This chapter analyses Kazakhstan’s internal control and risk management framework in comparison to international models and good practices. It provides recommendations for strengthening effective internal control systems and for effectively integrating risk management. Additionally, it addresses both internal control and external oversight and explores opportunities and challenges of utilising digitalisation for more effective auditing.
OECD Integrity Review of Kazakhstan
5. Safeguarding integrity by applying an internal control and risk management framework in Kazakhstan
Introduction
An efficient and consistent internal control and risk management system is essential for preventing corruption in public organisations and securing the financial soundness and accountability of the government. Principle 10 of the OECD Recommendation on Public Integrity (OECD, 2017[1]) proposes the establishment of an internal control and risk management system that includes:
a control environment with clear objectives that demonstrate managers’ commitment to public integrity and public-service values and that provides a reasonable level of assurance of an organisation’s efficiency, performance and compliance with laws and practices
a strategic approach to risk management that includes assessing risks to public integrity, addressing control weaknesses as well as building an efficient monitoring and quality assurance mechanism for the risk management system
control mechanisms that are coherent and include clear procedures for responding to credible suspicions of violations of laws and regulations and facilitating reporting to the competent authorities without fear of reprisal.
In Kazakhstan, the internal control system is governed by the Law on State Audit and Financial Control. The law specifies that the internal control system consists of five elements, namely control environment, risk assessment, control procedures, information and communication, as well as monitoring and evaluation (Government of Kazakhstan, 2015[2]). In addition to the law, the Procedural Standards of State Audit and Financial Control define an internal control system as a set of policies, processes and procedures, norms of behaviour and actions of the object of a performance audit to respond appropriately to significant risks in terms of achieving the goals of efficiency, economy, productivity, and effectiveness.
Kazakhstan recognises that weak internal control and risk management is one of the main challenges in the fight against corruption in the public and quasi-public sectors. The 2022-2026 Anti-Corruption Policy Concept points out that state bodies and the quasi-public sector have a low interest in eliminating the conditions for corruption, and that the internal analysis of corruption risks has not yet become an effective tool. The document also points out that the control procedures for budget allocation are insufficient, and that the overlap of state audit and financial control bodies is hampering the efficiency of the control system (Government of Kazakhstan, 2022[3]).
The 2022-2026 Policy Concept sets out a plan to secure the quality and objectivity of internal corruption risk analysis and develop external corruption risk analysis. This includes eliminating overlapping functions and strengthening the independence of the state audit and financial control bodies system. In support of the government’s efforts, this chapter reviews the current situation of internal control, risk management, internal audit and external oversight in Kazakhstan, and proposes recommendations to enhance those functions in accordance with international standards and best practices.
Ensuring an effective internal control system
Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance (COSO, 2013[4]). The Committee of Sponsoring Organizations (COSO) suggests five elements of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.
The control environment is a general element that affects the performance of organisational members, including ethical values and integrity, the leader's management style and philosophy, organisational structure and mission, and the manager's supportive attitude.
Risk assessment is the stage to determine the appropriate level of response by identifying and analysing risk factors that may hinder the achievement of organisational goals.
Control activities are procedures for preventing and reducing the identified risk factors, including division of duties, documentation, approval, and verification procedures.
Information and communication refer to sharing and communicating information related to organisational operations with members of an organisation and external stakeholders so that the organisation’s members perform their duties responsibly.
Monitoring is the process of analysing and improving the effectiveness and weaknesses of an internal control system.
The Guidelines for Internal Control Standards for the Public Sector of the International Organization of Supreme Audit Institutions (INTOSAI), which state that internal control activities should occur throughout an entity, at all levels and in all functions, and that internal controls should include a range of detective and preventive control activities, can be used as a guideline for designing the internal control system (INTOSAI, 2004[5]) (Box 5.1).
Box 5.1. INTOSAI’s Guidelines for Internal Control Standards for the Public Sector
Internal control is a crucial aspect of any organisation that aims to ensure that its operations are efficient and effective. It consists of five interrelated components that work together to provide a comprehensive framework for managing risks and achieving organisational objectives. These components include control environment, risk assessment, control activities, information and communication, and monitoring activities.
Control environment. The control environment provides the discipline and structure as well as the climate that influences the overall quality of internal control. It has overall influence on how strategy and objectives are established and control activities are structured.
Risk assessment. An assessment of the risks facing the entity in achieving its mission and objectives is essential for developing an appropriate risk response.
Control activities. Internal control activities are the major strategy for mitigating risk. Control activities can be preventive and/or detective. Corrective actions are necessary to complement internal control activities to achieve the objectives. Control activities and corrective actions should provide value for money. Their cost should not exceed the benefit resulting from them (cost-effectiveness).
Information and communication. Effective information and communication are vital for an entity to run and control its operations. Entity management needs access to relevant, complete, reliable, correct and timely communication related to internal as well as external events. Information is needed throughout the entity to achieve its objectives.
Monitoring. Internal control is a dynamic process that has to be adapted continuously to the risks and changes an organisation faces, and monitoring of the internal control system is necessary to help ensure that internal control remains tuned to the changed objectives, environment, resources and risks.
Source: INTOSAI (2004[5]), Guidelines for Internal Control Standards for the Public Sector, https://www.issai.org/pronouncements/endorsed-as-intosai-gov-9100/.
Internal control is not a system or mechanism that exists separately within an organisation but a process that affects the decision-making and daily operation of the organisation. For internal control to be effective, the five elements of internal control should work together, and the regulatory frameworks should be implemented in the business process. It is essential to have guidelines and procedures for the implementation of the internal control framework, as well as well-defined roles and responsibilities of the staff of the organisation.
The Committee on Internal State Audit could develop practical guidelines and clarify roles and responsibilities to effectively implement its internal control system
To operationalise the components of internal control set out in Kazakhstan’s Law on State Audit and Financial Control, the Committee on Internal State Audit could develop a set of practical guidelines. The criteria used by the OECD Public Integrity Indicators to assess the regulatory framework for internal control in the public sector can serve as valuable references for establishing such guidelines. These criteria are based on the COSO 2013 Internal Control–Integrated Framework, the Institute of Internal Auditors International Professional Practices Framework (IPPF) 2017, and INTOSAI Guidelines GOV 9100 and 9130. They cover the following elements (OECD, 2025[6]):
Standards of conduct and ethical behaviour are published and apply to ministers, members of parliament, other political appointees, and civil servants.
The definitions of internal control (IC) and internal audit (IA) in policy or regulatory documents are aligned with international standards.
Regulations on internal control establish requirements for annual IC and IA reporting activities, specify the objectives of IC, and define managerial responsibilities regarding the implementation of IC and IA.
Guidelines on fraud and corruption prevention are available and integrated into the internal control system.
The regulations for implementing internal control apply to all central government institutions, including social security funds.
To establish an effective internal control system, it is essential that all members of the organisation have clearly defined roles and responsibilities. Managers and internal auditors have distinct functions, and it is important that each understands their respective role. One common challenge in building internal control systems is the lack of role clarity among organisational members (OECD, 2020[7]).
In the Kazakh public sector, both the internal and external auditors are responsible for monitoring the efficiency and transparency in the use of public finances. Internal audit involves analysing, evaluating, and verifying the performance and results achieved by the object of state audit, as stipulated in the documents of the State Planning System of the Republic of Kazakhstan. The audit also assesses the credibility and reliability of financial and management information, the efficiency of internal processes in organising activities, the quality of public services, and the preservation of state assets and subjects of the quasi‑public sector (Government of Kazakhstan, 2015[2]).
