This chapter provides a diagnostic assessment of the internal control landscape in Finland, drawing on insights from interviews, document analysis, a survey of internal control stakeholders in Finland, and analysis of the “Effectiveness of internal control and risk management” dataset of the OECD Public Integrity Indicators.
Strengthening Internal Control and Risk Management in Finland
1. Diagnostic of the internal control system in Finland: Fostering integrity and excellence in public sector operations
Introduction
This diagnostic chapter provides a review of the internal control function arrangements in the public sector (i.e. the Central Government level) of Finland, taking into consideration the inherent importance of internal control in the operations of public life and the government administrations.
The following section of this chapter presents the background to the internal control system, focusing on the environment and governance of internal control at the Central Government level of Finland, as well as outlining the responsibilities and capabilities of internal control stakeholders to support the implementation of relevant internal control policies and practices. The third and fourth sections outline the key support and assurance roles, i.e., risk management and internal audit functions, necessary for the effectiveness and efficiency of the internal control framework. The fifth section presents the government-wide co-ordination and monitoring responsibility, namely the central harmonisation function, as well as the related roles.
This diagnostic chapter identifies challenges and areas for improvement in Finland’s internal control and risk management systems, laying the groundwork for actionable recommendations in the following chapter. While recommendations draw on OECD standards and international good practices to guide reforms, their implementation will be adapted by Finnish stakeholders to align with national priorities and systems, ensuring that the reforms are tailored for more effective and context-specific outcomes.
Methodology
The key findings and insights highlighted in this chapter are drawn from several sources, including the results of the online interviews and discussions with key stakeholders (11 meetings in April 2024 with more than 30 stakeholders and 10 different groups), the desk research and analysis results of the “Effectiveness of Internal Control and Risk Management” dataset of the OECD Public Integrity Indicators (hereafter referred to as “Internal Control and Risk Management”), which reflects Principle 10 of the OECD Recommendation on Public Integrity (2024[1]). The OECD experts in co-operation with the Finnish Ministry of Finance, i.e., the Government Financial Controller’s Function (Ministry of Finance, n.d.[2]; n.d.[3]), analysed a survey of risk management stakeholders in Finland to gather their perceptions, experiences and suggestions for improving internal control environments. The survey, tailored to the Finnish Central Government and legal context, was conducted anonymously from January to February 2024, as a first follow-up of the previous risk management survey carried out in 2019 (Ministry of Finance, 2019[4]) by the Advisory Board on Internal Control and Risk Management (Ministry of Finance, 2021[5]), inviting all relevant stakeholders working in the public sector (central government level) to participate. 54 managers and internal auditors from the central administration responded voluntarily. The main results of the survey are presented in Annex 1.A. Analysis results of the relevant OECD Public Integrity Indicators for Finland are presented in Annex 1.B.
OECD Public Integrity Indicators
Following the adoption of the OECD Recommendation on Public Integrity in 2017 (OECD, 2017[6]), a Task Force of nine members from the Working Party of Senior Public Integrity Officials (SPIO, renamed to PIAC for Public Integrity and Anti-Corruption) developed the Public Integrity Indicators to measure the effective implementation of this recommendation. These indicators complement the OECD Public Integrity Handbook, providing policymakers and practitioners with data-driven insights into the preparedness and resilience of public integrity systems in preventing corruption, mismanagement, and waste. The framework, validated for piloting in 2019 and enhanced through expert consultations in 2020, enables evidence-based evaluations of anti-corruption reforms without ranking countries. Instead, it identifies actionable steps to strengthen integrity systems across executive, legislative, and judicial branches. Since 2021, three datasets have been released, covering principles related to strategic frameworks (P3), accountability in policymaking (P13), and internal control effectiveness (P10). These datasets assess regulatory and practical quality while capturing decentralised processes such as internal audits and risk management. Published data is accessible via the OECD Public Integrity Indicators Portal (OECD, 2024[1]) and informs relevant OECD publications, including economic surveys and integrity reviews.
Accordingly, the diagnostic chapter references the most relevant OECD Public Integrity Indicators, with a focus on those under Principle 10 “Internal Control and Risk Management”. These indicators are based on internationally recognised internal control and audit standards (such as COSO, INTOSAI, IIA, and ISO), as well as good international practice. The analysis of Finland's P10 data, completed in November 2023 and described below, has proven both timely and instrumental in drawing well-founded conclusions for this diagnostic. Moreover, the established relevance of the OECD Public Integrity Indicators makes their application to Finland’s administrative culture and practices particularly well-suited to provide meaningful and actionable insights.
Finland has been a key participant in the development of these indicators and has a delegate contributing to the Task Force on Public Integrity Indicators, alongside representatives from other countries, including Chile, France, Greece, and the United States. This collaboration has ensured that the criteria reflect not only international standards but also the practical realities of diverse administrative systems, including Finland's. By focusing on both regulatory safeguards (de jure) and their practical implementation (de facto), the indicators provide a balanced analysis of Finland's internal control, audit, and risk management frameworks. The data collection process, involving a wide range of public officials and institutions across Finland's executive and legislative branches, ensures the analysis is grounded in robust, primary data. Further, validation through interviews, surveys, and expert consultations regarding this diagnosis has confirmed that both the Principle 10 criteria and analysis results align with Finland's administrative culture, offering a reliable foundation for supporting national development efforts and enhancing public internal control and risk management systems.
Stakeholder consultations
The OECD engaged in discussions with Finland's Ministry of Finance regarding the diagnostic recommendations and conclusions, which are essential for developing the action plan and subsequent outputs. In co-ordination with the Ministry, the OECD proposed potential development priorities. In March 2024, during meetings at the OECD and subsequent online discussions, feedback and advice were gathered from the Ministry of Finance. Later, in July and August 2024, the Ministry consulted with country stakeholders and members of the Advisory Board on Internal Control and Risk Management to review and provide feedback on the draft diagnosis and its findings. Figure 1.1 shows that Finnish stakeholders recognise all OECD identified development areas as important, with “Ensuring Internal Audit Independence” and “Building Managerial Awareness” ranked as the highest priorities.
The range of rankings, from 3.2 to 6.5, reflects a moderate spread in stakeholder prioritisation of the OECD's key findings. This range suggests that, while all areas are recognised as important (with no scores below 3.2), there is a clear distinction in perceived urgency or value among them. The relatively high maximum score of 6.5 indicates strong consensus around certain top-priority areas, such as “Ensuring Internal Audit Independence”. Meanwhile, the lower end, at 3.2, shows that some recommendations are seen as less critical but still valuable, reflecting prioritisation rather than dismissal. This spread enables Finland to focus on the highest-impact areas while acknowledging that all areas require some level of attention, and to concentrate on implementing the recommendations in areas that matter most.
Prioritising the findings among respondents is vital to ensure the report focuses on the most relevant and pressing issues for the country. Actively involving stakeholders in this process by the Ministry of Finance fosters a sense of ownership and increases the likelihood that the recommendations will be effectively implemented, as they address the key concerns of those directly engaged. Such an approach also provides stakeholders with an opportunity to share their perspectives on the relevance and importance of further development needs.
Figure 1.1. Stakeholder prioritisation of the OECD diagnostic findings for strengthening Finland's internal control framework
Note: The numbers (1-9) assigned to each development area in the chart represent the sequence in which these areas were identified by the OECD in its diagnostic assessment. They do not reflect the prioritisation or ranking. A reference to the country-wide reporting mechanism (3) is limited to the government-wide level only. Reference to establishment (2) relates to enabling and comprehensive development efforts.
Source: Data provided by the Ministry of Finance, Finland (2024).
Leveraging internal control to build integrity
Good public governance ensures transparency, fostering public trust and confidence, and allowing leaders to oversee activities more thoroughly and exercise more effective control (IIA, 2022[7]). A contemporary view of the internal control role, extending beyond compliance-oriented approaches, recognises the broader value that the function can add to an organisation. Organisations and their governance with an effective internal control system matter for productivity, the investment climate and spending efficiency government-wide. Internal control and risk management stakeholders should ensure accordingly that their efforts add value not only to individual organisations but also to the public at large. Moreover, high-level commitment raises awareness of integrity risks, fosters a government-wide vision of internal control, and enhances the implementation of control activities (OECD, 2020[8]). Nevertheless, the implementation gap in OECD countries’ integrity frameworks, where regulations and policies are not being implemented in practice, is significant (Figure 1.2) (OECD, 2024[9]).
The internal control function has significant potential to assist governments in addressing integrity challenges and can reliably ensure the achievement of the organisation's mission and objectives. In recent years, the internal control function in the public sector and its expectations have evolved significantly, driven by increased regulatory requirements, technological advancements, and a shift towards risk-based approaches. An enhanced system-based approach, integration with performance management, and fraud prevention measures have become key focus areas. Additionally, incorporating sustainability and resilience considerations, alongside heightened transparency and accountability, reflects a comprehensive approach to modernising internal control systems, ensuring they effectively mitigate risks and support optimal public sector performance (OECD, 2024[1]; 2020[8]).
Figure 1.2. Strength of regulations and their application in practice in OECD countries
Source: OECD (2024[9]), Anti-Corruption and Integrity Outlook 2024, https://doi.org/10.1787/968587cd-en.
The OECD Anti-Corruption and Integrity Outlook reports that, across OECD countries, regulations on risk management and internal control address fraud and corruption risks in most cases. 70% of countries (including Finland) have issued guidelines on fraud and corruption prevention as part of their internal control systems, and 71% explicitly address these risks in their risk management framework (Figure 1.3) (OECD, 2024[9]).
Figure 1.3. Countries addressing fraud and corruption in their internal control framework
Note: The inner circle is based on whether guidelines on fraud and corruption prevention are available as part of internal control processes. The outer circle is based on whether public integrity risks are explicitly addressed in the risk management framework.
Source: OECD (2024[9]), Anti-Corruption and Integrity Outlook 2024, https://doi.org/10.1787/968587cd-en.
In public sector organisations, implementing an internal control framework and related risk management is crucial for maintaining public integrity, enhancing transparency, mitigating risks, ensuring fiscal responsibility and improving overall governance and operational efficiency. Effective internal control and risk management policies and procedures decrease the likelihood of fraud and corruption while ensuring that governments function efficiently to deliver programs that benefit citizens. These policies and procedures ensure value for money and support informed decision-making (OECD, 2020[8]).
A more systemic understanding of what is effective and efficient is critical to addressing long-term and complex economic, social and environmental policy challenges. Effectively selecting the policy tools that bring value-for-money, and making strategic decisions, is not an ad hoc process and should involve consideration of evidence and analysis. However, in a resource-constrained environment, governments can face challenges in implementing a broader vision in the face of cross-governmental initiatives and varying policy priorities (OECD, 2016[10]).
The insights and challenges outlined in this report follow a theory of change based on internal control system requirements and a blend of relevant practices. This is connected to the challenge faced by many countries: transitioning from a reactive, compliance-based culture to a proactive culture of integrity aimed at systemic effectiveness and efficiency (OECD, 2020[11]). Such a culture consistently upholds and prioritises the public interest, providing reasonable assurance that adds value to public sector organisations and promotes the public good. This theory of change could employ a multi-directional approach at both systemic and technical levels to drive sustained improvements in Finland’s efforts to maintain an effective internal control function.
Overview
Since the 1990s, the internal control of central government finances of Finland has undergone significant reform. Budget statutes defined internal control as a responsibility of top management, making it integral to management, risk management, performance management, and accountability systems. By the early 2000s, basic requirements for internal control were included in budget statutes, but guidance and uniform policies were lacking (EC, 2014[12]).
In 2003, accountability reform further emphasised the importance of internal control, redefining criteria for accountability and performance, and merging financial reports for presentation to Parliament. Financial reporting structures were clarified, and an obligatory declaration on internal control and risk management was included. A government financial controller function has been created to ensure accurate reporting and internal control of government finances and to implement some of the central co-ordination of public internal control and audit roles (Ministry of Finance, n.d.[13]). Additionally, an advisory board on internal control and risk management and an internal audit function were established to co-ordinate and develop internal control and internal auditing (EC, 2014[12]).
According to the OECD, levels of public trust in Finland are currently among the highest in OECD countries (Figure 1.4). Nevertheless, there have been indications of a slow but steady decline of trust in government since 2007, alongside slower economic growth and comparatively low levels of productivity, i.e. by 2019, trust in government had declined by 12 percentage points from 76% in 2007. Addressing these challenges, including significant issues like climate change, biodiversity loss, and socioeconomic transformations (e.g., ageing populations, societal diversification, increasing wealth inequality), will necessitate both citizen support and trust (OECD, 2021[14]).
Based on Figure 1.4, it is evident that a significant portion of Finnish citizens feel that their government considers the interests of all citizens to some extent. However, to enhance this perception and further strengthen public trust, Finland should continue to develop its internal control framework. By doing so, the government can improve transparency, accountability, and effective decision-making in public administration. Strengthening these areas will help mitigate risks and ensure that the interests of all citizens are consistently prioritised in governance.
Figure 1.4. People’s perception that the government takes into account the interests of all citizens
How much would you say that the government in your country takes into account the interests of all citizens?
Source: OECD (2021[14]), Drivers of Trust in Public Institutions in Finland, https://doi.org/10.1787/52600c9e-en.
With increasing natural and human-made threats over the past decade, long-term planning and risk management have become essential government functions, although they are not yet universally institutionalised. To reinforce resilience in Finland, similar to challenges faced by other countries, several key aspects are crucial: Finland’s public sector has to continue building structures and capacities to influence socio-economic changes, develop actionable visions for a desirable future, and maintain high levels of trust. Additionally, foresight approaches should be systematically integrated into government decision-making and followed by appropriate responses (OECD, 2021[14]).
In this context, understanding the concerns of Finnish citizens is crucial, particularly those who may feel excluded. In 2019, health and social security (48%) and the environment and climate change (35%) were the top issues for Finnish people, far surpassing concerns about unemployment (15%), pensions (8.7%), or crime (2.8%) (Figure 1.5) (OECD, 2021[14]). Although addressing it (and the COVID-19 crisis) was the most urgent public policy challenge (Ministry of Social Affairs and Health, n.d.[15]; DG EMPL, n.d.[16]),¹ understanding and monitoring such concerns is crucial from the internal control perspective to ensure that public policies are implemented and resources are allocated effectively and fairly, addressing potential gaps and vulnerabilities in governance.
