This chapter discusses Jordan’s integrity risk management, internal control, and audit arrangements, which are undergoing change. This entails a move towards integrating risk management across the public sector and the gradual adoption of ex-post control with the introduction of an internal audit function in alignment with international standards. Recommendations include codifying risk management practices into policies and tools for guidance, strengthening key internal controls and building an independent and capable internal audit function. The chapter also addresses Jordan’s Supreme Audit Institution, the Audit Bureau, and recommends that the Audit Bureau’s independence be reinforced. Other recommendations include enhancing the Audit Bureau’s approach to engaging its stakeholders and making greater use of performance audits.
OECD Integrity Review of Jordan
5. Strengthening the integrity risk management, internal control and audit framework in Jordan
5.1. Introduction
The Jordanian integrity risk management, internal control and audit framework is undergoing change. It is adopting an ex-post approach by strengthening independent oversight through the introduction of an internal audit function and the continued reinforcement of the Supreme Audit Institution (SAI); and it is in the early stages of implementing integrity risk management. This is a critical juncture as the country launches ambitious plans to promote integrity and combat corruption (see Chapter 1). It is therefore important to design a control framework that is strong yet responsive to modernisation and pressure from citizens demanding accountability and transparency. A strong control framework assures efficiency and effectiveness of an organisation’s operations.
The OECD Recommendation on Public Integrity recommends that public sector organisations apply an internal control and risk management framework and ensure effective oversight (OECD, 2017[1]). This is essential to safeguarding public integrity (OECD, 2020[2]). For example, an organisation’s ability to respond to risks that threaten its objectives is contingent upon its capacity for risk management. Risks confronting the Jordanian public sector can impact its ability to deliver services, to retain competent individuals and to safeguard its assets against fraud and corruption. Therefore, a robust risk management framework is crucial. It should be strategic, integrated entity-wide, and focussed on the achievement of objectives and decision-making (ISO, 2018[3]). The internal control system lays the foundation for risk management to support the achievement of integrity objectives as well as other strategic and operational objectives (OECD, 2020[2]). Its importance therefore cannot be overstated. A healthy internal and external control environment will set the expectation for management and personnel to take ownership of risk management and ultimately set the tone for integrity. Box 5.1 provides a glossary of terms differentiating internal control concepts that may cause confusion.
Box 5.1. Glossary of terms related to internal control and internal audit
Internal Control: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Internal control activities: Internal control activities are policies, procedures, and activities to ensure that an organisation meets its objectives with regard to compliance with legal and other requirements, undertaking effective operations and transparent reporting. Effectively designed and implemented internal controls are key to addressing risks.
Preventive Control: An activity designed to deter unintended events from occurring. For example, the pre-approval of actions such as a procedure stating that a vendor invoice should be matched with the organisation’s purchase order, prior to payment being made.
Detective Control: An activity designed to discover events that have already occurred. For example, reconciliations such as reviewing transaction records to ensure that payments made or received were accurate.
Internal audit: An independent and objective activity that provides assurance and advisory services with the aim of adding value to the department and improving its work. This activity helps achieve the department’s objectives by adopting a systematic and organized approach to evaluate and improve the effectiveness of internal control, risk management, and governance. Internal audits are not undertaken by those responsible for implementing controls as internal audit operates independently of management responsibilities. Independence is secured when the head of the internal audit function reports directly to the highest decision-making authority with direct oversight of the organisation.
Monitoring: Within the context of COSO’s internal control framework, monitoring evaluates whether the controls in place are present and functioning. For example, monitoring may entail evaluating whether quality of information used in reconciling payables was appropriate or whether employees responsible for applying controls are sufficiently trained.
Source: The Committee of Sponsoring Organisations (2015), Leveraging COSO Across the Three Lines of Defense; The Official IIA Glossary (2020). Accessed at https://www.theiia.org/globalassets/documents/certifications/the-iia-official-glossary/official-iia-glossary-vietnamese.pdf on 11 March 2024; The Committee of Sponsoring Organisations of the Treadway Commission (2013), Internal Control - Integrated Framework. Framework and Appendices
This chapter looks into the Jordanian integrity risk management and audit framework and focuses in particular on the following three core elements:
Implementing effective risk management as well as internal control and audit.
Supporting the Internal Control System with the introduction of internal audit.
Continue strengthening the external oversight provided by the Audit Bureau.
5.2. Implementing effective risk management as well as internal control and audit
The Hashemite Kingdom of Jordan (Jordan) has established key objectives for public integrity and thus has committed to numerous actions to this effect. The 2022 Public Sector Modernisation Roadmap outlines key areas for improvement that align with a more robust control environment. This includes the identification of roles and responsibilities in the integrity, transparency and accountability system, a renewed focus on attracting, developing, and retaining competent leaders and employees and the identification of clear and applicable roles and responsibilities in the integrity, transparency and accountability system that enhances the discretionary and preventive role of internal control units. The National Integrity and Anti-Corruption Strategy (NIACS) 2020-2025 commits to creating a culture of integrity and transparency with strategic projects aimed at capacity development (JIACC, 2019[4]).
Many of the projects considered in the NIACS are relevant for internal control. This includes, in particular, the following projects:
Project No. 3: Enhance the role of liaison offices/representatives of the Commission (JIACC) at the public administration.
Project No. 5: Identifying and assessing risks.
Project No. 7: Activating the role of the internal control units in combating corruption.
Project No. 8: Building the capabilities of the public administration employees in the field of integrity and anti-corruption.
Furthermore, the Jordanian Integrity and Anti-Corruption Commission (JIACC), in collaboration with the NGO Al Hayat-RASED, launched the National Integrity Indicators (NII) project in August 2021 (see Chapter 2). The aim of the project is to “push public administration institutions to engage in real and concrete actions to combat and prevent corruption through their application of integrity standards” (RASED, n.d.). There are five National Integrity Standards (NIS) (JIACC, 2023[5]). The standard of accountability and the standard of good governance are of prime importance to risk management and internal control. Sub-criteria for the standard of accountability are: (1) Ensure that an internal control unit is in place and (2) Develop mechanisms to strengthen the role of the internal control units in the public sector. The standard of good governance sub-criteria includes risk and performance management, and a measurement indicator is “the extent to which internal controls are documented and compliance with its recommendations” (JIACC, 2023[5]).
In general, the responsibility for the implementation of risk management as well as internal control and audit across the public sector is shared among a variety of public sector organisations such as central harmonisation units, audit institutions and anti-corruption bodies (OECD, 2020[2]). The roles of such bodies include setting and harmonising internal control standards and policies; providing guidance and tools; evaluating government-wide efforts to safeguard integrity; and co-ordinating and standardising practices for reporting and responding to suspected integrity breaches for the public sector.
In Jordan, the Ministry of Finance, the Audit Bureau and the Jordan Integrity and Anti-Corruption Commission all play a key role in risk management and internal control within the public sector:
Ministry of Finance (MoF). The Ministry of Finance is responsible for the Internal Control System according to the Internal Control Bylaw and therefore serves as the central harmonisation function. A central harmonisation unit is a body located within the executive branch and typically accountable to the Ministry of Finance that is responsible for internal control systems across the public sector. In Jordan, the Ministry of Finance has established a Central Internal Control Unit to oversee the compliance of the Internal Control Units (ICU) across the public sector. Furthermore, the Minister of Finance is responsible for forming a Central Committee for Internal Control Standards composed of multi-disciplinary members from government, academia, and the private sector. According to the Internal Control Bylaw, this Committee develops criteria for evaluating the performance of internal control units; it develops internal control policy, standards and procedures; and it builds institutional capacities of government departments and units.
Internal Control Units (ICU). The Internal Control Bylaw stipulates that each department should establish an Internal Control Unit that undertakes internal control and internal auditing of the financial, administrative, and technical transactions in accordance with the provisions of this system. The mission of the ICUs is to preserve public funds and ensure their proper use. They must ensure the accuracy of financial information, verify the effectiveness and efficiency of financial operations in place, ensure compliance with legislation and financial policies, and oversee administrative and technical areas (Internal Control Bylaw). The units report annually on their financial audit plan and any other work, on an as-needed basis. The Minister of Finance must also submit a summary of the reports of internal control in government departments and units to the Council of Ministers on an annual basis.
