More than a third of public sector organisations do not have fully effective risk management mechanisms

18 December 2013

New research from the Chartered Institute of Internal Auditors (IIA) suggests that well over a third of public sector organisations still do not have effective mechanisms in place to manage risk.    

The Heads of Internal Audit of 42% of central government departments and 37% of local government organisations rated their own organisation's awareness of the risks facing it and the effectiveness of its processes to manage them as 'in the early stages', 'in development' or even 'non-existent'. 

The IIA warns that, at a time of major restructuring, a large proportion of the public sector may be unnecessarily vulnerable to serious financial or operational failures, without adequate arrangements in place to spot potential dangers and put plans in place to minimise their impact.

Internal auditors help organisations to manage the wide range of risks facing them, including for example: financial and fraud risks; data security risks; and health and safety risks. They help the board and management identify and address risk management, internal control and corporate governance issues before they become a problem.

The IIA points out that effective internal audit can play a key role in supporting public sector boards and management in reducing the recurrence of major public sector scandals such as the problems in organisational culture that jeopardized patient care at the Mid Staffordshire NHS Trust, or the poor governance that resulted in a flawed bidding process for the West Coast Mainline franchise.  However, the National Audit Office was last year critical* of standards of internal audit in central government, saying that it was patchy and offered poor value for money.

Since then, the Institute, working alongside standard setters in the public sector has launched the first ever unified nationwide Public Sector Internal Audit Standards, introduced in April 2013.  

However, the IIA's research highlights that these Standards are not yet being fully adhered to in some areas of local government. For example, the new Standards advise that the appropriate reporting line for Heads of Internal Audit in public sector organisations is to the audit committee, with administrative reporting to the chief executive. But 28% of Heads of Internal audit in local government said their teams report to the Chief Financial Officer (CFO).  The IIA says that this could create a conflict of interest, potentially limiting internal audit's ability to be completely objective in fulfilling its scrutiny of financial controls, which also fall into the remit of the CFO.

Cuts to some public sector internal audit budgets are also an issue. According to the IIA's survey, 24% of public sector Heads of Internal Audit said they expect to see budget reductions in the next year compared to fewer than 10% in the private sector.

Dr Ian Peters, Chief Executive of the IIA comments: "The public sector is undergoing huge structural reorganisation at the moment, and with restructuring invariably comes new and changed risks.  This makes the poor ratings on the management of risk given by many public sector Heads of Internal Audit to their own organisations a matter of serious concern. Whilst Heads of Internal Audit understand they cannot be immune from the drive for greater efficiency, the ability of the profession to respond to these challenges is being constrained by a lack of resources."

The IIA's research also reveals that public sector Heads of Internal Audit are allocating less time to supplier risk than those in the private sector, despite the increased levels of outsourcing of public sector activity. 

Just 12 per cent of public sector organisations' Heads of Internal Audit said that outsourcing was one of the top risks that they devote time to, compared to 37% in the private sector. 

The IIA points out that the outsourcing of public sector projects to private sector contractors has recently resulted in some high profile  problems, such as the controversy over the administration of 'Fit to Work' benefits assessments by Atos Healthcare, and the failure of G4S to provide adequate security staff for the Olympics forcing the organisers to call on the army.

Dr Ian Peters added: "The private sector is generally aware of the risks of outsourcing - if a supplier fails to deliver on price, quality and deadlines that can wreak significant financial and reputational damage."

ENDS

 

View the full research report, Governance and Risk 2013