According to the Ministry of Finance's December 2022 outlook review (Finnish Government, 2023[17]), the current structure of Finland’s general government finances, established under more favourable demographic and economic conditions, may not be sustainable in the medium to long term. Significant adjustments in spending and revenue are required to ensure sustainability, as well as regular reviews of spending, structures, and expenditures (EC, 2023[18]). Over the past decade, general government contingent liabilities surged to 27.1% of GDP by 2020, the highest in the EU. The National Audit Office of Finland² noted significant variability in the risk levels of contingent liabilities and emphasised the need to limit overall risk exposure to government finances rather than setting numerical ceilings by instrument category. They recommended justifying any increase in contingent liabilities, conducting comprehensive risk assessments before commitments, submitting regular risk position reports, and setting limits on permissible risk to reduce total risk (OECD, 2022[19]).
Figure 1.5. The most important issues facing Finland in 2019
Source: OECD (2021[14]), Drivers of Trust in Public Institutions in Finland, https://doi.org/10.1787/52600c9e-en.
Moreover, after a decline in 2021, the general government structural budget deficit rose by 0.6 percentage points to 1.4% of GDP in 2022, despite ending most COVID-19 support measures, and is projected to reach around 2% of GDP in 2023 and 2024 (Figure 1.6). The structural budget deficit over the projection period was around 1.8% of the potential GDP higher than before the pandemic (OECD, n.d.[20]; 2022[19]).
Figure 1.6. The structural budget deficit remains relatively large in Finland
General government, % of GDP
1. Cyclically-adjusted net lending, per cent of potential GDP.
Source: OECD (2022[21]), Economic Outlook (database), OECD, Paris.
Effective internal control systems and sound governance practices are important for mitigating structural budget deficits and ensuring economic stability. In essence, internal control systems play a critical role in ensuring that expenditures are justified, risks are managed appropriately, and budgetary and other strategic objectives are met. They also provide a framework for accountability and oversight, essential for maintaining fiscal discipline and addressing inefficiencies.
Key findings
Research and interviews carried out for this report showed a consensus amongst the majority of stakeholders that, although regulation or guidance has evolved, actual implementation needs to be strengthened. Furthermore, while the Ministry of Finance has broadly promoted public internal control and risk management knowledge, the implementation of internal control, risk management and internal audit functions is not receiving the recognition it deserves for its value, nor is it being treated with equal importance across government. Despite the growing number of good risk management initiatives and co-ordination at the Central Government level, managerial awareness and accountability are still perceived to be one of the major development areas for obtaining effective internal control functions. Furthermore, comprehensive central co-ordinating and monitoring actions are necessary to address systemic and institutional weaknesses that could facilitate the internal control system and related practices in the first place.
According to the OECD Anti-Corruption and Integrity Outlook: Country Fact Sheet 2024, despite the robust strategic planning and oversight by the Ministry of Justice and the National Audit Office of Finland, including the overall good progress in strategy and institutions on anti-corruption and public integrity, Finland needs considerable improvement in the implementation of corruption risk management, audit and internal control areas (Figure 1.7) (OECD, 2024[22]).
Figure 1.7. Overview of the strategy and institutions on anti-corruption and public integrity
Source: OECD (2024[22]), Anti-Corruption and Integrity Outlook 2024 – Country Notes: Finland, https://www.oecd.org/en/publications/anti-corruption-and-integrity-outlook-2024-country-notes_684a5510-en/finland_efb29cf6-en.html.
Measured against OECD standards on internal control, risk management and internal audit, Finland meets 60% of regulatory criteria but only 5% of practical criteria, compared to OECD averages of 67% and 33%, respectively (Figure 1.8).
While Finland has guidelines on fraud and corruption prevention, managerial responsibilities, and published standards of conduct for officials, its risk management framework lacks consistency and harmonisation across ministries and agencies due to the absence of a central harmonisation function.³ Despite high implementation rates of internal audit recommendations and full coverage by internal audit regulations, the lack of operational arrangements and standards for internal auditors, coupled with inconsistent external quality assurance, highlights significant implementation gaps (OECD, 2024[22]).
The OECD Recommendation on Public Integrity provides policymakers with a vision for a public integrity strategy, shifting the focus from ad hoc integrity policies to a context-dependent, behavioural, risk-based approach with an emphasis on cultivating a culture of integrity across the whole of society (OECD, 2017[6]). Furthermore, the OECD Public Integrity Indicators (PII) apply a mixed methods approach, drawing on both administrative data and big data provided directly by governments and surveys to measure key aspects of the implementation of the Recommendation (OECD, 2024[1]).
Figure 1.8. Corruption risk management and audit outlook
Source: OECD (2024[22]), Anti-Corruption and Integrity Outlook 2024 – Country Notes: Finland, https://www.oecd.org/en/publications/anti-corruption-and-integrity-outlook-2024-country-notes_684a5510-en/finland_efb29cf6-en.html.
Internal control, risk management and internal audit systems of Finland were assessed in 2023 on PII Principle 10 “Internal Control and Risk Management” (Figure 1.9).
The research and analysis provide a diagnosis of the public internal control system in Finland recognising the key findings and insights that raise the following considerations for Finland looking forward:
The major strengths of the existing internal control system include a robust risk management framework supported by comprehensive government-level guidance and co-ordination and effective central networking facilitated by the Ministry of Finance, which plays a crucial leading and facilitating role. Additionally, the system benefits from a high level of transparency, openness, a strong culture of trust, and the stability of the supervisory environment, providing a degree of predictability even amidst changes in the operating environment. Together, these factors enhance the overall effectiveness and reliability of internal controls. From a whole-of-government perspective, these elements are essential for fostering an integrated and cohesive approach to internal control by enhancing communication, facilitating the sharing of best practices, promoting collective efforts to identify and mitigate risks, and ensuring that internal control systems are robust, reliable, and aligned with broader governance objectives.
Centralised activities in national financial management and other processes also represent a significant strength. This includes shared central government services such as financial and human resources management, Information and Communication Technology services, and other administrative functions. These shared services enable standardised administrative processes and systems, allowing for the efficient use of a common knowledge base in supervision and automation. A key advantage of these shared services lies in their ability to deliver uniform processes and generate consistent, reliable information, which strengthens oversight and enhances operational efficiency.
The major weaknesses include the lack of comprehensiveness and outdated nature of regulations, insufficient managerial awareness, and fragmentation in practice. There are unclear roles and responsibilities, a lack of harmonised and co-ordinated approaches, and inadequate quality assurance and systemic accountability mechanisms. The internal audit function is unregulated, understaffed, and often ineffective in supporting internal control and risk management. There is a lack of harmonised quality assurance, leading to inconsistent internal control and risk management practices. Additionally, advisory boards are underutilised and lack a systemic proactive approach.
Figure 1.9. Effectiveness of internal control, risk management and internal audit in Finland for safeguarding public integrity (2023)
Note: Each line in this figure corresponds to an indicator that composes the OECD Public Integrity Indicators’ Effectiveness of internal control, risk management and internal audit dataset. Indicators are composed either of a specific number of criteria to fulfil (each represented by a circle) or of numerical rates (represented by bar charts). For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
To address these challenges, this report recommends several key measures for improvement:
Harmonising key internal control legislation: There is a need to review the primary internal control regulation to clearly define and standardise key definitions, roles, responsibilities, objectives, and internal audit arrangements. This will ensure a comprehensive and coherent framework that enhances the effectiveness of internal control, promotes the implementation of harmonised internal control policies and accountability, and supports the development of robust internal control systems across the Central Government, making it more precise, co-ordinated, integrated and comprehensive.
Enabling a central harmonisation function and monitoring the quality of the internal control system: The current framework lacks a comprehensive central harmonisation function, regular government-wide reviews and comprehensive data on internal control and audits; organisations are also not required to report their activities to the Ministry of Finance. Thus, the role of the central harmonisation function in stronger government-level co-ordination, analysis, monitoring, and quality assurance is critical for the timely development of internal control and audit systems.
Advancing the development of a comprehensive government-wide reporting mechanism: Central Government organisations are not required by the regulatory framework to report on internal control activities to the central harmonisation function (Ministry of Finance), limiting its ability to monitor, develop, and support internal control and managerial accountability, and resulting in a lack of relevant data to ensure timely feedback on key risks and support targeted, harmonised government-wide developments.
Building managerial awareness: In many Central Government organisations, unclear roles and responsibilities of control and audit functions, compounded by a vague legal framework, lead to misunderstandings about internal control responsibilities, and assurance functions, resulting in the inadequate implementation of internal control and audit responsibilities.
Considering the establishment of the national training scheme: The current practice lacks a training and certification system for new internal control and audit staff and their continuous education, and does not track how many auditors hold national or international certificates; there are no central initiatives to address the shortage of internal auditors or ensure necessary capabilities.
Ensuring internal audit independence: The internal audit function is combined with other management or control functions, but it should be completely separated from internal control duties both in legislation and practice to provide independent, objective support through systematic assessment and consulting services over the governance, risk management and internal control.
Optimising internal audit resources and considering establishing minimum internal audit staffing requirements: The current legal framework does not specify the size of internal audit units, leading to the dominance of small units, often with only one auditor, which is insufficient for effective auditing and meeting independence requirements. The Ministry of Finance could improve this by better grouping internal audit resources and adopting a more centralised approach, where appropriate, to ensure effective, efficient, and economical use of resources.
Fostering assurance practices focusing on systemic assessments of internal control: Though legislation mandates internal audits to systematically assess the adequacy, effectiveness, and efficiency of internal control, in practice, they are often limited to compliance audits and do not fully support managerial accountability or effective internal control and risk management. The Ministry of Finance could leverage existing experiences to promote performance and systems-based auditing, enabling internal auditors to provide comprehensive assurance over internal control systems.
Implementing internal audit quality assurance requirements: Quality self-assessment or external quality assessments are not performed regularly according to the regulations, and the Ministry of Finance (in its central harmonisation role) does not monitor and co-ordinate the implementation of these requirements.
Recommendations and the Action Plan
The diagnosis serves as a baseline for recommendations for designing a strategy and action plan and provides a foundation for developing objectives and priorities of the Ministry of Finance to further strengthen the internal control system (Ministry of Finance, n.d.[23]). The existing references to recommendations provided in the diagnosis are further detailed in Chapter 2 of this report.
Implementing many of the OECD's systemic insights could entail complex changes to current working practices and procedures. Chapter 2 provides detailed recommendations to help senior management prioritise development actions and enhance the internal control system.
These recommendations may necessitate amendments to existing laws and regulations, adjustments to procedures, adequate resource investment, and a deeper understanding of the issues involved. Importantly, the recommendations are not intended to be implemented all at once. They can be introduced step by step over different time frames, enabling a phased and prioritised approach that supports manageable implementation, optimises resource allocation, and allows for the gradual development of capacity.
Internal control environment and governance
Internal control regulatory framework
Finland aims to pursue internal control following the international COSO (n.d.[24]) standards, risk management in accordance with ISO 31000 (ISO, n.d.[25]), and the internal audit function following the standards set by the Institute of Internal Auditors (IIA) (2024[26]). The organisation of internal control is based on the Act and the Decree on the State Budget (Ministry of Finance, n.d.[27]). According to the Act, the implementation of internal control is led by the management, which is also responsible for its appropriateness and adequacy, considering that further continuous development of internal control and internal audit in the public sector is a never-ending process that needs constant support, monitoring, hard work and vigilance (Finlex, 1988[28]).
The OECD Public Integrity Indicator on the regulatory framework for internal control in Finland illustrates the values of regulations on internal control, where the country meets 9 out of 10 criteria (Figure 1.10) (OECD, n.d.[29]). This score surpasses the OECD average, positioning the country as a high performer in this category. The results emphasise Finland's strong adherence to internal control regulatory framework criteria and good practices, highlighting its commitment to maintaining robust governance and internal control systems according to international good practices. The only unfulfilled criterion concerns establishing annual internal control and internal audit reporting activities.
Figure 1.10. Regulatory framework for internal control in Finland
How to read: Finland fulfils 9 out of 10 criteria for the Regulations on internal control indicator. For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
In central government, internal control encompasses a range of procedures embedded within an entity’s operational processes, organisational structures, and methods. These procedures are designed to provide reasonable assurance regarding the legality of operations, the security of funds, operational performance, and the production of true and fair financial and performance information. As mandated by Section 24 b of the Budget Act (Finlex, 1988[28]), government agencies and public bodies are required to establish appropriate internal control arrangements for their operations and activities. Integral to internal control is risk management, which aims to identify, evaluate, and manage potential events that could affect the achievement of an organisation's objectives, which is a fundamental aspect of maintaining effective internal control (Finlex, 1992[30]; Ministry of Agriculture and Forestry, n.d.[31]).
The Act and the Decree on the State Budget are the primary legal acts which set forth the basic responsibilities for different actors within the internal control system and provide a foundation for the existing internal control and internal audit legal framework in the country (Table 1.1).
Table 1.1. Mapping the main legal framework of internal control in Finland
| Title of the legal document | Adopted by | Adoption year |
|---|---|---|
| State Budget Act | Parliament | 1988 |
| State Budget Decree | Ministry of Finance | 1992 |
| Instructions for organising risk management | Ministry of Finance | 2017 |
| Risk management policy | Ministry of Finance | 2018 |
| Assessment framework for internal control | Ministry of Finance | 2018 |
| Guidelines for the internal control assessment framework | Ministry of Finance | 2020 |
| Risk management handbook for central government actors | Ministry of Finance | 2023 |
| Internal control in central government administration | Ministry of Finance | 2024 |
| A model for a government agency's internal control guidelines | Ministry of Finance | 2024 |
| Assessment framework for internal control – UPDATE | Ministry of Finance | 2024 |
Source: Data provided by the Ministry of Finance, Finland (2024).