The Audit Bureau (AB). The Jordanian Audit Bureau is the Supreme Audit Institution of Jordan. Primarily, the AB undertakes compliance and financial audits, although in the last few years the AB has carried out some performance audits as well (European Commission, 2023[6]). The AB is also responsible for auditing the use of funds provided through international grants and loans. According to a Memorandum of Understanding between the AB and JIACC, the AB provides technical expertise to JIACC to investigate complaints and suspicions of corruption. AB officials also noted that they act on materially significant evidence provided by the public related to the misuse of public funds. Lastly, the AB has liaison officers located throughout all public sector departments. The Audit Bureau evaluates the ICUs, the internal control system, and recommends areas for their improvement (see below).
Jordan Integrity and Anti-Corruption Commission (JIACC). JIACC, whose role is described in detail throughout this OECD Integrity Review, also plays a role in risk management and oversight. Within its preventative function, JIACC undertakes corruption risk assessments in collaboration with ministries and institutions. Also, JIACC places liaison officers within departments and ministries to provide oversight; for example, liaison officers can attend procurement meetings and investigate adherence to national integrity standards and legislation (Integrity and Anti-Corruption Law 13). Amongst others, these liaison officers from JIACC have the task of helping to activate the Internal Control Units.
5.2.1. Building on recent progress, Jordan should support its commitment to integrity by implementing an integrated risk management framework
Risk management is fundamental to governance and to how an organisation is managed at all levels. It is integral to the creation, protection, and preservation of value (ISO, 2018[3]; COSO, 2013[7]). Within the context of the public sector, “value” refers to the proper management of public funds and serving the public interest (INTOSAI, 2019[8]). To support the achievement of its objectives, risk management equips an organisation to confront and control the myriad internal and external factors that can influence the fulfilment of its objectives.
Best practice posits that an effective risk management framework should be integrated across all organisational activities, it should be implemented by people at every level, and it should be supported by all stakeholders (ISO, 2018[3]; COSO, 2004[9]). Top management should demonstrate leadership and commitment to risk management (ISO, 2018[3]). For example, the Treasury Board of Canada Secretariat has outlined, in its Guide to Integrated Risk Management, the importance of articulating a vision for a supportive risk management culture. It further recommends that organisations “consider making a statement that clearly articulates the organisation’s objectives for integrated risk management activities and demonstrates a commitment to implementing integrated risk management throughout the organisation”. The guide also speaks to the allocation of appropriate resources (people and tools) for the design, implementation, and maintenance of the risk management approach (Treasury Board of Canada Secretariat, 2016[10]).
OECD interviews with public officials discussed Jordan’s current approach to risk management. All ministries and departments are required to have a Quality and Risk Management unit. These units study “cases” to determine the level of risk and present them to the Minister. Officials noted that the level of proficiency across these units was not uniform, with some working well and others seeking to improve their capacity. More specifically, as of 2020, JIACC has undertaken to conduct risk assessments relating to corruption in the public sector. According to administrative regulations, teams from ministries and government departments (typically the Quality and Risk Management Units and legal experts) are formed to carry out corruption risk assessments. As part of this exercise, they work with an equivalent team at JIACC. Once risk mitigation measures have been identified and implemented, the ministerial teams and JIACC follow up to assess compliance. In this attempt to integrate the corruption risk assessment process throughout the public sector, JIACC has made it mandatory that all public sector departments develop a risk management plan including a focus on corruption risks. More specifically, JIACC has issued memos to a few public institutions so that they may conduct their own risk assessments. The memo instructs that the corruption risk assessments be conducted by multi-disciplinary (technical, legal, and financial) and multi-level teams to ensure adequate coverage.
Although JIACC officials have described their risk assessment approach as new and are seeking to further develop capacity in this area, they have nonetheless developed an approach that consists of the following key steps: 1) identifying risks; 2) proposing a mechanism to address them; 3) putting this mechanism into practice; and 4) re-evaluating the change in the target sector (JIACC, 2021[11]). This aligns with some of the key elements of risk management best practice (Figure 5.1) that includes risk identification, risk analysis and risk evaluation. JIACC has proposed guidance and tools for risk assessment including a risk assessment matrix, a risk assessment guideline, an opinion survey on risks for corruption and a risk assessment report.
Figure 5.1. JIACC’s Methodology for identifying and assessing corruption risks vs. ISO 31000 Risk Management Process, that includes the components of risk assessment
JIACC reported in its 2021 annual report that these risk assessments had resulted in recommendations for the public sector entities of interest. For example, JIACC’s risk assessments for the Jordan Customs Department found weak controls in procurement. Consequently, the studies recommended adherence to procurement legislation, the development of clear procedures for contract procurement, and the development of a conflict-of-interest policy for certain positions (JIACC, 2021[11]).
Although JIACC has taken the lead on undertaking corruption risk assessments and is encouraging other public sector actors to do the same, the overall risk management system in the Jordanian public sector remains immature and disjointed. There are over 200 departments and ministries, yet JIACC officials noted that it only has the capacity to undertake between 2-4 risk assessments per year. Conducting risk assessment in a piecemeal manner does not support an integrated approach to risk management and is not a comprehensive approach to supporting integrity. For example, communication and consultation methods for the collection, synthesis and sharing of information have not been established and there are no policies or plans to guide the overall process. Finally, there are reportedly weaknesses concerning the overarching commitment by senior leadership to adopting an integrated integrity risk management approach. For risk management to be effective, it should promote a continuous, proactive and systematic process that facilitates understanding, managing and communicating risk from an organisation-wide perspective (Treasury Board of Canada Secretariat, 2016[10]) (Box 5.2).
Box 5.2. The Treasury Board of Canada Secretariat’s Integrated Risk Management Process
The Treasury Board of Canada Secretariat (TBS) is the administrative arm of Treasury Board, the management board of the federal government of Canada. TBS establishes policies and common standards for administrative and organisational practices across government. TBS has published a Framework for the Management of Risk, which is a principles-based approach that promotes sound risk management as fundamental to effective public administration.
Some of the principles outlined in this framework that contribute to effective risk management are:
Government-wide decisions, resource allocations, business planning, and priorities are informed by risk.
Balance should be sought between level of risk and corresponding controls in order to improve performance.
Effective risk management should be inclusive, transparent, integrated and systematic.
The practical application of risk management principles outlined in the framework is contained within the Guide to Integrated Risk Management. This guide proposes an integrated risk management process that consists of a series of inter-connected steps that structure the identification, assessment, response, communication and monitoring of significant risks through an established governance structure.
It consists of the following:
1. Understand the organisation and its context: By establishing the context, the organisation articulates its objectives, and defines the external and internal parameters to be taken into account when managing risk.
2. Establishing and Articulating Direction for Integrated Risk Management: A clear articulation of the vision, objectives and operating principles may foster the creation and promotion of a supportive risk management culture. An organisation may wish to consider accountabilities and responsibilities for managing risk, commitment to adequately resource risk management activities, commitment to review and update the risk management approach, and adopting a methodology for measuring risk management performance.
3. Accountability: Establishing clear risk management roles, responsibilities and networks throughout the governance structure to ensure that key risks are appropriately managed.
4. Resources: Appropriate resources (people, tools) need to be allocated for the design, implementation and on-going conduct of risk management activities. Existing organisational tools and human resource skills can be leveraged and training provided to ensure a common understanding of risk management.
5. Defining the Risk Management Process: A process is required for a consistent approach to operationalizing integrated risk management across the organisation. There needs to be an integrated set of mechanisms for identifying, assessing, responding to, communicating and monitoring risk. Once defined, the process would be used to conduct formal risk assessments that should be embedded in existing structures and processes to support risk-informed decision-making.
Generic Risk Management Process
Risk Identification: Identify and understand risks through various activities such as workshops, checklists, risk assessment exercises, etc. A risk taxonomy can be used to ensure that risk identification considers a broad range of risks.
