This chapter assesses Brazil’s integrity risk management and audit framework. The internal control regulations are well aligned with international standards. The chapter provides guidance on how to improve ownership of senior management and to clarify roles and responsibilities in internal control. Also, it recommends avenues for strengthening internal audit to add value to integrity management. Finally, the chapter reviews the external audit function in Brazil and provides recommendations to further improve co-operation between the internal and external audit functions and to create a more unified approach to overseeing decentralised policies.
OECD Integrity Review of Brazil 2025
4. Strengthening the Brazilian integrity risk management and audit framework
Introduction
Effective public control is at the heart of sound financial and non-financial management of public funds. At a time when governments across the world are operating under considerable financial constraints and are having to do more with less, public organisations are compelled to achieve value for money in an effective and financially responsible manner. Accordingly, the OECD Recommendation of the Council on Public Integrity calls on adherents to “apply an internal control and risk management framework to protect integrity within public sector entities” (OECD, 2017[1]). A public internal control system requires that institutions develop internal control policies and practices to support sound financial management, to ensure compliance with legislation and regulations, to safeguard assets, and to achieve organisational objectives.
In addition to an effective integrity risk management and internal control framework, a public administration system should have an internal audit function that is effective and clearly separated from operations, and a Supreme Audit Institution (SAI) that has a clear mandate and is independent, transparent and effective (OECD, 2017[1]). Regarding the latter, SAIs can also contribute to the implementation of internal control and risk management. Through their opinions on the regularity of financial statements; their assessment of whether government performance adheres to efficiency, economy, and effectiveness; and their determination of whether public entities comply with their governing authorities, SAIs are well-placed to provide the external oversight and insight to inform the effectiveness of internal control and integrity risk management.
Brazil is a vast country with a highly decentralised federative government. Brazil has consistently improved its risk management and internal control regulatory framework over the years, to align with international standards and good practice. Nonetheless, like many countries, Brazil struggles in implementing its regulatory framework. In practice, the overall effectiveness of the public control system is often undermined by weak governance, poor understanding of roles and responsibilities and a lack of accountability at the higher levels. Furthermore, although audit activities are prominent across all levels of government, co‑ordination between the various audit bodies requires strengthening. This is particularly relevant given the decentralisation of policies where federal, state and local governments are involved in policy design and service delivery and where multiple audit bodies at the national and sub-national levels are mandated to audit these policies at their respective level. To align practice to the regulatory framework, governance needs to be strengthened, roles and responsibilities clarified, and emphasis must be placed on establishing and reinforcing co-ordination across national and sub-national audit bodies.
This chapter looks into the Brazilian integrity risk management and audit framework and focuses in particular on the following three core elements:
Supporting the implementation of risk management and internal control mechanisms.
Improving the internal audit activity.
Strengthening the external audit activity.
Supporting the implementation of risk management and internal control mechanisms in Brazil
In Brazil, several key players share responsibilities of the risk management and internal control system, and the relevant regulatory framework is well-established and aligned with international standards
Effective implementation of risk management and internal control policies relies on many actors at governmental, institutional and individual levels. Clearly defining the role of each actor is therefore key. At the government level, public sector standards bodies ensure that government-wide risk management and internal control policies are consistent and harmonised. At the institutional level, risk management and internal control policies and processes provide management with reasonable assurance that the organisation is achieving its integrity objectives and managing its risks effectively. Finally, at the individual level, many standards call for the personal commitment of public officials to integrity and compliance with codes of conduct (OECD, 2020[2]). Typically, the responsibility for the implementation of government-wide risk management and internal control systems is shared among a variety of public sector organisations such as a central harmonisation unit, audit institutions and anti-corruption bodies (OECD, 2020[2]).
In Brazil, the Office of the Comptroller General of the Union (Controladoria-Geral da União, CGU) plays a central role in the country’s internal control system. Moreover, the Federal Court of Accounts (Tribunal de Contas da União, TCU), the nation’s Supreme Audit Institution (SAI), contributes to promoting the implementation of risk management and internal control and audit by providing an independent examination of whether the government’s undertakings align with the principles of economy, efficiency and effectiveness, thereby providing the National Congress (Congresso Nacional) with information on integrity to hold the government to account.
The CGU plays multiple roles in the internal control system. The CGU is responsible for co-ordinating risk management and promoting public integrity across the Federal Executive Branch (for more information see Chapters 1 and 2). Furthermore, the CGU is overseeing the implementation of the centralised Federal Executive Branch disciplinary system (for more information see Chapter 5). The CGU also performs the central harmonisation function of the internal control system, as the CGU is responsible for regulatory guidance and technical supervision of the bodies that make up the system. The internal unit responsible for this is CGU’s Federal Secretariat for Internal Control (Secretaria Federal de Controle Interno, SFC). CGU’s SFC also provides an internal audit function for many of the federal public institutions. In 2003, Brazil centralised the internal audit function, which had previously been a separate function in every ministry, into a single body, the CGU (OECD, 2017[3]).
According to information provided by Brazil, the CGU provides this internal audit function for almost all ministries (government entities responsible for setting policy and providing oversight). A few exceptions include:
The Presidency of the Republic, the Attorney General's Office of the Union, the Ministry of Foreign Affairs and the Ministry of Defence, and respective sectoral units, where the internal audit function is the responsibility of Internal Control Secretariats (Secretarias de Controle Interno).
In agencies (government bodies and entities responsible for performing a public function and who are accountable to ministries), internal audit operates at two levels: (1) each agency maintains its own internal audit function through a Government Unit of Internal Audit (Unidade de Auditoria Interna Governamental); and (2) the CGU also conducts internal audits within these agencies, providing an additional layer of oversight.
At the subnational level, along with the Regional and Municipal Comptrollers of the Union, the CGU’s SFC is responsible for providing an internal audit function only for federal resources transferred to States and Municipalities.
Moreover, Special Internal Control Advisors (Assessorias Especiais de Controle Interno, AECI), most of whom come from the CGU, are assigned to ministries to advise management on internal controls. The AECI assume a Second Line role (see Figure 4.1 for the Three Lines Model) and support the Governance, Risk, and Internal Control Committees (Comitês de Governança, Riscos e Controle Interno). When these committees are established, they take on responsibilities such as ensuring compliance with laws and regulations, setting policies, supervising risk assessment activities and making recommendations to improve internal control and risk management systems (OECD, 2017[3]). In agencies, the Second Line function also exists but may vary in organisational structure from one agency to another.
With respect to the regulations underpinning the internal control and risk management system, Brazil has a well-established regulatory framework on internal control and risk management that is dispersed across multiple laws, decrees and normative instructions. The main ones are described in Table 4.1.
Table 4.1. Regulatory Framework governing the Internal Control Framework of the Brazilian Federal government

| | Laws, decrees, and normative instructions | Key excerpts relating to the internal control framework |
|---|---|---|
| 1 | The Brazilian Federal Constitution | An integrated internal control system must be maintained to evaluate the legality, effectiveness, and efficiency of public spending execution |
| 2 | Decree Law 200 of 25 February 1967 | Control of the activities of the Federal Administration must be exercised by: |
| 3 | Decree 3.591 of 6 September 2000 | The Internal Control System aims to evaluate government action and the management of federal public administrators. The Internal Control System of the Federal Executive Branch uses auditing and inspection to achieve its purposes. |
| 4 | Law 10.180 of 6 February 2001 | The Internal Control System of the Federal Executive Branch comprises the evaluation activities of the compliance with the goals set out in the multi-annual plan, the execution of government programmes and the budgets of the Union and evaluation of the management of federal public administrators, using auditing and oversight. |
| 5 | Joint Normative Instruction Ministry of Planning, Budget and Management (Ministério de Planejamento, Orçamento e Gestão, MP) / CGU 1 of 10 May 2016 | The bodies and entities of the Federal Executive Branch must adopt measures for the systematisation of practices related to risk management, internal controls, and governance. |
| 6 | Law 13.303 of 30 June 2016 | The public company and the mixed capital company will adopt rules on structures and practices for risk management and internal control that cover the three lines model: 1) action of administrators and employees; 2) the area responsible for verifying compliance with obligations and risk management; and 3) internal audit and Statutory Audit Committee. |
| 7 | Normative Instruction 3 of 9 June 2017 | This instruction approves the Technical Reference for the Internal Audit Activity of the Federal Executive Branch. The purpose of this reference is to establish the principles, requirements, and guidelines of the internal audit function in the Federal Executive Branch. It sets the rules that aim to uphold the independence and objectivity of the internal audit function in alignment with international standards. |
| 8 | Normative Instruction CGU No. 8 of 6 December 2017 | This instruction establishes the Manual of Technical Guidelines for Government Internal Audit Activity (MOT), which provides detailed guidance on the full audit cycle within the Federal Executive Branch — from planning and execution to monitoring. The MOT aims to standardise internal audit procedures, promote quality, and support the implementation of the Technical Reference established by Normative Instruction No. 3 of 9 June 2017. It also serves as a key tool for strengthening audit practices across federal entities and aligning them with international standards. |
| 9 | Decree 9.203 of 22 November 2017 | This decree stipulates that the principles of public governance should be founded on integrity, accountability, and transparency. Furthermore, internal controls should be risk-based, and public administration organisations must establish, maintain, monitor, and improve risk management systems and internal controls. |
| 10 | Complementary Law 1.010 of 4 May 2000 | Establishes public finance standards aimed at responsibility in fiscal management and provides other measures. |
| 11 | Organic Law of the Federal Court of Accounts 8.443 of 16 July 1992 | Establishes the mandate of the Federal Court of Accounts, to: judge the accounts of managers and other authorities in charge of public money and assets of the Federal government; perform accounting, financial, budgetary, and performance audits; analyse the annual rendering of accounts |
| 12 | Decree 11.529 of 2023 | Establishes the System of Integrity, Transparency and Access to Information of the Federal Public Administration (Sistema de Integridade, Transparência e Acesso à Informação da Administração Pública Federal, SITAI) under Decree 11.529 of 2023 (replacing Decree 10.756 of 27 July 2022). The SITAI is responsible for co-ordinating activities and establishing standards related to integrity, transparency and access to information within the federal administration. |
| 13 | Ordinance 1.089 of 25 April 2018 | Establishes guidelines for direct, autonomous, and foundational federal public administration bodies and entities to adopt procedures for structuring, executing, and monitoring their integrity programmes and provides other measures. |

Brazil has aligned its regulatory frameworks on risk management and internal control with international standards. For example, the definition of internal audit, as stated by Joint Normative Instruction MP/CGU 1 of 10 May 2016, corresponds to that of the Institute of Internal Auditors (IIA, 2023[4]). Furthermore, the Joint Normative Instruction’s stipulations for the risk management process align with the International Standards Organisation guidelines on risk management (ISO, 2018[5]):
setting objectives in alignment with the mission and vision of the organisation
identification of risks inherent to the activity of the organisation
assessment of risk through qualitative and/or quantitative analysis
response to risk (avoid, transfer, accept or treat)
internal control activities to mitigate risks
communication of information to enable decision-making
monitoring to evaluate the quality of risk management and internal management controls.