In addition to auditors, managers of budget programmes regularly monitor the budget and report the results to relevant authorities and the Supreme Audit Chamber (SAC). The results of the analytical report on the execution of the relevant budget shall be considered in the development or clarification of the relevant budget, the formation of a unified database of state audit and financial control, and the implementation of the preliminary assessment of the budget draft (Government of Kazakhstan, 2025[8]). Such shared responsibilities can pose challenges to the effective functioning of each role. Kazakhstan can strengthen its internal control system by clearly defining the roles of each stakeholder involved.
The roles of senior manager, business manager, risk manager, and internal auditor are well embodied in the Institute of Internal Auditors’ (IIA) Three Lines Model (Figure 5.1). According to the IIA, the first line of roles comprises operational management and personnel. Those on the frontline naturally serve as the first line of defence because they are responsible for maintaining effective internal controls and executing risk and control procedures daily. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. The second line of defence includes the next level of management — those responsible for overseeing business processes. This line establishes a risk management framework, monitors and identifies emerging risks, and reports regularly to senior executives (IIA, 2020[9]). The third line of defence is the internal audit function. Its primary role is to provide senior management with independent, objective assurance over the first and second lines of defence arrangements.
Figure 5.1. The IIA’s Three Lines Model
When applying the Three Lines Model to the public sector, there are several challenges to consider. One of the main obstacles is the complexity of many public sector operations, which often require a significant amount of co-ordination and collaboration between various departments and stakeholders. Additionally, the public sector operates in a highly regulated environment, which can further complicate matters. Despite these challenges, it is still possible to apply the Three Lines Model to the public sector with the right approach and mindset. This may involve engaging with stakeholders at all levels, developing clear and actionable plans, and leveraging technology and other resources to streamline operations and enhance transparency (IIA, 2022[10]).
The IIA recommends that specific factors be considered when applying the Three Lines Model to the public sector. Given the complexity of the public sector in terms of governance structures, stakeholders, and regulations, flexibility is necessary when utilising the model. To make the Three Lines Model approach effective, there does not need to be a strict separation between the roles of the governing body and management, which includes first and second-line roles. The model is principles-based and recognises the need for exchange and interaction among all key players. The allocation of roles and resources for any given entity must be based on its unique circumstances, priorities, and requirements. The multilevel character of government entities working together in a national framework with overlapping and complementary roles makes a strict separation impractical and unhelpful. It is crucial, however, that the independence of internal audit activities and external audit providers always be clear (IIA, 2022[10]). Box 5.2 shows specific examples of flexible applications in the public sector.
Box 5.2. Examples of flexibility within the Three Lines Model
Who determines strategy?
The goals of a public sector organisation are typically established by legal regulations. The approach for achieving these goals may be determined by the governing body, senior management, or both, and may be established at different levels of government's jurisdiction. The organisational structure should be aligned with each level of strategy. The governing body may include members who are part of senior management or individuals with no operational responsibilities. In some cases, the head of the governing body may also lead operations and be the director or head of the organisation, similar to a private sector CEO, depending on the nature, scope, and size of the administration. However, in other cases, there may not be a governing body present.
Who sets policies for internal control?
The responsibility for internal control lies with management. Risk and control functions may not be specialised, or they may be small and not very mature. If there are second-line functions, those with first-line roles may also carry second-line roles, with advisory support from internal audit. There may be a clear segregation of duties from other managerial functions if there are discrete second-line functions, and this may include a reporting line to the governing body or one of its committees.
Who monitors and provides assurance on compliance?
Mature entities with dedicated functions, such as compliance functions, are typically responsible for monitoring and reporting on performance and compliance risk management. However, internal audit activities provide independent and objective assurance on compliance.
Who exercises oversight of governance?
The level of direct oversight that the governing body has depends on the organisational structure. In some public sector organisations, the governing body can monitor activity directly, while in others with more limited oversight, the internal audit activity may act as a supplement to and provide assurance on reports from management. Additionally, many public sector entities are accountable to a higher-level body, which may also impact governance.
Who provides independent assurance on financial control?
Both internal audit activities and external audit providers can provide independent assurance for the highest decision-making authority and oversight body within the entity as well as those to whom the entity is accountable. Depending on the jurisdiction, there may be statutory requirements for financial reporting that necessitate the services of external audit providers or SAIs, while the internal audit activity offers objective assurance and advice over financial controls within an entity.
Source: IIA (2022[10]), Applying the Three Lines Model In the Public Sector, https://www.theiia.org/globalassets/site/content/articles/applying_the_three_lines_model_in_the_public_sector.pdf.
In addition to assigning roles and responsibilities related to risk management to line managers, it is crucial to provide them with opportunities to develop the skills required to perform these tasks. Such opportunities include training sessions, webinars, and awareness-raising activities. Communication and consultation with staff are also key steps towards securing input into the risk management process and giving staff ownership of the outputs of risk management. The Australian Government has developed guidance on building risk management capability in entities (Box 5.3), which could provide useful insights.
Box 5.3. Building Risk Management Capability: Australian Government
The Australian Ministry of Finance has developed guidance on how to build risk management capability in government entities.
Risk systems and tools
It aims to build tools and utilisation capabilities for monitoring, registering and reporting risks. The approach is as follows:
Is your current set of risk management tools and systems effective in storing the required data to make informed business decisions?
Is your current set of risk management tools and systems too complex for the risk exposure of your business?
Are there opportunities to redesign, redevelop or rebuild the risk management tools and systems used in your entity to improve utilisation and functionality that will assist in building risk capability?
How effective are your risk systems in providing timely and accurate information for communication to stakeholders?
People capability
It aims to build the necessary competencies for risk management with clear responsibilities and information for all employees in the organisation. The approach is as follows:
Are risk roles and responsibilities explicitly detailed in job descriptions?
Have you determined the current risk management competency levels and completed a needs analysis to identify gaps and learning needs?
Do induction programmes incorporate an introduction to risk management for all levels of staff?
Is there a learning and development programme that incorporates ongoing risk management training tailored to different roles and levels of the entity?
Do you have risk champions and risk professionals within the entity who could take on a risk mentor role?
Is risk part of the conversation? Are risks regularly raised in discussions?
Managing risk information
It aims to build a system of assessing, monitoring and treating risks across the entity given we are dependent upon the quality, accuracy and availability of risk information. The approach is as follows:
Have you identified those data sources that provide you with the required information for a complete view of risk across the entity?
What external data sources are available to you for a forward-looking, proactive approach to risk management?
Have you considered how external data sources may assist in identifying emerging risks?
How can you use the external environment to inform you of potential risk events, for example, changes in Government, the economic environment, unemployment rates, etc.?
Is there an opportunity to subscribe to databases that provide detail on external incidents that could provide insight into the scale and assessment of your risk?
What is the frequency of collating risk information for delivery to different committees and audiences across the entity? Is it enough to satisfy the effective management of risk exposure?
Do you have readily available risk information accessible to all staff that will assist in building capability and information sharing?
How would you rate the integrity and accuracy of the available data?
Risk management processes flow
It aims to build effective documentation and communication of risk management processes to allow for the clear, concise and frequent presentation of risk information to support decision-making. The approach is as follows:
When was the last time your risk processes were reviewed?
Are your risk management processes well documented and available to all staff?
Have you received any staff feedback on the effectiveness of implementation and the usage of risk processes across the entity?
Do your processes support your Risk Management Policy?
Do your risk management processes align to your risk management framework?
Is there training available, tailored to different audiences, in the use of your risk processes?