Risk Assessment: Risks are analysed and prioritized, which involves assessing likelihood and impact of risks. An organisation’s risk tolerance should be defined to inform future actions. Tools for risk assessments include surveys and workshops.
Risk Response: The selection and implementation of measures to respond to a risk: accept, monitor, transfer, avoid threat, or reduce the risk and its impact. The risk response should be accompanied by specific actions, responsibilities and timelines.
Risk Communication: Timely communication and reporting of risk information to the appropriate levels of the organisation to support decision-making.
Risk Monitoring: Regular review of risk information to consider the impact of change on existing risk responses. It also involves the review of the risk responses to ensure that they are effectively implemented and achieve their planned results.
Establishing Communications and Reporting Mechanisms: Maintaining communication channels to keep stakeholders informed of risk management processes, practices, and risk responses. It involves responding effectively to public concerns and expectations. In the interest of transparency, provide interested stakeholders with a snapshot of the organisation's key risks and what is being done to manage them.
Regarding how risk assessment influences the design and implementation of internal controls, Jordan’s default is to attempt to eliminate all risk of fraud or wrongdoing (PEFA, 2022[12]). Although this may lead to a system of robust controls, the trade-off is that resources are used inefficiently and other areas that could benefit from additional resources are neglected. This is important because in an environment constrained by financial and other resources that is seeking to promote integrity and combat corruption, limited resources should be allocated to areas of greatest risk. A risk management framework and accompanying guidance can provide the direction and information on how to approach risk management and make decisions on resources (Box 5.2).
Therefore, to ensure a standardised and co-ordinated approach to risk management, the current risk management practices should be embedded within an integrated risk management framework that is ultimately in service of achieving the organisation’s objectives and in making informed decisions. This would entail senior management commitment, the assignment of clear roles and responsibilities and established means of co-operation among actors. Furthermore, an integrated risk management framework and guidance would require communication and consultation methods to facilitate information sharing and the receipt of feedback to make improvements. Effective risk management would necessitate codifying risk management practices into policies and tools such as risk assessment guidelines. An integrated risk management framework must also ensure that risk management is embedded within management processes such that it is a part of governance, leadership and is fundamental to how the organisation is managed at all levels.
For example, policy issued by the United States Office of Management and Budget (OMB), the central harmonisation function for the federal government, stipulates management responsibility for internal control and risk management (OMB, 2016[13]). The OMB Circular No. A-123 policy outlines risk management components, which aligns closely with the ISO 31000 Risk Management Process: risk identification, analysis and evaluation of risk, risk response, monitoring and review, communication and consultation, and reporting and recording risk information. The policy also describes the governance structure best suited to implementing risk management and it recommends that responsibility for risk management be shared from the highest levels of executive leadership to service delivery staff executing programmes. The policy further stipulates the development of a risk profile – an analysis of an entity’s risks to achieving its objectives and the identification of options for addressing those risks. Of note is the policy’s requirement for management to consider fraud risks (OMB, 2016[13]). This policy defines key risk terms such as risk tolerance and risk appetite and encourages the opening of communication channels to ensure the right information is obtained to inform decisions.
Finally, effective risk management cannot be implemented without skilled and competent professionals who can use systems and tools to undertake effective risk management processes. The Commonwealth of Australia’s risk management framework, for example, acknowledges that all staff have a role to play in risk management and that staff should be well-skilled, trained and adequately resourced. Clear roles and responsibilities must be assigned, and staff should have the opportunity for ongoing development of their risk management competencies. Moreover, systems and tools are necessary to provide storage and accessibility of risk information. Systems and tools should be adapted to the needs of the organisation and should fulfil certain functions: the ability to store required data that will inform decisions; the ability to be modified to improve utilisation and functionality; and the provision of timely and accurate information for communication to stakeholders (Commonwealth of Australia – Department of Finance, 2023[14]).
5.2.2. Management should be empowered to take ownership of risk management and the design and implementation of internal controls
Clear roles and responsibilities are critical to ensuring that all actors understand how to address risk management and internal controls. Such clarity is important in defining how they coordinate with each other and in preventing gaps or duplication. The Institute of Internal Auditors’ Three Lines Model sets out a clear framework for the establishment of roles and the division of responsibilities for the management of risks and internal control (IIA, 2020[15]) (Figure 5.2). Under this model, three functions (lines) within the organisation are integral for effecting risk management and designing, implementing, and assessing internal control.
They are overseen by senior management and the organisation’s governing body:
The first line constitutes management who is on the front line of operations. They are responsible for owning and managing risk and control.
The second line consists of supportive functions such as financial control, risk management, compliance and quality management that are put in place by management. They are responsible for monitoring risk management and internal controls.
The third line is internal audit. They are independent from management responsibilities and provide independent and objective assurance and advice to senior management on the effectiveness of risk management, governance and internal controls.
Figure 5.2. The 3 Lines Model
Management responsibility comprises both the first- and second-line roles where the first line role is directly responsible for operations and the second line role is complementary and focuses on risk (IIA, 2020[15]). Figure 5.2 provides a visual description of this framework, an international best practice. This is a sage approach, because management’s expertise in operations can be leveraged to design and implement controls that are risk-based, including around integrity and anti-corruption. Controls that are risk-based can be more preventive and detective in nature, and can complement the work of other actors, such as JIACC’s work in enforcement (Chapter 6). For example, putting in place a proper system for defence against fraud requires having an effective system of internal controls (IIA, 2019[16]). Internal controls include procedures such as requiring multiple signatures on high-value transactions or protocols such as requiring employees to take vacation time to prevent continual manipulation of records (IIA, 2019[16]). An internal control system that is effective against fraud and wrongdoing should target all aspects of the fraud triangle: financial pressure that cannot be solved through legitimate means; perceived opportunity to commit fraudulent activity without fear of being caught; and rationalisation that the fraudulent activity is somehow justified (ACFE, 2023[17]). Management is well-placed to identify the areas where the application of an internal control may be appropriate.
In Jordan, similar to many countries in the region (Box 5.3), the hierarchical and centralised structure of the public service currently makes it difficult for management to assume responsibility for both risk management and the design and implementation of internal controls (PEFA, 2022[12]). Thus, the first line is currently not assumed by management. Rather, the internal control units placed within each public sector entity assume this function. They are responsible for verifying transactions before they are incurred, such as checking payments before disbursement or reviewing salaries to ensure compliance with legislation (PEFA, 2022[12]). Stakeholders referred to these activities as ‘pre-audit’. Stakeholders also described the second line function, noting that financial controllers and financial inspectors were responsible for ensuring departments do not exceed their allocated budgets and examining issues deemed necessary for further inspection.
Box 5.3. The hierarchical culture impedes managerial responsibility over Internal Control
Public institutions of the Middle East are typically characterised by high degrees of centralisation and “strong government executives”. This creates a control environment with low managerial responsibility and accountability due to lack of delegation, as decisions are taken at the higher levels. Because of this, line managers and staff tend not to be aware that their responsibilities also include internal control and risk management.
For management to properly assume the first line, there must be the recognition that internal control and risk management should flow through entity processes and that everybody has a role and is involved to different extents. Coupled with this, training and capacity building should be undertaken to ensure that staff can discharge their responsibilities vis-à-vis internal control and risk management and to understand that internal control is not distinct from daily governance and core operations.
Source: (OECD, 2017[18]).
It would therefore be of value for the Jordanian public sector to consider how it may align its internal control system with the Three Lines Model to ensure clearly delineated roles amongst all actors. Implicating managers—those on the front lines of operations and service delivery—in managing risk and designing, implementing, and monitoring internal controls would align with best practice (Figure 5.2). This may be particularly beneficial for the Jordanian public sector, as the current approach to the design and implementation of controls is, as mentioned above, to attempt to eliminate all risk rather than assessing risk and tailoring controls in accordance with the significance of those risks. This has implications for the efficient use of resources and the effectiveness of current controls (this is described in further detail below). The Ministry of Finance should develop and implement policies assigning the first line role to management.
Furthermore, assigning management responsibility for risk management and internal control creates communication channels with the governing body and the rest of the organisation on the achievement of objectives and risks that may threaten objectives (IIA, 2020[15]). Communication methods facilitate the sharing of information and feedback, which can further reinforce the capacity to identify risks and respond with effective internal controls.