Interviews with various stakeholders of Finland revealed a few development areas for the existing primary regulation of internal control. They have noted the lack of uniformity in practices and understanding of related principles across administrative sectors, ministries, and agencies, resulting in prevailing inconsistencies. The key concepts are not defined, leading to an unclear link between internal control and risk management activities, with no clear separation of responsibilities of assurance functions. Internal audit often relies on individual skills and remains largely unregulated.
Furthermore, the Risk Management Survey (Annex 1.A) revealed that only 30% of respondents reported that risk management is very visible in an organisation’s management system and actions, and only 57% noted that responsibilities are well-defined in their organisations. The survey data also indicated that risk management is integrated into the common functions of the organisation to varying degrees (see Annex Figure 1.A.10). High integration is observed in the preparation for disruptive situations (92.6%) and the planning and monitoring of operations and finances (77.8%). However, there are areas like the preparation of social policy where integration is much lower, with significant percentages of respondents either not seeing integration or being unsure. Overall, 58.4% of functions are integrated, but there is room for improvement in consistency across different areas.
As noted above, the results of the OECD Public Integrity Indicators (PII) analysis of Principle 10 for Finland on internal control regulatory framework indicate that the regulatory framework of Finland lacks annual internal control and internal audit reporting activities. During the interviews, stakeholders emphasised that annual internal control and internal audit reporting activities are crucial to the internal control regulatory framework because they could provide government-wide evaluations of the effectiveness and efficiency of internal controls. Effectively managed, these reports help identify systemic weaknesses, ensure better compliance, and promote transparency and accountability within the organisation. Regular reporting also facilitates continuous improvement by highlighting areas needing enhancement and tracking progress over time. Additionally, they assure stakeholders that risks are being managed appropriately and that the organisation’s internal controls are robust and reliable. The reporting is discussed in more detail in the fifth section.
Key stakeholders
Key stakeholders for internal control typically include senior management, who are responsible for establishing and maintaining the internal control system; the oversight institutions, committees (board of directors), who provide oversight and governance; risk managers, who identify and evaluate risks and implement controls to mitigate them; internal auditors, who assess and ensure the adequacy and functionality of the internal controls; and external auditors, who provide an independent evaluation of the internal control system's effectiveness and reliability (Box 1.1) (OECD, 2020[8]).
Box 1.1. Role of key internal control institutional stakeholders in Finland
Parliament
Exercises legislative powers and ultimate authority over central government finances.
Oversees government financial management and receives audit reports from the National Audit Office of Finland.
Adopts primary legislation defining management and control principles.
Government (Council of Ministers and ministries collectively)
Submits legislative and budgetary proposals.
Issues decrees regulating management, reporting, and control systems.
Provides strategic direction and oversight across the government.
Reports on the true and fair view of finances and performance.
Ministries (within their administrative domains)
Steer budget execution, policy implementation, and performance management.
Supervise and ensure effective internal control and reporting.
Agencies and institutions
Implement budgets and administrative functions.
Operate internal control systems and prepare performance and financial reports.
Source: Data provided by the Ministry of Finance, Finland (2023).
Top management within each organisation bears the primary responsibility for organising and ensuring the adequacy of internal control, much like they are responsible for achieving organisational objectives. This responsibility involves delegating tasks to various levels within the organisation, where sub-units are held accountable for their operations and associated risk management. According to Section 65 of the Decree, the final accounts report of an accounting office must include an assessment of the adequacy and appropriateness of internal control and related risk management, along with a declaration of its status and key development targets. This assessment should be genuine, systematic, extensive, documented, and approved by management (EU, n.d.[32]).
As a good practice, the establishment of the Advisory Board on Internal Control and Risk Management, operating under the Ministry of Finance, is essential for the interdepartmental co-ordination and development of internal control. The Government appoints the Advisory Board and its members for a three-year term. Chaired by the government controller general with the deputy controller general as vice-chair, the board includes representatives from all ministries, key sector partners, and experts in financial administration, public finances, management, financial supervision, and auditing, as needed (Box 1.2) (Ministry of Finance, 2021[5]; n.d.[13]).
Box 1.2. Main Tasks of the Advisory Board on Internal Control and Risk Management
Monitor and assess the status and procedures of the organisation of internal control and risk management as part of it in central government, methods and general development, as well as the functioning of internal control and the utilisation of procedures in financial and operational steering and management.
Take initiatives to develop internal control and the risk management that is part of it.
Co-ordinate the procedures of different authorities, agencies and bodies in internal control and administrative control of financial management and prepare the necessary measures for this purpose.
Monitor and assess the status of the organisation of internal auditing, the quality and effectiveness of operations, utilisation in management and steering, and the methods and general development of internal auditing, as well as take initiatives to develop internal audit and its utilisation.
Organise co-operation between the internal audit services of different agencies and bodies and, where necessary, co-ordinate the internal audit activities of different agencies and bodies and the utilisation of results.
Monitor and assess the situation of misuse and crimes committed in the activities of government agencies and institutions or against State funds or property, or funds or property for which the State is responsible, and co-ordinate and develop the activities and procedures of different authorities, agencies and institutions therein, as well as the reporting of irregularities and errors.
Collate and disseminate good practices, prepare proposals for recommendations and issue opinions on matters within its sphere of activity.
Source: Finlex (1992[30]), Decree on the State Budget 1243/1992, https://www.finlex.fi/fi/laki/ajantasa/1992/19921243#L9P71.
Most OECD countries, including Finland, have necessary legislation requiring entities in the public sector to implement and monitor internal control and risk management policies. However, it is less common that countries have developed comprehensively the central functions to ensure coherence, methodological harmonisation, quality assurance and necessary oversight regarding the adequate implementation of these requirements throughout public institutions (OECD, 2017[33]; 2020[8]).
As provided in Table 1.2, internal control and risk management in Finland are governed by a diverse set of stakeholders, each contributing to financial accountability, transparency, and governance. The Ministry of Finance serves as the central authority, responsible for developing and implementing budget legislation. Within the Ministry, the Budget Department oversees statutes related to central government financial administration, ensuring their supervision and auditing. The Ministry also houses the Government Financial Controller Function, tasked with improving the quality and accountability of steering and reporting systems for central government finances while guiding and co-ordinating internal control activities. Supporting these efforts, the State Treasury, operating under the Ministry of Finance, manages government borrowing, cash asset investment, and debt risk management, while also issuing regulations on financial and human resource management as outlined in budget legislation.
Table 1.2. Mapping the key internal control and risk management stakeholders in Finland
| Critical stakeholder | Brief role description |
|---|---|
| | The Ministry of Finance is responsible for budget legislation and its development. |
| | The Budget department is responsible for statutes concerning central government financial administration and the supervision and auditing of central government finances and for measures related to their application. |
| | The State Treasury, operating under the Ministry of Finance, is in charge of government borrowing, the investment of cash assets and government debt risk management. According to the budget legislation, the State Treasury has the power to issue regulations on financial and HR management. |
| | The National Audit Office of Finland (NAOF) is an independent Supreme Audit Institution. It operates in affiliation with Parliament, and its role and tasks are laid down in the Constitution of Finland. NAOF performs financial audits, performance audits and compliance audits. It also submits an annual separate report on the final central government accounts for the previous year and on the Government's annual report. |
| Ministry of Finance, Government Financial Controller's Function | The Ministry of Finance has a Government Financial Controller's Function for ensuring and developing the quality and accountability of the steering and reporting system for central government finances and activities. The function guides, co-ordinates and develops the organisation of internal control. |
| | The Advisory Board on Internal Control and Risk Management operates in connection with the Government Financial Controller's Function. Provisions on the tasks of the Advisory Board are laid down in the State Budget Decree (section 71). |
| | The Advisory Board may have divisions for the preparation of matters to be dealt with by the Advisory Board. The Advisory Board may delegate the task assigned to it to the sub-committee. |
| | The Prime Minister’s Office supports the Prime Minister and the Government in the planning of Government matters and related decision-making. Prime Minister’s Office co-ordinates the ministries’ joint foresight activities. It is also responsible for joint preparation of the annual report of the Government. |
| | Ministry of Justice co-ordinates the anti-corruption work. It supports the anti-corruption work of different authorities and co-ordinates the anti-corruption co-operation network. |
| Audit Committee (Parliamentary) | The principal task of the Audit Committee is to oversee the management of government finances and compliance with the budget. In this task the Committee concentrates on the general state and management of government finances as well as on issues of which the Parliament ought to be informed. |
Source: Data provided by the Ministry of Finance, Finland (2024).
Independent oversight is provided by the National Audit Office of Finland (NAOF), the Supreme Audit Institution reporting to Parliament. NAOF conducts financial, performance, and compliance audits and submits annual reports on central government accounts and governance. The governance of internal control and risk management is further supported by the Advisory Board on Internal Control and Risk Management, operating under the Government Financial Controller Function. This Board, established by the State Budget Decree, co-ordinates internal control and risk management activities and delegates specific tasks to its Risk Management Sub-Committee and Internal Audit Sub-Committee. Additionally, the Prime Minister’s Office co-ordinates joint foresight activities across ministries and prepares the Government's annual report, while the Ministry of Justice leads anti-corruption efforts and facilitates the anti-corruption co-operation network. The Audit Committee of Parliament provides legislative oversight by monitoring the management of government finances and ensuring budget compliance.
Effective internal control and risk management policies rely on many actors at governmental, institutional and individual levels. Clearly defining the role of each actor is therefore key. Box 1.3 provides an example of the primary legal framework of Lithuania (Republic of Lithuania, 2002[34]). At the government level, public sector standards bodies, for example, ensure that government-wide internal control and risk management policies are consistent and harmonised. At the organisational level, internal control policies provide management with reasonable assurance that the organisation is achieving its integrity objectives and managing its risks effectively. Finally, at the individual level, many standards call for the personal commitment of public officials to integrity and compliance with codes of conduct (OECD, 2020[8]).
Box 1.3. Key responsibilities in the Lithuanian Internal Control Framework
Participants of internal control and their remit (Article 7)
1. Participants of internal control of a public legal person shall be the head of the public legal person, the staff supervising the implementation of internal control and internal auditors.
2. The head of a public legal person, acting in the area of internal control, shall:
Ensure the provision in the public legal person of internal control including the elements referred to in Article 6 “Elements of Internal Control” of this Law and meeting other requirements set for internal control in this Law, the implementation and improvement of such control.
Establish the policy of internal control of the public legal person in compliance with the provisions of this Law and its implementing legislation.
Submit to the Ministry of Finance, in accordance with the procedure established by the Minister of Finance, the information on the implementation of internal control in the public legal person, including the public legal persons subordinate and/or accountable thereto.
3. The staff of a public legal person carrying out the regular activities of management and supervision of areas of activities of the public legal person according to the assigned functions shall supervise the implementation of internal control in the public legal person and its adherence with the internal control policy established by the head of the public legal person.
4. Internal auditors shall assess internal control in a public legal person and make recommendations to the head of the public legal person on the improvement of internal control, provide consultations to the head of the public legal person and heads of administrative units of the public legal person and/or of the public legal persons subordinate and/or accountable thereto on issues of internal control.
Remit of the Ministry of Finance in the areas of internal control and internal audit (Article 3)
In forming state policy in the areas of internal control and internal audit, organising, co-ordinating and controlling its implementation, the Ministry of Finance shall:
Draft legal acts regulating internal control and internal audit of public legal persons having regard to international good practices of internal control and internal audit.
Perform methodological management functions in the areas of internal control and internal audit.
Analyse activities of internal audit services and issue recommendations on the improvement thereof.
Ensure that an external assessment of the activities of internal audit services is conducted at least once every five years in accordance with the procedure established by the Minister of Finance of the Republic of Lithuania.
Source: Law on Internal Control and Internal Audit, Republic of Lithuania.
Awareness
The auditee's level of understanding of internal control and internal audit, and co-operation, is one of the important factors that determine the impact of internal control. There does not seem to be much resistance to internal control, risk management and internal audit in the Finnish public sector. However, it is difficult to conclude that there is active co-operation apart from the work of the Advisory Board. It was also noted that some managers tend to see internal control and audit as more of a hindrance than a help in improving the effectiveness of their operations. The OECD team has also noticed that some stakeholders perceive that the auditee was not co-operative with the audit and was passive in implementing audit recommendations. Stakeholders also highlighted weak managerial awareness and accountability government-wide. Additionally, the benefits of internal control are neither recognised nor valued, and assurance declarations lack consistency. There is also a pressing need for constant monitoring and support, clearer regulations and guidance, and more structured training besides the existing general training facility (Box 1.4).
Box 1.4. Centralised training in internal control and risk management in Finland
HAUS Finnish Institute of Public Management Ltd provides training and development services for public management needs and skills renewal. As a service provider for central government, HAUS’s customers consist of government agencies and public bodies, unincorporated state enterprises, and off-budget entities. Other customers include Parliament and the bodies operating subordinate to it, under its supervision or in connection with it. HAUS’s customers also include the European Union administration and the Member States of the community as well as international organisations. HAUS is fully state-owned.
The Government Financial Controller function has participated in planning and implementing the following training packages in co-operation with HAUS and the State Treasury:
HAUS 2023: Risk management in central government accounting units (annually).
HAUS 2023: Internal control and internal audit (annually).
State Treasury/HAUS: preparation and implementation of the training package for internal control and internal audit and the WB channel (e-learning, 2024).
Source: Data provided by the Ministry of Finance, Finland (2024).
In line with these observations, the survey reveals that only 33% of survey respondents in Finland reported that personnel are very well aware of how to report on risks in an organisation. The survey also shows that risk management training for the organisation's personnel is most commonly implemented at the organisational level regularly, as reported by 48.1% of respondents (see Figure 1.11). However, only 3.7% implement it regularly at the administrative level, and 9.3% do so as needed. Notably, 16.7% reported that risk management training is not implemented at all, and 5.6% were unsure about its implementation. Overall, while there is substantial integration at the organisational and educational levels, there are gaps in regular administrative implementation and some areas where it is absent.
Figure 1.11. How is risk management training implemented for your organisation's personnel?
Source: Risk Management Survey, Ministry of Finance of Finland.
