Internal control and risk management are the policies, processes and actions used to manage integrity risks such as fraud, corruption and abuse. A strong internal control system should also include internal auditing to evaluate its strength, and a robust risk management framework to help organisations identify and respond to corruption risks. Internal control, internal audit and risk management support public sector organisations in their efforts to be less vulnerable to fraud and corruption and to achieve their policy goals and objectives, comply with regulations, manage risks, and use resources responsibly. They play a crucial role in preventing misuse of public funds and maintaining the efficiency and integrity of public services, and in turn may increase trust in public institutions (OECD, 2024a).
OECD countries have strong regulations on internal control, internal audit and risk management to counter corruption risks. According to the OECD Public Integrity Indicators, OECD countries on average fulfil 76% of the standard criteria for regulations on internal control and risk management, and 55% of those for internal audit. Eight countries fulfil all the criteria for internal control and risk management regulations: Costa Rica, Estonia, Lithuania, Mexico, Slovenia, Spain, Sweden and the United States. Lithuania is the only country that fulfils all the criteria for internal audit regulations.
Despite their strong regulations, the effectiveness of OECD countries’ internal control, risk management and internal audit processes could be improved in practice. Standard criteria for strong practices include ensuring internal control and internal audit systems are developed by a central function, and the inclusion of integrity risks in public organisations’ risk assessments. OECD countries on average fulfil 33% of these criteria on practices for internal control and risk management, and 27% for internal audit. Lithuania performs most strongly on practice, fulfilling 77% of criteria for internal control and risk management, and 67% for internal audit (Table 12.2).
Integrity risk management policies and processes provide reasonable assurance to management that a public body is achieving its integrity objectives and managing its risks effectively. Integrity risk management regulations and policies adopted at the central level of government are not consistently applied across line ministries and agencies. Although 21 OECD countries have regulations requiring risk assessment frameworks to address public integrity risks, only 6 have carried out recent risk assessments across all ministries and agencies. These are Australia, Ireland, Lithuania, Latvia, Poland and Portugal (Figure 12.5).
Internal audit is most effective when it has sufficient coverage of key risk areas within the public budget. It offers assurance on the effectiveness of internal control systems and can contribute to fraud prevention by identifying vulnerabilities and strengthening controls. Regulation and practice vary significantly across OECD countries. On average, legislation brings 82% of OECD countries’ national budget organisations within the scope of internal audit, yet only 62% of them have actually been internally audited in the last five years (Figure 12.6). Four countries have full coverage both in legislation and in practice: Ireland, Mexico, the Netherlands and Türkiye. Six countries have full coverage in legislation but have not internally audited all entities in practice: Greece, Latvia, Lithuania, Portugal, the Slovak Republic and Slovenia (Figure 12.6).