5.3. Supporting the transition of the Internal Control System from ex-ante to ex-post
5.3.1. The Ministry of Finance should ensure that the public sector is equipped to assume ex-post internal control
Internal control represents the processes in place to provide reasonable assurance that an organisation’s objectives are being met. These objectives are efficient and effective operations, compliance with legislation and policies and timely and transparent financial and non-financial reporting (COSO, 2013[7]). Common internal controls include authorisation and approval procedures; spending limits; segregation of duties; reconciliations; system passwords; and ongoing monitoring and review. These processes also function to curb potential fraudulent behaviour (OECD, 2019[19]). Although internal controls can be broad, most countries have tended to focus on those related to the legality of spending (Ruffner and Sevilla, 2006[20]).
Internal control systems fall into one of two camps: ex-ante and ex-post. Ex-ante controls are compliance oriented. Thus, the focus is placed on verifying that an action (such as a payment) is allowed and that all supporting documentation is in place before that action is undertaken (OECD, 2017[18]). Ex-post control, on the other hand, furnishes management with the freedom to allocate financial and non-financial resources, which is then checked after the fact (Ruffner and Sevilla, 2006[20]). The ex-ante approach places emphasis on legality and compliance while the ex-post approach places emphasis on performance. Typical ex-ante internal controls include spending limits and signing authorities, while typical ex-post controls are, for example, spending reports and internal financial audits (Ruffner and Sevilla, 2006[20]). OECD member countries over the years have gravitated towards an ex-post internal control system as government budgets have grown and greater emphasis has been placed on the performance of government versus compliance with the law. Technological advancements and decentralisation have also contributed to this reform (Ruffner and Sevilla, 2006[20]).
Jordan’s top-down budgeting structure requires strong ex-ante control as a means of ensuring that the government spends no more than it is allocated. Jordan’s internal controls focus on compliance with regulations and involve multiple layers of ex-ante review in the areas of finance and accounting, payroll and procurement (OECD, 2017[18]). These layers of review consisted of each department’s internal control unit, Ministry of Finance financial controllers, and ex-ante review by the Audit Bureau auditors (although this has lessened in recent years). This “heavy apparatus of control” is maintained by dedicating significant resources and procedures to layers of supervision for each expenditure transaction (PEFA, 2022[12]). The trade-off of having a robust internal control system with extensive controls and inspection is inefficiency. Furthermore, overreliance on the Ministry of Finance inspectors and, to a lesser degree, the Audit Bureau to detect irregularities may create a lack of accountability by absolving decision-makers of their responsibilities to ensure regularity and adherence to requirements. In addition, directing significant resources to enforce strict compliance with regulations may impede the performance of systems and the delivery of services. Furthermore, the bureaucratic and hierarchical management style that currently characterises the Jordanian public sector may enable an ex-ante internal control system, but it can inhibit an ex-post internal control system. A key feature of an ex-post internal control system is that managers are delegated the responsibility to allocate resources, make decisions and manage risk, which are then checked after the fact (Ruffner and Sevilla, 2006[20]).
At present, Jordan finds itself in a situation similar to that of OECD European countries years ago in transforming their internal control system from ex-ante to ex-post (Ruffner and Sevilla, 2006[20]; PEFA, 2022[12]). As Jordan modernises, becomes more technologically savvy and continues to be a beneficiary of significant sums of donor funding, enhancing government performance becomes paramount, particularly considering Jordan’s commitments to integrity and anti-corruption. However, there continue to be numerous controls and inspection activities, such as in payroll control, non-salary spending, and strong internal controls within the Government Financial Management Information System (GFMIS) (PEFA, 2022[12]). Despite this, there are areas where internal control is weak due to lack of automation or the standardisation of processes, particularly at the municipality level. Interviews with Jordanian officials also noted internal control disparities across the public sector and that internationally accepted accounting principles were not applied equally.
Therefore, efforts should be made to reinforce those controls by standardising processes and automating where necessary, as some ex-ante control is important, particularly in a top-down budget environment. It is therefore incumbent on the Ministry of Finance to ensure that the current internal control system is not open to undue risk by maintaining key controls and reinforcing those that are weak. Key to this transition though would entail assessing the trade-off of applying burdensome internal controls and the limited benefit obtained from the risks mitigated by those controls. This should be followed by relinquishing those controls for which there is little benefit and too high a cost in maintaining it. This goes hand-in-hand with decision-makers adopting a healthier risk appetite as they empower managers to take responsibility for internal control and risk management and place greater reliance on internal and external audit. Managers therefore should be empowered and provided with relevant training to assume responsibility for internal control and risk management.
As it moves towards ex-post control, the Jordanian public sector must recognise that such a reform is not without risks and challenges, which the system must be well equipped to handle. There has been noteworthy progress with the partial retreat of external audit (the Audit Bureau) from ex-ante control and the introduction of the internal audit role (see next section). The challenge that remains, however, is to maintain key internal controls that safeguard against fraud and wrongdoing and relinquish those that are costly, onerous and afford minimal benefit. This can liberate resources that can be allocated towards more effective internal controls as well as the establishment of internal audit.
5.3.2. The Internal Control Units should be supported in assuming the third line
A key feature of the ex-post system is the independent assurance and advice provided by an internal audit function. Internal audit provides an assessment of how well internal controls are functioning and can be instrumental in fraud detection and mitigation (IIA, 2019[16]). For example, management is well placed to implement internal controls that target fraudulent activity. In turn, internal audit can support management in this function by identifying potential fraud risks and suggesting internal controls that target all three aspects of the fraud triangle (IIA, 2019[16]).
Recent achievements in the development of internal audit, according to Jordan’s Public Financial Management Strategy 2022-2025, have included the development of an internal audit approach, a special methodology to assess the internal control system, and internal audit documents such as a charter and procedure manual. The Ministry of Finance’s Internal Audit Charter includes a definition of internal audit that aligns with international standards. An audit charter asserts the independence of the internal audit function, its unrestricted access to information and personnel, and the freedom to determine its scope of work and when and how it reports its findings (IIA, 2017[21]).
Stakeholders noted the attempt in recent years to change the profile of internal control units, using the terms ‘pre-audit’ and ‘post-audit’ to describe 1) ex ante: verifying transactions prior to them being incurred and 2) ex-post: the retroactive assessment of controls, respectively. The current initiative to transition internal control units from ex ante to ex post has generated some resistance among stakeholders. Firstly, stakeholders noted that removing the internal control units from an ex-ante (‘pre-audit’) function to assume an ex-post or internal audit function (‘post audit’) would result in the loss of public funds, because the internal control units perform a critical function of verifying transactions before they are incurred and at times verify the transaction after the fact. Stakeholders also noted that complete coverage of all administrative processes to ensure controls were applied was still lacking, therefore the system could not afford to remove the internal control units from ex ante control. Adopting ex-post control would ensure that the party responsible for internal audit was independent from management functions such as applying internal controls.
To illustrate the difference between internal controls and internal audit, Figure 5.3 provides an overview of a generic cash payments cycle (i.e., the process followed by an organisation to pay a vendor for services rendered or products delivered once an invoice has been submitted to the organisation). This process spans three separate divisions to ensure the segregation of duties, an important control against fraud. Each division is identified according to its appropriate “line” from the “Three Lines” model described in Figure 5.2. To ensure that the payment is legitimate, the procurement unit will match the vendor invoice to the document issued by the purchasing department for fulfilment by the vendor. Once the two documents line up and the invoice is approved, a second check is undertaken by a controller prior to instructing the treasurer to make the payment. In this generic scenario, the function of internal control units, as described by stakeholders in Jordan, would likely entail verifying the transaction before it is made, thereby acting as the 2nd line. Note that an internal audit function would not participate in this process at all to safeguard its independence.