Good practice suggests a continuous focus on awareness raising and training activities for senior officials and managers, incorporating accountability tools that encourage them to take ownership of internal control in order to strengthen performance and achieve the objectives of their corresponding areas. To ensure the necessary developments of integrated internal control policies, management needs to regularly monitor the control environment and address emerging risks. Figure 1.12 below illustrates four basic stages of internal control and risk management integration in the governance systems of the organisation (OECD, 2021[35]).
Figure 1.12. The basic stages of internal control integration
Source: OECD (2021[35]), OECD Integrity Review of the State of Mexico: Enabling a Culture of Integrity, https://doi.org/10.1787/daee206e-en.
Adequately established internal control policy and regular communication about the roles and responsibilities hold individuals accountable for the performance of internal control duties throughout the organisation. In the United States, circular A-123 of the Office of Management and Budget highlights the responsibility of the administration in the internal control area (Box 1.5).
Box 1.5. US Office of Management and Budget circular A-123: Management’s responsibility for internal control
The circular states the office policy as:
Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.
Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness.
When assessing the effectiveness of internal control over financial reporting and compliance with financial-related laws and regulations, management must follow the OMB’s outlined assessment process.
Annually, management must provide assurances on internal control in its Performance and Accountability Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.
Actions required by the circular indicate agencies and individual federal managers must take systematic and proactive measures to:
Develop and implement appropriate, cost-effective internal control for results-oriented management.
Assess the adequacy of internal control in federal programmes and operations.
Separately assess and document internal control over financial reporting consistent with the process.
Identify needed improvements.
Take corresponding corrective action.
Report annually on internal control through management assurance statements.
Source: OMB (2016[36]), OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control (Revised 07/15/2016), https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-17.pdf.
Management must lead with a supportive attitude towards internal control, illustrating the importance of integrity, ethical values and rules of conduct in their guidelines, attitudes and behaviour, through instructions, personal initiatives and examples (Box 1.6 and Box 1.7). In this context, the central harmonisation function could propose and empower public managers at various levels with initiatives, mechanisms, and tools for integrity. These tools could include sustained campaigns of external and internal communication featuring key messages from leadership about control objectives, specific guidance on risk areas, regular accountability reports on the implementation of internal control regulations, and sharing of best control practices (OECD, 2021[35]).
Internal audits also play an important role in helping organisations establish and maintain effective internal control and risk management structures and processes. To maximise their value, it is important to focus on developments in internal control, risk management, organisational performance, and effectiveness in achieving objectives. This requires comprehensive discussions with auditees on audit criteria. The Ministry of Finance could support these efforts by promoting a systematic and structured approach to raising managerial awareness and building sustainable capacities across management levels in governance, internal control, and risk management.
Box 1.6. Attributes of the Control Environment in Mexico
The organisation demonstrates a commitment to integrity and ethical values.
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Source: OECD (2017[37]), OECD Integrity Review of Mexico: Taking a Stronger Stance Against Corruption, https://doi.org/10.1787/9789264273207-en.
Box 1.7. Q&A for providing guidance to senior management and committees on monitoring the effectiveness of internal control and internal audit systems
1. Who monitors the adequacy of the internal control system? Are there processes to review the adequacy of financial and other key controls for all new systems, projects and activities?
A key part of any effective internal control system is a mechanism to provide feedback on how the systems/processes are working so that shortfalls and areas for improvement can be identified and changes implemented. In the first instance, if there is an internal control department, it will help managers implement sound internal controls. The operation of key controls will then be subject to review by internal and external audit along with other review agencies, both internal and external to the organisation. If no internal control department exists, guidance may be sought from risk management or internal audit.
2. Are arrangements in place to assess periodically the effectiveness of the organisation’s control framework?
A key requirement of many of the internal control requirements encompassed in legislation throughout the European Union (EU) and the rest of the world is an annual attestation as to the adequacy and effectiveness of the internal control system. Such attestation should be clearly evidenced. The review of the control framework will be the responsibility of the audit committee who will receive information and assurances from internal audit, risk management and the external auditors.
3. Who assesses internal audit?
The audit committee assesses the performance of the internal audit function by receiving performance information from the function itself and consulting appropriate directors and the external auditors. In addition, the function could be independently reviewed by an external agency, as specified in the International Professional Practices Framework, issued by the IIA.
4. How are the proposed audit activities prioritised? Is the determination linked to the organisation’s risk management plan and internal audit’s own risk assessment? Are the internal audit plan and budget challenged when presented?
The work of internal audit should be set out in a risk-based plan challenged and approved annually by the audit committee. This plan should be informed by the work of other review agencies, such as external audit and risk management, and should contain sufficient work for the head of internal audit to be able to form an overall view as to the adequacy of the risk management process operated by the organisation. If there is no formal risk management process, or if the process is flawed, then internal audit will need to rely on some other method of assessing the key activities and controls for its review. This could be based on its own risk assessment.
Source: FERMA (2014[38]), European Confederation of Institutes of Internal Auditing Guidance on the 8th EU Company Law Directive, Federation of European Risk Management Associations, Brussels.
From a global perspective, OECD Public Integrity Indicators are important as they highlight how different countries align with OECD standards, promoting transparency, accountability, and integrity in public governance. Identifying best practices and gaps fosters international collaboration and knowledge-sharing, enabling countries to strengthen their internal control and risk management frameworks, which are crucial for fighting corruption, safeguarding public resources, and ensuring sustainable development.
As highlighted in Box 1.8, which provides an overview of a few selected countries, the Netherlands stands out as a high-performing country, excelling in both regulatory frameworks and practical implementation of internal control and risk management, while Sweden also surpasses the OECD average, particularly in the adoption of audit recommendations. The box further illustrates performance disparities, with countries like Canada excelling in regulations but struggling with practical implementation, and Denmark lagging significantly in both areas. Moreover, it underscores the importance of the central harmonisation role, as seen in the Netherlands, in fostering stronger internal control and audit frameworks.
Box 1.8. OECD Public Integrity Indicators - benchmarking across the Nordic countries, The Netherlands and Canada
The Netherlands
The Netherlands leads in compliance with OECD standards on risk management, fulfilling 84% of criteria for regulations and 53% for practice, compared to OECD averages of 67% and 33%, respectively. Its robust regulatory framework is built on the Accounts Act and Government Audit Service Decree, which set clear objectives, responsibilities, and reporting arrangements for internal control and audit. Oversight by the Ministry of Finance ensures effective implementation, supported by a central harmonisation unit promoting international standards. Impressively, the entire national government budget is covered by internal audit, with all public organisations audited in the past five years, including annual audits for ministries. However, the Netherlands does not centrally track the implementation of audit recommendations, which could further strengthen its framework.
Sweden
Sweden also performs well, exceeding OECD standards by fulfilling 68% of criteria for regulations and 53% for practice. Its regulations define internal control and audit according to international standards, explicitly address public integrity risks, and require public institutions to adopt risk assessments and entity-wide risk registers. However, gaps remain, such as insufficient provisions for auditors' direct access to political staff and the lack of standards on their ethical conduct. In practice, 34% of central budget organisations were internally audited in the past five years, representing 95% of the central budget. Additionally, 90% of internal audit recommendations were adopted by management within a year, although Sweden does not track their actual implementation.
Canada
Canada demonstrates a strong regulatory framework, meeting 76% of criteria for regulations but only 23% for practice. Regulations define internal control and audit in line with international standards, include ethical standards for public officials, and explicitly address public integrity risks. Despite these strengths, Canada has notable gaps in practice. Internal audit regulations apply to just 51% of central government bodies, and only 21% of these bodies were internally audited within the past five years, focusing on high-budget organisations. No data is available on the adoption or implementation of internal audit recommendations, highlighting a need for better tracking and enforcement mechanisms.
Norway
Norway fulfils 64% of criteria for regulations, aligning closely with the OECD average of 67%, but has not provided data on implementation. Its regulations define internal control and audit according to international standards and establish annual reporting requirements. While the risk management framework delegates risk assessments to management, it does not explicitly address public integrity risks. Internal audit regulations ensure auditor independence but lack provisions for guaranteed access to organisational staff or external quality assurance. Although 86% of central government bodies are covered by internal audit regulations, only 40% were internally audited in the past five years, focusing on high-budget organisations. Norway's lack of data on good practices and implementation further limits its standing.
Denmark
Denmark lags significantly behind, fulfilling only 20% of criteria for regulations and 2% for practice, compared to OECD averages of 67% and 33%, respectively. While its regulations define objectives and managerial responsibilities for internal control, Denmark lacks a risk management framework and sufficient reporting mechanisms. Internal audit safeguards are absent, with no requirements for internal audit units, external quality assurance, or submission of activity reports. This means, for example, that there is no formal requirement for ministries or state institutions to have an internal audit unit and that there is no central harmonisation unit in place. Consequently, many bodies are not performing internal audit. Additionally, there is no data on the organisations audited or the adoption of internal audit recommendations in the past five years. These gaps highlight Denmark's significant need for reform in both regulatory and practical aspects of internal control and audit.
Sources: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024); OECD (2024[9]), Anti-Corruption and Integrity Outlook 2024, https://doi.org/10.1787/968587cd-en.
Risk management within the internal control framework
Risk management framework
Finland considers risk management as an essential component of internal control, encompassing the systematic and continuous identification, analysis, evaluation and monitoring of risks to ensure effective supervision, management of public activities, financial and operational stability, goal achievement, operational continuity, and the preservation of operating conditions (Ministry of Finance, n.d.[39]).
The development of the Central Government's risk management procedures has become increasingly necessary in recent years, particularly as the operating environment continues to evolve. Recognising this need, the Ministry of Finance established a working group in 2020 to lay the groundwork for enhanced risk management at the Central Government level. This initiative aimed to expand risk management beyond individual agencies to encompass the ministries' respective branches of government and the Central Government itself. The working group's report recommended integrating risk management more closely with the existing corporate governance system, ensuring that vital risk information is accessible for government decision-making (Ministry of Finance, 2021[40]).
These efforts resulted in the fulfilment of all the OECD PII criteria for the risk management framework indicator. Figure 1.13 indicates that the risk management framework for Finland scored 5 out of 5, aligning with the best performers. It surpasses the OECD average, demonstrating a well-regulated risk management system. This suggests a robust and comprehensive framework guidance for identifying, analysing, and managing risks within an organisation (OECD, n.d.[41]).
Figure 1.13. Risk management framework in Finland
How to read: Finland fulfils 5 out of 5 criteria for the Risk management indicator. For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
By standardising risk information collection across ministries, a comprehensive risk picture can be formed, facilitating proactive management of emerging phenomena. A key proposal resulted in the creation of a risk management sub-committee under the Advisory Board on Internal Control and Risk Management, which has been consolidating efforts across ministries and guiding practical implementation.
The necessity for unified and comprehensive risk management at all administrative levels is underscored by recent challenges, such as the global pandemic. While risk management has been part of administrative guidance, its application varies across branches, highlighting the need for a cohesive approach. In this context, effective risk management is crucial for the legal and efficient operation of the government, safeguarding public welfare, and supporting the strategic objectives of the Government. The Act and the Decree on the State Budget provide a framework for internal control and risk management, mandating that agencies ensure proper internal controls, manage risks and report significant risks (Figure 1.14). These regulations emphasise the management's responsibility in organising and maintaining adequate risk management practices (Ministry of Finance, 2021[42]).
Figure 1.14. Risk management process map in Finland
Source: Data provided by the Ministry of Finance, Finland (2023).
As a proactive tool, risk management not only mitigates threats but also enables the adoption of new models and services, ensuring continuity and operational efficiency across government activities. The working group has provided proposals aimed at enhancing cross-administrative co-operation and sharing best practices, aligning with the broader public administration strategy to strengthen risk management capabilities. Accordingly, the group produced the risk management handbook for the Central Government administration in 2023. This handbook outlines the general reference framework for risk management within the state administration's operating environment and the core functions of the Government, incorporating international standards like ISO 31000, ISO 22301, and the COSO framework while offering practical implementation procedures, assessment methods, and comprehensive appendices with regulatory bases, guidelines, glossaries, and further useful recommendations (Ministry of Finance, 2023[43]).
To facilitate continuous growth and development, the risk management handbook suggests a maturity-level approach in the form of a capability maturity model to provide a structured framework for assessing and improving an organisation's risk management practices (Figure 1.15). It could enable organisations to benchmark their current risk management capabilities, identify gaps, and systematically enhance their processes. This structured approach ensures continuous improvement and the ability to manage and mitigate risks in a dynamic operating environment effectively (Ministry of Finance, 2023[43]).
Nevertheless, interviews with various stakeholders highlighted several practical weaknesses in the current risk management framework. There is significant variability in practices and understanding of risk management principles across different ministries and agencies, leading to inconsistencies and confusion. The linkage between risk management and internal control activities is still unclear, with both areas suffering from a lack of resources and inadequate separation of responsibilities. Many staff members perform multiple roles, weakening the focus on risk management and contributing to low awareness and understanding of adequate objectives. The stakeholders have also noted that the maturity level of risk management is still low in some agencies and ministries. Maturity level is usually higher where there is a full-time risk management officer. Strong second line officers can have stronger influence on risk management practices.
Figure 1.15. Risk development model in Finland
Source: Data provided by the Ministry of Finance, Finland (2023); Ministry of Finance (2023[43]), Risk Management Handbook for Central Government Actors, http://urn.fi/URN:ISBN:978-952-367-633-6.
Risk management practice
Similarly, the survey revealed that risk management is included in job descriptions as the main activity for only 40.7% of respondents and as part of broader responsibilities for 59.3% (Figure 1.16). This is not ideal because it suggests that risk management is not given the dedicated focus it requires. When treated as one of many duties, risk management may not receive the necessary attention and resources, leading to superficial implementation and potential oversight of critical risks. This lack of dedicated focus can undermine the effectiveness of risk management practices, as employees juggling multiple responsibilities may struggle to thoroughly identify, assess, and mitigate risks.
Figure 1.16. Risk management is part of the job description
Source: Risk Management Survey, Ministry of Finance of Finland.