Source: Australian Government (2018[11]), Risk Management Toolkit - Element 8: Risk Management Capability, https://www.finance.gov.au/government/comcover/risk-services/management/risk-management-toolkit/element-8-risk-management-capability.
Integrating risk management into the internal control system
Risk management is an essential component of any organisation's internal control system. It involves the identification, assessment, and prioritisation of potential risks that could adversely affect the organisation's objectives and the development and implementation of strategies to mitigate or eliminate those risks. Effective risk management requires a comprehensive understanding of the internal and external factors that can impact an organisation's operations and the ability to anticipate potential risks before they materialise (OECD, 2020[7]).
Kazakhstan could enhance corruption risk management by reducing the implementation duration of recommendations related to legislative elaboration
Risk management can be a part of everyday internal controls within an organisation. However, in the public sector, other agencies may also be involved in risk assessment. This creates a governance structure where public organisations interact with various other agencies within the government beyond the entity level. In addition, conducting risk analysis with a particular emphasis, such as on corruption prevention, can also be effective. Over half of OECD countries (55 %) explicitly address integrity risks in their risk management frameworks (OECD, n.d.[12]).
In Kazakhstan, the analysis of corruption risks is divided into internal analysis conducted by the entity's own staff and external analysis conducted by a separate work group. The Anti-Corruption Service is involved in the operation of the corruption risk analysis system, including developing the methodological recommendations for conducting an internal analysis of corruption risks (Government of Kazakhstan, 2015[13]).
Internal Analysis of Corruption Risks
In Kazakhstan, internal analysis of corruption risks is carried out by a structural unit, a person, or a working group determined by the head of the subject of internal analysis of corruption. The purpose of corruption risk analysis is to identify corruption risks in regulatory legal acts affecting the activities of the units, as well as in the organisational and managerial activities of the unit. The analysis aims to reveal discretionary powers and norms that contribute to the commission of corruption offences regarding regulatory legal acts affecting the activities of the subdivision. The analysis covers issues related to personnel management, conflict of interest, provisions of public services, implementation of permitting functions, and implementation of control functions in organisational and managerial activities. The internal analysis of corruption risks is carried out in accordance with the recommendations based on the results of anti‑corruption monitoring or as determined by the head of the subject of internal analysis of corruption risk. This means that risk analysis is not conducted routinely, but only in areas where a particular risk has been detected.
The analytical report on corruption risks contains information on the identified corruption risks, recommendations for their elimination, and the timing of the implementation of the recommendation. The reports are submitted to the head of the subject of the analysis for consideration and adoption of measures. The reports are also supposed to be posted on the internet resources of the subject of the analysis to allow for public discussion of the results of the analysis.
External Analysis of Corruption Risks
In Kazakhstan, conducting an external analysis of corruption risks is up to the joint decision of the head of the authorised body for combating corruption and the head of the object of the external analysis. A joint decision is based on the results of anti-corruption monitoring, the initial appeal of the object of the external analysis and the decision of the authorised body on its implementation, and instructions of the President, the Prime Minister, the Administration of the President, and decisions and recommendations of consultative and advisory bodies under the President.
External analysis of corruption risks is carried out by a working group established by a joint decision of the head of the authorised body and the object of external analysis. The work aims to identify corruption risks in two areas: i) regulatory legal acts affecting the activities of the units and ii) organisational and managerial activities of the units. Regarding regulatory legal acts, the analysis aims to reveal discretionary powers and norms that contribute to the commission of corruption offences. Regarding organisational and managerial activities, the analysis covers issues related to personnel management, conflict of interest, provision of public services, implementation of permitting functions, and implementation of control functions.
The purpose, scope, and evaluation method of external analysis of corruption risks are the same as the internal analysis. The difference between external and internal analysis is that the results of the external evaluation are submitted to the President, the Prime Minister, the presidential office, as well as advisory organisations under the President. External evaluation results are published on the websites of organisations and authorised bodies concerned by the analysis. In addition, the head of the evaluation target body should work with the authorised body to develop an action plan to eliminate the identified corruption risk factors within 10 days after the external evaluation result report is finalised. Authorised bodies are required to check the implementation of the recommendations after six months and publish the results of implementation monitoring on Internet resources.
External analytical reports include analysis of disciplinary practice, monitoring the fulfilment of the contractual obligation of contractors, conflict of interest, information systems, procurement procedures, the discretion of managers, external and internal control systems, and risk management systems. In addition, analytical reports include recommendations on administrative procedures, improvement of operation methods, revision of regulations, strengthening of supervision, and development of monitoring methods.
In the period 2020-2022, an average of 142 analyses were conducted per year, with an implementation rate of 84.7 % for recommendations based on the results of the external analysis of corruption risks. However, implementing recommendations related to legislative elaboration poses a challenge due to its duration, as the legislative process cannot be expedited by the government alone. It requires co-operation and efforts from various stakeholders.
To reduce the implementation duration of recommendations related to legislative elaboration from the external analysis of corruption risks, Kazakhstan could consider the following approaches:
Prioritise legislative changes: Identify critical legislative changes that can help reduce corruption risks and prioritise their implementation. This approach ensures that the most important changes are implemented first, leading to a significant reduction in corruption risks.
Streamline the legislative process: Work with relevant government agencies to simplify the legislative process, reduce bureaucracy, and implement electronic systems to speed up the process. This will help reduce the time it takes to pass new laws and improve the efficiency of the legislative process.
Increase collaboration between stakeholders: Collaborate with relevant stakeholders, including government agencies, civil society organisations (CSOs), and the private sector, to identify and address legislative challenges. By working together, stakeholders can share knowledge and expertise to develop more effective legislative solutions.
Monitor and evaluate progress: Regularly monitor and evaluate progress toward implementing the recommendations of the External Analysis of Corruption Risks. This will help identify areas where progress is slow and take corrective action to ensure that recommendations are implemented on time.
Increase public awareness: Raise public awareness about the importance of implementing legislative changes to reduce corruption risks. This can involve public campaigns, media outreach, and educational programmes aimed at highlighting the negative impact of corruption and the benefits of implementing legislative changes to reduce it.
Kazakhstan could improve compliance and programme performance through enhanced risk management for daily operations
Establishing an effective risk management system requires making sure that everyone knows their roles and responsibilities and setting up a team to assess integrity risks across the organisation. In the public sector, some staff have specific roles to manage integrity risks, but it is important that many people are involved. For example, line managers, risk managers, and internal auditors (known as the first, second, and third lines of defence) all have important roles in supporting the organisation’s goals through risk management and internal control.
It is also important to have ways to collect all the necessary information and to share findings and results. This helps to make risk management a regular part of the organisation’s work and encourages staff to take responsibility for the process (OECD, 2020[7]). In this regard, project management is a core internal control mechanism for managing performance risks. Kazakhstan has established guidelines for the effective management and risk management of major national projects through the Rules for Implementation of Project Management, approved by Government Decree No. 358 on 31 May 2021. These guidelines outline the fundamental principles of project management, including the project management process, the information management system, and the responsibilities of each manager. The rules prioritise proper risk management in project management to ensure the successful completion of national projects.
In addition to project management, heads of state bodies, organisations, and quasi-public sector entities face disciplinary action if they fail to prevent corruption among subordinates. State business entities must mitigate corruption risks through transparent decision-making, fair competition, conflict-of-interest prevention, business ethics, and anti-corruption initiatives. Quasi-public sector entities are required to establish independent anti-corruption compliance services that report to their board or supervisory body, with internal regulations defining their role and functions (Government of Kazakhstan, 2015[13]).