Figure 5.3. Generic example of the cash payments cycle and the placement of the 3 Lines
Source: CIA Review. Part 1: Essentials of Internal Auditing. Gleim Publications, Gainesville, Florida, 2019
Indeed, internal audit provides an independent and objective assessment; this is incompatible with direct involvement in the implementation of controls or undertaking risk management. This nuance is particularly important within the context of the Jordanian public sector where the internal audit function has been assumed by internal control units who are also responsible for ensuring controls were implemented. Successful implementation of an internal audit function necessitates safeguarding its independence where it reports directly to the head of the organisation and is independent of management duties.
As already mentioned, stakeholders in Jordan conveyed that internal control units played a critical role in the implementation of controls, particularly in light of fraud. Stakeholders noted that in some government departments, internal control units were directly involved in approving spending and thus were at the heart of operations. Furthermore, stakeholders emphasized the inherent conflict and impediment to independence if internal control units were expected to assume responsibility for applying internal controls while also undertaking the internal audit function. If internal control units are to assume responsibility for internal audit, they cannot also be charged with implementing internal controls, and therefore alternative arrangements would have to be made to re-establish the internal control function once held by the internal control units. This would entail amending the Internal Control Bylaw to distinguish the responsibility of internal control (management) from the responsibility of internal audit (an independent entity within the organisation). This arrangement could result from a cleavage of the existing internal control units where one half of the unit is now responsible for the internal audit function that reports directly to the head of the organisation (to assure independence) and has the capacity to undertake this work and the other half retains the original role of implementing internal controls. In addition, managers should be implicated in applying controls with support from the second line such as compliance or inspection departments. It is the prerogative of the Ministry of Finance to decide how to move forward; nevertheless, separating the internal audit function from that of implementing internal control should remain at the forefront of its decision-making.
Despite the resistance of some stakeholders to internal control units assuming the internal audit function, internal control units have been adopting this function in the last few years. In fact, the Audit Bureau assessed some internal control units in 2022 for fiscal year 2021. The assessment revealed weaknesses in audit skills, internal audit standards and methodology, and highlighted impairments to independence. Additionally, a 2023 evaluation of 131 internal control units by the Audit Bureau assessed about 60% of them as being weak. Stakeholders noted however that additional training was being provided in response to these results (see next section that describes the potential impacts of this form of assessment on the Audit Bureau’s independence).
Furthermore, the 2022 report on Public Expenditure and Financial Accountability found that there remained areas for improvement regarding the internal control units’ continued focus on compliance as opposed to assessing overall performance and outcomes (PEFA, 2022[12]). Internal audit should add value by identifying areas where controls are weak or lacking or conversely highlight good practices adopted to curb fraud and corruption. Therefore, using internal audit simply to ensure compliance with regulations does not take advantage of the potential of internal audit to improve the effectiveness of controls. Consequently, there are opportunities for capacity building and training of internal control units to raise their level of proficiency in line with international standards, if internal control units are expected to assume the role of an internal audit function.
5.4. Continue strengthening the external oversight provided by the Audit Bureau
Supreme Audit Institutions (SAIs) are public bodies that operate at arm’s length from government and report to Parliament. This ensures their independence as they undertake objective assessments of the performance of governments in responsibly and effectively spending public funds and in delivering required services and programmes to their citizens. SAIs will undertake financial audits to determine whether the government’s financial statements are reflective of an organisation’s financial performance. Compliance audits, assessing the legality of transactions, and performance audits, assessing the efficiency, effectiveness, and economy of activities, programmes, and operations, are also undertaken by SAIs.
5.4.1. Jordan should continue to strengthen the Audit Bureau’s independence to fulfil its mandate
The chief hallmark of a SAI, such as the Audit Bureau in Jordan, is its independence. This precondition allows the Audit Bureau to objectively assess government’s management of financial and operational activities and to communicate these results to taxpayers and their representatives in Parliament. An SAI’s independence has many facets including security of tenure and legal immunity of the head of the SAI, in addition to financial and administrative autonomy (INTOSAI, 2007[22]). In the area of anti-corruption activities, SAIs can have an impact where their independence is respected and where they have sufficient capacity and resources to undertake their work (Schöberlein, 2019[23]).
Jordan’s constitutional and legal framework makes provisions for the independence of the Audit Bureau. The Constitution of 1952 stipulates that the law shall provide for the immunity of the head of the SAI. Since coming into force, the Audit Bureau Law has been amended several times to incrementally reinforce the Audit Bureau’s independence (European Commission, 2023[6]).
The current Audit Bureau Law 28 specifies the Audit Bureau’s independence in the following ways:
Article 2 stipulates the Audit Bureau’s financial and administrative independence.
Article 2 further states that the President prepares the Audit Bureau’s annual budget and sends it to the Prime Minister for inclusion in the general budget in accordance with established procedures.
Article 5 stipulates that the head is appointed by royal decree based on the recommendation of the Council of Ministers. This appointment is communicated to the House of Representatives. The head cannot be removed, transferred, forced to retire or have disciplinary penalties imposed except with the approval of the House of Representatives, if the Council of Ministers is assembled. If the Council of Ministers is not assembled, the King, based on their recommendation can remove, transfer, force to retire or have disciplinary penalties imposed on the head of the Audit Bureau. In this case, the Prime Minister will brief the Council of Ministers once they have assembled.
Concerning the protection of the head of the Audit Bureau, the law confers immunity from prosecution resulting from the normal discharge of the head’s responsibilities. However, the law is silent on a set appointment term for the head of the Audit Bureau. A pre-determined and fixed term that is sufficiently long would allow the head to discharge their responsibilities with confidence (INTOSAI, 2007[22]). This is particularly important as the Audit Bureau is modernising to align their practices with international standards and to raise the profile of the Audit Bureau (as described below). Furthermore, although approval must be sought from the House of Representatives to remove, transfer, force to retire or impose disciplinary penalties, the initial appointment is not subject to their approval as the royal decree is informed solely by the Executive. Jordan could therefore consider that the House of Representatives be included in the decision to appoint the Head of the Audit Bureau to ensure a participatory and open process.
The Mexico Declaration of SAI independence asserts that SAIs should have sufficient resources to fulfil their mandate and the Executive should not control or direct access to these resources (INTOSAI, 2007[22]). However, the current law allows for the scrutiny of the Audit Bureau’s budget by the Ministry of Finance (European Commission, 2023[6]). This interference could potentially impede the Audit Bureau’s work as there is the opportunity for the Executive to deny the Audit Bureau the resources necessary to carry out its mandate. The Audit Bureau’s financial independence should therefore be strengthened by preventing the influence of the Executive on its proposed budget.
Another means by which an SAI exercises its independence is in the administration of its human resources. This allows the SAI to recruit the manpower it deems suitable to carry out the work of the institution and to determine appropriate pay scales. In the past, the Audit Bureau had typically obtained its personnel through the centralised public sector human resources service. Stakeholders have noted that co-ordination with this centralised service limits the independence of the Audit Bureau in the recruitment of its staff. This is reflected in the Audit Bureau’s 2021-2023 Strategic Plan that identified the Audit Bureau’s financial and administrative independence and legal immunity as a weakness. The latest proposed amendments to the Audit Bureau law were in 2022, and there are plans to further amend the law as stated in the 2024-2027 operational plan, including incorporating a provision to follow up on recommendations.
An SAI enjoys its independence by determining the scope of the work that it undertakes, by having unfettered access to documentation and personnel and by publicising freely the results of its assessments (INTOSAI, 2007[22]). The Audit Bureau has the latitude to determine its scope of work as it sees fit and has the power to audit all government departments, ministries, municipalities, universities and companies in which the government owns 50% or more of its shares. The Audit Bureau also audits international grants and loans. With regard to accessing information, Audit Bureau stakeholders noted that they sometimes encountered difficulty in obtaining documentation from audit entities either in a timely manner or even at all. Stakeholders felt that this was due to a lack of accountability and recourse. Increased engagement with audit entities about the Audit Bureau’s work, its legal mandate and ability to hold government to account may compel audited entities to be more cooperative. A stakeholder engagement strategy might be useful in this case. See the section below on stakeholder engagement for more details.