The Normative Instruction 3 of 9 June 2017, which approves the Technical Reference for internal audit, outlines the Institute of Internal Auditors’ Three Lines Model (Figure 4.1). It states that the internal control structure of bodies and entities of the Federal Public Administration should adhere to this model to ensure clear responsibilities and co-ordinated and efficient action:
The First Line is embodied by managers who are responsible for establishing and maintaining controls to support the implementation of public policies. They are also responsible for identifying, evaluating, controlling, and mitigating risks, guiding the development and implementation of internal policies and procedures designed to ensure that activities are carried out in accordance with the organisation's goals and objectives. To ensure their adequacy and effectiveness, internal controls must be integrated into the management process and designed in proportion to the level of risk being managed.
The Second Line is also enacted by management with the purpose of ensuring that activities carried out by the First Line are executed appropriately. Second Line functions embody supervision and monitoring functions and are typically associated with risk management, compliance, quality verification, financial control, guidance, and training.
The Third Line is represented by the internal audit activity that objectively evaluates governance, risk management, and internal controls with a view to providing opinions or conclusions in relation to the execution of the goals set out in the multi-annual plan. The Normative Instruction 3 of 9 June 2017 (the Brazilian federal public administration’s statutory instrument that provides for internal controls, risk management and governance) also stipulates that the independence of the internal audit activity should allow it to fulfil its responsibilities.
Finally, although not mentioned specifically, Decree Law 200 of 25 February 1967 outlines the Three Lines Model by describing the way in which control of activities of the Federal Administration should be exercised, and Law 13.303 of 30 June 2016 also stipulates the Three Lines Model.
Figure 4.1. The three lines model
Source: IIA (2020[6]), “The IIA’s Three Lines Model – An update of the Three Lines of Defense”, https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/.
The CGU could develop guidance and sensitise public servants to clarify internal control concepts, roles and responsibilities
The regulatory framework underpinning the internal control system in Brazil (Table 4.1) reflects the incremental process of strengthening the system over time and is a strong foundation on which to establish and maintain a robust internal control system.
However, interviews with stakeholders revealed confusion among public servants regarding the concepts of internal control and internal audit, as well as their respective roles and responsibilities. This confusion may be due to lack of awareness or training on the internal control framework. Additionally, the use of “control” as a broad term for encompassing both internal control and internal audit activities may be contributing to the misunderstanding.
The potential confusion is recognised in Article 2-XVI of the Joint Normative Instruction 1 of 10 May 2016, which describes the role of the Internal Control System of the Federal Executive Branch as evaluating the execution of government programmes through auditing and oversight but cautions that this should not be confused with internal management controls which are the responsibility of the bodies and entities of the Federal Executive Branch. Moreover, the TCU, in a 2016 Survey Report, also acknowledged the semantics of “internal control” and “internal control bodies” as problematic. It explained that “if ‘internal control’ is a procedure, an action, an activity, it makes no sense to use the expression ‘internal control body’. This is because each administrative activity has an internal control responsible for dealing with the risk that exists in the activity” (TCU, 2017[7]). The survey report also highlighted how the use of the term “internal control body” may give managers the impression that they are not responsible for internal control as there is a separate internal control body to do this. The survey report concluded that such “internal control bodies” would be better called “internal audit bodies” as they are responsible for evaluating internal controls (TCU, 2017[7]).
Furthermore, although the Three Lines Model is accurately described in some legislation (as previously detailed), it is not clearly defined in others. For example, Law 14.133 of 1 April 2021, the Bidding and Administrative Contracts Law (Lei de Licitações e Contratos Administrativos), correctly describes the First Line as the employees undertaking the government operation (bidding) but fails to correctly describe the second and third lines. Indeed, the Second Line is defined as the organisation’s internal control units or body, which according to stakeholders signifies internal audit, which is a Third Line function (Figure 4.1). Also, there is no mention of the Special Internal Control Advisors as stipulated in the Normative Instruction 3 of 9 June 2017 to assume the Second Line role. Lastly, although the Third Line includes the central administration’s internal control body that takes on the internal audit function, the Law also includes the Federal Court of Accounts in the Third Line. The Federal Court of Accounts is not part of the Three Lines Model (Figure 4.1) as the Three Lines are all accountable to the governing body of the organisation. The TCU is the Supreme Audit Institution of Brazil and as such an external assurance function that operates independently from the entity under review and is accountable to the public and the highest authority, the National Congress (INTOSAI/IIA, 2022[8]).
The CGU’s involvement in both internal audit and advisory roles has led to confusion among ministries regarding the delineation of responsibilities within the Three Lines Model. However, it is important to clarify that, in accordance with the Institute of Internal Auditors (IIA), the CGU does not perform the Second Line function. Within the federal public administration, the CGU — through the Federal Secretariat for Internal Control (SFC) — operates exclusively as the central body of the Internal Control System of the Federal Executive Branch, with responsibilities situated firmly in the Third Line. Its mandate includes independently evaluating the effectiveness of internal controls established by public entities and reporting directly to the highest executive authority and the National Congress. As it is not embedded within the organisational structures of audited bodies nor subordinate to their management, the CGU maintains the independence characteristic of a Third Line function.
Furthermore, public servants sometimes perceive the CGU as an external audit body, even though external auditing falls under the mandate of the TCU. For example, the internal audit web page of the National Civil Aviation Agency of Brazil (Agência Nacional de Aviação Civil, ANAC) refers to both the CGU and the TCU as external control bodies (“control” in this instance refers to “audit”) (ANAC, n.d.[9]). However, although it is located outside the public body, the CGU provides an internal audit function, sometimes in addition to an internal audit unit that already exists within the public body. In such cases, the Normative Instruction 5/2021 from the CGU (IN SFC 5/2021) requires that the internal audit plans of the indirect administration be sent to the CGU to prevent duplication. This apparent lack of clarity between external and internal audit could contribute to weaker implementation of internal control responsibilities and internal audit recommendations.
The CGU, as the central harmonisation unit, is well-placed to raise awareness and train public servants about the internal control system, including the differences between internal and external audit, by clarifying the players involved and defining and delineating each of the roles of the three lines model. Article 11 of the Joint Normative Instruction 1 of 10 May 2016 (MP/CGU 01/2016) lays this out as one of its principles: “When implementing internal management controls, senior management, as well as the organisation's employees, must observe the components of the internal control structure: (…) organisational structure in which responsibilities and delegation of authority are clearly assigned, so that the objectives of the organisation or public policies are achieved.” (Government of Brazil, 2016[10]).
Therefore, acknowledging that the use of the word “control” has a double meaning, the CGU could consider emphasising more clearly the difference between internal control and internal audit, for example based on the definitions provided on “internal audit” and “internal management control” in the Joint Normative Instruction MP/CGU 01/2016. A deeper understanding could shift how public servants perceive roles and responsibilities, so that they assume their rightful roles within the internal control system and understand what is expected of them by different actors. This could require strategic tactics based on change management theory and behavioural insights. In Brazil, there is sufficient authoritative direction and capacities to develop guidance and sensitisation materials to further support clarifying the differences between “control” and “audit” and the appropriate roles that individuals within the system should assume. This could significantly contribute to strengthening the impact of the internal control and internal audit framework.
The CGU could promote the management responsibility for internal control and risk management through senior management support and public servant engagement
The Joint Normative Instruction MP/CGU 1/2016 clearly outlines the Three Lines Model. In particular, it designates the responsibility for the implementation, maintenance and monitoring of internal controls on the basis of risk to the bodies and entities of the Federal Executive Branch, thus constituting the First Line. All public agents responsible for conducting activities and tasks must also incorporate the operation of internal controls into their duties. Ownership for the internal control system is therefore placed inside an entity and under management responsibility (OECD, 2017[3]).
In line with the COSO Internal Control Framework (COSO, 2013[11]), the Joint Normative Instruction presents internal controls as a means to an end and not an end in itself. That is, it places internal controls within the context of attaining objectives and managing risk. Internal controls provide reasonable assurance that in striving to achieve an entity’s mission, the following objectives will be met:
orderly, ethical, economical, efficient, and effective execution of operations
compliance with accountability obligations (i.e., transparent and regular reporting)
compliance with applicable laws and regulations
safeguarding resources to avoid losses, misuse, and damage.
However, according to stakeholders, there is no clear distinction between different assurance roles (for example, internal audit, external audit, and control functions). These elements are not well understood (as described previously), and management has little awareness about their internal control responsibilities, nor do they believe that they are responsible for internal controls. Consequently, the value of internal control may often not be apparent to public managers and staff. Stakeholders also explained that within the Brazilian Federal Public Administration there is a weak culture of committing to the achievement of results and of conducting efficient operations. They described difficulty in determining the objectives and priorities of ministries, noting this as an impediment to internal control implementation. Furthermore, performance indicators are often not established to measure whether objectives have been met, or such objectives are not clear.
The lack of clear objectives and performance culture coupled with weak accountability and difficulty in measuring performance can undermine management’s understanding of the value of internal control and risk management. A public manager that is not aware of objectives and priorities and is not held accountable for achieving them may not feel the need to work towards those objectives or to manage risks that could threaten their achievement.
To build greater ownership, the role of managers within the Brazilian Federal Public Administration regarding risk management and internal control needs to be strengthened. To ensure appropriate implementation, roles and responsibilities should be clearly defined in an organisation’s internal control policy in alignment with the existing regulatory framework and international standards. The Joint Normative Instruction MP/CGU 1/2016 is very clear on the Three Lines Model where management responsibility for internal control is explicitly stated. Therefore, senior management commitment to the development and performance of internal controls is key. COSO’s internal control framework asserts the importance of governance in maintaining a functional internal control system. This includes senior management oversight responsibility for management’s design, implementation, and conduct of the internal control system. Governance structures, reporting lines and appropriate authorities and responsibilities are also key principles of a healthy internal control system whereby responsibilities and duties are assigned at various levels of the organisation. This entails senior management establishing directives, guidance and control to enable management to understand and carry out their internal control responsibilities (COSO, 2013[11]). Training should also be incorporated to further build management capacity in the adoption of their internal control responsibilities.