Moreover, according to the survey results, only 52% agreed that risk management principles have been defined in their organisation as a risk management policy following the Ministry of Finance guidance. The survey data also revealed that risk management challenges include a lack of systematic procedures for dealing with risks, with only 7.4% of respondents addressing risks immediately, 61.1% dealing with them periodically, and 29.6% discussing risks informally without a structured approach.
Accordingly, the OECD Public Integrity Indicator on risk management in practice in Finland shows that none of the criteria are fulfilled (Figure 1.17).
Figure 1.17. OECD PII – Risk management in practice in Finland
How to read: Finland fulfils 0 out of 11 criteria for the Risk management in practice indicator. For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Note: Review of data provided by the central government body responsible for risk management. A sample is taken to review practice. The sample organisations include all ministries and the 10 central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets. Integrity risk assessments have to be conducted within the past 3 years.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
The lack of fulfilment of any of the practice criteria highlights several weaknesses in Finland’s risk management framework. These include the absence of regular risk assessments, unclear roles and responsibilities for risk management, insufficient documentation and reporting systems for risk assessments, and inadequate separation of integrity risk management from internal audit or legal functions. Additionally, there is a failure to identify and address both inherent and residual risks, internal and external risks, and current and emerging integrity risks. Finland (together with some other countries, Table 1.3) also lacks a systematic examination of existing controls and necessary changes, a structured approach to risk scoring and prioritisation, comprehensive guidance documents on managing integrity risks, and regular reviews by the internal audit function.
Table 1.3. Implementation of risk management practices in line ministries or agencies
| | Yes | No |
|---|---|---|
| Guidance documents on managing integrity risks exist in at least half of sample organisations | CHE, CHL, CZE, IRL, LTU, LVA, POL, SVK, SWE | CAN, CRI, DNK, EST, FIN, GRC, JPN, KOR, MEX, PRT, SVN, TUR |
| All sample organisations have conducted at least one risk assessment in the past three years | AUS, IRL, LTU, LVA, POL, PRT | AUT, CAN, CHE, CHL, CRI, CZE, DNK, EST, FIN, GRC, JPN, KOR, LUX, MEX, SVK, SVN, SWE, TUR |
| Roles and responsibilities for risk management assigned in all sample organisations | AUS, CHE, CHL, IRL, LTU, POL, PRT | AUT, CAN, CRI, CZE, DNK, EST, FIN, GRC, JPN, KOR, LUX, LVA, MEX, SVK, SVN, SWE, TUR |
| System for documenting results of risk assessments in all sample organisations | AUS, CHE, IRL, LTU, POL, PRT, SVK | AUT, CAN, CHL, CRI, CZE, DNK, EST, FIN, GRC, JPN, KOR, LUX, LVA, MEX, SVN, SWE, TUR |
| Risk assessment including integrity risks conducted in at least half of all sample organisations | CHL, LTU, LVA, POL, PRT, SVK | CAN, CHE, CRI, CZE, DNK, EST, FIN, GRC, JPN, KOR, MEX, TUR |
Note: Data from a sample of all ministries and the largest ten central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets.
Source: OECD (2024[9]), Anti-Corruption and Integrity Outlook 2024, https://doi.org/10.1787/968587cd-en.
Countries fulfilling most of the criteria of this indicator could demonstrate several strengths in risk management practices (Box 1.9), collectively contributing to a robust and resilient risk management framework, promoting organisational integrity, accountability, and operational efficiency. Regular risk assessment exercises ensure continuous identification and evaluation of potential risks, while clear roles and responsibilities for risk management ensure accountability and adherence to regulatory frameworks across budget organisations. Systematic documentation, such as risk profiles or registers, provides a structured approach to tracking and managing risks. Comprehensive risk identification, including both inherent and residual risks, as well as internal, external, current, and emerging risks, ensures a thorough understanding of the risk landscape. Assessing existing controls and determining necessary changes help maintain and improve the effectiveness of the control environment. Regular reviews by the internal audit function of risk management policies and processes ensure ongoing effectiveness and alignment with best practices.
During the interviews, the stakeholders pointed out that the existing risk management legislation and key concepts should be better defined. Moreover, the benefits of risk management are not widely recognised or valued, and there is a notable absence of regular assurance practices over the effectiveness of risk management. Existing guidance is often too theoretical and lacks practical feedback. The role of the Advisory Board remains ambiguous in risk management, and discussions around the subject often appear not to be concrete. The overall awareness and visibility of risk management are weak, and there is a shortage of staff with clear, dedicated responsibilities. Interviewees also outlined that implementation in practice is often superficial, focused on compliance rather than genuine integration into decision-making processes. Moreover, many of them indicated that the regulatory framework is outdated, lacking clear definitions and specific guidelines for managerial accountability. A more structured approach to training, clearer and more detailed regulations and a centralised harmonisation function would be beneficial to address these issues.
Box 1.9. Risk management frameworks in the OECD countries
Australia
In Australia, the Public Governance, Performance and Accountability Act 2013 (PGPA Act) mandates that accountable authorities of Commonwealth entities establish and maintain appropriate systems for risk oversight, management, and internal control. This is supported by the Commonwealth Risk Management Policy, which provides additional resources and guidelines for embedding risk management into decision-making processes. The PGPA Rule operationalises the requirements of the PGPA Act; for example, section 10 of the PGPA Rule sets out mandatory requirements for preventing, detecting, and responding to fraud and corruption. The PGPA Act also requires entities to conduct regular risk and fraud assessments, develop fraud control plans, and implement mechanisms to prevent, detect, and address fraud. The annual reports must include information on fraud compliance and certifications by accountable authorities. This framework ensures that risk management is integrated into the organisational operations, with a clear distinction between management's responsibility for risk assessment and internal audit's role in providing independent assurance. To strengthen this system, it is recommended that risk management practices be regularly reviewed and updated to reflect the evolving operating environment of each entity.
Source: Australian Federal Register of Legislation (2017[44]), Public Governance, Performance and Accountability Act 2013, https://www.ag.gov.au/integrity/counter-fraud-and-anti-corruption.
Lithuania
In Lithuania, the risk management framework is governed by the Minister of Finance Order (No 1K-195), which outlines principles for risk assessment and management. The order mandates the identification and evaluation of risk factors, including corruption risks, and sets guidelines for risk response, such as risk reduction, transfer, tolerance, and avoidance. Internal auditors are prohibited from participating in the implementation of internal control to maintain objectivity. The Law on Internal Control and Internal Audit (IX-1253) reinforces the responsibility of heads of public legal entities (managers) to ensure effective internal control, including risk management, and requires annual documentation and reporting of risk assessments. The manager shall ensure that an internal control analysis is carried out every year, covering all elements of internal control. This analysis should assess deficiencies in the entity's activities, any changes or compliance issues with established requirements (including whether internal control is implemented as defined by the manager's policy), the information provided by employees supervising the implementation of internal control, the results of internal and other audits, and any expected measures for improving internal control.
The annual reporting process defines the information on the implementation of internal control in a public legal entity to the Ministry of Finance as the accountability of the manager for the implementation of internal control in an entity. The process involves periodic reviews and the integration of control measures to mitigate risks. Additionally, the guidelines emphasise the need for a proactive and dynamic approach to risk management, ensuring that risks are continuously monitored and addressed as part of the organisation's strategic and operational activities. This comprehensive approach ensures that risk management is embedded in strategic planning and operational activities, promoting accountability and efficiency in public sector governance.
Source: Republic of Lithuania (2021[45]), 1K-195 Dėl Vidaus kontrolės įgyvendinimo viešajame juridiniame asmenyje, https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/f9f898a1bb0911ea9a12d0dada3ca61b/asr.
Switzerland
In Switzerland, risk management is a key management tool integrated into business and management processes to ensure the careful and economical fulfilment of tasks. The Federal Council mandates that risk management be functionally integrated into management processes, vertically integrated across all management levels, and horizontally integrated with other management support processes such as financial management and internal control systems. Specific individuals within the dedicated risk management function support this work. An annual consolidated risk report, including a risk register with identified, assessed, and evaluated risks, is required from all departments and agencies. This report, which includes a risk map, titles, descriptions, assessments, and mitigation measures, is ultimately consolidated at the Conference of General Secretaries level and submitted to the Federal Council. Additionally, the risk management process encompasses the identification, analysis, and evaluation of risks, ensuring a thorough and proactive approach to risk oversight. The comprehensive nature of these measures facilitates a unified and effective risk management system, fostering a culture of continuous improvement and vigilance across the federal administration.
Source: EFV (2025[46]), Risikomanagement und Versicherungspolitik (Risk and Insurance Policy), https://www.efv.admin.ch/efv/de/home/themen/finanzpolitik_grundlagen/risiko_versicherungspolitik.html.
In addition, the Ministry of Finance recently reported that state agencies have not yet explicitly defined anti-corruption operating principles and practices. While procedures for internal control and risk management have been instructed, they lack precise determination regarding the activities, various functions, and processes under the responsibility of these entities. This is compounded by insufficient awareness of the manifestations of corruption. The internal control procedures outlined in the financial regulations of state agencies mainly focus on financial risks management, without systematically addressing the risks of abuse of influence. Consequently, circumstances, areas of risk, and manifestations of corruption have not been systematically identified and evaluated (Ministry of Finance, 2023[47]).
To address the highlighted issues in the country's risk management framework, the Ministry of Finance could consider enhancing legislation and clarifying key concepts to ensure that all stakeholders share a common understanding and framework, as well as increasing recognition of risk management benefits through awareness campaigns and by illustrating its value to organisational effectiveness. Implementing regular assurance practices to evaluate the effectiveness of risk management could also ensure continuous improvement and accountability. Clarifying and communicating the specific roles and responsibilities of the Advisory Board in risk management could provide concrete and actionable insights. Improving overall awareness and visibility through targeted training and awareness programs is necessary. Integrating risk management into decision-making processes will move beyond superficial compliance and make it a fundamental part of strategic and operational activities. Finally, enabling a centralised harmonisation function could ensure consistency and coherence in risk management practices and a more systemic approach across different sectors and organisations.
Independent assurance: Internal audit in the public sector
Internal audit framework
According to Section 70 of the State Budget Decree, internal auditing is organised at the discretion of each ministry’s or agency’s management, considering internal control needs and EU law requirements (Finlex, 1992[30]). It may be conducted internally or outsourced, based on justified needs identified through internal control procedures. Internal audits aim to assess the appropriateness and adequacy of internal controls and fulfil auditing duties set by management, following common standards and recommendations. International professional standards for internal auditing have not been directly incorporated into legislation as only general standards and recommendations have to be taken into account. Rules for internal auditing procedures and their organisational status are established by the respective government agency or public body and must be reported to the relevant ministry and the National Audit Office. A model for internal audit regulation (statute) is available for agencies to adapt to their specific needs (Ministry of Finance, n.d.[48]).
This provision and the available national guidance acknowledge the international internal audit standards and recognise the role of internal audit in promoting good practice and taking a proactive, constructive approach rather than one narrowly focused on control. In this context, effective internal audit units add value to the organisation by focusing on governance, control and risk management processes (Figure 1.18) (IIA, 2024[49]).
The Vision 2035 report (IIA, 2024[50]) highlights the transformative trajectory of the internal audit profession as it adapts to technological advancements and the evolving expectations of organisations. A key focus is the integration of advanced digital technologies, particularly artificial intelligence (AI), which is becoming a cornerstone in areas such as procurement, recruitment, production, and quality control. Whilst 74% of internal auditors agree that AI is critical for the future, only 52% are currently engaged in AI-related activities. This gap underscores the need for internal audit to not only adopt new technologies but also to audit these emerging systems effectively. By being involved in the early planning stages of technology implementation, internal auditors can ensure systems are designed with appropriate authorisations and controls, mitigating risks before they arise. The report emphasises the importance of proactive involvement to address risks such as cybersecurity threats, data integrity, and privacy issues introduced by technology.
Figure 1.18. Internal auditing in the public sector context
Source: Institute of Internal Auditors, 2024.
According to the Vision 2035 report, the profession is also experiencing a shift in its focus and required competencies. With 56% of auditors predicting a significantly different profession by 2035, there is an increasing demand for skills beyond traditional financial and compliance audits. Internal auditors are expected to expand their expertise to areas such as sustainability reporting, stakeholder impact analysis, and non-financial asset management. This evolution necessitates a fundamental rethinking of training and recruitment, with an emphasis on AI, technology, and advisory capabilities. Adaptability and learning agility have become critical competencies, enabling auditors to act as trusted advisers in managing risk, culture, and innovation. To remain relevant, internal audit must develop competency frameworks, enhance mentoring and training opportunities, and collaborate with other functions to build a diverse skill set. Vision 2035 envisions a future where internal auditors drive organisational change by providing foresight, independent assurance, and holistic advice, leveraging their expertise to meet the needs of an increasingly complex and dynamic business environment. The report also provides that half of the respondents (50%) identified being misunderstood or undervalued as the greatest challenge for the profession, while 45% highlighted the need for greater support from leadership and stakeholders (Figure 1.19).
Nevertheless, according to the interviews with different stakeholders, the roles and responsibilities of different control and audit functions are still not clear for managers in many Central Government organisations. The stakeholders have noted the prevailing misunderstanding in the Central Government and confusion about the different control and audit concepts (versus internal control, internal audit, risk management), the roles of assurance functions, including the value of internal control and internal audit. For example, it was outlined that the current regulation doesn’t specify the definitions and responsibilities. This lack of clarity in the legal framework may further lead to misunderstandings when interpreting the laws and methodologies and poor implementation of internal audit activities.
In addition, the stakeholders emphasised that the internal audit function exhibits practical weaknesses, primarily due to a variety of non-systemic and incoherent practices, an inconsistent understanding of principles, and inadequate regulation, leaving the internal audit function heavily reliant on personal skills. It is usually managed by individuals performing multiple duties, resulting in weak awareness and clarity on what constitutes adequate internal control and risk management.
Figure 1.19. Challenges for the internal audit profession
Source: Institute of Internal Auditors, 2024; IIA (2024[50]), Internal Audit: Vision 2035 - Creating Our Future Together, https://www.theiia.org/globalassets/site/foundation/latest-research-and-products/vision-2035-report.pdf.
