions for citizen control on state public institutions

• the expected improvement of citizen services as a result of prevention and detection of corrupt activities.

Another aspect that presents an opportunity is greater co-ordination of objectives and activities of external control, especially those implemented by OSFEM, and those of internal control, co-ordinated by SECOGEM. External and internal audits are different in their ex post and ex ante modalities, and in their purposes, but have ultimate goals, important contact points, and opportunities for complementarity. SECOGEM could strengthen its role, in the framework of the State Audit System, by promoting a greater standardisation of processes, programmes and rules, co-ordination of the control and audit actions, and a co-operative analysis for decision making, seeking the alignment of objectives, interests and opportunities of internal and external control.

The separation of roles and tasks in three lines of defense can help to clearly define functions and responsibilities

The most detailed distinction about the role and contribution of the internal audit function in complex entities is usefully developed by the Three Lines of Defense model. Understanding and implementing this model in each public institution would help differentiate the OICs’ tasks and roles and those of the other officials responsible for managing the implementation of the internal control system in each ministry and auxiliary body. The Three Lines of Defense model helps to improve the understanding of risk and control management by defining tasks and responsibilities. The main concept of the model is that “under the supervision and guidance of the senior management and the governing board, three separate groups (or lines of defense) are needed inside the organisation to effectively manage risk and control.”

Each group’s (or “lines”) responsibilities are:

• Taking ownership and managing risk and control (first line operative management).

• Supervising risk and control to support management (senior management implements the functions of risk, control and compliance).

• Providing independent assurance to the governing board and the senior management about the effectiveness of risk and control management (internal audit).

This way, each of the three lines has a different function inside as part of the general government framework of the organisation (Figure 4.4). When each one effectively fulfills its assigned role, the probability that the organisation succeeds in achieving its general objectives increases.

Figure 4.4. The Three Lines of Defense Model

Source: (Anderson and Eubanks, 2015[10]).

According to the model, the first line of defense is the owner of the organisation processes, whose activities create or manage the risks that might contribute or prevent achieving the objectives. This includes facing the right risks. In the ministries and auxiliary bodies of the State of Mexico, the Three Lines of Defense Model is technically unknown; however, auditors understand the need for a role separation and try to contribute to developing control ownership in the first and second lines of defense. In the State of Mexico, the first line of defense should be constituted by public officials and areas that directly manage the operations in each one of the ministries and auxiliary bodies. These officials are the ones who should take ownership of the risk, and define the institution’s control design and execution, in order to respond to risks.

The second line of defense is conceived to support management, providing knowledge, excellence in processes, and management supervision, along with the first line, helping to guarantee effective risk and control management. It would be convenient that the functions of the second line of defense in ministries and auxiliary bodies are separated from the first line of defense, but likewise under the control and guidance of senior management. The second line should essentially consist of a supervision or monitoring function regarding the units that operate the organisation processes and manage risks. The units that should usually assume this defense line are the ones responsible for the missional processes of the organisation; but, additionally, it is convenient that the control and support units are part of this second line too, for example, those of planning, finances and budget, management control and legal control. In this sense, the State of Mexico could take measures to advance greater clarity in the personnel of public institutions about the functions associated with risk management and control. Along with this, it could evaluate the correspondence that might exist between the COCODI members’ profiles and the integration of a second line of defense, in order to implement the Three Lines of Defense model, strengthening the fundamental guidelines of the Internal Control-Integrated Framework model of the State of Mexico.