The COSO framework further outlines that an organisation holds individuals accountable for the performance of their internal control responsibilities by establishing communication channels and other mechanisms, such as corrective action (COSO, 2013[11]). Furthermore, continuous monitoring is key not only to gauge employee performance but also to determine compliance with internal controls and their overall effectiveness (Mendes de Oliveira et al., 2022[12]). Management accountability can be supported by a dedicated internal control reporting mechanism, which can provide a summary of self-assessments of internal control and risk management activities. Evaluation is a key component of a strong internal control system, as having an abundance of control mechanisms in place is not useful if performance is not monitored and corrective action is not taken when necessary. Within the context of fraud, poor internal control performance renders an organisation more susceptible, thus underscoring the importance of management responsibility for internal control (Mendes de Oliveira et al., 2022[12]).
To align the Brazilian public sector with best practice, management must take responsibility for internal control and be held accountable for its performance. Putting the right supports in place to empower management to gauge the performance of the system (such as through senior management oversight and continuous monitoring) and to take corrective action, when necessary, can strengthen the internal control system. Empowerment can be achieved also by influencing individuals with leadership qualities to incite change across the organisation (OECD, 2022[13]). As previously noted, a healthy and robust internal control system is only a means to an end. Thus, objectives should be defined and risks to achieving the objectives should be identified. These steps should precede and inform the development of internal control and the risk assessment process. Examples from other jurisdictions could be used as inspiration for Brazil (Box 4.1).
Box 4.1. Canadian good practice: Management responsibility for internal control and risk management encompassed in policy
The objective of the Canadian federal government Policy on Financial Management is to properly manage financial resources in the delivery of programmes and to safeguard them through controls and management of risk. The policy assigns senior departmental managers responsibility for implementing and maintaining a risk-based system of internal control over financial management in their area of responsibility. This includes ongoing monitoring of internal controls by assessing their effectiveness and correcting any identified gaps and weaknesses.
In its 2021-2022 departmental financial statements, the federal department, Health Canada, asserted management responsibility for maintaining an effective system of internal control over financial reporting. This assertion provided reasonable assurance that financial information was reliable, assets were safeguarded, and transactions were properly authorised. Furthermore, the financial statement noted that Health Canada’s system of internal control had been reviewed by the work of their internal audit function and its respective Departmental Audit Committee. The former had conducted audits of some of Health Canada’s operations while the latter oversaw management responsibility for maintaining adequate control systems and for producing quality financial reports.
Sources: Government of Canada (2017[14]), Policy on Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32495; Government of Canada (2019[15]), Guide to Ongoing Monitoring of Internal Controls Over Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32651&section=html; Government of Canada (2022[16]), Health Canada - 2021-22 Departmental Financial Statements, https://www.canada.ca/en/health-canada/corporate/transparency/corporate-management-reporting/departmental-performance-reports/2021-2022-financial-statements.html.
To effectively implement integrity risk management within the Brazilian Federal Public Administration, the CGU could enlist senior management support, establish governance structures and provide sufficient resources to the Sectoral Units of the SITAI
Similar to the internal control regulations, Brazil has a strong risk management framework. First, the Joint Normative Instruction MP/CGU 1 of 10 May 2016 established the risk management process that aligns with international standards (as previously described). Second, Decree 9.203/2017 obligates all federal public entities to undertake integrity risk management (Table 4.1). Third, the Integrity, Transparency and Access to Information System of the Federal Public Administration (SITAI) is responsible for co-ordinating activities and establishing standards related to integrity, transparency and access to information within the federal administration (Table 4.1). The SITAI’s central body – the CGU – is responsible for, among others, guiding activities related to integrity risk management, while SITAI’s Sectoral Units are responsible for, among others, co-ordinating the management of integrity risks. Regarding integrity risk management, in September 2018, the CGU published a Practical Guide for Integrity Risk Management to assist all federal public administration bodies and entities with integrity risk management (CGU, 2018[17]). It followed the CGU Ordinance 1.089 of 25 April 2018 which established guidelines for federal bodies and entities to adopt procedures for structuring, executing, and monitoring their integrity programmes. Finally, the competence for promoting risk management has been formally established and attributed to the CGU’s SFC (Decree 11.824/2023). The SFC and SIP are required to work together in relation to promoting risk management, considering that SIP is responsible for the integrity risk management perspective.
Despite this robust framework for integrity risk management, a 2022 OECD report found that Brazil is still facing significant implementation challenges (OECD, 2022[13]). In fact, the weakness in the risk management system is long-standing. In 2014, the TCU conducted a survey in co-ordination with the Rui Barbosa Institute, the Association of Members of the Brazilian Courts of Accounts (Associação dos Membros dos Tribunais de Contas do Brasil, ATRICON), and 28 subnational audit entities (OECD, 2022[13]). The TCU assessed the maturity of risk management based on a set of criteria and found that close to 70% of federal organisations stated that the risk management process was not implemented and that 57% of federal organisations did not identify critical risks and therefore did not establish internal controls to mitigate them (TCU, 2015[18]). This has been further supported by Brazilian academia. A 2020 study on risk management governance structures assessed 22 federal entities against 21 indicators, such as whether risk management committees were in place, whether committee members were trained, and whether committee minutes and reports were disclosed, among others. The performance of federal entities varied; overall, however, the study found that ministries had inadequate governance structures for risk management (Batista Vieira and Batista de Araujo, 2020[19]). Most recently, stakeholders noted that although most agencies had implemented a risk methodology and had struck a risk committee, these were not effective.
The OECD Public Integrity Indicators on “Effectiveness of Internal Control and Risk Management”, which measure the strength of elements of the internal control system relevant to promoting integrity and preventing and combatting fraud and corruption, show that Brazil performs above the OECD average in most areas (see Table 4.2).
Brazil performs strongly in several areas related to internal control and risk management when compared with the OECD average, reflecting a robust regulatory foundation and broad institutional coverage. It also exceeds the OECD average in the regulatory frameworks for both internal control and internal audit, confirming that the legal and institutional bases for oversight are well established. Similarly, both Brazil and the OECD average score equally on the risk management framework.
Brazil also demonstrates stronger institutional coverage. It outperforms the OECD average in the coverage of central functions and in central reporting mechanisms, which suggests better coordination and oversight capabilities. In practice, Brazil shows greater integration of internal audit and risk-based approaches and more frequent use of integrity risk management in budget organisations, indicating a more proactive approach to addressing risk and promoting integrity. Brazil reports full coverage of national budget organisations by internal audit and has audited all these organisations within the past five years. These figures reflect a comprehensive and recent audit reach that surpasses OECD peers.
Despite these strengths, Brazil significantly underperforms in the implementation and follow-up of audit findings. The adoption rate and implementation rate of internal audit recommendations in Brazil are markedly lower than the OECD averages. This gap suggests that while Brazil has solid frameworks and coverage, the practical impact of internal audit activities is undermined by limited follow-through.
Overall, Brazil demonstrates stronger regulatory and institutional structures for internal control and risk management compared to the OECD average. It also excels in the scope and frequency of audits. However, the low rates of adoption and implementation of audit recommendations highlight a critical area for improvement. Enhancing the responsiveness to audit outcomes will be essential for Brazil to fully realise the benefits of its robust control systems.
Table 4.2. Brazil’s performance on the OECD Public Integrity Indicators
Principle 10: Effectiveness of internal control and risk management
| Indicator | OECD average | Brazil |
|---|---|---|
| Regulatory framework for internal control | 8/10 | 9/10 |
| Regulatory framework for internal audit | 5/9 | 8/9 |
| Risk management framework | 4/5 | 4/5 |
| Coverage of central functions to implement internal control and internal audit | 6/11 | 8/11 |
| Central reporting on internal control and internal audit | 3/9 | 5/9 |
| Internal audit and risk-based approaches in practice | 3/12 | 5/12 |
| Use of integrity risk management in budget organisations in practice | 2/10 | 7/10 |
| National budget organisations covered by internal audit | 82/100 | 100/100 |
| National budget organisations audited in the past five years | 62/100 | 100/100 |
| Adoption rate for internal audit recommendations | 93/100 | 36/100 |
| Implementation rate for internal audit recommendations | 78/100 | 26/100 |
Note: The OECD average is based on results for 28 countries. The following countries did not provide data: Belgium, Colombia, France, Germany, Hungary, Iceland, Israel, Italy, New Zealand and the United Kingdom. The OECD average for “Internal audit in practice”, “Risk management in practice”, “Adoption of internal audit recommendations” and “Implementation of internal audit recommendations” excludes data from Canada, Costa Rica, Korea (Republic of), Luxembourg, Mexico, Spain and the United States, as these countries did not provide data from the sample of ministries and agencies necessary to analyse these indicators.
Source: OECD (n.d.[20]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 14 February 2025).
There are multiple challenges to risk management implementation. Firstly, senior management support, which is critical to effective implementation of risk management, is often lacking. Stakeholders described having to persuade senior management of the importance of integrity issues and noted that the Centre of Government was completely disengaged. The CGU practical guide on risk assessment, however, asserts the importance of senior management commitment, noting the following:
“Given that the responsibility for establishing, maintaining, monitoring, and improving internal management controls lies with the organisation's senior management, and these controls must respond to risks that may compromise organisational objectives, it is he/she who must respond when objectives are not achieved due to his/her failure to address risks that could occur and were neglected or undervalued. Therefore, risk management is also the responsibility of senior management. If there is no true adherence to the need for risk management, the involvement of senior management will not have the expected effects: generating convergence among the institution's various actors, allocating the necessary resources, involving people with knowledge and experience in the subject, etc. Therefore, when the leader of the organisation, despite wanting to comply with the provisions of the regulations, still does not feel convinced of the benefits of risk management, we suggest the adoption of measures aimed at expanding his/her knowledge in this regard and then realizing as it applies in real situations.” (CGU, 2018[17])
Another obstacle to effective integrity risk management, identified by stakeholders, is the resistance of public servants to discuss integrity issues; for example, managers were hesitant to use language such as fraud or nepotism. Furthermore, as mentioned above, managers often conflated the role of CGU as a support body in promoting integrity and its role as an audit body, which further added to the resistance to engage on integrity issues. A 2022 OECD report proposed the application of behavioural techniques as a means of disarming public managers and making them more amenable to engage in risk management. The risk management process of identifying and assessing risks to objectives and proposing mitigation measures is heavily informed by those responsible for meeting those objectives. Cognitive biases and human error no doubt influence the risk management process, rendering it less objective. Hesitation to engage may be due to a lack of understanding about the process, where individuals do not see the value in identifying risk or fear that their own integrity is being questioned rather than systemic integrity risks being identified. Individuals may also want to avoid additional burdens or costs incurred by identifying mitigation measures (OECD, 2022[13]).
The CGU could therefore assess their current risk management governance structure including responsibilities and reporting lines against best practice (such as the COSO Internal Control Integrated Framework (2013[11]) and TCU’s 2014 Basic Reference for Governance (2020[21])) to determine strengths and weaknesses in their governance structure. Identified issues such as the lack of senior management support or management hesitation to embody their risk management responsibilities should be met with solutions to rectify these weaknesses. One way to identify solutions is through an internal audit that can objectively assess the governance structure and risk management processes to develop recommendations for improvement (as noted in the next section).