The absence of a systemic approach and quality assurance for internal audit points to systemic structural and functional weaknesses. Additionally, interviewees mentioned that because internal audit is not mandatory, resources are scarce, there is no robust training and certification system for public internal auditors and internal audit functions are often isolated and manager-dependent. To address these challenges, a comprehensive update of regulations, clearer definitions, structured training programs, and a centralised harmonisation approach are needed to enhance the effectiveness and integration of internal audits across the public sector.
The OECD experts recognise the challenges faced by small internal audit units in Finland in organising external quality assessments. While Finland’s legislation mandates adherence to professional standards, including quality assurance, it is important to ensure that quality assurance mechanisms are adaptable to the varying capacities of internal audit units.
External quality assurance remains a critical component for enhancing credibility, independence, and efficiency in internal audit functions. It ensures compliance with national requirements and professional standards while meeting public expectations for quality and reliability. For smaller units, tailored solutions such as periodic peer reviews integrated with other co-ordinated quality assurance activities could be considered. Additionally, shared services co‑ordinated by the Ministry of Finance, in alignment with Finland's practices and ensuring cost-effectiveness, could provide the necessary support while maintaining objectivity and alignment with professional standards. Finland could further explore scalable approaches to quality assurance, balancing the capacity of internal audit units with qualitative expectations, to strengthen the integrity and effectiveness of its internal control framework.
Accordingly, the PII analysis results of Principle 10 of Finland demonstrate that only two criteria for the internal audit regulatory and practice indicators are fulfilled (Figure 1.20).
Figure 1.20. OECD PII – Internal audit regulations and practice in Finland
How to read: Finland fulfils 1 out of 10 criteria for the Regulations on internal audit indicator, and 1 out of 12 criteria for the Internal audit in practice indicator. For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
Not meeting the specified criteria might include a lack of established internal audit units throughout the public sector and insufficient staffing with fewer than two auditors. Additionally, it may signal that less than 85% of internal audit staff lack adequate training and certification, reports are not submitted directly to the managing body, and audit plans do not incorporate data from entity-wide risk registers or include integrity-specific objectives. Furthermore, it may be an outcome of the conditions where the regulatory framework fails to specify operational arrangements and ensure the independence and direct access of the internal audit function to senior management, potentially leading to conflicts of interest or misinterpretation of the primary internal audit objectives and value internal auditors could bring (Table 1.4).
Table 1.4. OECD PII – Potential development areas in internal audit
| No. | Criterion | Finland | Countries fulfilling (%) |
|---|---|---|---|
| 6 | Regulations stipulate the independence of the IA function in determining the scope of internal auditing, performing work, and communicating results. | | 70 |
| 5 | Regulations stipulate that the head of the IA function has direct and unrestricted access to political staff and senior managers of all public sector bodies. | | 63 |
| 1 | Regulations specify the operational arrangements for IA. | | 59 |
| 4 | Standards directly aimed at the conduct and ethical behaviour of internal auditors are published. | ✓ | 55 |
| 3 | Regulations allow IA arrangements to differ depending on the type and size of the institution. | | 52 |
| 7 | Regulations prohibit or establish cooling-off periods for internal audit staff to audit operations for which they have previously been responsible to avoid any perceived conflict of interest. | | 48 |
| 9 | Regulations require external quality assessments of IA activity to be performed no less than once in 5 years by an independent party. | | 41 |
| 10 | Regulations stipulate that the head of IAU must provide annual activity reports to the CHU or the central IA function. | | 41 |
| 8 | Regulations require the IAUs to develop an internal audit activity manual based on a standard methodology approved by the CHU or a central IA function. | | 22 |
| 2 | Regulations specify the scope of work and size of IA units (minimum two persons per unit). | | 11 |
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
To strengthen Finland's internal control framework, there is a critical need to transition from the current compliance-focused approach to a more systemic and performance-based assessment model. While compliance audits dominate the work of internal audit units, adopting a system-based approach would enable internal auditors to better support organisational efficiency, strategy implementation, and achievement of objectives. The Ministry of Finance in its central harmonisation role could play a pivotal role in this transition by developing and promoting practical tools such as standards, manuals, checklists, and tailored guidelines to aid implementation. Capacity-building initiatives and phased implementation will be essential, especially for smaller audit units with limited resources, to gradually expand their scope to include performance auditing. Although performance audits are currently conducted by external auditors, integrating this methodology into internal audits would significantly enhance their effectiveness and impact. Prompt action to prioritise systemic assessments could provide more valuable insights and strengthen Finland’s governance and public sector performance.
Independence, capacity and scope
Finland's internal audit framework calls on organisations to identify structures and processes that assist the achievement of objectives and facilitate effective governance and internal control according to the IIA’s Three Lines Model (IIA, 2022[7]) (Figure 1.21). Following the model, management should be responsible for identifying and managing risks, and each employee contributes to successful risk management within an entity. Alongside risk management functions, managers are responsible for the day-to-day managing of fraud and corruption risks – which includes ensuring that internal controls are in place and functioning – and more generally, for preventing and detecting fraud and corruption risks. The third line represents an internal audit function that provides independent assurance that internal control and risk management processes are effective (OECD, 2020[8]). Internal audit work includes identifying and evaluating significant exposures to risk, contributing to the improvement of risk management and control systems, and maintaining effective controls by evaluating their effectiveness and efficiency and promoting continuous improvement.
Nevertheless, a few stakeholders have noted that internal audit activities are frequently involved in performing various control, inspection and risk management duties. Similarly, the survey results showed that internal audit in some organisations is regulated under the risk management policy, or that internal audit is part of some control tasks.
Moreover, the National Audit Office of Finland (NAOF) has emphasised in several reports that although all ministries in Finland employ internal auditors, hiring one is not mandatory. Additionally, NAOF reports noted that internal auditors in Finnish ministries do not have an unequivocal right to directly audit the agencies subordinate to the ministry (Ministry of Finance, 2018[51]). In 2023, the Ministry of Finance additionally emphasised the importance of internal audit's independence and its role in assessing integrity risks. It guided internal auditors to analyse the significance of corruption risks and the effectiveness of measures to prevent them (Ministry of Finance, 2023[47]).
The current legal framework does not specify the size of internal audit units, resulting in the prevalence of small units, often with only one auditor, which is insufficient for effective auditing and meeting independence requirements. Moreover, a small one-person internal audit unit involves a significant amount of work, which would on a pro-rata basis be significantly reduced if resources were centralised or more rationally organised. Such limited capacity weakens internal control systems and related risk management, reducing the effectiveness of oversight and accountability and potentially leading to undetected risks and inefficiencies within public sector operations. Consequently, the overall integrity and performance of public institutions may be compromised, undermining trust and transparency.
Figure 1.21. The IIA’s Three Lines Model
Source: Institute of Internal Auditors, 2020.
Outsourcing
The OECD experts have identified several challenges associated with the use of service providers for internal audit functions in Finland. Outsourcing is a widespread practice due to its cost-effectiveness compared to maintaining in-house internal audit units. However, stakeholders raised concerns about the quality of service providers’ audits, including the qualifications of their personnel and the scope of their work. In many cases, a lack of continuity can hinder co-operation from auditees and limit the effectiveness of the internal audit process.
During the interviews, stakeholders highlighted that reliance on outsourcing often leads to a lower level of assurance, poor quality management, and limited audit scope, typically confined to financial compliance. Service providers may lack the in-depth knowledge and expertise of an in-house internal audit unit, which is critical for providing comprehensive assurance. Furthermore, they may face challenges in understanding the organisation's culture, internal processes, and risk management framework, ultimately reducing their ability to align audit services with organisational goals.
The risks associated with outsourcing internal audit services could include insufficient human resource commitment and limited understanding of the organisation's internal culture and business processes. Additionally, the lack of regular communication with management and insufficient knowledge-building about the internal control environment may weaken the overall effectiveness of the internal audit function.
According to the Global Internal Audit Standards (IIA, 2024[26]), outsourcing internal audit services does not absolve an organisation of its responsibility for maintaining an effective internal audit activity. The chief audit executive, whether employed internally or through a service provider, remains accountable for conformance with the standards, including the establishment of a quality assurance and improvement program. Moreover, the organisation’s leadership retains oversight responsibility to ensure the effectiveness of the internal audit function, regardless of whether the work is performed internally or outsourced.
To address these challenges, the Ministry of Finance could play a pivotal role in considering harmonised regulations for outsourcing internal audits. These regulations could define quality expectations, scope requirements, and minimum standards for human resource inputs in contracts with service providers. Ensuring that service providers meet these criteria would help mitigate risks associated with quality and limited assurance. Additionally, the Ministry could introduce mechanisms to monitor and evaluate the performance of service providers, ensuring alignment with internal audit goals and objectives.
For smaller organisations that frequently rely on service providers, the Ministry of Finance could prioritise measures to ensure adequate quality levels, value addition, and effective implementation of internal audit functions. This could include capacity-building initiatives, the development of quality control frameworks, and the inclusion of specific contractual provisions to enforce quality assurance and compliance with global standards, which could enhance the effectiveness and reliability of outsourced internal audit services while maintaining the integrity and effectiveness of its internal control systems.
Structural arrangements
Determining the optimal size of an internal audit unit is a complex task that necessitates strategic planning and consideration of multiple factors. A larger team of auditors can offer significant advantages, such as reducing errors in risk assessment, enhancing audit quality, increasing competencies, amplifying the assurance impact, and maintaining audit objectivity. However, the costs associated with employing multiple auditors can be substantial, particularly for smaller entities, where expenses may outweigh the benefits. Thus, balancing these benefits against the costs is essential for effectively sizing an internal audit unit.
The IIA states that, when deciding whether to create a centralised or decentralised internal audit activity, the organisation should consider the advantages and disadvantages of each option to decide which model is best suited for the organisation’s current stage of maturity and political environment (IIA, 2024[49]). It notes that economy and efficiency are key benefits of centralising the internal audit function, while improved effectiveness, as a result of being closer to the entity, is the key benefit of decentralisation.
Under the decentralised approach, internal auditors are close to the business operations under review, which can help forge relationships that result in candid dialogue about risk and controls (Hayes, 2018[52]). Lithuania, for example, under the second structural public internal control and internal audit reform, streamlined a decentralised system into a partly centralised internal audit model in 2020. The Law on Internal Control and Internal Audit of Lithuania defines that centralised internal audit units must be established in ministries and municipalities (Republic of Lithuania, 2002[34]). Taking into account the organisational structure of the organisation, the scope and importance of the functions performed, the number of subordinate organisations and other specific features of activities, an internal audit service may be established by a decision of a Minister at the organisation carrying out activities in the area of management assigned to the Minister.
In some countries, a complete centralised internal audit function has been implemented to maximise the benefits of having a large, unified audit team rather than multiple small teams in separate organisations (e.g. Belgium,4 UK). The United Kingdom’s Government Internal Audit Agency is an example of a centralised internal audit entity that has dedicated integrity objectives, as outlined in Box 1.10.
Box 1.10. United Kingdom Government Internal Audit Agency
The Government Internal Audit Agency (GIAA) was launched on 1 April 2015 as an executive agency of HM Treasury (HMT) to help ensure government and the wider public sector provide services effectively and develop better governance, risk management and internal controls. The GIAA delivers a risk-based programme of work culminating in an annual report and opinion on the adequacy and effectiveness of government organisations’ frameworks of governance, risk management and internal control. It provides a range of services, including:
Assurance work: This provides an independent and objective evaluation of management activities in order to give a view on an organisation’s effectiveness in relation to governance, risk management and internal controls.
Counter fraud and investigation work: This provides advice and support to customers on counter fraud strategies, fraud risk assessments, and measures to prevent, deter and detect fraud. Where commissioned, their professionally trained staff investigate suspicions of internal or supplier fraud or malpractice.
Its internal auditors look at financial risks and wider issues, such as:
employee relations
management structures
relationships with stakeholders
and then offer advice on how to improve those systems and processes, based on their findings.
GIAA is responsible for reviewing the functions and activities of government and public sector organisations and assessing their efficiencies and risks; making recommendations for improvement based on their assessments; and adding value to public services and improving how effectively organisations provide them.
GIAA's priorities in capacity building are described as follows:
1. Expand their capacity and expertise in areas including:
Counter-fraud and investigations, information systems.
Programme and project management.
2. Introduce a framework agreement for internal audit services at the central level that will:
Improve private sector involvement.
Make use of the collective purchasing power of government internal audit.
Strengthen customer support (e.g. around sharing best practice, and access to specialist skills).
Develop the framework for providing assurance around cross-government and inter-organisational risks.
Source: Data from the United Kingdom Government Internal Audit Agency, 2018.
Capacity building
Finland does not provide structured training and qualification exams for internal auditors. Although various actors in Finland provide training related to internal auditing, there is no national certification programme specifically tailored to public administration. The Government Financial Controller's Function plays a co‑ordinating role in organising internal auditing training, addressing the need for standardised professional development in this field.
In Finland, there are no specific certification procedures tailored exclusively for internal auditing in the public sector. Additionally, the legislation does not mandate authorisation or certification for internal auditors in the Central Government. This absence of formal certification requirements highlights a gap in standardised competency benchmarks for internal auditors. Some interviewees mentioned that current training programmes and workshops for internal auditors are beneficial for the continued development of practical skills; nevertheless, a national training module and certification system, specifically oriented to the peculiarities of the public sector, would add value for building the necessary internal audit capacities in the public sector.
Nevertheless, authorisation and certification procedures exist for public sector auditors in Finland, with the JHT-specialisation examination being particularly suitable for auditors of municipalities, cities, parishes, universities, and central government. The Auditor Oversight Unit of the Finnish Patent and Registration Office (PRH), which has been responsible for auditor oversight since 1 January 2016, conducts annual auditor examinations, oversees the quality of auditing, maintains registers of auditors and examinations as outlined in the Finnish Auditing Act (Finlex, n.d.[53]), and leads the general direction and development of auditing (PRH, n.d.[54]). Additionally, the PRH serves as Finland’s authority for international co-operative oversight activities.
Moreover, financial audit studies are offered, for example, through the University of Tampere’s Master's Degree Programme in Financial Audit and Evaluation, as well as through universities of applied sciences and other vocational programs. These study modules also include courses on internal auditing (Tampere Higher Education Community, n.d.[55]).