Public organisations in Kazakhstan could enhance their internal control measures by combining their compliance and project management risk management mechanisms effectively. International practices provide lessons for more effective operational risk management. One is to establish a risk management system by moving away from fragmented risk management and integrating it into an internal control process that cycles through programme operations.
Risk management as an integral part of internal control and performance management
Risk management should be considered an integral part of the institutional management framework (OECD, 2020[7]). In the public sector, the operational concept of risk management must include the systems, processes and culture that help to identify, evaluate and treat risks in order to contribute to public sector entities achieving their performance objectives (OECD, 2013[14]). The first step in operational risk management is to establish the organisation's context and objectives and then identify the events that may affect the achievement of those objectives. An event that can have a negative impact is a risk. Risk assessment is a three-step process that begins with the identification of risks, followed by risk analysis, meaning understanding each risk, its consequences, the probability of that outcome occurring, and the severity of each risk. The third step evaluates the tolerability of each risk and, therefore, whether it should be accepted or treated. The risk management cycle can be seen in Figure 5.2 below.
Figure 5.2. Risk management cycle
Source: OECD (2017[15]), OECD Integrity Review of Mexico: Taking a Stronger Stance Against Corruption, https://doi.org/10.1787/9789264273207-en.
The INTOSAI Guidelines for Internal Control Standards for the Public Sector describe four steps in the risk assessment process: risk identification, risk evaluation, assessment of the risk appetite of the organisation, and development of responses (Box 5.4). INTOSAI also emphasises that, as governmental, economic, industry, regulatory and operating conditions are in constant change, risk assessment should be an ongoing, iterative process. This implies identifying and analysing altered conditions, opportunities and risks (the risk assessment cycle) and modifying internal control to address changes.
Box 5.4. Four steps in risk assessment process
Risk identification
A strategic approach to risk assessment involves identifying key risks relevant to organisational objectives, evaluating them, and assigning responsibility for managing them. It is important to consider all possible risks, including fraud and corruption, and to use appropriate tools such as risk reviews or self-assessments to identify changes in an organisation's risk profile.
Risk evaluation
To effectively manage project risks, it is important to evaluate their significance and likelihood of occurrence, using systematic risk rating criteria to provide a consistent framework for making judgements. By ranking risks in order of priority, management can make informed decisions about which risks to address, particularly those with a high likelihood of occurrence and a major potential impact.
Assessment of the “risk appetite” of the organisation
When responding to risk, it is important to identify an entity's "risk appetite," or the level of risk it is willing to accept before taking action. To determine risk appetite, both inherent and residual risks must be considered. The risk appetite of an organisation varies depending on the perceived importance of the risks and is an important step in devising an overall risk strategy.
Development of responses
To manage project risks, organisations must develop a risk profile and determine an appropriate response, which may include transfer, tolerance, termination, or treatment. Treatment involves establishing internal control activities to contain risk, and risk assessment should inform the selection of appropriate control activities. It's important to design controls that are proportional to the risk and offer value for their cost. Organisations must regularly revisit their risk profiles and controls to ensure they remain valid and effective as risks and conditions change over time.
Source: INTOSAI (2004[5]), Guidelines for Internal Control Standards for the Public Sector, https://www.issai.org/pronouncements/endorsed-as-intosai-gov-9100/.
Ensuring an effective internal and external audit system to improve internal control
The internal audit function examines the adequacy and effectiveness of public sector organisations’ internal control systems, procedures, governance arrangements, risk management processes, and performance of operations. Therefore, internal audit can contribute not only to the achievement of financial objectives, but also to improved decision making and risk management in support of overall strategic and operational goals (OECD, 2020[7]). Supreme Audit Institutions, in turn, through external audits, have a role in strengthening internal control systems (OECD, 2024[16]).
The Committee on Internal State Audit could ensure that its central co-ordination of internal audit leverages the available resources to strengthen oversight and enable a cohesive response to integrity risks
In Kazakhstan, the internal audit function is governed by the Law on State Audit and Financial Control (Government of Kazakhstan, 2015[2]) and the Model Regulations on Internal Audit Services (IAS) (Ministry of Finance, 2015[17]). The statutes specify that the Internal Audit Service is independent in conducting internal state audit and preparing reports on the results of internal audit. The internal audit service may not be involved in works falling within the competence of other structural units of the central state body, departments of central state bodies, local executive bodies of regions, cities of republican significance, the capital, as well as in the preparation or execution of programmes and projects that are not related to its authority.
According to the above statute, the main purpose of the IAS is to assist the head of the state body in achieving the strategic goals and objectives of the state body and of territorial development programmes. It does so by providing the head of the state body with independent and objective information designed to ensure effective management of the state body and to improve the efficiency of the management and use of budget funds and of the assets of state and quasi-state sector entities, based on the risk management system.
The Committee on Internal State Audit, Kazakhstan’s central harmonisation body, is responsible for co‑ordinating the internal audit functions. This includes developing and approving the model that should be followed for internal audit, providing methodological advice to the Internal Audit Services within each public institution, assessing the effectiveness of the internal audit functions, and setting out suggestions for improving the state audit and financial control system.
Many OECD countries have established a Central Harmonisation Unit (CHU) to co-ordinate the development, implementation, and maintenance of internal control systems across public administrations. Typically situated within the Ministry of Finance, the CHU is responsible for setting standards, providing guidance, and monitoring the effectiveness of internal control systems. This includes conducting annual assessments and reporting on the quality and functionality of internal control systems to the government (OECD, n.d.[12]). The OECD Public Integrity Indicators outline specific criteria related to the role of the CHU. Kazakhstan can refer to these standards to strengthen the role of the Committee on Internal State Audit:
One central government body (CHU) develops the IC and IA systems.
Guidelines on assessing integrity risks have been issued within the last 5 years by the CHU or the central function for IC to all public sector institutions implementing IC.
The CHU or the central IA function co-ordinates training and certification of internal auditors.
The CHU has conducted a government-wide review on the IC and IA systems, annually during the last 3 years.
The CHU promotes IC and IA methodologies based on international standards.
A central function develops the IC system.
A central function develops the IA system.
A central function promotes IC methodologies based on international standards.
A central function promotes IA methodologies based on international standards.
The central function has conducted a government-wide review of the IC system, annually during the last 3 years.
The central function has conducted a government-wide review of the IA system, annually during the last 3 years.
The Supreme Audit Chamber could enhance the implementation of external audit recommendations to increase the effectiveness of the internal state audit system
Internal audit bodies in the public sector can co-operate with and benefit from external audit bodies, particularly the supreme audit institution (OECD, 2024[16]). External auditors not only provide an objective and independent evaluation of the internal control system, but also have a large impact on establishing an efficient internal control system, since they also monitor the governing bodies of the organisation (IIA, 2022[10]). In this respect, the SAI's evaluation of the internal control system and risk management is one of the effective means of improving the effectiveness of the internal control system.
In Kazakhstan, the Supreme Audit Chamber is the highest body of state audit and financial control. The Supreme Audit Chamber is not only responsible for developing and approving procedural standards for external state audit and financial control, but also plays a role in assuring that the government budget is being used effectively and policy goals are being effectively achieved. The role of external auditors also makes a critical contribution to good governance through assurance because they operate independently from the activity and entity under review.