In addition to ensuring that frontline managers and personnel with subject matter knowledge are involved in the process, behavioural insights should be used to create a conducive environment for the risk assessment process to take place. As a first step, this would largely entail sensitising managers and personnel about integrity risk management, for example by explaining how human cognitive biases can affect the process and proposing techniques to manage them. Acknowledging the origin of discomfort and working to disarm it should follow. This could entail communicating the risk assessment process in a depersonalised manner to focus on systems as opposed to individual action. This may reduce fear and allow personnel to participate fully in the process and not withhold information (OECD, 2022[13]).
To further institutionalise such efforts towards promoting integrity and managing integrity risks, the CGU could continue leveraging the Sectoral Units of the SITAI. They are located in all public institutions of the direct, autarchic and foundational federal public administration. Such units should be supported and empowered to play their role in the promotion, co-ordination and sensitisation. This includes ensuring that these units are matched with sufficient human, financial and other resources to allow them to fulfil their mandate.
Finally, as of January 2023, CGU’s SIP created the Public Integrity Community Platform (CIP) as a means of providing a channel for interaction and sharing of information, experiences and good practices in public integrity. The community is made up of managers and integrity teams from ministries, agencies and entities of the Federal Executive Branch and it operates within a virtual environment. It is a good initiative that can be further leveraged to facilitate communication and sharing of experiences and best practice to promote risk management culture and to identify common risks across all ministries.
Improving the internal audit activity in Brazil
An internal audit function is a critical component of an internal control system and of safeguarding integrity. It provides independent, objective assurance and advice meant to add value by strengthening internal control and risk management (OECD, 2020[2]). The Brazilian federal public administration’s internal audit services are provided primarily by the CGU. Ensuring that its internal audit activity embodies the capacities required by international standards is key to providing value. CGU internal audit’s current capability permits it to provide internal audit services; however, it should endeavour to continue building its capacity in line with international standards.
The CGU should further develop performance indicators to continue building internal audit capacity to add value in the area of integrity, risk management and governance
Establishing an internal audit function and undertaking assurance engagements is predicated on fundamental requirements being in place, namely independence of the audit activity and objectivity of auditors (CGU, 2017[22]). Additionally, the IIA’s International Standards for the Professional Practice of Internal Auditing endorse proficiency (knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities) and continuing professional development (IIA, 2017[23]).
Between 2006 and 2009, the Institute of Internal Auditors Research Foundation developed the Internal Audit Capability Model (IA-CM) for the public sector. The IA-CM is a tool that assesses an internal audit’s existing capabilities against the requirements to identify gaps.
The tool assesses the following key process areas of an internal audit activity at 5 capability levels:
services and role of internal audit
people management
professional practices
performance management and accountability
organisational relationships and culture
governance structure.
Once all key process areas associated with a capability level have been mastered and institutionalised within the internal audit activity, a given capability level is assigned (Table 4.3).
In 2022, the World Bank assessed the CGU’s internal audit activity to determine the accuracy of the CGU’s self-assessment of Level 2 of the IA-CM (Table 4.3). The World Bank’s assessment agreed with CGU’s self-assessment based on a review of documentation, systems, and procedures. The World Bank assessment also found that the internal audit activity was generally in compliance with the Institute of Internal Auditors Standards. It noted that the internal audit activity had undergone significant change stemming from the enforcement of Normative Instruction No. 3, of June 9, 2017. That Normative Instruction had approved the new technical reference for the internal audit activity of the Federal Executive Branch, which aligned with the International Professional Practices Framework of the Institute of Internal Auditors (IIA). Policies, practices, and processes were well documented in an internal audit manual, and audit management software was implemented to facilitate the planning, examination, and reporting of internal audit engagements. Adequate supervision was provided by the Internal Audit Committee, which reviewed and approved all the team's working papers. Other positive developments included internal manuals, training of auditors, the development of a new audit system and the establishment of a quality improvement system, Pro-Qualidade, which advocated for the Internal Audit Capability Model (IA-CM) assessment. The assessment also noted that the CGU met most of the Level 3 key process areas.
Table 4.3. Internal Audit Capability Model (IA-CM) for the public sector – Capability Model Matrix
| Capability level | Services and role of internal audit | People management | Professional practices | Performance management and accountability | Organisational relationships and culture | Governance structure |
|---|---|---|---|---|---|---|
| 5 - Optimizing | | | | | | |
| 4 - Managed | | | | | | |
| 3 - Integrated | | | | | | |
| 2 - Infrastructure | | | | | | |
| 1 - Initial | Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs depend upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely to be part of a larger organisational unit; no established capabilities; therefore, no specific key process areas. | | | | | |
Sources: ADB (2018[24]), Capacity Development and Knowledge Sharing Initiatives (Internal Auditing in the Public Sector), https://cfrr.worldbank.org/index.php/node/2416; PEFA (2022[25]), Stocktaking of Public Financial Management Diagnostic Tools – Global Trends and Insights, https://www.pefa.org/node/5240.
Recommendations from the assessment included formalising training for auditors including making provisions for continuous professional development and monitoring whether training provided resulted in improved audit quality. The assessment also recommended that the CGU adopt measures to engage with managers to relay the importance of observing audit recommendations (World Bank, 2022[26]).
It is commendable that the CGU sought to undertake this assessment as a means of gauging its internal audit capacity. To progressively attain higher levels along the IA-CM continuum, the CGU should further reinforce its efforts to improve the capacity and competence of its internal audit function. It should focus on continuously measuring its performance to drive improvement. Establishing performance measures is critical in determining if an audit activity is meeting its goals and objectives (IIA, 2010[27]).
The standards promulgated by the IIA establish Standard 1300 on the quality assurance and improvement programme (QAIP) that covers all aspects of the internal audit activity, including its efficiency and effectiveness. The QAIP should include both internal and external assessments. Internal assessments should include (i) ongoing monitoring of the performance of the internal audit activity which is part of the day-to-day supervision, review, and measurement of the internal audit activity; and (ii) periodic self-assessments or assessments by other persons within the organisation with sufficient knowledge of internal audit practices (IIA, 2017[23]). Compliance with standards for internal assessment would require the internal audit activity to demonstrate a commitment to the use of proper performance indicators to measure, report on, and enhance performance.
Performance measures of the internal audit activity may be qualitative or quantitative in nature and may include measures such as:
level of contribution to the improvement of risk management, control, and governance processes
improvement in staff productivity
increase in number of action plans for process improvements
adequacy of engagement planning and supervision
effectiveness in meeting stakeholders’ needs
results of quality assurance assessments and internal audit activity’s quality improvement programmes
clarity of communications with the audited entity and the board (IIA, 2010[27]).
As with the CGU, the United Kingdom (UK) government also has a centralised internal audit function: the Government Internal Audit Agency (GIAA). Created in 2015, the GIAA provides audit and assurance services across a wide range of central government entities (UK Government, 2016[28]). To determine how well it is delivering against its strategy, the GIAA has established a suite of key performance indicators to monitor overall organisational performance (Box 4.2). The GIAA measures its performance year over year and can use these results to inform future action for improvement. The CGU can model its performance measurement after the GIAA’s or seek similar examples from internal audit functions around the world.
Having an effective and efficient internal audit activity is particularly relevant in light of promoting integrity and tackling corruption, as fraud detection and mitigation is one of the defining components of any quality internal audit function (IIA, 2019[29]). Internal audit contributes to fraud detection and mitigation in a number of ways: by evaluating the potential for fraud and how the organisation manages fraud risk; by assessing the internal control system to determine whether it is effective against fraud; by undertaking detection strategies, such as data mining and trend analyses, to uncover anomalies; and by evaluating indicators of fraud and deciding whether further action is necessary or whether an investigation should be recommended (IIA, 2019[29]; 2019[30]).
Internal audit is also positioned to add value to risk management processes and governance. The IIA standards specifically state that “The internal audit activity must assess and make appropriate recommendations to improve the organisation’s governance processes for: …Overseeing risk management and control.” The internal audit activity can determine whether risk management processes are effective by examining whether significant risks are identified and assessed, whether appropriate risk responses are selected and whether relevant risk information is communicated across the organisation to enable staff and management to carry out their responsibilities. The internal audit activity must also evaluate risk exposures relating to the organisation’s governance regarding the achievement of objectives, the reliability and integrity of financial and operational information, and the safeguarding of assets, among others (IIA, 2017[31]).
Box 4.2. Key performance indicators of the UK Government’s Internal Audit Agency
The UK Government’s Internal Audit Agency (GIAA) established key performance indicators to measure whether activities made a difference to performance as expected and to monitor overall organisational performance:
| Strategic focus | Measure | Performance |
|---|---|---|
| Impact | Responses to customer service questionnaire (CSQ): “Did our outputs and/or recommendations identify opportunities to improve the control environment and make a difference to you?” | Target: Average score of at least 8 out of 10; 2022-23: 8.20; 2021-22: 8.02 |
| People | People engagement index in the 2022 Civil Service People Survey. | Target: A year-on-year increase, taking us closer to the Civil Service average; 2022-23: 63%; 2021-22: 64% |
| Quality | Responses to CSQ: | Targets: 8 out of 10 |
| | How well did we engage and consult with you? | 2022-23: 8.73; 2021-22: 8.48 |
| | How well do you feel we worked together to deliver to agreed timescales? | 2022-23: 8.58; 2021-22: 8.42 |
| | To what level did our people demonstrate an effective understanding of your business and risks? | 2022-23: 8.38; 2021-22: 8.19 |
| | To what level did our people demonstrate that they were objective, professional, knowledgeable, and skilled? | 2022-23: 8.88; 2021-22: 8.76 |
Source: UK Government (2023[32]), Annual Report and Accounts 2022/23, https://www.gov.uk/government/publications/giaa-annual-report-and-accounts-2022-2023.
Given the centralised nature of the internal audit function within the Brazilian federal administration, CGU is well-placed to assess cross-cutting issues related to integrity across several ministries and agencies, such as the implementation of risk management, the effectiveness of the UGIs, and whether the governance structures are in place to support such initiatives. As previously described, the area of risk management within the federal public administration faces many challenges that impede the process. Internal audit can therefore play a role in providing some direction on improvements that could be made.