Finnish stakeholders have considered that a basic internal audit training qualification, which may involve formal assessments through professional examinations, whether in full or in modules, could be an effective way of motivating internal auditors and ensuring that the training is focused. It follows that the existing process needs to be fully tied in with achieving government training qualifications. Therefore, the Ministry of Finance could consider evaluating long-term initiatives to improve access of internal auditors to comprehensive training, specialised courses and certification in the fields of internal audit (Box 1.11).
Box 1.11. Professionalisation and capacity-building of the internal audit service
Training Scheme for Internal Auditors in Croatia
Basic Training Programme
The Ministry of Finance, Sector for Harmonisation of Internal Audit and Financial Control (Central Harmonisation Unit) delivers a professional training programme for becoming a certified public sector internal auditor. It is an important part of internal audit development at the state administration body level, local and regional self-government unit body, as well as in the majority of government-owned enterprises. All candidates who successfully complete the training programme will:
Receive a certificate allowing them to engage in internal auditing in the public sector of the Republic of Croatia issued by the Minister of Finance.
Become a “Certified Public Sector Internal Auditor”.
Become a part of a network of public sector internal auditors.
A developed system of training and becoming a certified professional could help certified internal auditors to deliver their work in keeping with the best international practice standards according to the International Internal Auditing Standards.
The training scheme consists of two levels:
Theoretical training comprises five mandatory modules. Following this section and upon a successful passage of a written exam, one receives a document confirming passage of the written exam for becoming a Certified Public Sector Internal Auditor.
Practical training comprises two successfully completed internal audits. The confirmation thereof is given by a mentor (a certified public sector internal auditor) who has been leading and overseeing the work of the applicants while they perform internal audits. Following the completion of practical training and after successfully passing a verbal exam, one acquires a certificate issued by the Minister of Finance that allows him/her to engage in public sector internal auditing.
Continuous Professional Development Programme
All internal auditors are required after the acquisition of professional certification to maintain their expertise in accordance with the provisions of the Instructions on the continuous professional development of internal auditors in the public sector in order to maintain the conditions for carrying out independent work in internal auditing, and in order to improve the quality of the internal audit. The Instruction on continuous professional development of internal auditors in the public sector regulates the status of internal auditors, types and fields of professional development, fulfilment of requirements for accumulating points and reporting on the continuous professional development of internal auditors in the public sector. The training featured in the catalogue is organised and conducted by the Ministry of Finance's Central Harmonisation Unit.
The Training of Internal Auditors Programme in Slovenia
The Training of Internal Auditors in the Public Sector (TIAPS) provides an example of public sector oriented internal audit certification, combining international best practices with localised regulatory concerns, taught in the language of the host country.
1. Scope and key characteristics: The idea behind TIAPS started in Slovenia in 2002. The TIAPS programme was developed to strengthen competences in internal audit processes in the public sector, paying special attention to the requirements introduced by the accession processes to the European Union. International standards have long been regarded as unable to fully address the specific concerns of the public sector. One of the ways that TIAPS has addressed such a gap is by including a customisable module on legislation and fiscal issues, written by experts from participating countries. TIAPS is aimed at public sector employees with a bachelor's degree and practical experience in areas such as accounting, financial supervision and control. The programme consists of seven modules, divided into two levels, certificate and diploma. The modules, except for the one on National Legislation and Taxation, were developed by the Chartered Institute of Public Finance and Accountancy (CIPFA).
2. Challenges: The main obstacle to implementing TIAPS is also its greatest strength – adapting the curriculum to the local level. This required that institutions involved do a great share of the preparatory work prior to delivery of the programme, including translating training materials and training local coaches who will teach the module content in the local language. The team for the implementation of the programme hired translators with a good understanding of the content’s essence. Despite being a relatively new programme, TIAPS offers specialisations. However, the specialisations have not yet reached the full equivalence level to directly replace specialised certifications - such as the Certified Information Systems Auditor (CISA), granted by the Information Systems Audit and Control Association (ISACA) - although there are plans to do so in the medium term. The programme also has a way to monitor and ensure that its certified professionals are kept up-to-date on evolving audit trends, as the IIA and ISACA do, through its continued professional education requirements.
Internal Audit Development Programme and Internal Audit Competency Profiles and Dictionary in Canada
Among its initiatives to upgrade the development of internal audit recruitment and strengthening system, the Office of the Comptroller General of Canada developed the Internal Audit Competency Framework, which aims to support and empower a quality and self-sufficient internal audit community in the federal public sector. It provides excellent infrastructure, along with tools and support services, to position the internal audit community as professionals who perform a job in the government of Canada that adds value to organisations.
In addition to coaching, mentoring, and professional development courses, the Internal Audit Recruitment and Development (IARD) Programme offers:
up to 36 months of training and job experience
a development plan designed to help participants succeed
access to mentoring and networking opportunities
support towards obtaining Certified Internal Auditor certification (including paid study leave and reimbursement of tuition fees)
the place to learn about an organisation's business and to be exposed to senior management
opportunity for promotion within the program.
The IA Competency Profiles and Dictionary are the main pillars of competency-based management (CBM). They allow organisations to focus on how a person undertakes their job based on the skills, abilities, and knowledge necessary to perform the tasks. CBM is the application of a set of competences to the administration of human resources (staff, training, performance management and resource planning) to achieve excellence in performance and results that are relevant to organisations.
Sources: Republic of Croatia (n.d.[56]), Basic Training, https://mfin.gov.hr/highlights-2848/central-harmonization-unit/internal-audit/professional-training/basic-training/2893; OECD (2021[35]), OECD Integrity Review of the State of Mexico: Enabling a Culture of Integrity, https://doi.org/10.1787/daee206e-en; Government of Canada (n.d.[57]), Understanding the Application Process: Job Opportunities, https://www.canada.ca/en/treasury-board-secretariat/corporate/understanding-application-process.html.
Audit committees
The existence of an audit committee has recently become an essential feature of good corporate governance models for the public sector and an aid to the provision of an effective system of internal control. If properly constituted, the audit committee could at least provide support to the internal auditor and furthermore help in ensuring independence and support in sensitive cases, possibly involving undue pressure and directions from public entity management.
The responsibilities of committees may include reviewing, overseeing, and providing independent assurance to the governing body on internal control systems, anti-fraud and corruption frameworks, and the comprehensiveness and reliability of assurances related to risk management and control environments. They may also evaluate performance management frameworks, ensuring alignment with government oversight. Additionally, audit committees can support the internal audit function by reviewing audit results, monitoring the implementation of management action plans, and ensuring the independence, professionalism, and objectivity of internal audit activities.
There are no audit committees in Finland and the Ministry of Finance could consider how an effective audit committee mechanism could function in ministries and other public bodies in order to become an essential supporting element of internal control and good corporate governance. These committees should not be a substitute for management’s responsibility for mitigating the risks (Box 1.12).
Box 1.12. Leading attributes of public audit committees in Australia
A good practice audit committee is distinguished by the following attributes:
Has a formal charter that has regard to relevant legislative requirements and the entity’s broader corporate governance framework, includes the committee’s functions and responsibilities, and is approved by the accountable authority.
Members collectively possess relevant business, financial management, ICT and public sector experience and expertise.
Has a sound working relationship with the accountable authority, senior management of the entity and other stakeholders.
Adopts an independent perspective and respects the separation of management and audit committee responsibilities.
Is knowledgeable about the entity’s operations, particularly the entity’s risks and the arrangements in place for the management of these risks.
Is chaired by a person who leads discussions, encourages the participation of other members, and conducts meetings in an effective manner.
Encourages and maintains an open and constructive dialogue with other entity committees, senior management, internal audit and the Australian National Audit Office.
Exercises judgement and discretion in determining how best to meet its responsibilities.
Effectively plans its activities to meet its responsibilities; focuses on the important issues and risks; is forward-looking; and adopts a continuous improvement approach in its interaction with entity management.
Is mindful of the strategic and operational environment of the entity when requesting information from entity management, and balances the resources required with the value to the committee of the information sought.
Receives an appropriate level of support and provides committee members sufficient opportunities to keep abreast of key developments in the entity, the public sector, the business environment in which the entity operates and the wider community.
Source: Australian Government (n.d.[58]), Audit Committees (RMG 202), https://www.finance.gov.au/publications/resource-management-guides/audit-committees-rmg-202.
The committees shall monitor and assess the arrangements in place to provide comprehensive and reliable assurance on financial and performance reporting responsibilities, the system of internal control, risk oversight and management. This involves identifying assurance needs and the most appropriate tools to meet these needs, as well as potential assurance gaps or overlaps and ways to address them; and whether the existing framework will provide the sufficient, relevant and reliable assurance that the organisation needs to avoid surprises and to enable early decisions and actions to be taken on risk and control issues (OECD, 2021[35]).
Effective oversight, assurance, and risk management are critical for ensuring transparency, accountability, and good governance within the Central Government. A comprehensive mapping and review of existing capabilities across government departments can identify gaps and areas for improvement. This process could assess the need to establish clear regulations for the central (inter-departmental) advisory board, facilitated by the Ministry of Finance, considering the existing Advisory Board arrangements and practices (discussed in the second section of the report). Such a board could play a pivotal role in enhancing governance, risk, and control processes across the Central Government as well as promoting an effective internal audit and strong culture for integrity. Its responsibilities could include providing consistent guidance on internal control and audit practices, and promoting robust internal control systems that support better decision-making and accountability. The board could also serve as a key mechanism for ensuring a co-ordinated and harmonised approach to internal audit across departments, addressing systemic challenges and building a foundation for continuous improvement.
In addition to the central advisory board, establishing audit committees within ministries can significantly enhance the effectiveness of internal controls and risk management in the Central Government. These committees could provide oversight of internal control systems, financial and performance reporting, risk management frameworks, and anti‑fraud and corruption prevention measures. Moreover, their role in reviewing the comprehensiveness and reliability of assurances would contribute to a more robust control environment.
To ensure their effectiveness, the framework for the establishment and operation of these committees could be developed in consultation with key stakeholders. The committees would need to operate with a clear mandate and appropriate authority to oversee and assess the adequacy of internal control systems, risk management practices, and compliance with regulations. Furthermore, they could serve as a platform for fostering accountability and promoting a culture of continuous improvement across ministries.
To build a cohesive and effective oversight framework, it is essential to engage with stakeholders from various government departments and agencies. Discussions could focus on identifying needs and developing an applicable framework for audit committees and the central advisory board.
Impact considerations
Internal audit effectiveness hinges on its ability to cover a significant portion of the public budget, providing assurance on internal controls and deterring fraudulent activities. Legislation and practice vary widely across OECD countries: some achieve full coverage both in law and practice, others only in law, and some do not extend coverage to the entire public budget. Many countries lack the necessary data to assess coverage comprehensively (Figure 1.22). The value of internal audit units depends on public sector managers acting on auditors' recommendations, with high implementation rates in countries where this is centrally monitored, indicating management's willingness to improve based on audit insights.
A country that fulfils the PII criteria for internal audit regulation and risk-based practice can possess significant strengths, enhancing its internal control and risk management systems. Such strengths include a diverse range of practices and a solid understanding of internal audit principles, ensuring well-regulated, multi-person internal audit units with clear roles and responsibilities (Box 1.13). This creates a structured environment for effective internal audits, promoting professionalism and objectivity; moreover, regular quality assurance practices and a certification scheme ensure high audit standards and consistency across the public sector. This systemic approach improves governance, accountability, and transparency, ultimately enhancing the efficiency and effectiveness of internal control systems. Additionally, strong managerial awareness and the integration of risk management into decision-making processes further bolster the overall integrity and performance of public institutions.
Figure 1.22. Internal audit coverage per public budget
Note: Costa Rica, Czechia and Finland do not collect data on the share of national budget organisations that were audited in the past five years. The following countries do not collect data for both indicators: Australia, Austria, Denmark, Estonia, Japan, Luxembourg, Spain and Switzerland. How to read: In Ireland, the share of national budget organisations at the central government level covered by the internal audit is 100% (blue column), and the share of the national budget organisations that were audited in the past five years is 100% (light blue marker).
Source: OECD (2024[9]), Anti-Corruption and Integrity Outlook 2024, https://doi.org/10.1787/968587cd-en.
Box 1.13. Internal audit frameworks in the OECD countries
The Netherlands
In the Netherlands, the internal audit system is governed by the Central Government Audit Service (CGAS), which conducts annual audits for both financial and non-financial accountability information, as well as the government's budget and financial management. This centralised system ensures that internal audits comply with national laws and regulations, maintaining independence and quality through regular evaluations. CGAS is responsible for both financial/compliance audits and consultative operational audits across ministries. These audits cover strategic, operational, and transaction levels, ensuring comprehensive oversight. Since 2014, all internal audit departments have merged into CGAS for efficiency, operating under the Ministry of Finance but reporting to individual ministers. CGAS tasks are regulated by the Government Accounts Act 2001, with auditors required to undergo continuous professional education. Audit findings are discussed with management, and actions are taken on recommendations. Irregularities or fraud are reported to appropriate authorities, and disciplinary actions are taken as needed.
The Minister of Finance oversees the quality control system, ensuring independent performance and adherence to ethical standards. Annual activity reports and quality assessments every five years are mandated, promoting transparency and accountability in public sector auditing. Additionally, audit results are reported to relevant ministers and the House of Representatives, enhancing oversight and governance. This structured approach ensures a high standard of internal control and risk management across central government institutions.
Sources: Government of the Netherlands (n.d.[59]), Auditdienst Rijk, https://www.auditdienstrijk.nl/ (accessed on 15 May 2024); Wetten Overheid (n.d.[60]), Regeling - Nadere voorschriften kwaliteitssystemen - BWBR0038869, https://wetten.overheid.nl/BWBR0038869/2022-01-01/; Wetten Overheid (n.d.[61]), Regeling - Wet op het accountantsberoep, https://wetten.overheid.nl/BWBR0032573/2021-07-01/#Hoofdstuk1_Artikel1; NBA (n.d.[62]), HRA, https://www.nba.nl/tools/hra-2023/; EC (2014[12]), Compendium of the Public Internal Control Systems in the EU Member States 2014, https://commission.europa.eu/publications/compendium-public-internal-control-systems-eu-member-states-2014_en.