The third line of defense provides assurance to senior management and the governing board, verifying that the efforts made in first and second lines are consistent with expectations. Thus, the third defense line is not conceived to perform management functions, so that its objectivity and independence from the organisation are protected. In the ministries and auxiliary bodies of the State of Mexico, such assurance task should be clearly established as a function of OICs, and in the level of the state Executive, as SECOGEM’s function. It is the OICs that should, in their audit function, provide assurance to the head and the governing body about the effectiveness of risk management. A clear separation between the third and second line is not incompatible with supervision and self-evaluation tasks carried out by, for example, a head of unit, about the functioning of an element of the internal control system in an area of the organisation. Such a task can and must be carried out by the head of an administrative or business unit to evaluate the presence and functioning of one or more internal control system components, applicable to his processes or unit, its operation and sufficiency. Moreover, this activity can respond to many reasons, such as the decision about a new strategy, changes of plans and methods, or others and, in that sense, it is destined to strengthen internal control as a complementary activity to internal and external audits and to the assurance function. In the State of Mexico, training and guidance on internal control to units in charge of processes could encourage them to perform timely evaluations about internal control components related to relevant risks; promoting risk ownership and control, at the same time that it would emphasise the separation of functions according to the Three Lines of Defense model, and it would relieve the internal audit function of OICs from providing support and assurance.

The implementation of the Three Lines of Defense also requires to clarify that senior management and the governing board have important responsibilities in the application of the model

According to this model, although neither senior management nor the governing body are considered parts of any of the three lines, they both have the responsibility of establishing critical elements for management, such as organisational objectives and high-level strategies to achieve such objectives. Likewise, they should establish government structures to better manage risk. Regarding internal control, senior management should also take care of the system selection, development and evaluation. The implementation of this model would strengthen the understanding of each head and governing body about the support that the internal control system provides to good governance and institutional performance, and would help to raise awareness about their responsibility in the implementation and development of the internal control system, and about the due separation of functions in risk control and management. In this line of objectives, SECOGEM could be constituted as an advisory unit, at the highest level of the Government of the State of Mexico, providing guidance to the system and model.

The internal audit function should reach the highest possible independence from management, so that it can provide an objective opinion and greater reliability for decision making to senior management and interested third parties

The independence of the internal audit function has special characteristics in public entities. On the one side, independence must be framed within the set of legal and institutional arrangements, at federal or state levels, that characterise the form of governance in each country, and within each one. INTOSAI has agreed international standards for Supreme Audit Institutions (ISSAI) and in ISSAI 10 (INTOSAI, n.d.[14]) it approved criteria for the audit standards focused on defending the independence of external audit in public administration. While such criteria, contained in the Lima Declaration, are aimed towards promoting greater independence of the external control public agencies, their rules are equally valid for promoting the independence of the internal audit function concerning risk managers. ISSAI 1, in paragraph number 2 of Article 3, on internal and external control, warns, “internal control bodies necessarily depend on the head of department, in whose organisation they were created. Nevertheless, they should possess functional and organisational independence to the possible extent, in light of the corresponding constitutional structure.”

Taking this background into account, the internal audit system of the State of Mexico constitutes a mixed model, consisting of an internal audit of the state government, which is external to ministries and auxiliary bodies of the State of Mexico. This design ensures a reasonable level of independence of the OICs, which perform the internal audit function, vis-à-vis the heads of each organisation in which they carry out their function. Building on such independence, the State of Mexico could strengthen the awareness of heads and public directors regarding the assurance work of the internal control system, carried out by OICs, so that they recognise OICs as allies in the audit and internal control evaluation duties. For such purposes, it would also be convenient to avoid OICs performing tasks that are specific to the first line or those that are specific to the units that should implement the internal control system. One way of doing it is reducing their interventions in potentially auditable management actions, such as procurement, supervision and inspection processes. In that sense, it would be pertinent to evaluate the convenience of modifying or clarifying Article 49 of Law of Administrative Responsibilities of the State of Mexico and Municipalities, which empowers SECOGEM and the OICs to supervise the execution of public procurement procedures. Supervision is a task that is specific to line heads and should be carried out by them, their control systems or mechanisms, in a way that managers and heads are responsible and accountable for the control work inherent to their positions. Likewise, it would be convenient to reduce or eliminate the participation of OICs in verification actions that shift away from the independent nature of the audit. That is the case of the so-called “Inspections”, which are not relevant quantitatively concerning the total actions of the OIC’s audit function and that did not demonstrate to have a precise definition among the interviewees in the OECD field mission. Such definition varies from monitoring actions of previous audits to verification of facts specific to a line of control (first or second defense line).