The Supreme Audit Chamber is responsible for evaluating the activities of state audit and financial control bodies (Government of Kazakhstan, 2015[2]). According to the Supreme Audit Chamber’s Procedural Standard, its assessments are conducted through two methods: (1) a yearly cameral evaluation of all state audit bodies (excluding the Supreme Audit Chamber) based on information from audit commissions and the Internal State Audit Committee, taking into account reporting information analysis and the evaluation of the effectiveness of the internal audit services, and (2) a planned evaluation of audit commissions and the Committee on Internal State Audit, as well as its territorial divisions, based on the List of objects of state audit, excluding internal audit services (Supreme Audit Chamber of Kazakhstan, 2016[18]).
Kazakhstan has a legal framework within which state audit bodies, including the Supreme Audit Chamber and the other internal state audit bodies, can co-operate. According to Article 46 of the Law on State Audit and Financial Control, a Co-ordinating Council is formed between auditing bodies, and co-operation between auditing bodies takes place through this council (Government of Kazakhstan, 2015[2]). The Regulation on the Co-ordinating Council (Regulatory Resolution of the Accounts Committee for Control over the Execution of the Republican Budget dated 28 November 2015 No. 12-NK) establishes the goals, objectives, and powers of the Co-ordinating Council of State Audit and Financial Control Bodies (referred to as the Co-ordinating Council). It also outlines the procedure for the formation and organisation of the Co-ordinating Council's activities. During the Co-ordinating Council meetings, the results of the annual evaluation of the internal state audit body's performance of its audit functions are reviewed. Based on the review's findings, recommendations and proposals are made to enhance the effectiveness of the internal state audit system.
The Supreme Audit Chamber could consider the following approaches to enhance the implementation of its recommendations to increase the effectiveness of the internal state audit system (OECD, 2024[16]).
Continuous monitoring and sustained external interest. Regular oversight of the internal audit function by the Supreme Audit Chamber can help to ensure that external auditor recommendations are implemented in an effective and timely manner. This can involve reviewing audit reports, assessing audit quality, and providing guidance and support to internal auditors. In this effort, the Supreme Audit Chamber can be assisted by external stakeholders, for example oversight bodies, in maintaining pressure on management and overcoming resistance to change.
Training and development. Providing training and development opportunities for internal auditors can help to build their skills and knowledge, which in turn can enhance the effectiveness of the internal audit function. This can help to ensure that the organisation is better able to respond to external auditor recommendations.
The Korean supreme audit institution’s evaluation of internal audit activities in the public sector could be an example of how the SAI could contribute to enhancing the internal audit and internal control system. The Board of Audit and Inspection (BAI) of Korea evaluates the performance of internal audit activities and audit results, and examines whether internal audit bodies observe auditing standards, codes of audit practice, etc., when performing their duties. If deemed necessary, it recommends that internal audit bodies improve audit practices and amend relevant rules and regulations. In cases where internal audits are considered to be well conducted, the entities concerned may be exempt from being audited by BAI as long as there are no issues regarding the settlement of accounts (Box 5.5).
Box 5.5. Korean Supreme Audit Institution’s evaluation on internal audit bodies
To induce improvement in internal audit activities and enhance the audit capacity of the nation as a whole, in accordance with Article 39 of the Act on Public Sector Audits, BAI reviews whether internal audit bodies perform their duties thoroughly (such as compliance with audit standards and rules of conduct in audit activities, implementation of internal audits and follow-up measures).
In 2021, BAI examined the internal audit activities of 667 entities (central administrative agencies, local governments and public institutions) subject to BAI’s review as stipulated in the Act on Public Sector Audits. BAI scrutinises the internal audit bodies with two approaches (on-site review and review of documents) considering the size of the examinees and the effect of the internal audit activities performed. With an aim to provide an objective and comprehensive review, BAI established 25 indicators in four areas (resource management, audit performance, audit activities and follow-up) and has been conducting its assessment based on them.
After conducting a review of internal audit activities, BAI provides rewards to exemplary organisations as well as exempts them from all or part of its audit to the extent that it does not affect the examination of final accounts. As for entities in need of improvement, BAI requests them to take measures, such as those for enacting or revising relevant regulations or improving related systems. In cases where BAI deems that the head of an internal audit body neglects its duty, BAI may recommend the replacement of the head concerned.
Source: BAI (2022[19]), BAI Highlights Annual Report 2021, https://www.bai.go.kr/proactive/ebook/baiengbook/BAI.vol1/content/index.html.
The Supreme Audit Chamber could improve its impact by enhancing its risk-based audit selection processes
Establishing an annual audit plan is an essential procedure to improve audit efficiency. The Supreme Audit Institution could prevent overlapping audits by co-ordinating audit plans with the internal audit body and other audit bodies in advance through the annual audit plan. This co-ordination not only ensures efficient use of audit resources but also allows audited entities to anticipate audit activities, thereby improving transparency and preparedness, and contributing to the overall effectiveness of the national audit system. In addition, the annual audit plan should be established and updated through risk analysis of the organisation and business to be audited. To efficiently establish an annual audit plan, it is necessary to have an effective risk analysis tool and audit selection criteria.
Kazakhstan's Rules for External State Audit and Financial Control (Normative Resolution of the Accounts Committee for Control over the Execution of the Republican Budget dated July 30, 2020) have specific regulations on audit plans. According to Chapter 2 of the above regulation, the Supreme Audit Chamber is required to prepare an annual list of audit objects and conduct audits based on the list. Also, according to Article 18 of the Law on the State Audit and Financial Control, the list of objects of state audit is to be formed on the basis of the risk management system (Government of Kazakhstan, 2015[2]).
The Supreme Audit Chamber released the List of objects of the State Audit Account Committee for 2022 in December 2021, and according to this plan, audits of 37 objects of state audit are to be carried out in 2022. The plan presents audit target institutions, audit types, brief audit objectives and audit periods. The Supreme Audit Chamber uses a risk management system which applies several approaches to the selection of audit objects and subjects. Firstly, risks and their criteria are formed using reporting data from state audit objects and other sources of information about their activities. Secondly, the system automates the processes of collecting, processing, and storing information while ensuring the correctness of the data received. Thirdly, risk assessment is based on the use of qualitative and quantitative methods. Fourthly, criteria are determined based on the potential and real causes of risks. Lastly, appropriate response measures are developed and adopted based on the degree of risk of the object and subject of the state audit.
The risk criteria identified through this system provide the conditions for identifying where risks are most likely to occur for the state audit bodies, based on their assigned functions and powers at the republican and local budget levels. A risk register is also filled in, including the name, impact, probability, risk level, and risk assessment indicators.
The Risk Management System consists of four stages: preliminary, basic, intermediate, and final. In the preliminary stage, information is collected from financial, budgetary, accounting statements and other official sources about the activities of state audit facilities for risk assessment. In the basic stage, a risk register is drawn up, risks and criteria are identified, and risk assessment is conducted based on qualitative and quantitative methods. A risk matrix is formed, and risks are ranked by degree of importance. In the intermediate stage, the results of risk assessment are obtained, and output forms are registered in the context of objects and subjects of state audit, criteria, priorities, risk groups, and response measures. In the final stage, appropriate response measures are taken based on the level of risk.
Furthermore, when forming the list of objects of state audit, the Supreme Audit Chamber reflects various factors as follows:
the instructions of the President of the Republic of Kazakhstan
recommendations of the Parliament of the Republic of Kazakhstan
proposals of law enforcement and special state bodies
proposals of the Supreme State Audit Bodies of foreign countries on conducting joint and parallel audit activities
appeals of individuals and legal entities on the organisation of audit activities at certain objects of state audit, inefficient spending of budget funds and assets, or inefficient implementation of documents of the state planning system and budget investments
results of monitoring the mass media about violations during the formation and expenditure of budget funds and assets, the implementation of documents of the State Planning System and budget investments.