Strengthening the external audit function in Brazil
Supreme audit institutions contribute to accountability and transparency by auditing public finances and operations. Through their work they may detect irregular conduct and poor performance, and identify potential indications of corruption and fraud (Newiak, Segura-Ubiergo and Aziz Wane, 2022[33]). Integrity is the responsibility of all public sector actors and thus requires the co-operation of strong institutions. The complementary functions of external audit and internal audit in providing assurance of efficiency and propriety are one such example of co-operation that may reinforce integrity. The TCU and CGU collaborate in certain areas; however, there remain opportunities to enhance this relationship. As providers of oversight and information on the proper and efficient use of public funds, it is incumbent upon these key players to co-ordinate their respective functions to maximise their collective impact.
The TCU and the CGU could further improve the co-ordination of their audit functions to prevent duplication and build synergy in support of integrity risk management
As Brazil’s supreme audit institution (SAI), the Federal Court of Accounts (Tribunal de Contas da União, TCU) plays a vital role in ensuring oversight, foresight and insight for public policies, including integrity policies (OECD, 2021[34]). It is responsible for scrutinising the federal budget and resources, including federal funds transferred to states, the federal district, and municipalities. As part of its compliance and jurisdictional role, TCU promotes integrity and accountability in the public sector through its authority to issue sanctions and non-binding resolutions and by undertaking performance, financial, and compliance audits (TCU, n.d.[35]; OECD, 2017[3]).
Performance audits assess how well government is managing its systems, operations, programmes, and activities and recommend systemic improvements. Financial audits review the yearly public accounts of the federal government in line with constitutional provisions and international best practice and issue a non-binding opinion regarding the regularity of the account. Compliance audits are undertaken to verify that the use of public funds by organisations and entities to which federal resources flow adheres to laws and regulations (TCU, n.d.[35]). Given the nature of financial and compliance audits, where irregularities in public expenditure may be found, they may help to detect fraud and corruption. Audit findings are presented to parliament and made public (OECD, 2013[36]).
The TCU general website emphasises its role in fighting corruption, noting that “The main concern of the Brazilian Federal Court of Accounts is the incessant fight against corruption, waste, and the misuse of federal resources”. This highlights the importance of conducting compliance audits, such as those carried out to scrutinise public works and to report their status to Congress (TCU, n.d.[35]). Stakeholders echoed that sentiment and noted that most of the audits undertaken by the TCU were compliance audits (versus performance and financial audits). In fact, the “Lava-Jato” case reportedly had its beginnings in a finding from a TCU compliance audit on Petrobras public works.
In marking the 10-year anniversary of the Anti-Corruption Law, the Minister of State of CGU espoused the need for joint action between the TCU and the CGU (TCU, 2023[37]). The TCU and the CGU collaborate on cases involving fraud and together also co-operate with other partners on a variety of anti-corruption initiatives (Box 4.3).
Box 4.3. Joint actions on Anti-corruption carried out by the TCU, the CGU and other anti‑corruption bodies based on co-operation agreements
Operation “Research” – Joint action of TCU, the Federal Police and CGU: A 2016 TCU audit found that the Federal University of Paraná had awarded fraudulent research grants worth R$7.3M. TCU co-ordinated with the Federal Police, CGU, and other bodies of the Control Network to investigate the case to arrive at a judgement.
Operation “Tritão” – Joint action of TCU, the Federal Revenue, the Federal Police, CGU, and the Federal Public Prosecutor’s Office. A joint investigation undertaken on the bidding processes of the Company of the Docks of the State of São Paulo (Codesp) found evidence of fraud and nepotism worth R$37M.
Performance Audit to Evaluate the Susceptibility to Fraud and Corruption of Mato Grosso do Sul Public Organisations. A comprehensive review of the management practices, internal controls, and financial transactions of various public organisations in the state of Mato Grosso do Sul, Brazil. The audit was conducted by several public agencies in partnership (Secretaria do TCU no Estado do Mato Grosso do Sul, Controladoria-Geral da União Regional Mato Grosso do Sul, Tribunal de Contas do Estado de Mato Grosso do Sul, Controladoria-Geral do Estado de Mato Grosso do Sul, Controladoria-Geral do Município de Campo Grande). The audit focused on identifying potential vulnerabilities in the management and control processes of the public organisations.
National Corruption Prevention Programme – PNPC. Initiated by the network of control bodies across the country and sponsored by the CGU and TCU, the programme is geared to managers of all public organisations in all three levels of government and all three branches of the federal government. It offers managers tools for the implementation of corruption control mechanisms. This includes an online self-service platform (e-Prevenção) where managers evaluate their institution to identify the vulnerabilities to corruption (self-assessment). Based on their input, managers access an action plan to respond to the identified needs of their institution. The programme also offers guidance and training.
Sources: Interviews and documentations provided by Brazilian stakeholders; information on the Operation “Research”: CGU (2017[38]), “Operação Research investiga desvios de recursos de bolsas de pesquisas na UFPR”, https://www.gov.br/cgu/pt-br/assuntos/noticias/2017/02/operacao-research-investiga-desvios-de-recursos-de-bolsas-de-pesquisas-na-ufpr; TCU (2017[39]), Deflagrada segunda fase da Operação Research, https://portal.tcu.gov.br/imprensa/noticias/deflagrada-segunda-fase-da-operacao-research; information on the Operation “Tritão”: CGU (2018[40]), “CGU combate fraudes em contratações na Companhia Docas de São Paulo”, https://www.gov.br/cgu/pt-br/assuntos/noticias/2018/10/cgu-combate-fraudes-em-contratacoes-na-companhia-docas-de-sao-paulo; MPF (2023[41]), “Após denúncia do MPF, sete envolvidos em contrato irregular no Porto de Santos (SP) viram réus”, https://www.mpf.mp.br/sp/sala-de-imprensa/noticias-sp/apos-denuncia-do-mpf-sete-envolvidos-em-contrato-irregular-no-porto-de-santos-sp-viram-reus; information on Performance Audit to Evaluate the Susceptibility to Fraud and Corruption of Mato Grosso do Sul Public Organisations: TCU (2019[42]), “TCU, em parceria com outros órgãos de controle, detecta fragilidade no combate à fraude e à corrupção em Mato Grosso do Sul”, https://portal.tcu.gov.br/imprensa/noticias/tcu-em-parceria-com-outros-orgaos-de-controle-detecta-fragilidade-no-combate-a-fraude-e-a-corrupcao-em-mato-grosso-do-sul; information on the PNPC: TCU (2021[43]), “Conheça os resultados do Programa Nacional de Prevenção à Corrupção”, https://portal.tcu.gov.br/imprensa/noticias/conheca-os-resultados-do-programa-nacional-de-prevencao-a-corrupcao; Rede de Controle da Gestão Pública (n.d.[44]), Homepage, https://www.rededecontrole.gov.br/ (accessed on 18 February 2025).
In addition to co-ordinating on integrity and anti-corruption initiatives, there is significant scope for CGU-TCU co-ordination on their respective assurance functions. The assurance services delivered by both TCU and CGU within the Brazilian federal public sector are considerable. The TCU, as the supreme audit institution, complements internal audits with its external audit function. Given the prominence placed on the audit function (be it internal or external), this raises the question of whether and how well these audit functions are co-ordinated. This is an area that requires attention for several reasons, not least that the institutions responsible for assessing the efficiency of government expenditure may themselves be conducting their activities in an inefficient manner. Furthermore, undertaking audits can be burdensome on audited entities given the added work of auditors requesting access to documentation and personnel. Thus, duplication can further constrain an audited entity’s already limited resources by placing demands that could have been prevented through co-ordination.
Stakeholders conveyed their concern about the lack of co-ordination between the TCU and the CGU, noting that there was sometimes duplication with TCU and CGU undertaking separate audits on the same subject matter within an entity. Although TCU stakeholders reasoned that, at times, duplication allowed the subject matter to be examined from both the internal audit and external audit lens, they acknowledged that unnecessary duplication occurred. According to the interviews conducted, this is largely due to TCU and CGU not harmonising their audit planning processes.
Notwithstanding this, Brazil’s regulatory framework makes some provision for co-operation between internal and external audit to avoid duplication:
Chapter III of the Organic Law of the TCU stipulates that, in support of external control, the bodies that are part of the internal control system must carry out audits on the accounts of those responsible under its control, issuing a report, audit certificate and opinion. Therefore, the TCU and CGU co-ordinate efforts to render an opinion on the consolidated year-end government report, Accounts of the President of the Republic (Contas do Presidente da República) (OECD, 2013[36]).
Article 18 of TCU Normative Decision 198/2022 determines that the bodies of the internal control system must communicate to the TCU, through the platform “Conecta-TCU” or by other means, information concerning audits, inspections, evaluations or verifications. The TCU may not use the results of these audits if the documents are not sent on time or the evidence is not deemed sufficient and appropriate.
Articles 12 and 13 of the Normative Instruction No. 84/2020 of the TCU provide that the TCU must maintain constant communication with those responsible for the bodies and units that make up the internal control system of the powers of the Union, aiming at improving its actions in relation to audits of accounts.
There may be opportunities to conduct joint work which can serve the purposes of both internal and external audit (Box 4.4). Internal auditors will invariably consider controls over compliance with laws and regulations as part of their work. And this is of use to external auditors who may have to provide an opinion on the regularity of transactions and whether activities have been carried out in accordance with laws and regulations passed by a country’s parliament (INTOSAI, 2010[45]). Stakeholders at the TCU stated that in several TCU processes, the work of internal audit was used to inform their work, noting that evidence obtained through internal audit was critical for the external audit analyses. Stakeholders further noted their strategy to co-operate with internal audit through joint action and information exchange. They highlighted two secretariats (Deputy Secretariat for Strategic Information and Innovation and Secretariat for External Control of Consensual Solutions) who worked directly with internal audit bodies on anti-corruption and leniency agreements respectively.
Box 4.4. Benefits of co-ordination and co-operation
A range of benefits may be obtained from co-ordination and co-operation between SAIs and internal auditors, including:
an exchange of ideas and knowledge
strengthening their mutual ability to promote good governance and accountability practices, and enhancing management understanding of the importance of internal control
more effective audits based on:
promoting a clearer understanding of respective audit roles and requirements
better informed dialogue on the risks facing the organisation leading to a more focused audit and, consequently, more useful recommendations
better understanding by both parties of the results arising from each other’s work which may have an impact on their respective future work plans and programmes
more efficient audits based on:
better co-ordinated internal and external audit activity resulting from co-ordinated planning and communication
refined audit scope for SAIs and internal auditors
reducing the likelihood of unnecessary duplication of audit work (economy)
minimising disruption to the audited entity
improving and maximising audit coverage based on risk assessments and identified significant risks.
mutual support on audit recommendations which may enhance the effectiveness of audit services.
Source: INTOSAI (2010[45]), ICS – INTOSAI GOV 9150 – Coordination and Cooperation between SAIs and Internal Auditors in the Public Sector, https://www.psc-intosai.org/library/ics-intosai-gov-9150-coordination-and-cooperation-between-sais-and-internal-auditors-in-the-public-sector/.