Finally, the type of work undertaken by the Audit Bureau as well as where it does its work can also impact the Audit Bureau’s real or perceived independence. As mentioned above, the Audit Bureau undertakes assessments and provides recommendations to the internal control units, which may be useful to promote improvement in their performance and may foster coordination and cooperation between external and internal audit. However, this form of assessment more closely resembles management advice and feedback; it is more appropriate for the Audit Bureau’s work regarding internal control and internal audit to be undertaken within the context of an audit. This may be an acceptable interim measure to facilitate the development of internal control units that do not yet exhibit the maturity and proficiency to undertake their internal audit functions, particularly in light of their past ex ante functions. However, it can infringe on the Audit Bureau’s independence and objectivity where the Audit Bureau is perceived as being responsible for improving the internal control units’ weaknesses, which is a management function.
The Audit Bureau should therefore transition away from this advisory work and fully embrace its role as an independent assurance provider. Instead, the Ministry of Finance, in its central harmonisation role, should provide guidance and oversight to internal control units to build their capacity and promote their independence. The Audit Bureau can add value through both financial and performance audits where it can assess the internal control system and/or the internal audit function (as described in Box 5.4).
Furthermore, Audit Bureau stakeholders mentioned that the majority of their auditors were located in the spending units of other departments as opposed to Audit Bureau premises. While this was likely due to the Audit Bureau’s past role in ex ante control of departments, its retreat from this function over the years begs the question of why as many auditors continue to reside at departments to which they do not belong. This can impede the Audit Bureau’s independence as auditors are perceived as belonging to the departments that they audit. This arrangement may also hamper auditor objectivity as they are tasked with auditing those with whom they are co-located. This arrangement may also complicate internal communication within the Audit Bureau and the harmonisation of audit approaches. The Audit Bureau should therefore reconsider this arrangement, by scrutinizing how auditors located in departments impact the Audit Bureau’s independence and by considering the potential benefits of relocating auditors to Audit Bureau premises.
Box 5.4. The Office of the Auditor General of Canada’s performance audits on the federal government’s internal audit activity
From 1999 to 2002, the professional practice of internal auditing underwent significant change. The Institute of Internal Auditors adopted a new definition for internal auditing which included an assurance and consulting role for internal audit, followed by a new professional practices framework. During that time, the government of Canada also emphasized the role of internal audit in providing assurance services to senior management in its Independent Panel’s Report on the Modernization of Comptrollership within the Government of Canada.
In 2004, the Office of the Auditor General (OAG) assessed whether a sample of departments and agencies complied with internal audit policy to determine whether the internal audit functions were independent and received support from senior management. The audit also assessed the internal audit functions’ effectiveness in terms of whether auditors exercised due professional care, the extent to which internal audit provided coverage on internal control, governance and risk management and whether a quality assurance process was in place. The OAG found considerable variation in the organisations it assessed and proposed several recommendations to improve the quality of the internal audit across the government in the areas of independence, human resource capacity, and focus on assurance services.
A follow-up audit in 2011 found that the government had made progress in acting upon the commitments it made in response to the observations and recommendations of the 2004 audit. Areas of improvement included independence and strengthened internal audit capacity that were in conformance with internal audit policy and professional standards. The audit also found that the Treasury Board Secretariat of Canada (the central harmonisation unit) had developed tools and guidance for the internal audit community.
Source: Office of the Auditor General of Canada (2004): Report of the Auditor General of Canada to the House of Commons – Chapter 1 Internal Audit in Departments and Agencies. Accessed at Chapter 3—Internal Audit (publications.gc.ca); and Office of the Auditor General of Canada (2011): Status Report of the Auditor General of Canada to the House of Commons – Chapter 3 Internal Audit. Accessed at 2004 Report of the Auditor General of Canada - March (publications.gc.ca).
5.4.2. The Audit Bureau could consider performance audits that assess efficiency and effectiveness of the internal control system and other areas relevant to strengthening the integrity system
The Audit Bureau has undertaken many initiatives and improvements over the last several years to strengthen its capacity. Of note is the Audit Bureau’s involvement in Twinning Projects funded by the European Commission, where the focus has been to modernise by adopting audit software and computer assisted auditing techniques. Other areas identified for capacity building include implementing quality assurance processes for the audit process and implementing a risk-based approach for audit selection (European Commission, 2023[6]). The Audit Bureau should continue to modernise its audit processes through the adoption of IT and to align its methodology with international best practice.
Although the Audit Bureau focusses primarily on undertaking financial and compliance audits, it also undertakes performance audits, but to a lesser degree (European Commission, 2023[6]). Compliance audits are valuable, in that they reveal where there are non-compliances with regulations and processes, and they provide recommendations to curb such non-compliance. Thus, they can play a role in helping to reinforce the internal control system (INTOSAI, 2019[24]). Compliance audits, however, are limited in their ability to showcase whether an overall system is working effectively or efficiently, which is what a performance audit can do. For example, a performance audit will assess whether the systems and processes in place to safeguard a procurement process are working well, while a compliance audit will assess whether there is conformance with procurement regulations. Although both are beneficial, performance audits are more likely to speak to transparency and fairness of the procurement process, while the compliance audit would not have this level of insight (INTOSAI, 2019[25]). Therefore, performance audit can be effective within the context of promoting integrity and controlling anti-corruption. Box 5.5 provides an example of the findings of an Australian performance audit on procurement.
Box 5.5. The Australian National Audit Office’s 2022 Audit on Procurement
The National Capital Authority (NCA) manages and maintains assets for the national capital, Canberra. Most assets are maintained under competitively tendered contracts and represent some of the Capital’s most nationally and culturally significant landscapes and attractions. Procurement is therefore the core business of the National Capital Authority. In 2019–20 and 2020–21, there were 327 contracts with a total value of $69.9 million AUD.
In 2022, the Australian National Audit Office (ANAO) undertook a performance audit of procurement of the NCA. The objective of the audit was to examine whether the NCA’s procurement activities were complying with procurement rules and whether they demonstrated value for money.
The audit examined a sample of 42 procurement contracts to provide coverage across the different procurement approaches employed by the NCA. The audit found that the NCA did not sufficiently use open and competitive procurement processes and that the NCA’s procurement approach was not sufficiently open and fair. For example, tender documentation often included conditions that limited competition, and suppliers were approached directly, thereby limiting the pool of potential suppliers to those that had been previously engaged by the NCA. The audit also found that the NCA did not comply with procurement rules in that it did not always demonstrate that the contracts awarded would provide the best value for money.
Some of the recommendations included increasing the extent to which the NCA employs open competitive procurement processes and improving the NCA’s controls over the use of procurement methods where contractors were approached directly.
Source: Australian Government – National Capital Authority: What we do. Accessed at https://www.nca.gov.au/about-us/what-we-do on 12 March 2024; Australian National Audit Office (2022) Auditor General Report No. 30 of 2021-22: Procurement by the National Capital Authority. Accessed at https://www.anao.gov.au/work/performance-audit/procurement-the-national-capital-authority#para-2-3
Typically, the head of a Supreme Audit Institution has a legal mandate to exercise their discretion in undertaking performance audits. For example, Canada’s Auditor General Act affords the Auditor General broad powers to “call attention to anything that he considers to be of significance and of a nature that should be brought to the attention of the House of Commons”. This would include any cases where money has been expended without due regard to economy or efficiency or where there have been no established measures to report on the effectiveness of programmes. The Australian Auditor General Act also affords the Auditor General similar discretion. The Act states that the Auditor General “may at any time conduct a performance audit of commonwealth entities and companies” where a performance audit is described as a review or examination of any aspect of the operations of a body.
Although the Audit Bureau has undertaken performance audits, they have focussed primarily on environmental issues and there has been little coverage over the delivery of main public services (European Commission, 2023[6]). As the internal control system matures and transitions to an ex-post system, the Audit Bureau can leverage its growing capacity for performance audit to assess the efficiency and effectiveness of the internal control system. Performance audits can provide the insight into root causes of system failures or inefficiencies. Thus, a performance audit can facilitate the necessary action to address these issues from their point of origin.