The Supreme Audit Chamber performs risk analysis using various quantitative and qualitative indicators, forming an annual audit plan based on this. Creating an audit plan based on risk analysis can help allocate audit resources efficiently and yield more impactful results. However, there could be potential challenges that might arise when conducting risk assessments and selecting audit objects. Some of the most significant challenges include (OECD, 2018[20]):
Lack of reliable data: Risk assessments and audit object selection rely on accurate and up-to-date data. However, obtaining reliable data can be challenging, particularly in cases where data sources are incomplete, inconsistent, or unreliable.
Unclear risk criteria: Another challenge is developing clear criteria for assessing risk. In some cases, risk criteria may not be well-defined or may be difficult to apply in practice.
Limited resources: Conducting risk assessments and selecting audit objects can be resource-intensive, requiring significant time and expertise. Limited resources can pose a challenge, particularly in cases where the organisation has many potential audit objects or risks to assess.
Bias: Risk assessments and audit object selection can be influenced by personal biases or institutional factors, such as pressure to focus on certain areas or reluctance to address sensitive issues.
Lack of stakeholder input: Input from stakeholders, such as management or employees, can be valuable in identifying potential risks or audit objects. However, obtaining input from stakeholders can be challenging, particularly if there is a lack of communication or trust between different parties.
Dealing with the challenges involved in conducting risk assessments and selecting audit objects can involve several strategies. Some possible approaches include:
Improving data quality: Organisations can work to improve data quality by investing in better data collection methods, verifying data sources, and ensuring data consistency across different systems.
Developing clear risk criteria: To address the challenge of unclear risk criteria, organisations can work to develop clear and consistent criteria for assessing risk. This can involve consulting with stakeholders and experts to ensure that the criteria are well-defined and applicable in practice.
Prioritising resources: Given limited resources, organisations may need to prioritise their efforts and focus on areas of highest risk or greatest potential impact. This can involve using risk scoring or other methods to rank potential audit objects or risks.
Mitigating bias: To avoid bias, organisations can use objective criteria and standards for risk assessment and object selection. They can also involve multiple stakeholders in the process to ensure that different perspectives are considered.
Seeking stakeholder input: Organisations can actively seek input from stakeholders by establishing communication channels and building trust with different groups. This can involve conducting surveys, holding focus groups, or using other methods to gather feedback.
The Supreme Audit Chamber could enhance communication with civil society to build trust by citizens and increase its impact
The publication of audit reports is one of the most useful means to increase the reliability and impact of audit results. The purpose of public audit is not only to provide audited entities with useful information about internal control, corruption risk management, and budget execution but also to provide citizens with objective and independent information about government activities. Publication of audit reports opens new policy discussions to a wider range of stakeholders and serves as an opportunity to spark social discussion. Audiences of audit reports include not only the executive branch, but also the parliament, civic groups, and the public. Most SAIs publish their audit reports. According to the INTOSAI Global Survey 2020, over 70 % of SAIs publish at least 80 % of their audit reports, and only about 12 % of SAIs do not publish audit reports (INTOSAI IDI, 2021[21]).
Kazakhstan has detailed regulations for the preparation, approval and disclosure of audit reports. According to the Rules for External State Audit and Financial Control (Normative Resolution of the Accounts Committee for Control over the Execution of the Republican Budget dated July 30, 2020), the auditors draft a report after completing the audit, which is finalised upon chamber approval. Chapter 6 outlines disclosure procedures, requiring reports to be published online unless marked as confidential. However, communication challenges often arise due to technical language and complex presentation. Misinterpretation is also a risk, as stakeholders may selectively highlight findings. To address this, the Supreme Audit Chamber should proactively engage with civil society and consider issuing accessible summaries for significant audits.
The Netherlands Court of Audit’s case is a good practice showing how an SAI can communicate effectively with citizens. The Netherlands Court of Audit conducted an audit of Design, Build, Finance, Maintain, and Operate (DBFMO) contracts, a form of public-private partnership used in building and infrastructure projects. The government estimated that these contracts would save €800 million in total. To communicate this complex topic effectively, the Court of Audit used images and infographics in its report (Figure 5.3), briefings, presentations, and website. It also held a webinar to share its findings with local audit offices and audit committees, answering questions about the opportunities and risks of DBFMO contracts (EUROSAI, 2014[22]).
Figure 5.3. An example of infographics of the Netherlands Court of Audit
Source: Netherlands Court of Audit (n.d.[23]), Contract Management in Relation to DBFMO Projects, http://iniciativatpa.org/wp-content/uploads/2014/09/reports-netherlands.pdf.
The Supreme Audit Chamber and budget authorities could enhance co-operation and establish a centralised tracking system to support implementation of audit recommendations
Budgeting is the strategic allocation of resources to achieve the government's goals within public finance limits. The budgeting process reflects each government entity's objectives and goals while enabling the central control organisation to co-ordinate and collaborate from a whole-of-government perspective. Each government entity makes efforts to justify budget allocation, and the budget authority plays the role of co‑ordinating this at the government-wide level. Supreme audit institutions contribute to more efficient use of public finances by auditing budget execution and providing opinions on budget formulation based on their audit findings (OECD, 2019[24]).
In many OECD countries, SAIs play a critical role in the budget process. The activities of SAIs include auditing the effectiveness of the procedures in place for managing, monitoring and overseeing financial allocations, including the compliance and consistency of in-year budget reallocations, and the adequacy of in-year budget execution reports (OECD, 2016[25]).
The Supreme Audit Chamber plays a critical role in the budget control system. According to the Law on the State Audit and Financial Control (Art. 25) state audit bodies are required to monitor recommendations in audit reports and may collect information on the implementation of audit recommendations. According to Articles 44 and 45 of the Law, the Supreme Audit Chamber is required to submit a report on the government's budget execution results to the Parliament every year and is required to receive a report on the budget execution results from the government and submit its opinions (Government of Kazakhstan, 2015[2]).
Article 29 of the Law gives the external audit body more specific powers in relation to budget procedures. These provisions provide useful opportunities to incorporate internal control and audit findings into the budget. To further strengthen these procedures, and following good practices in OECD countries such as Korea (Box 5.6), the Supreme Audit Chamber and audit commissions could carry out a subsequent assessment during the state audit of the implementation of the law on the budget for the reporting fiscal year. Such an assessment could help determine the compliance of the actual indicators of budget execution with the indicators approved by the relevant law on the budget, and the completeness and timeliness of the execution of budget indicators, annual reports on budget execution, and budget reporting of budget administrators’ programmes. Its purpose would be to establish the legality of budget execution, the reliability of accounting and reporting, and the efficiency of the use of budget funds and state assets.
Box 5.6. Korea’s “Budget Reflection Council”
The "Budget Reflection Council" held annually by the Board of Audit and Inspection of Korea (BAI) with the Ministry of Economy and Finance and the Ministry of the Interior and Safety is a good example of how the SAI can contribute to the government budgeting process. Through this council, BAI delivers the audit results that need to be reflected in budget decisions or can be used as a reference by the budget authority, and exchanges opinions on measures to prevent recurrence. These councils are mutually beneficial in that budget authorities save the time and resources of going through numerous audit reports themselves, and the SAI improves the impact of its audit results. Such consultations do not necessarily have to be statutory-based and may be held through mutual agreement between the SAI and the budget authority. BAI, the Ministry of Economy and Finance, and the Ministry of the Interior and Safety have been holding this meeting through mutual agreement since 2004.