Furthermore, stakeholders described a co-operation agreement between TCU and CGU spanning October 2021 to October 2026. Its purpose is to foster technical co-operation, provide mutual support, and exchange information and technologies. The agreement provides for various measures, including regular communication between teams responsible for the same entity to share resources, information, and results about the areas audited and to complement the results of the work performed. The agreement also provides for undertaking integrated actions of mutual interest. As part of this collaboration, the CGU has access to LabContas, a central repository of data and information developed by the TCU to facilitate cross-referencing of databases and advanced analytic solutions. This has strengthened information sharing between the two institutions.
Finally, the CGU has access to the Laboratory of Information on Control (LabContas), developed by the TCU as a central repository of data and information on control. It enables crossing of databases and offers data analytics solutions. Therefore, LabContas offers another opportunity for an effective sharing of the TCU databases with the CGU.
As such, in addition to the legal provisions and meetings between TCU and CGU, there is already a fair amount of co-operation between both agencies and progress has been made. However, there is still some opportunity for improvement, given the duplications noted by stakeholders. Important areas can also be overlooked by both internal and external audit. Thus, the collaborative relationship between the TCU and CGU should be further strengthened. Both parties acknowledge the importance of such an improved co‑operation, which, in practice, may sometimes be difficult to implement.
In particular, stakeholders stated that there were no clear and detailed standards and guidelines to support the implementation of co-operation, to help manage risks that may arise during the implementation of co‑operation activities and to enhance the effectiveness of co-operation. SAIs and internal audit bodies in other countries co-ordinate in a variety of ways, as illustrated below (Box 4.5). Some good practices that Brazil may find of value are the adoption of internal control standards that provide guidance in cooperation, and in assigning one of the parties the task of minimising duplication, such as in the case of Poland. The standards could also provide guidance on TCU-CGU collaboration on the audit planning process which is critical to reduce duplication.
Box 4.5. Countries’ various approaches to co-ordination between external and internal bodies
Belgium
In the Flemish Community of Belgium the benefits are realised and maximised through consultation between the supreme audit institution and internal audit about: the results of monitoring and risk analysis; the consultation about planning (which audit topics overlap, timing and spread of the topics); the participation of the SAI and internal audit in management boards and management committees; the organisation of and active participation in workshops and information sessions; the systematic exchange of reports and manuals; and the review by the SAI of internal audit’s internal control guide.
Poland
Co-operation between Poland’s SAI, the Supreme Audit Office (NIK), and internal audit functions is required both in laws and standards for internal control, including Poland’s Internal Audit Standards in the Public Finance Sector Entities. Reports of the internal audit entity are shared with the NIK, and the internal and external control entities communicate in the event of potential corruption, fraud or wrongdoing. In addition, the head of the Internal Audit Unit is tasked with minimising duplication between the activities of audit entities and assesses the costs and effectiveness of co-ordination with the NIK.
United Kingdom
The National Audit Office (NAO), under the Comptroller and Auditor General, is responsible for external audit. The NAO audits the financial statements of all central government departments, agencies and other public bodies and reports the results to Parliament. It also carries out approximately 60 value-for-money studies each year looking at how government projects, programmes and initiatives have been implemented. Internal audit and external audit are encouraged to co-operate by sharing strategies, plans and working practices to optimise audit coverage and reduce the audit burden on the organisation. External auditors may seek to place reliance on internal audit work in accordance with ISA 610 if they consider that the work is sufficiently objective and technically competent and has been carried out with due professional care.
Korea
Korea's legal framework for fostering cooperation between internal and external auditors is established through the Public Audit Act of 2010. This law mandates regular co-ordination meetings, ensuring consistent communication and alignment between auditors. It includes standardised audit guidelines to harmonise methodologies and avoid duplication of efforts. Training programs for internal auditors, conducted by institutions like the Audit and Inspection Training Institute, are also integrated into the framework to improve competency and understanding of external audit practices. The Act emphasises improving the working conditions of audit personnel to boost morale and efficiency. Collectively, these measures contribute to a transparent, efficient, and collaborative auditing environment in Korea.
Austria
Austria promotes collaboration between internal and external auditors through joint training initiatives. The Austrian Court of Audit collaborates with Vienna University to offer a specialised public auditing course. This program provides a platform for auditors to develop technical skills and exchange insights on best practices. By bringing together auditors from different sectors, the course fosters a shared understanding of methodologies and strengthens professional networks.
Lithuania
Lithuania exemplifies effective collaboration between internal and external auditors through a formal cooperation agreement. This agreement, led by the National Audit Office, involves municipal controllers and associations of internal auditors. Its primary focus is on governance improvement by fostering shared methodologies and professional knowledge exchange. Regular communication under the agreement ensures alignment in audit objectives and practices, promoting transparency and accountability. It also facilitates the joint development of tools and techniques tailored to Lithuania's public sector needs.
Sources: OECD (2017[46]), Mexico's National Auditing System: Strengthening Accountable Governance, https://doi.org/10.1787/9789264264748-en; OECD (2024[47]), “Enhancing co-operation between internal and external auditors: Towards a well-co-ordinated and strengthened public sector audit to ensure public accountability”, https://doi.org/10.1787/0d4976ed-en.
Brazil could continue strengthening external audit across multiple government levels by developing risk-based selection criteria and by further embedding the Integrar Network across all audit courts to strengthen co-ordinated audits, creating a more unified approach to overseeing decentralised policies
Brazil is a vast country with a complex government structure. In 1988, the Federal Constitution gave Brazilian municipalities equal standing with states and federative entities. Local governments are not subordinate to the federal government and municipalities are autonomous. Therefore, there are several actors with decision-making power operating at the three levels of government all striving to implement multi-level policies. This means that all levels of the Brazilian government share responsibilities for implementing policies related to healthcare, education, social security, welfare, housing, etc. Socio‑economic indicators in Brazil show long-standing regional disparities. And the delivery of important decentralised policies, such as those for health and education, to address such disparities is undermined by fragmented multi-level governance. Therefore, gaps and duplication in policy delivery undermine equitable policy delivery and promote regional inequality.
This decentralised structure is mirrored in the external audit system that is composed of 33 audit institutions: courts of accounts (Tribunais de Contas, TC). There are 26 state courts of accounts (Tribunais de Contas dos Estados, TCEs) for each of Brazil’s states. The federal district also has its own court of accounts. The TCEs are financially independent and are fully autonomous and 23 of them also audit the municipalities within their states. According to information received from Brazil, there are currently three courts of accounts for the municipalities (Tribunais de Contas dos Municípios), which are bodies responsible for assisting the audit courts of their states through external control of the municipalities in the respective states: Pará, Goiás and Bahia. In addition, there are two municipal courts of accounts (Tribunais de Contas Municipais), which act as external control bodies for their respective municipalities only: São Paulo and Rio de Janeiro.
Accordingly, this double decentralisation has given rise to fragmented multi-level governance and overlapping mandates within the audit system as shown in Figure 4.2. Audit institutions such as the TCs have an important mandate to oversee and provide assurance on the use of public funds to the legislative body and the public. However, the landscape of decentralised policies and external audit bodies’ overlapping mandates creates challenges for the TCs to provide independent oversight, insight, and foresight for the spending of public money and the performance of policies. TCs however are uniquely positioned to provide insight into the disparities of policy delivery, but only if they themselves are co‑ordinated and can draw on data across all levels of government to inform such territorial variation in socioeconomic conditions and policy outcomes (OECD, 2020[48]).
Some good practices are already in place to foster co-operation among these external audit bodies at different levels. Over half of the TCs have established conditions for collaboration, either in their organic laws, in internal rules, or in both instruments. In general, these legal provisions enable the audit institutions to enter into co-operation agreements with the TCU or other audit institutions to exchange information, improve the control system and train personnel, as well as to develop joint actions involving, for example, a transferring entity or receiving entity of public resources. Approximately 12 TCs establish specific conditions for signing co-operation agreements, approved by the plenary and/or by the president.
Most TCs have been involved in initiatives to exchange information between institutions. These initiatives include, for example:
participation in initiatives and projects with structured communication flows and information sharing – such as the National Strategic Information Network for the External Control (Infocontas)
the Public Expenditure Watch (Observatório da Despesa Pública)
the National Network of Public Indicators (Rede Nacional de Indicadores Públicos, INDICON).
Figure 4.2. Mandates of the courts of accounts in Brazil
Source: OECD (2020[48]), Auditing Decentralised Policies in Brazil: Collaborative and Evidence-Based Approaches for Better Outcomes, https://doi.org/10.1787/30023307-en.
Furthermore, the TCU utilises both joint and co-ordinated audits, by entering into bilateral agreements with both States and Municipalities for a pre-determined scope of audits. Cooperation agreements between the TCU and the different states and municipalities involved are detailed and list the audit scope, methodology, resources, planning, and the databases/information to be used. For example, in 2013 a co-ordinated audit on high school education included 90 auditors from the TCU working jointly with state and municipal audit staff (OECD, 2017[46]).
To further confront this challenge and to improve their performance, impact, and relevance, the TCs in collaboration with the OECD undertook Projeto Integrar (Project Integrate) in 2017 (TCU/IRB/Atricon, 2020[49]; OECD, 2020[48]). The aim of this project was to improve collaboration and foster more co-ordinated oversight of decentralised policies (OECD, 2020[48]).
The project resulted in three main recommendations:
Collaboration and co-ordination among all external audit bodies. Establish and strengthen networks across the entire audit system. Knowledge and information sharing should focus on developing common approaches for audit prioritisation and selection.
Collaborative strategic selection of audits based on evidence and risks. Systematise risk-based audit selection practices through use of data and evidence across the levels of government.
Systematic assessment of multi-level governance factors in audits. Development of a policy-specific, multi-level governance assessment framework to plan and design audits.
As a result of this OECD-TCU initiative, in 2020 a Technical Cooperation Agreement was signed by the TCU, the Association of Members of the Brazilian Audit Courts (Associação dos Membros dos Tribunais de Contas do Brasil, Atricon) and the Rui Barbosa Institute (Instituto Rui Barbosa, IRB) for the formation of the Integrar Decentralized Public Policy Inspection Network (the Network). The expressed purpose of the agreement was to strengthen the co-ordination of the Brazilian external audit function and to contribute to the implementation cycle of decentralised policies in Brazil (Government of Brazil, 2020[50]).
In 2021, a Joint Ordinance was passed to approve the internal regulations of this new network. The internal regulations outlined the Network’s forms of co-operation between participants that include sharing and joint development of methodologies and enabling information exchange. The regulations also outline the organisational structure, which is made up of a Technical Committee to manage and supervise the Network (Atricon et al., 2021[51]). The Network must publish an annual work plan that contains the Network’s priority areas, its forms of cooperation, its planned actions and the TCs involved. The Network reports on activities carried out and results achieved through annual activity reports.