Furthermore, the Audit Bureau enjoys a co-operative relationship with JIACC through a memorandum of understanding that promotes exchange of information and technical expertise. The Audit Bureau can further strengthen that relationship by targeting its performance audits on areas of mutual interest such as procurement or financial management at the municipality level. Providing insight into root causes of corruption may complement the work of JIACC in prevention, detection and enforcement. The Audit Bureau should therefore continue to strengthen its capacity to undertake performance audits and consider undertaking performance audits in areas of interest to both JIACC and the Audit Bureau.
5.4.3. The Audit Bureau could work on a stakeholder engagement strategy aimed at leveraging and promoting the impact of its work
Given a SAI’s role in helping to ensure transparency of government operations and holding the government to account for its stewardship of public funds, it is crucial to have the trust and the attention of the legislature and the public (INTOSAI, 2016[26]). To be effective, SAIs require a supporting institutional context, such as parliamentary oversight of its work (Schöberlein, 2019[23]). In OECD interviews with the Audit Bureau, officials expressed that the Audit Bureau was seen as a trusted institution in the eyes of the public, often due to their work in uncovering corruption.
However, there is also limited understanding by stakeholders about the full scope of the Audit Bureau’s work and its role in accountability. Audit Bureau public officials conveyed to the OECD during interviews that it publishes one annual report containing a summary of each audit completed. Audit Bureau officials further described that when the annual report is published and sent to Parliament, Parliamentary sessions are covered by the media. The Audit Bureau’s annual report submitted to the legislature has been described as lacking simplicity and not being user-friendly, however (European Commission, 2023[6]). Moreover, the 2021 Public Expenditure and Financial Accountability report found that legislative scrutiny of the Audit Bureau’s audit reports was delayed and few hearings to discuss audit findings were held. This represents an opportunity for the Audit Bureau to reconsider how it engages with the legislature and other stakeholders, including how it presents its findings, and to explore whether to publish the full audit reports to increase accountability of audited entities. Principle 6 of the Mexico Declaration of SAI Independence states that SAIs are free to publish and disseminate their reports once formally tabled or delivered to the appropriate authority.
The Audit Bureau may therefore want to consider developing a stakeholder engagement strategy. This could entail defining the various means by which information is communicated to diverse audiences, including the public, who according to international standards, are entitled to access the full reports. Exploring alternative communication tools to convey key messages could be of value, such as the use of visual depictions (infographics). Box 5.6 shows some examples from Canada.
Box 5.6. Audit findings can be conveyed in a reader friendly manner through visual depictions and snapshots highlighting key information: The experience of the Auditor General of Canada
In its 2022-23 Commentary on Financial Audits of federal organisations, the Auditor General of Canada made observations on significant findings identified as part of the audit on the Government of Canada’s consolidated financial statements. To showcase deficiencies noted in general controls over key government IT systems, it used an infographic to describe types of IT controls:
Figure 5.4. Exhibit 3 – Information Technology (IT) general controls
Furthermore, to depict weaknesses in the internal controls of human resources processes (entering employee pay data into the human resource system and issuing payment), the report included a graph to show the errors in employees’ pay:
Figure 5.5. Exhibit 4 – Percentage of employees in our sample with an error in basic or acting pay and who are awaiting a correction at year-end
Source: The Office of the Auditor General (2023[27]), Commentary on the 2022-2023 Financial Audits, https://www.oag-bvg.gc.ca/internet/English/parl_oag_202310_00_e_44330.html.
The Audit Bureau could also consider formalising its relationship with the legislature by proposing more frequent hearings to discuss audit findings. On the one hand, the Audit Bureau could aim to ensure its audit findings are communicated in a simplified yet engaging manner, for example by applying a behavioural lens to strengthen communication between the SAI and stakeholders (OECD, 2022[28]). On the other hand, it could proactively engage public stakeholders in sensitisation initiatives to inform them about its work and, in turn, stakeholders could be invited to provide input into work that they would like to see the Audit Bureau conduct (OECD, 2016[29]). Exploring innovative ways to engage civil society and citizens could be an option for the Audit Bureau to obtain buy-in and allow citizens to better understand the importance of the Audit Bureau’s work. For example, social audits can be a powerful accountability tool and a hands-on way to engage citizens in the fight against corruption. The experience of involving youth in auditing in Peru could be a further inspiration on how to actively involve stakeholders (Box 5.7).
A 2024 OECD report on increasing the impact of European supreme audit institutions through external engagement found that 77% of SAIs participating in a survey confirmed that they cooperated with non-governmental organisations, civil society organisations, and other non-institutional stakeholders during their audits. Engagement may take a number of forms such as one-way communication through the provision of information or two-way communication through consulting stakeholders for input when selecting audits, planning and drafting audit reports and developing citizen complaint mechanisms. This type of engagement may contribute to external stakeholders’ ability to hold the government to account (through information-sharing) as well as contributing to the SAI’s ability to select meaningful audits (OECD, 2024[30]).
Box 5.7. The “Youth Auditors” Programme of the Comptroller General of the Republic of Peru
The objective of the “Youth Auditors” Programme implemented by the country’s Supreme Audit Institution, the Office of the Comptroller General of the Republic of Peru (Contraloría General de la República, CGR), is to establish the foundations for the execution of activities aimed at contributing to training in ethical values and civic rights of citizens in the formative stage.
The specific objectives are:
Include discussions in the classroom on topics related to State control, the fight against corruption, citizen participation, among others, that contribute to the development of an anti-corruption culture.
Promote the participation of young people in public management through the monitoring of public activity with a direct impact on the well-being of their community.
Figure 5.6 shows the distribution of youth auditors by departments; the programme has achieved 100% coverage of the provinces throughout the country (CGR, 2023[31]).
Figure 5.6. Distribution of youth auditors by department, December 2022
With the beginning of the COVID-19 pandemic, students supported by their parents or teachers completed questionnaires (physical or virtual) about the functioning of specific public services in their educational institution or community to identify areas for improvement. During 2022, a total of 267.023 youth auditors participated in the oversight concerning the correct start of the school year, cleaning and disinfection of the educational institution, coexistence at the school, road signs around the educational institution, as well as the cleaning and disinfection of public parks and public lighting.
Chapter 5: Proposals for Action
Implementing effective risk management as well as internal control and audit
For risk management to be effective, an integrated approach should be adopted and implemented government-wide. This should entail codifying risk management practices into policies and tools, such as an integrated risk management policy, a framework outlining key principles of risk management and accompanying guidance providing practical advice on operationalising the principles of the framework. Elements of the guide should address responsibilities and accountabilities, the requirements for skills development and training, systems and tools to facilitate risk assessments and monitoring, as well as the means of co-ordination and collaboration across departments and government as a whole.
An integrated risk management framework should embed risk management within management processes such that it is a part of governance, leadership, and is fundamental to how the organisation is managed at all levels.
To ensure that management is equipped to assume responsibility over establishing and integrating internal controls into operations in a risk-based and cost beneficial manner, the Ministry of Finance, in collaboration with JIACC, should provide capacity building in risk management and internal control.
The Ministry of Finance should develop and implement policies assigning the first line role to management and build capacity of managers to take on this role.
Supporting the transition of the Internal Control System from ex-ante to ex-post
As Jordan adopts ex-post control, it should maintain and reinforce key internal controls that safeguard against fraud and wrongdoing and relinquish those that are costly, onerous and afford minimal benefit to the organisation.
The Ministry of Finance, in its central harmonisation role, should continue to provide guidance and oversight to the entities responsible for internal audit (internal control units) to continue building capacity and to promote more advanced types of work such as assessing the effectiveness of internal control systems versus compliance with regulations. Training should be aligned with international standards. Furthermore, the Ministry of Finance should also promote the independence of the unit responsible for internal audit (internal control units).
The Internal Control Bylaw should be amended to distinguish the responsibility of internal control (management), from the responsibility of internal audit (an independent entity within the organisation). The Ministry of Finance must decide on how it will achieve the establishment of a unit responsible for internal audit which is to be independent from management responsibility for implementing and overseeing internal controls.
Continue strengthening the external oversight provided by the Audit Bureau
The Audit Bureau Law should be amended to confer onto the head of the Audit Bureau a pre-determined and fixed term that is sufficiently lengthy to allow the head to discharge their responsibilities with confidence. Jordan could also consider amending the law to involve the House of Representatives in the decision to appoint the head of the Audit Bureau.