Likewise, the interviews carried out by the OECD mission, revealed that some directions and management units send requests to OICs to carry out verification actions about the performance of the line personnel under their charge, in face of the difficulties they find for the personnel to follow their obligations or instructions. The independence of the auditor’s judgement should be protected, avoiding engaging them in management, and clearly assigning those tasks to the corresponding personnel, which should be held accountable for their performance and the existing obstacles.

Internal audit can be an advisory function at the highest level

Additionally, OICs’ internal audit function should move towards demonstrating the value of its tasks and reports for heads and governing boards, as well as for managers. The audit function cannot act on the line, but it should be capable of offering advice and support for improved decision-making in the different levels of each organisation. As clearly stated in ISSAI 100 (INTOSAI, 2019[15]) about fundamental public sector audit principles, “public sector audit is essential, since it provides legislative and supervision bodies, officials in charge of governance and public in general, with independent and objective information and assessments regarding the administration and performance of policies, programmes or government operations.”

Even though a series of factors help the auditor’s information to be valuable for public officials and the government, it is highly necessary that auditors consider the following audit principles of the public sector: a) materiality during the entire audit process; b) preparing the documents to provide a clear understanding of the work performed, the evidence obtained and the conclusions reached; and c) establishing an effective communication, especially with the administration and the officials in charge of governance. The development of this internal audit capacity to advice regarding relevant issues should be promoted by SECOGEM, through a strategy of greater value-added of internal audit, which includes tools to raise awareness in senior management, training of auditors, evaluation of the quality and contribution to governance of its products, and user perception about the contribution of audit information to the achievement of objectives, goals and rules.

OICs can help to prevent corruption through integrity audits

The regular use of integrity tests or audits is an opportunity for the State of Mexico to rely on a valuable tool to ensure that the policy framework, control mechanisms, and integrity systems are effectively used by the several units in charge and that they are being applied following methods that guarantee their effectiveness, efficiency and quality.

This would be particularly relevant regarding mechanisms on citizen participation, access to information, reports and whistleblower protection, human resources management, including control processes prior to hiring officials, prevention of conflicts of interest, verification of asset declarations, disciplinary control of managers, and post-public employment restrictions; as well as control mechanisms for integrity in public procurement and the granting of licenses, transfers, subsidies and state benefits. OICs are allies in the evaluation of tools to prevent corruption, given that they can carry out audits on the quality of such mechanisms and their effective use, and issue an independent opinion with recommendations for their enhancement. For example, in the United Kingdom, the internal audit contributes to detection of fraud and corruption (Box 4.7).

The independence and role of internal auditing contributing to the internal control system is an objective that the State of Mexico should permanently pursue through measures aimed at improving the performance and integrity of internal auditors

The professionalisation of the internal audit work strengthens the independence of the auditors' determinations, since they base their opinions on recognised standards, methodologies and techniques, and comply with the internationally recognised auditing standards. International auditing principles for the public sector establish general principles that auditors should follow, including: a) ethics and independence of the auditor; b) professional judgement, due diligence and skepticism; and, c) quality control. Internationally accepted practices on audit quality (such as those established in the International Standard on Quality Control, ISQC 1) include the need for organisations to have policies and procedures on audit quality, including monitoring the audit and having policies and procedures to promote an internal culture based on the recognition that quality is essential in the performance of audits. Likewise, it defines as an element of a quality control system that the organisation establishes policies and procedures designed to provide reasonable assurance that the work is performed in accordance with professional standards and regulatory and legal requirements, and that the issued reports are appropriate. In addition, regarding the review of quality control, it warns that the organisation should establish policies and procedures that require reviewing quality control of the work to provide an objective evaluation of the relevant determinations taken by the work team and the conclusions reached when formulating the report. For example, the Office of the Comptroller General of Canada has developed the Internal Audit Competency Profiles and Dictionary (Box 4.8) and Slovenia established the TIAPS programme (Box 4.9).