For example, the 2022 and 2023 activity reports reported on a co-ordinated audit to assess the Implementation of the “New Secondary School Education” (NEM). This national initiative, which was established by law in 2017, aimed to ensure access and retention of students in secondary education through the provision of technical and independent studies (Rede Integrar, 2023[52]). The initiative represents a decentralised public policy whose implementation depends on co-ordinated action between the federal and state governments. The audit entailed a multi-level approach whereby the TCU and 15 state TCs audited the Ministry of Education and the state Education Departments.
The TCs jointly undertook the planning and examination phases of the audit such as the development of the work plan, risk assessments, obtaining expert advice, refining the areas to assess, and preparing information collection instruments such as questionnaires and conducting school visits (Rede Integrar, 2022[53]). The TCs completed their individual audits in 2023, where they evaluated the implementation of the New Secondary School Education from the perspective of multi-level governance. The TCU audited the performance of the Ministry of Education as the co-ordinator of NEM across the public system and as the administrator of technical and financial assistance. The participating state TCs audited the performance of their respective state education departments in implementing NEM.
The majority of TCs identified opportunities for improvement related to planning, co-ordination, monitoring, and evaluation. For example, the TCU found that the federal Ministry of Education provided little technical assistance to the state education departments which in turn impacted the state departments’ abilities to implement the NEM, such as not being able to contract specialised consultants for assistance. The TCU also found that the Ministry of Education did not monitor the implementation of NEM due to poor monitoring mechanisms. This therefore prevented the Ministry from identifying weaknesses in the performance of the state education departments. For example, the Ministry of Education did not identify that a state education department had undertaken actions to implement NEM without having formalised a plan to guide its actions. Furthermore, the audit of that state department found poor effectiveness in implementing NEM.
This example showcases the utility of assessing policy implementation from multiple angles to identify the root causes of findings. For example, poor oversight provided by the federal Ministry of Education contributed to poor implementation of the initiative by the state education department. Such findings can lead to strong recommendations and can also inform follow-up activities to verify whether the shortcomings found were addressed.
Other countries with similar external audit governance arrangements have also prioritised co-ordination across the system, as described below in Box 4.6, which includes good practices from Spain and Mexico regarding co-ordination across audit bodies. Note the Mexican example that co-ordinates both internal and external audit bodies, and also the Spanish example of audit institutions reviewing each other’s audit programmes to avoid duplication between internal and external audits.
In recent years, Projeto Integrar has made advances in fostering integrated action among national Audit Courts. Noteworthy progress includes the consolidation of participatory planning processes and the growing involvement of subnational audit courts, which has enhanced collaboration across different levels of governance. However, significant challenges remain in effectively co-ordinating the collective actions of the various institutions involved, particularly given the vast geographical dimensions of the country and the diverse realities within each region. These disparities manifest not only in differing priorities regarding public policy needs and the subsequent monitoring requirements but also in variations in the organisational structures and resource availability across the Audit Courts.
Box 4.6. Formalising co-ordination mechanisms across national and sub-national audit bodies: Examples from Mexico and Spain
The external audit landscapes of both Mexico and Spain assume a similar arrangement to Brazil. That is, the supreme audit institution, in addition to auditing national policy, may also audit funds transferred to sub-national levels and may even audit national policies implemented at the subnational levels. In turn, subnational audit bodies have the autonomy and mandate to decide their own audit programmes.
Although this arrangement fosters opportunities for complete audit coverage of national and subnational policies, there is also potential for duplication and overlaps (e.g. the SAI and a state audit institution both assessing healthcare delivery at the state level), or gaps (where no audit institution addresses an important policy issue). Hence the importance of co-ordinating audits among the external audit bodies of a country.
Both Mexico and Spain are legally mandated to foster co-operation:
Mexico
In 2016, the General Act of the National Anti-Corruption System created the National Audit System (Sistema Nacional de Fiscalización, SNF) with the purpose of co-ordinating audit at the different levels of government to avoid the risks of duplication and gaps and to maximise impact.
Key actors of the SNF include:
1. Mexico’s supreme audit institution, the Auditoría Superior de la Federación, as the lead organisation.
2. The Ministry of Public Administration (Secretaría de Función Pública), a federal executive entity responsible for the internal control bodies within each federal ministry. It defines control procedures and determines the basis for audits in all agencies and entities of the federal administration.
3. Thirty-two State Audit Institutions (Entidades Fiscalizadoras Superiores Locales), the external audit bodies at the state level who audit 31 states and Mexico City. They all have their own independent governments and budgets, hence the need for their own auditing system.
4. Internal control and audit bodies at the state government level.
5. Internal control and audit bodies at the municipal level.
A past strategic plan (from 2013 to 2017) focused on the co-ordination of effective work, avoiding duplication and gaps, and increasing coverage of control for public resources at federal and local levels.
Spain
The Law of the Court of Audit provides for co-ordination between Spain’s supreme audit institution, the Court of Audit (Tribunal de Cuentas) and the external audit bodies of Spain’s autonomous regions (Órganos de Control Externo de las Comunidades Autónomas, the OCEXs).
The Tribunal de Cuentas and the OCEXs co-ordinate by:
Exchanging their audit programmes as part of their planning processes to avoid duplication.
Conducting joint audits on common areas such as public universities or municipal land.
Jointly managing a “Platform for Accountability” where Spanish Local Authorities can provide information on accountability. Information consolidated onto this one platform thus prevents duplication of information.
Sources: OECD (2017[46]), Mexico's National Auditing System: Strengthening Accountable Governance, https://doi.org/10.1787/9789264264748-en; TCU (2020[54]), Relations with External Audit Bodies, https://www.tcu.es/tribunal-decuentas/en/relaciones-externas/relaciones-institucionales/relaciones-con-ocex/index.html; OECD (2020[48]), Auditing Decentralised Policies in Brazil: Collaborative and Evidence-Based Approaches for Better Outcomes, https://doi.org/10.1787/30023307-en.
These challenges are directly reflected in the Network’s annual planning process, which, while participatory, faces constraints in execution capacity. Although there have been improvements in the prioritisation process over the years, the ability to apply objective criteria for project selection remains a work in progress.
Using risk analysis as a basis for prioritising audit topics can be a good starting point (ref. 2018 OECD paper). For example, models such as the Australian National Audit Office’s multi-year audit planning approach could serve as a useful reference. This approach, as outlined in the 2018 OECD report, allows for structured, long-term prioritisation of audit topics, ensuring alignment with strategic national interests. Similarly, the United States Government Accountability Office’s High-Risk List methodology, where key national-level risk areas are identified and addressed through multiple co-ordinated audits, could provide a framework for strengthening prioritisation and resource allocation.
An important step toward institutionalising the Integrar Network internally was taken with the creation of the internal regulations of the TCU, particularly Ordinance-SEGECEX Nº 22 of June 15, 2023, which regulates the performance of the General Secretariat of External Control within the Integrar Network. While this represents progress in structuring the Network, broader institutionalisation across the various audit courts remains an ongoing challenge that requires further attention.
By further developing risk-based selection criteria and adopting best practices from international audit institutions, the Integrar Network could enhance its strategic planning process, improve the efficiency of audit resource allocation, and strengthen co-ordination among Brazil’s external audit institutions.
Proposals for action
Supporting the implementation of risk management and internal control mechanisms
The CGU could develop guidance and sensitise public servants to clarify internal control concepts, roles and responsibilities.
The CGU could promote the management responsibility for internal control and risk management through senior management support and public servant engagement.
To effectively implement integrity risk management within the Brazilian Federal Public Administration, the CGU could enlist senior management support, establish governance structures and provide sufficient resources to the Sectoral Units of the SITAI.
Improving the internal audit activity
The CGU should further develop performance indicators to continue building internal audit capacity to add value in the area of integrity, risk management and governance.
The CGU could leverage the centralised nature of its internal audit function to assess cross-cutting issues related to multiple public entities and provide some direction on improvements that could be made.
Strengthening the external audit function
The TCU and the CGU could further improve the co-ordination of their audit functions through clear standards and guidelines to prevent duplication and build synergy in support of integrity risk management.
The TCU could develop and adopt a risk-based approach for audit prioritisation, drawing from international best practices, to target high-risk areas and ensure audits align with national and regional priorities.
The TCU could further embed the Integrar Network across all Audit Courts to enhance co-ordinated audits, harmonise methodologies, and ensure consistent participation, fostering a more unified approach to the oversight of decentralised policies.
References
[24] ADB (2018), Capacity Development and Knowledge Sharing Initiatives (Internal Auditing in the Public Sector), Asian Development Bank, https://cfrr.worldbank.org/index.php/node/2416 (accessed on 7 December 2023).
[9] ANAC (n.d.), Internal Audit, National Civil Aviation Agency of Brazil, https://www.anac.gov.br/en/about-anac/departments/internal-audit (accessed on 6 December 2023).
[51] Atricon et al. (2021), Joint Ordinance No. 4/21 of 2 September 2021, Association of Members of the Courts of Auditors of Brazil, Rui Barbosa Institute, Federal Court of Accounts and National Council of Presidents of the Courts of Auditors, https://irbcontas.org.br/wpfd_file/portaria-conjunta-04-2021-_-ri-rede-integrar/ (accessed on 26 February 2024).
[19] Batista Vieira, J. and A. Batista de Araujo (2020), “Risk management in the Brazilian Federal Government: A ministerial analysis”, https://revista.enap.gov.br/index.php/RSP/article/view/4466/2856.
[40] CGU (2018), “CGU combate fraudes em contratações na Companhia Docas de São Paulo”, Comptroller General of Brazil, https://www.gov.br/cgu/pt-br/assuntos/noticias/2018/10/cgu-combate-fraudes-em-contratacoes-na-companhia-docas-de-sao-paulo (accessed on 18 February 2025).
[17] CGU (2018), Guia Prático Gestão de Riscos para a Integridade – Orientações para a administração pública federal direta, autárquica e fundacional, Comptroller General of Brazil, https://www.legiscompliance.com.br/biblioteca-digital/499-guia-pratico-de-gestao-de-riscos-para-a-integridade (accessed on 1 December 2023).
[22] CGU (2017), Implementation Guide for the Professional Practice of Government Internal auditing within the Brazilian Federal Executive Branch, Comptroller General of Brazil.
[38] CGU (2017), “Operação Research investiga desvios de recursos de bolsas de pesquisas na UFPR”, Comptroller General of Brazil, https://www.gov.br/cgu/pt-br/assuntos/noticias/2017/02/operacao-research-investiga-desvios-de-recursos-de-bolsas-de-pesquisas-na-ufpr (accessed on 18 February 2025).