Source: BAI (2022[19]), BAI Highlights Annual Report 2021, https://www.bai.go.kr/proactive/ebook/baiengbook/BAI.vol1/content/index.html.
An audit begins with a risk analysis but ends with a follow-up and evaluation of the results of implementing the recommendations. INTOSAI includes follow-up to audit recommendations as an integral part of the audit process. Follow-up monitors whether the audited entity is taking appropriate action on issues raised in the audit, and additional audits may be required if audit recommendations are not fully implemented (INTOSAI, 2019[26]).
Kazakhstan has a well-established legal framework for the follow-up of audit findings. According to the Rules for External State Audit and Financial Control (Normative Resolution of the Accounts Committee for Control over the Execution of the Republican Budget dated 30 July 2020), once the audit recommendations are finalised, the audited entity should establish implementation plans, periodically monitor their implementation and report to the Supreme Audit Chamber or the Audit Commission. The Supreme Audit Chamber or Audit Commission evaluates the implementation results and posts them to the Integrated Information System (IIS). The results of the monitoring are reported quarterly to the President and Parliament of Kazakhstan, and an annual report is produced to help prevent violations. This is encouraging: insights from the OECD Public Integrity Indicators show that where the implementation of internal audit recommendations is measured, recommendations are generally implemented (OECD, 2024[27]).
In addition to its current follow-up mechanism, the Supreme Audit Chamber could also improve the implementation of its audit recommendations by adopting the following approaches.
Dialogue with audited entities: engage in dialogue with audited entities to ensure that the recommendations are properly understood, and to discuss any obstacles to implementation.
Reporting: report on the status of implementation of audit recommendations, including any areas where progress has been made, as well as any issues that remain unresolved.
Capacity building: provide capacity building support to audited entities to help them address the issues identified in audit recommendations, such as providing training or technical assistance.
Collaboration: collaborate with other stakeholders, such as parliamentarians or civil society organisations (CSOs), to advocate for the implementation of audit recommendations and to increase public pressure on audited entities to take action.
Utilising digitalisation for auditing
Digitalisation requires governments to innovate, moving away from the status quo and promoting more responsive, accountable, agile and efficient operations. This change entails fostering a culture of innovation that allows employees and organisations to experiment, learn and develop. As public sector culture evolves to meet changing needs and enhance flexibility and productivity, all stakeholders need to remain aware of the ever-evolving risks. Because digitalisation is data-driven, it pushes governments to make better use of their data, which involves improving and developing methodologies for data collection, collation, analysis and dissemination.
Digitalisation also provides important opportunities for public sector auditing (OECD, 2024[28]). Many SAIs acknowledge the advantages of employing technology to enhance their audit quality and influence. The COVID-19 pandemic amplified this advantage: SAIs that already had technological capabilities were able to fulfil their duties efficiently. As governments progress in their use of technology, build more advanced systems and explore tools such as artificial intelligence and data analytics, it is crucial that SAIs also equip themselves sufficiently to provide the necessary oversight.
The United States’ Government Accountability Office (GAO), Australian National Audit Office (ANAO), European Court of Auditors (ECA), and the National Audit Office of the United Kingdom (NAO) have all increased their capacity in science and technology analysis to better meet the growing need for information on these issues. The GAO, for example, established a new science, technology assessment, and analytics team to support lawmakers on topics such as artificial intelligence and quantum computing. Similarly, the ANAO created its Systems Assurance and Data Analytics Group to increase the quality and productivity of its audit work. The ECA has established the ECALab to explore new ideas in audit and the NAO has invested in its in-house IT capability to make greater use of technology in its audit work. These institutions are increasingly using sophisticated IT-based methods and analytics for specific audit purposes (World Bank, 2021[29]).
In Kazakhstan, the Supreme Audit Chamber is currently aiming to minimise on-site audits and reduce in-person involvement through digitalisation. The SAC has built an information system capable of remotely collecting audit evidence and is using it to analyse public procurement plans and budget execution status. The SAC aims to expand its use of data analytics and to reduce field audits.
The Supreme Audit Chamber could reinforce its legislative framework, institutional and technical capacities to seize the potential of IT-based audits
Despite all the opportunities and advantages of using digital technologies in audit, SAIs encounter three primary hurdles when adapting to the increasingly advanced IT resources available for auditing governments and other public entities:
devising techniques and procedures to audit fast-evolving digitalisation in government, such as cloud-based accounting, management information systems, and the growing digitalisation and automation of government and public sector processes
capitalising on the opportunities that IT offers for conducting more efficient audits, and developing audit procedures that amplify an SAI's effectiveness and result in more consequential audit outcomes
securing the resources, experience and expertise necessary to develop, implement and utilise audit data analytics and IT-based audit tools and procedures.
Based on the experiences of the peer SAIs mentioned above, the Supreme Audit Chamber could undertake the following actions to enhance its IT-based audit capacity:
establishing an IT-based audit strategy and roadmap at the organisational level
fostering organisational culture change and securing leadership support for IT-based audits
setting up a dedicated department, or operating a task force, to develop and support IT-based audits
recruiting and training IT audit specialists
providing training programmes tailored to the level of auditors' experience
acquiring the equipment needed for IT-based audits, such as remote meeting equipment and data analysis and management systems
establishing a legal basis and an information protection framework for IT-based audits.
Kazakhstan should consider setting data protection requirements for auditors
As government organisations become more interconnected and share more resources, ensuring data security, privacy and accessibility becomes more complex. Hence, the urgency for these organisations to implement robust information security measures is growing. When auditors access, store or process this information for audit tasks, the same level of information security risk applies to them and must be managed just as thoroughly.
The absence of a well-established information security programme can expose an organisation to increased risk. This could jeopardise the organisation's operations, its ability to meet its overall objectives, and its reputation. As the potential, complexity, and role of IT expands, information security becomes increasingly critical in IT audits. It is an essential aspect of an organisation's operations because vulnerabilities in information security can lead to significant harm. Potential impacts of these weaknesses can include (INTOSAI, 2022[30]):
violations of legal and regulatory requirements
fines, compensations, reduced sales, and costs for repairs or restorations
decreased effectiveness or efficiency in a project, programme, or service provided by the organisation
loss or theft of computer resources, assets, and funds
unauthorised access to, and the disclosure, modification or destruction of, sensitive information
hacking and potential ransom demands
disruption of operations supporting critical infrastructure, national defence, or emergency services
damage to the organisation’s reputation or finances due to incidents
use of computer resources for unauthorised purposes or to launch attacks on other systems
damage to networks and equipment.
In this regard, the Data Protection Statement of the European Court of Auditors (ECA) provides an example of how auditors process personal data when working on audits, reviews and opinions. The statement describes how the ECA processes and protects personal data as part of its work, particularly in terms of i) requesting and collecting data and information; ii) analysing the data and information collected; and iii) reporting on the results of its work. Furthermore, the statement clearly sets out the following key aspects of data protection (European Court of Auditors, n.d.[31]):
responsibility for handling data
rules that govern the use of personal data
the auditors’ right of access to information and its legal basis
sources of personal data (directly collected by auditor from the data owner, or obtained from an auditee or another party)
types of personal data to be processed
purpose of data collection
duration of data archiving
the staff or parties who have access to the data
security measures to safeguard the data
data owner’s rights and contact information.