In this same sense, but from the training perspective, there is not a sufficient offer for training and specialisation in the field of auditing in the State of Mexico. Therefore, it would be advisable for the Government of the State of Mexico to evaluate long-term initiatives to improve access of internal auditors to training, specialisation and certification courses in the fields of internal audit, forensic audit, financial audit, information technology audit and use of technologies for control and auditing, among others.

Thereupon, it is advisable that the State of Mexico, through SECOGEM, strengthens its role as the governing body on internal audit, through technical strengthening plans and ensuring the professionalisation of auditors and the quality of audits. For that purpose, it may be highly convenient to operationalise agreements, in this regard, with the Superior Audit Office of the Federation (Auditoría Superior de la Federación, ASF), OSFEM, and the Association of Public Accountants of Toluca.

Regarding other measures associated with the conditions of employment and remuneration, the international anti-corruption treaties signed by Mexico obliged the country to adopt a series of measures, which, in terms of internal auditing, take full effect. The Inter-American Convention against Corruption binds the party states to consider the study of measures to prevent corruption, taking into account the relationship between an equitable remuneration and probity in the public service (Article III, section 12). In a more direct sense, the United Nations Convention Against Corruption, signed in Mérida in 2003, binds the party states to adopt systems for recruiting, hiring, retention, promotion and retirement of public employees, based on principles of efficiency and transparency and on objective criteria such as merit, fairness and capability; include adequate selection and training procedures for public office holders who are considered especially vulnerable to corruption; promote appropriate remuneration and fair salary scales, taking into consideration the economic development level of the party state; and promote education and training programmes that allow them to meet the requirements for correct, honorable and due performance of their functions and provide them with specialised and appropriate training to be more aware of inherent corruption risks in the performance of their duties.

Another important measure to strengthen internal auditing and auditor independence in the State of Mexico would be establishing a transparent and merit-based system for entry, promotion, remuneration, and appointment of auditors, incorporating, as a relevant variable, fair remuneration according to the responsibilities of their role and position. This set of measures, applied progressively, would strengthen the performance and independence of auditors and, consequently, the internal control system and integrity in the State of Mexico.

Internal control, risk management and internal audit at the municipal level need to be redesigned, developing human resources and having access to technical support

According to INEGI, in the 125 municipalities of the State of Mexico there are 16 187 608 inhabitants, where 87% is urban population. Municipalities have a budget of approximately USD 2 billion per year, and represent, approximately, a little more than a third of the 295 000 public employees in the State. Municipalities are divided into three groups, according to their size. The reality and limitations of most of them and their city halls are very different. Within this diversity, there are some conditions for the performance of municipalities that affect their capacity to control and prevent corruption. The Municipal Management Law of the State of Mexico (Ley de Gestión Municipal del Estado de México) is outdated and there is no civil service career at the municipal level. This implies a high turnover of personnel, which often does not have sufficient competences for an effective performance. As a whole, there is a challenge in hiring and training human resources at the municipal level, which represents a structural weakness for the implementation of appropriate control environments and for the fulfilment of municipal objectives.

Regarding the implementation of internal control systems, the heads of the control units who were interviewed stated that the municipalities are carrying out internal control evaluations based on state regulations, since OSFEM has made it mandatory at that level. However, the challenge of incorporating the Institutional Internal Control System at the municipal level is greater than at the state level. According to the Office of the Comptroller of the Legislative Body, municipalities with less than 150 000 inhabitants (103 of the existing 125 municipalities) have a low level of maturity of their Institutional Internal Control Systems (SCII). According to OSFEM and the Office of the Comptroller of the Legislative Body, internal control in the municipalities is weak and the factors that affect its greater or lesser level of implementation are the institutional design of the system, the size of municipalities, incentives for control, capacity building and training. One of the main aspects that affect this situation is the low degree of independence of the heads of the municipal control units, due to the low professionalisation of the position and their dependence on mayors.