[11] COSO (2013), Guidance: Internal Control - Integrated Framework, Committee of Sponsoring Organizations, https://www.coso.org/guidance-on-ic.
[50] Government of Brazil (2020), General Secretariat of the Presidency: Extract from Cooperation Agreement, Diário Oficial da União.
[10] Government of Brazil (2016), Instrução Normativa Conjunta No 1 de 10 Maio de 2016, Ministry of Justice and Public Security and Comptroller General of Brazil, https://www.gov.br/mj/pt-br/acesso-a-informacao/governanca/Gestao-de-Riscos/biblioteca/Normativos/instrucao-normativa-conjunta-no-1-de-10-de-maio-de-2016-imprensa-nacional.pdf/view (accessed on 25 February 2024).
[16] Government of Canada (2022), Health Canada - 2021-22 Departmental Financial Statements, https://www.canada.ca/en/health-canada/corporate/transparency/corporate-management-reporting/departmental-performance-reports/2021-2022-financial-statements.html (accessed on 20 January 2024).
[15] Government of Canada (2019), Guide to Ongoing Monitoring of Internal Controls Over Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32651&section=html (accessed on 20 January 2024).
[14] Government of Canada (2017), Policy on Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32495 (accessed on 20 January 2024).
[4] IIA (2023), What is Internal Audit, Institute of Internal Auditors, https://www.theiia.org/en/about-us/about-internal-audit/#:~:text=What%20is%20Internal%20Audit%3F,and%20improve%20an%20organization's%20operations (accessed on 2 December 2023).
[6] IIA (2020), “The IIA’s Three Lines Model – An update of the Three Lines of Defense”, Institute of Internal Auditors, https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/.
[30] IIA (2019), “Fraud and internal audit – Assurance over fraud controls fundamental to success”, IIA Position Paper, Institute of Internal Auditors, https://www.theiia.org/en/content/position-papers/2019/fraud-and-internal-audit-assurance-over-fraud-controls-fundamental-to-success/.
[29] IIA (2019), “Fraud identification and deterrence – Part 1: Internal audit’s role in fraud risk management”, Industry Knowledge Brief, Institute of Internal Auditors.
[31] IIA (2017), International Professional Practices Framework (IPPF), Institute of Internal Auditors, https://www.iia.org.au/member-resources/factsheets/factsheet-ippf (accessed on 4 December 2023).
[23] IIA (2017), International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors, https://www.theiia.org/en/content/guidance/mandatory/standards/international-standards-for-the-professional-practice-of-internal-auditing/ (accessed on 4 December 2023).
[27] IIA (2010), Measuring Internal Audit Effectiveness and Efficiency. International Professional Practices Framework - Practice Guide, Institute of Internal Auditors, https://www.theiia.org/globalassets/documents/content/articles/guidance/practice-guides/measuring-internal-audit-effectiveness-and-efficiency/practice-guide-measuring-internal-audit-effectiveness.pdf?ref=clarissalucas.com.
[45] INTOSAI (2010), ICS – INTOSAI GOV 9150 – Coordination and Cooperation between SAIs and Internal Auditors in the Public Sector, Professional Standards Committee, International Organization of Supreme Audit Institutions, https://www.psc-intosai.org/library/ics-intosai-gov-9150-coordination-and-cooperation-between-sais-and-internal-auditors-in-the-public-sector/.
[8] INTOSAI/IIA (2022), “Applying the Three Lines Model in the public sector: A joint paper”, International Organization of Supreme Audit Institutions and Institute of Internal Auditors, https://www.theiia.org/globalassets/site/content/articles/applying_the_three_lines_model_in_the_public_sector.pdf.
[5] ISO (2018), ISO 3100, Risk management – Guidelines, Second Edition 2018-2, International Standards Organisation.
[12] Mendes de Oliveira, D. et al. (2022), “How do internal control environments connect to sustainable development to curb fraud in Brazil?”, Sustainability, Vol. 14/9, p. 5593, https://doi.org/10.3390/su14095593.
[41] MPF (2023), “Após denúncia do MPF, sete envolvidos em contrato irregular no Porto de Santos (SP) viram réus”, Public Prosecutor’s Office of Brazil, https://www.mpf.mp.br/sp/sala-de-imprensa/noticias-sp/apos-denuncia-do-mpf-sete-envolvidos-em-contrato-irregular-no-porto-de-santos-sp-viram-reus (accessed on 18 February 2025).
[33] Newiak, M., A. Segura-Ubiergo and A. Aziz Wane (2022), “The role of supreme audit institutions in addressing corruption, including in emergency settings”, in Good Governance in Sub-Saharan Africa: Opportunities, International Monetary Fund, Washington, DC, https://doi.org/10.5089/9781513584058.071.
[47] OECD (2024), “Enhancing co-operation between internal and external auditors: Towards a well-co-ordinated and strengthened public sector audit to ensure public accountability”, OECD Public Governance Policy Papers, No. 67, OECD Publishing, Paris, https://doi.org/10.1787/0d4976ed-en.
[13] OECD (2022), Modernising Integrity Risk Assessments in Brazil: Towards a Behavioural-sensitive and Data-driven Approach, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/ad3804f0-en.
[34] OECD (2021), Strengthening Public Integrity in Brazil: Mainstreaming Integrity Policies in the Federal Executive Branch, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/a8cbb8fa-en.
[48] OECD (2020), Auditing Decentralised Policies in Brazil: Collaborative and Evidence-Based Approaches for Better Outcomes, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/30023307-en.
[2] OECD (2020), OECD Public Integrity Handbook, OECD Publishing, Paris, https://doi.org/10.1787/ac8ed8e8-en.
[3] OECD (2017), Brazil’s Federal Court of Accounts: Insight and Foresight for Better Governance, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264279247-en.
[46] OECD (2017), Mexico’s National Auditing System: Strengthening Accountable Governance, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264264748-en.
[1] OECD (2017), Recommendation of the Council on Public Integrity, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0435.
[36] OECD (2013), Brazil’s Supreme Audit Institution. The Audit of the Consolidated Year-end Government Report, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264188112-en.
[20] OECD (n.d.), OECD Public Integrity Indicators (database), OECD, Paris, https://oecd-public-integrity-indicators.org/ (accessed on 14 February 2025).
[25] PEFA (2022), Stocktaking of Public Financial Management Diagnostic Tools – Global Trends and Insights, Public Expenditure and Financial Accountability, https://www.pefa.org/node/5240 (accessed on 4 December 2023).
[44] Rede de Controle da Gestão Pública (n.d.), Homepage, https://www.rededecontrole.gov.br/ (accessed on 18 February 2025).
[52] Rede Integrar (2023), Fiscalização de Políticas Públicas Descentralizadas. Relatório Annual de Atividades.
[53] Rede Integrar (2022), Fiscalização de Políticas Públicas Descentralizadas. Relatório Annual de Atividades.
[37] TCU (2023), “TCU celebra 10 anos da Lei Anticorrupção em evento da Controladoria-Geral da União”, Federal Court of Accounts, https://portal.tcu.gov.br/imprensa/noticias/tcu-celebra-10-anos-da-lei-anticorrupcao-em-evento-da-controladoria-geral-da-uniao.htm (accessed on 25 February 2024).
[43] TCU (2021), “Conheça os resultados do Programa Nacional de Prevenção à Corrupção”, Federal Court of Accounts, Brazil, https://portal.tcu.gov.br/imprensa/noticias/conheca-os-resultados-do-programa-nacional-de-prevencao-a-corrupcao (accessed on 18 February 2025).
[21] TCU (2020), Referencial Básico de Governança organizacional para organizações públicas e outros entes jurisdicionados ao TCU, Federal Court of Accounts, https://portal.tcu.gov.br/imprensa/noticias/tcu-publica-a-3-edicao-do-referencial-basico-de-governanca-organizacional.htm (accessed on 8 December 2023).
[54] TCU (2020), Relations with External Audit Bodies, Federal Court of Accounts, https://www.tcu.es/tribunal-decuentas/en/relaciones-externas/relaciones-institucionales/relaciones-con-ocex/index.html (accessed on 24 January 2024).
[42] TCU (2019), “TCU, em parceria com outros órgãos de controle, detecta fragilidade no combate à fraude e à corrupção em Mato Grosso do Sul”, Federal Court of Accounts, https://portal.tcu.gov.br/imprensa/noticias/tcu-em-parceria-com-outros-orgaos-de-controle-detecta-fragilidade-no-combate-a-fraude-e-a-corrupcao-em-mato-grosso-do-sul (accessed on 18 February 2025).
[39] TCU (2017), Deflagrada segunda fase da Operação Research, Federal Court of Accounts, Brazil, https://portal.tcu.gov.br/imprensa/noticias/deflagrada-segunda-fase-da-operacao-research (accessed on 18 February 2025).
[7] TCU (2017), Survey Report - Judgment No TC 011.759/2016-0, Federal Court of Accounts, https://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A25EABAA93015EBEA525695384 (accessed on 3 December 2023).
[18] TCU (2015), Risk Management: Public Governance Survey, Federal Court of Accounts, https://portal.tcu.gov.br/biblioteca-digital/gestao-de-riscos-levantamento-de-governanca-publica.htm (accessed on 3 December 2023).
[35] TCU (n.d.), Auditing, Federal Court of Accounts, Brazil, https://portal.tcu.gov.br/english/auditing (accessed on 4 December 2023).
[49] TCU/IRB/Atricon (2020), Projeto Integrar: Propostas para o fortalecimento do controle externo de políticas públicas descentralizadas, Federal Court of Accounts, Rui Barbosa Institute and Association of Members of the Courts of Auditors of Brazil, https://portal.tcu.gov.br/publicacoes-institucionais/cartilha-manual-ou-tutorial/projeto-integrar-propostas-para-o-fortalecimento-do-controle-externo-de-politicas-publicas-descentralizadas (accessed on 5 December 2023).
[32] UK Government (2023), Annual Report and Accounts 2022/23, Government Internal Audit Agency, https://www.gov.uk/government/publications/giaa-annual-report-and-accounts-2022-2023 (accessed on 5 December 2023).
[28] UK Government (2016), Annual Report and Accounts 2015/16, Government Internal Audit Agency, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/534352/160629_Annual_Report___Accounts_GIAA_2015-16-FINAL__Web_PDF_.pdf (accessed on 7 December 2023).
[26] World Bank (2022), World Bank Report Validating CGU’s Internal Audit-Capability Model Level 2, World Bank, Washington, DC, https://www.gov.br/cgu/pt-br/assuntos/noticias/2022/11/cgu-recebe-certificacao-no-nivel-2-do-modelo-ia-cm-pelo-banco-mundial/relatorio-banco-mundial-validacao-cgu-iacm-nivel-2.pdf/view (accessed on 4 December 2023).