The Audit Bureau’s financial independence should be strengthened by disallowing the Executive from influencing its proposed budget.
The Audit Bureau can leverage its growing capacity for performance audit to assess the efficiency and effectiveness of the internal control system and to audit areas of mutual interest with JIACC, such as procurement.
The Audit Bureau should reconsider how it engages with the legislature and other stakeholders, including how it presents its findings, and explore whether to publish the full audit reports to increase accountability of audited entities, as well as the various means by which information is communicated to diverse audiences.
The Audit Bureau should refrain from assessing the quality of the internal control units and providing recommendations for improvement (a management function) and instead add value and maintain its independence through financial and performance audits to assess the internal control system and the internal audit function.
The Audit Bureau should reconsider the co-location of Audit Bureau auditors in other departments, by scrutinizing how this may impact the Audit Bureau’s independence and by considering the potential benefits of relocating auditors to Audit Bureau premises. Action should be taken to relocate auditors back to Audit Bureau premises if assessments show that co-location of auditors in other departments negatively impacts independence.
References
[17] ACFE (2023), Fraud 101: What is Fraud?, Association of Certified Fraud Examiners, https://www.acfe.com/fraud-resources/fraud-101-what-is-fraud#:~:text=Donald%20Cressey%2C%20a%20criminologist%20whose,As%20Dr (accessed on 25 March 2024).
[31] CGR (2023), Informe Ejecutivo de Gestión 2022. Memoria Institucional., Contraloría General de la República del Perú, Lima, Peru.
[14] Commonwealth of Australia – Department of Finance (2023), Commonwealth Risk Management Policy – Risk Toolkit: Element 8: Risk Management Capability, https://www.finance.gov.au/government/comcover/risk-services/management/risk-management-toolkit/element-8-risk-management-capability (accessed on 4 September 2024).
[7] COSO (2013), “Internal Control - Integrated Framework”, https://www.coso.org/Pages/ic.aspx (accessed on 11 September 2017).
[9] COSO (2004), COSO Enterprise Risk Management -- Integrated Framework, http://www.aicpastore.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990015/PC-990015.jsp (accessed on 1 August 2017).
[6] European Commission (2023), Twinning Fiche: Strengthening the Capacities of the Audit Bureau (AB) of Jordan, European Commission, EU funded project.
[15] IIA (2020), The IIA’s Three Lines Model. An update of the Three Lines of Defense., The Institute of Internal Auditors, Lake Mary, USA, https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf (accessed on 19 January 2024).
[16] IIA (2019), Fraud Identification and Deterrence Part 1: Internal audit’s role in fraud risk management, The Institute of Internal Auditors, https://www.theiia.org/en/content/articles/industry-knowledge-brief/2019/fraud-identification-and-deterrence-part-1-internal-audits-role-in-fraud-risk-management/ (accessed on 25 March 2024).
[21] IIA (2017), International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, http://theiia.org/globalassets/site/standards/mandatory-guidance/ippf/2017/ippf-standards-2017-english.pdf (accessed on 4 September 2024).
[8] INTOSAI (2019), INTOSAI-P 12 The Value and Benefits of Supreme Audit Institutions: Making a difference to the lives of citizens, International Organisation of Supreme Audit Institutions (INTOSAI).
[25] INTOSAI (2019), ISSAI 300 - Performance Audit Principles, International Organisation of Supreme Audit Institutions (INTOSAI), https://www.issai.org/pronouncements/issai-300-performance-audit-principles/#:~:text=ISSAI%20%2D%20300%20%2D%20Performance%20Audit%20Principles&text=c.,control%2C%20materiality%20and%20documentation)%3B (accessed on 4 September 2024).
[24] INTOSAI (2019), ISSAI 400 - Compliance Audit Principles, International Organisation of Supreme Audit Institutions (INTOSAI), https://www.intosai.org/fileadmin/downloads/documents/open_access/ISSAI_100_to_400/issai_400/ISSAI_400_en_2019.pdf (accessed on 4 September 2024).
[26] INTOSAI (2016), How to increase the use and impact of audit reports – A guide for Supreme Audit Institutions, Capacity Building Committee of the International Organization of Supreme Audit Institutions (INTOSAI), Vienna, Austria, https://www.intosaicbc.org/download/increase-use-and-impact-of-audit-reports-eng/ (accessed on 11 April 2024).
[22] INTOSAI (2007), INTOSAI P-10 Mexico Declaration on SAI Independence, International Organisation of Supreme Audit Institutions (INTOSAI), https://www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI_P_10_en_2019.pdf (accessed on 4 September 2024).
[3] ISO (2018), ISO 31000:2018: Risk management Guidelines, https://www.iso.org/standard/65694.html (accessed on 12 September 2018).
[5] JIACC (2023), National Integrity Standards in the Public Sector, Jordan Integrity and Anti-Corruption Commission (JIACC), Amman, Jordan.
[11] JIACC (2021), Annual Report: 2021, Jordanian Integrity and Anticorruption Commission, Amman, Jordan, https://www.jiacc.gov.jo/ebv4.0/root_storage/en/eb_list_page/english_report_2021.pdf (accessed on 16 February 2024).
[4] JIACC (2019), National Strategy of Integrity and Anti-Corruption 2020-2025, https://jiacc.gov.jo/EBV4.0/Root_Storage/AR/EB_Blog/JIACC_Strategy_2020-2025_English.pdf (accessed on 16 February 2024).
[30] OECD (2024), “Increasing the impact of supreme audit institutions through external engagement: Compendium of European experiences with developing effective relationships between SAIs and non-governmental stakeholders”, SIGMA Paper, No. 69, OECD SIGMA - Support for Improvement in Governance and Management, Paris.
[28] OECD (2022), Enhancing the Oversight Impact of Chile’s Supreme Audit Institution: Applying Behavioural Insights for Public Integrity, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/1afdc85e-en.
[2] OECD (2020), OECD Public Integrity Handbook, OECD Publishing, Paris, https://doi.org/10.1787/ac8ed8e8-en.
[19] OECD (2019), OECD Integrity Review of Mexico City: Upgrading the Local Anti-corruption System, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264306547-en.
[18] OECD (2017), Internal Control and Risk Management for Public Integrity in the Middle East and North Africa, OECD Publishing, Paris, France, https://www.oecd.org/gov/ethics/corruption-risks-internal-control-mena.pdf (accessed on 25 March 2024).
[1] OECD (2017), “Recommendation of the Council on Public Integrity”, OECD Legal Instruments, OECD/LEGAL/0435, OECD, Paris, http://www.oecd.org/gov/ethics/Recommendation-Public-Integrity.pdf.
[29] OECD (2016), Progress in Chile’s Supreme Audit Institution: Reforms, Outreach and Impact, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264250635-en.
[13] OMB (2016), OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, United States Office of Management of Budget, Washington D.C., USA, https://www.whitehouse.gov/wp-content/uploads/2017/11/Circular-a-123.pdf (accessed on 11 April 2024).
[12] PEFA (2022), Hashemite Kingdom of Jordan - 2021: PEFA Assessment in Jordan, PEFA Secretariat, Washington, D.C., US, https://www.pefa.org/node/4518 (accessed on 23 March 2024).
[20] Ruffner, M. and J. Sevilla (2006), “Public Sector Modernisation: Modernising Accountability and Control”, OECD Journal on Budgeting, https://doi.org/10.1787/budget-v4-art11-en.
[23] Schöberlein, J. (2019), What works in anti-corruption programming – Lessons from the Middle East and North Africa (MENA) region, Transparency International, Berlin, Germany.
[27] The Office of the Auditor General (2023), Commentary on the 2022-2023 Financial Audits, https://www.oag-bvg.gc.ca/internet/English/parl_oag_202310_00_e_44330.html.
[10] Treasury Board of Canada Secretariat (2016), Guide to Integrated Risk Management, Treasury Board of Canada Secretariat, Ottawa, Canada, https://www.canada.ca/en/treasury-board-secretariat/corporate/risk-management/guide-integrated-risk-management.html (accessed on 19 July 2024).