An evaluation of the conditions and incentives for internal control and the audit function at the municipal level would make it possible to develop reforms, including legal ones, to update municipal management and control structures, implementing current guidelines and practices in this area. A modern management and control design should be aimed at ensuring that municipal decision-making bodies have high-value information to meet municipal goals and objectives and that internal audit information is based on an independent professional and technical opinion. On the other hand, according to the interviewed municipal comptrollers, control at the municipal level is still associated with the tasks of control units, at the same time that these units are used to supervise tasks, and sometimes to evaluate internal control, replacing the second control line. Internal regulation, raising awareness and training are required for the separation of roles on internal control and risk identification, including fraud and corruption. The Three Lines of Defense model provides simple and practical guidelines to facilitate the understanding and separation of roles in tasks of control and assurance. Its implementation would improve the understanding of control among municipal personnel and authorities and allocate audit tasks to system assurance.

At the municipal level, auditing is more challenging than at the state level. All the municipal comptrollers interviewed reported that the internal audit function in their charge does not have enough personnel and that the assigned officials generally do not have sufficient skills and knowledge for good audit performance. They also drew attention to the lack of training on control for municipal staff, and the lack of sufficient resources for their audit work, including the use of their own vehicles and personal computers, which represents a risk of control by itself. The use of technologies for auditing is still a widespread challenge at the municipal level and, in addition, there is a lack of IT auditors.

In this sense, OSFEM is a state benchmark in terms of control and, given its scope and powers, can become the guide and support that municipalities require in terms of control and audit. As a guide, OSFEM could contribute to the strategic liberation of control actions at the municipal level and become a consolidating institution among federal, state and municipal control approaches. For example, encouraging co-ordinated actions by the Office of the Comptroller of the Legislative Branch and OSFEM to implement SCIIs in municipalities, strengthening the control environment and, eventually, enforcing responsibilities for omissions of control and accountability. Likewise, it has the capacity to support the monitoring of the implementation of the SCII in the municipalities and the technical strengthening of the municipal control units. It could detect those municipalities and municipal control units that can become benchmarks and establish rankings, while identifying those municipalities that, due to their characteristics, are most vulnerable to corruption, in order to focus audit efforts and follow them up and serve as technical support to municipal control units. This type of actions can be supported from the State Audit System, differentiating activities focused on co-ordinated audit from those aimed at technical support and training, the latter organised in a plan to strengthen capacities.

Taking into account the geographical dispersion of municipalities and their lack of resources and personnel in terms of control, it is highly recommended that the support provided by OSFEM to municipal control units expands, incorporating training, technical tools, monitoring, and IT systems. These should be aimed at facilitating and efficiently separating the control and audit functions in the municipalities and at strengthening the integration of control efforts between OSFEM and the municipalities, through plans and additional resources focused on strengthening capacities and technical monitoring. In addition, OSFEM could conduct a pilot project for the municipalities to share audit services, in order to manage control resources between municipalities and according to areas of common interest to them.

Another initiative that could strengthen the discussion, guidance and training of municipal comptrollers regarding management and control is the establishment of an open association or entity without political affiliation, which would bring together the municipalities of the State of Mexico. An association like this would facilitate the accumulation and management of the demand for institutional strengthening of all municipalities and all municipal control units, as well as the eventual allocation of state or municipal funds. An initiative of this type could be an incentive for universities and training centers in public management, planning, control, audit and prevention of corruption, to produce an offer for capacity-building, training and research that, in the long term, solves the weak training of personnel at the municipal level.