In addition to the general data protection statement, the document also includes data protection statements for remote meetings, as shown in Table 5.1, which could be considered by the Supreme Audit Chamber of Kazakhstan for remote audit meetings.
Table 5.1. ECA’s personal data protection in remote meetings
When you attend meetings remotely or ask for interpreting services, additional data protection statements apply, depending on the third party ('data processor') used:

| Scenario | Applicable statement |
|---|---|
| a) | Remote meetings using Microsoft Teams: |
| b) | Remote meetings using Microsoft Teams and Interactio. When meetings are held remotely, the audit team may choose (depending on language and communication needs for the purposes of the task) to use the interpreting services offered by Interactio. |
Source: European Court of Auditors (n.d.[31]), Data Protection Statement-General.
Summary of recommendations
| Issue | Recommendation |
|---|---|
| Ensuring an effective internal control system | The Committee on Internal State Audit could develop practical guidelines and clarify roles and responsibilities to effectively implement its internal control system. |
| Integrating risk management into the internal control system | Kazakhstan could enhance corruption risk management by effectively using its analysis of corruption risks. |
| | Kazakhstan could improve compliance and programme performance through enhanced risk management for daily operations. |
| Ensuring an effective internal and external audit system to improve internal control | The Committee on Internal State Audit could ensure its central co-ordination of internal audit leverages the available resources to strengthen oversight and enable a cohesive response to integrity risks. |
| | The Supreme Audit Chamber could enhance the implementation of external audit recommendations to increase the effectiveness of the internal state audit system. |
| | The Supreme Audit Chamber could improve its annual audit planning process based on clear audit selection criteria and risk analysis tools. |
| | The Supreme Audit Chamber could enhance communication with civil society to build trust by citizens and increase its impact. |
| | The Supreme Audit Chamber and budget organisations could enhance co-operation and establish a centralised tracking system to support implementation of audit recommendations. |
| Utilising digitalisation for auditing | The Supreme Audit Chamber could reinforce its legislative framework, institutional and technical capacities to seize the potential of IT-based audits. |
| | Kazakhstan should consider setting data protection requirements for auditors. |
References
[11] Australian Government (2018), Risk Management Toolkit - Element 8: Risk Management Capability, Australia Ministry of Finance, https://www.finance.gov.au/government/comcover/risk-services/management/risk-management-toolkit/element-8-risk-management-capability (accessed on 13 December 2022).
[19] BAI (2022), BAI Highlights Annual Report 2021, Korean Board of Audit and Inspection, https://www.bai.go.kr/proactive/ebook/baiengbook/BAI.vol1/content/index.html (accessed on 30 November 2022).
[4] COSO (2013), Guidance - Internal Control - Integrated Framework Principles, Committee of Sponsoring Organizations, https://www.coso.org/guidance-on-ic.
[31] European Court of Auditors (n.d.), Data Protection Statement-General.
[22] EUROSAI (2014), Sharing Good Practices among Supreme Audit Institutions, European Organization of Supreme Audit Institutions.
[8] Government of Kazakhstan (2025), Budget Code of the Republic of Kazakhstan, https://zan.kz/ru/Document/Detail?ngr=K2500000171&langId=2&dateEdition=2025-03-15&SearchText= (accessed on 3 June 2025).
[3] Government of Kazakhstan (2022), Anti-Corruption Policy Concept of the Republic of Kazakhstan for 2022-2026, https://www.gov.kz/memleket/entities/anticorruption/documents/details/412521?lang=en.
[13] Government of Kazakhstan (2015), Law on Combating Corruption of Republic of Kazakhstan, https://adilet.zan.kz/rus/docs/Z1500000410 (accessed on 8 December 2022).
[2] Government of Kazakhstan (2015), Law on State Audit and Financial Control, https://adilet.zan.kz/eng/docs/Z1500000392 (accessed on 30 January 2025).
[10] IIA (2022), Applying the Three Lines Model In the Public Sector, Institute of Internal Auditors, https://www.theiia.org/globalassets/site/content/articles/applying_the_three_lines_model_in_the_public_sector.pdf (accessed on 30 November 2022).
[9] IIA (2020), The IIA’s Three Lines Model, Institute of Internal Auditors, https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf.
[30] INTOSAI (2022), WGITA-IDI Handbook on IT Audit for Supreme Audit Institutions, Working Group on IT Audit, International Organization of Supreme Audit Institutions.
[26] INTOSAI (2019), ISSAI 100 Fundamental Principles of Public Sector Auditing, International Organization of Supreme Audit Institutions.
[5] INTOSAI (2004), Guidelines for Internal Control Standards for the Public Sector, International Organization of Supreme Audit Institutions, https://www.issai.org/pronouncements/endorsed-as-intosai-gov-9100/.
[21] INTOSAI IDI (2021), Global SAI Stocktaking Report 2020, International Organization of Supreme Audit Institutions Development Initiative.
[17] Ministry of Finance (2015), Model Regulation on Internal Audit Services, Ministry of Finance of the Republic of Kazakhstan, https://adilet.zan.kz/rus/docs/V1500012544 (accessed on 30 November 2022).
[23] Netherlands Court of Audit (n.d.), Contract Management in Relation to DBFMO Projects, http://iniciativatpa.org/wp-content/uploads/2014/09/reports-netherlands.pdf.
[6] OECD (2025), The OECD Public Integrity Indicators, https://oecd-public-integrity-indicators.org/indicators/1000055/subindicators/1000361 (accessed on 27 May 2025).
[27] OECD (2024), Anti-Corruption and Integrity Outlook 2024, OECD Publishing, Paris, https://doi.org/10.1787/968587cd-en.
[28] OECD (2024), Enhancing auditing of public service continuity plans in Poland: Best practices for internal audit functions, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/e9c682b7-en.
[16] OECD (2024), “Enhancing co-operation between internal and external auditors: Towards a well-co-ordinated and strengthened public sector audit to ensure public accountability”, OECD Public Governance Policy Papers, No. 67, OECD Publishing, Paris, https://doi.org/10.1787/0d4976ed-en.
[7] OECD (2020), OECD Public Integrity Handbook, OECD Publishing, Paris, https://doi.org/10.1787/ac8ed8e8-en.
[24] OECD (2019), OECD Good Practices for Performance Budgeting, OECD Publishing, Paris, https://doi.org/10.1787/c90b0305-en.
[20] OECD (2018), “Using Risk Assessment in Multi-year Performance Audit Planning”, OECD Public Governance Policy Papers, No. 53, OECD Publishing, Paris, https://doi.org/10.1787/bc8b7a21-en.
[15] OECD (2017), OECD Integrity Review of Mexico: Taking a Stronger Stance Against Corruption, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264273207-en.
[1] OECD (2017), Recommendation of the Council on Public Integrity, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0435.
[25] OECD (2016), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264263871-en.
[14] OECD (2013), OECD Integrity Review of Italy: Reinforcing Public Sector Integrity, Restoring Trust for Sustainable Growth, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264193819-en.
[12] OECD (n.d.), OECD Public Integrity Indicators, OECD, Paris, https://oecd-public-integrity-indicators.org/ (accessed on 1 December 2023).
[18] Supreme Audit Chamber of Kazakhstan (2016), Procedural Standards of External State Audit and Financial Control.
[29] World Bank (2021), Supreme Audit Institutions’ Use of Information Technology Globally for More Efficient and Effective Audits, World Bank, Washington, DC, https://documents.worldbank.org/pt/publication/documents-reports/documentdetail/461071634537328252/supreme-audit-institutions-use-of-information-technology-globally-for-more-efficient-and-effective-audits.