Latvia
The internal audit system in Latvia, governed by the Internal Audit Law, mandates the establishment of internal audit units across various public sector bodies. These units report directly to the State Secretary or institution head, operating independently without engaging in direct ministry functions. They follow guidelines based on international standards and undergo quality assessments every five years. Annual reports on internal audit activities are submitted to the Ministry of Finance and the State Audit Office. The Ministry of Finance also co-ordinates internal audits and conducts peer reviews to ensure compliance and effectiveness, thereby maintaining high standards of accountability and transparency in public sector auditing.
Source: Government of Latvia (n.d.[63]), Internal Audit Policy, https://www.fm.gov.lv/en/internal-audit-policy.
Slovak Republic
In the Slovak Republic, the internal audit system requires state budget chapter administrators to assign at least two employees for internal audits, ensuring functional and organisational independence from other units. Internal audit units report directly to the statutory body and must follow the Ministry of Finance's methodological guidelines, which align with international standards. Quality assessments are recommended every five years, with external evaluations verifying compliance with standards. Annual reports on internal audits are submitted to the Ministry of Finance and the Internal Audit and Government Audit Committee by the end of February each year, enhancing transparency and accountability in financial management and control. Additionally, the internal audit process includes verifying and assessing risk management systems, ensuring compliance with laws, and evaluating the efficiency of public fund management. The Ministry of Finance also performs peer reviews and provides guidelines to maintain the integrity and effectiveness of internal audits across public sector bodies.
Sources: Government of the Slovak Republic (2015[64]), Act 357 of 10 November 2015 on Financial Control and Auditing and on Amendments to Certain Laws, https://www.mfsr.sk/files/archiv/55/357_2015_20220301_EN.pdf; Government of the Slovak Republic (2022[65]), Metodické usmernenie sekcie auditu a kontroly Ministerstva financií SR č. MF/006646/2022-1411 k finančnej kontrole, https://www.mfsr.sk/files/archiv/34/20220922_MU_financna_kontrola.pdf.
The Ministry of Finance could enhance the internal audit system by reviewing and updating the legislation and establishing internal audit units across all public sector agencies, ensuring the service has at least two auditors. It would also be advisable to implement structured training and certification for internal audit staff to ensure they are adequately qualified. Audit reports should be directly submitted to the managing body and audit plans should draw on data from entity-wide risk registers, including integrity-specific objectives. Furthermore, the regulatory framework should clearly specify operational arrangements and ensure the independence and direct access of the internal audit function to senior management to prevent conflicts of interest and enhance the effectiveness of internal audits.
The Ministry of Finance could also consider a review of current legislation aiming to harmonise and clarify the relevant definitions and to distinguish the assurance roles and corresponding responsibilities. It could also explore ways to educate managers at all levels, on the responsibilities regarding the establishment and development of internal control systems and procedures, as well as on the role and added value of modern internal audit functions, and how to make the best use of this assurance and advisory service.
Central harmonisation: Enhancing developments in internal control systems
Coverage of central functions to implement internal control
To enhance the public internal control framework in alignment with internationally accepted standards, a central harmonising function is vital to spearhead these efforts. In essence, it is responsible for co‑ordinating and monitoring the internal control implementation throughout the country and promoting a consistent and effective internal control environment across the public sector. Accordingly, central harmonisation strengthens the lines of assurance by standardising practices and policies, ensuring consistent internal control and risk management, and facilitating co-ordination between management, risk control functions, and internal audits in the Central Government (Figure 1.23).
As described above, key actors in defining and implementing central government steering in Finland include the Ministry of Finance, the State Treasury, and the Prime Minister's Office. Within the Ministry, the Government Financial Controller's Function co-ordinates internal control and related risk management. According to the State Budget Act, the duties of the Controller in Finland include ensuring that the Government's annual report provides accurate and sufficient information and making key financial data available for decision-making. It steers, co-ordinates, and develops financial statement reporting, internal control, and evaluation activities, offering advice and proposals for improvement. It also co-ordinates the internal control of EU funds managed by Finland.
The State Treasury issues regulations on accounting, payment transactions, financial statement preparation, and other financial administration activities and procedures for agencies, public bodies, and off-budget central government funds. The Prime Minister's Office is responsible for developing the management practices of the Government and its ministries. It also oversees the Government's overall co-ordination of preparedness, which includes contingency planning, disturbance management, emergency conditions, and related communications in central government.
This institutional setup supports internal control development efforts in Finland. Nonetheless, the PII analysis results for Principle 10 indicate that the central harmonisation function has not been fully established in Finland (Figure 1.24).
Figure 1.23. The lines of assurance model in the public sector
Sources: Adapted with inputs from the Federation of European Risk Management Associations (FERMA)/European Confederation of Institutes of Internal Auditing (ECIIA) Guidance on the 8th European Company Law Directive on Statutory Audit DIRECTIVE 2006/43/EC – Art. 41-2b, 2010, the Institute of Internal Auditors (IIA): Three Lines Model, 2020, the Assurance Maps Presentation, PIC EU-28 Conference 2015 and the three lines of defence in the public sector environment, PIC EU-28 Conference 2017.
Figure 1.24. Central Harmonisations Functions in the OECD countries
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
Based on interviews with various stakeholders in Finland, several weaknesses in the existing central co-ordinative practices were noted. These include the absence of quality assurance mechanisms for internal control and audit, as well as the undervaluation of risk management benefits. The role of the Advisory Board remains ambiguous, with limited concrete discussions and low visibility. Overall, there is a pressing need for more structured internal control training, updated regulations, and a centralised harmonisation approach (facilitating stronger government-level co-ordination) to ensure clarity, consistency, and effective implementation across the public sector.
Nevertheless, stakeholders highlighted several major strengths that support internal control and risk management, including openness, transparency, and trust within the prevailing administrative culture. Additionally, the emphasis on co-operation and the utilisation of networks is regarded as a significant factor. From a whole-of-government perspective, these elements are essential for creating an integrated and cohesive approach to internal control, enabling different entities to work together effectively. They enhance communication, facilitate the sharing of best practices, and promote collective efforts to identify and mitigate risks, ensuring that internal control systems are robust, reliable, and aligned with broader governance objectives.
As mentioned in the previous sections, the Advisory Board on Internal Control and Risk Management, appointed by the Government, monitors and assesses internal control and risk management across the Central Government, taking initiatives for their development. Nevertheless, stakeholders mentioned during the interviews that these duties are not very visible in practice.
The central harmonisation function is vital for ensuring a cohesive and effective internal control framework. By being responsible for developing and promoting methodologies based on internationally accepted standards, the function ensures consistency and best practices across public sector institutions. Regular reviews of the internal control and audit functions help maintain their completeness and effectiveness. Additionally, issuing formal guidelines on managing integrity risks ensures that all institutions are aligned in their approach to safeguarding integrity, ultimately enhancing the overall governance and accountability within the public sector (OECD, n.d.[66]). Moreover, the PII analysis results show that a strong harmonisation function is a statistically significant predictor of stronger internal audit practices (Figure 1.25).
Figure 1.25. Central harmonisations functions and internal audit practice
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
According to good EU practice, the central harmonisation function also includes (Boryczka, Bochnar and Larin, 2019[67]):
Monitoring internal control implementation aspects, ensuring compliance and quality assurance checks on whether its recommendations are being properly carried out and recommending how to overcome any bottlenecks in the implementation of the adopted policies.
Analysing the annual internal audit and management internal control reports, which facilitate the reporting role of the central harmonisation function to the highest governmental authorities on the progress of internal control throughout the public sector.
Supporting hiring and nomination of internal auditors and key responsible personnel for internal control; taking part in audit committees.
Co-ordinating the establishment of sustainable training facilities for the professions and improving the relevant administrative capacities.
Ensuring close co-ordination and co-operation with the supreme audit institution, professional private organisations (e.g. local IIA) and academic circles.
Accordingly, the presence of a central harmonising body ensures the development and promotion of methodologies based on international standards, fostering consistency and best practices (Box 1.14).
Box 1.14. Coverage of central functions to implement internal control and internal audit in the OECD countries
Canada
In Canada, the Comptroller General plays a central role in overseeing internal control and audit functions across the public sector. Responsibilities include providing strategic financial advice, monitoring policy compliance, guiding financial management performance, and leading government-wide financial management improvements. The Comptroller General also oversees accounting standards and financial reporting, supports CFOs with external advisors, and fosters the development of the financial management community through education and certification standards. The Policy on Internal Audit, particularly Section 3.2.4, mandates that internal audit within the federal public administration be supported and assessed by the Comptroller General to ensure professional standards and rigorous auditing practices are upheld. Deputy heads of all departments are required to ensure their internal audits comply with the Institute of Internal Auditors' International Professional Practices Framework unless it conflicts with federal policy. The Treasury Board Secretariat conducts regular government-wide reviews of the internal control system, including internal audit functions, with recent reports available for 2020-21 and 2021-22, despite a hiatus in 2019-20 due to the COVID-19 pandemic. These reviews are part of the Management Accountability Framework, which has consistently produced reports since 2017-18, underscoring the regular practice of such evaluations.
Sources: Government of Canada (n.d.[68]), The Risk and Compliance Process, https://www.canada.ca/en/treasury-board-secretariat/services/management-accountability-framework.html; Government of Canada (2023[69]), Directive on Internal Audit, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32533; Government of Canada (2023[70]), Guide to Internal Control Over Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32649.
Lithuania
In Lithuania, the Internal Audit and Control Methodology Group of the Ministry of Finance is responsible for developing policy and monitoring the implementation of internal control across the public sector. According to Article 3 of the Law on Internal Control and Internal Audit (IX-1253), the Ministry of Finance formulates state policy in internal control and internal audit, prepares relevant legal acts, and ensures these practices align with international standards. The Ministry also provides methodological leadership in these areas. The Ministry receives annual internal control and internal audit activity reports and conducts annual reviews on the implementation and functioning of internal control and internal audit within public legal entities. Each year by 1 March, the head of an internal audit service must produce and submit to the Ministry of Finance, the National Audit Office of Lithuania, the head of a public legal person, also the founder (founders) of the public legal person and the collegial management body, where the collegial management body is specified in the founding documents of a public legal person, an annual report on the activities of the internal audit service in accordance with the procedure for producing and submitting an annual report on the activities of an internal audit service established by the Minister of Finance. Additionally, the Ministry offers guidelines and instructions on assessing integrity risks, with the most recent document.
Sources: Republic of Lithuania (2023[71]), Vidaus kontrolė ir vidaus auditas, https://finmin.lrv.lt/lt/veiklos-sritys/vidaus-kontrole-ir-vidaus-auditas/#nav-lang; Republic of Lithuania (n.d.[72]), Summarized Information on the Functioning of Internal Audit Services in Public Legal Entities, https://finmin.lrv.lt/lt/veiklos-sritys/vidaus-kontrole-ir-vidaus-auditas/vidaus-auditas/apibendrinta-informacija-apie-vidaus-audito-tarnybu-veikima-viesuosiuose-juridiniuose-asmenyse/
Slovenia
In Slovenia, the Budget Supervision Office (BSO) within the Ministry of Finance is the central government body responsible for developing and monitoring the internal control (IC) and internal audit (IA) systems across the public sector. According to the Public Finance Act, Article 101, and the regulation on the co-ordinated operation of the system of internal control of public finances, the BSO is authorised to develop, guide, and co-ordinate Public Internal Financial Control (PIFC). This includes developing methodologies and techniques for state internal auditing, monitoring compliance with internal audit guidelines, reviewing internal audit charters of budget spending units, co-ordinating internal audit activities for projects co-financed by EU funds, and providing professional assistance for conducting internal audits. The BSO promotes IC and IA methodologies based on international standards through guidelines and recommendations available on their website. Additionally, the BSO prepares annual reports on PIFC, based on data from Public Internal Control Assessment Statements and internal audit reports, which are essential for maintaining transparency and accountability in public financial management. The office also oversees certification programs for public sector internal auditors, requiring them to obtain titles such as “State Internal Auditor” (SIA) or “Certified State Internal Auditor” (CSIA) as stipulated by legislation, and organises educational events to support the continuous professional development of internal auditors.
Sources: Republic of Slovenia (n.d.[73]), Budget Supervision Office, https://www.gov.si/en/state-authorities/bodies-within-ministries/budget-supervision-office/; Republic of Slovenia (n.d.[74]), Division for Internal Control of Public Finances, https://www.gov.si/drzavni-organi/organi-v-sestavi/urad-za-nadzor-proracuna/o-uradu/sektor-za-notranji-nadzor-javnih-financ/; Republic of Slovenia (n.d.[75]), Rules on Guidelines for the Coordinated Operation of the System of Internal Control of Public Finances (PISRS), https://pisrs.si/pregledPredpisa?id=PRAV4278; Republic of Slovenia (n.d.[76]), Legislation of the Office of Budgetary Control, https://www.gov.si/drzavni-organi/organi-v-sestavi/urad-za-nadzor-proracuna/zakonodaja/; Republic of Slovenia (n.d.[77]), Rules on the Conditions for Obtaining the Title of State Internal Auditor and Certified State Internal Auditor (PISRS), https://pisrs.si/pregledPredpisa?id=PRAV10853; Republic of Slovenia (n.d.[78]), Statement on the Assessment of Internal Control of Public Finances, https://www.gov.si/zbirke/storitve/izjava-o-oceni-notranjega-nadzora-javnih-financ; Republic of Slovenia (n.d.[79]), Izjava o Oceni Notranjega Nadzora Javnih Financ, https://www.uradni-list.si/files/RS_-2010-102-05234-OB~P001-0000.PDF.
Sweden
In Sweden, the Swedish National Financial Management Authority (ESV) is the central institution responsible for developing policy and monitoring the implementation of internal control across the public sector. The ESV oversees financial management, audits the management of EU funds, and promotes efficient and correct management of these funds. The ESV is specifically tasked with developing, managing, and co-ordinating the state's internal audit and internal governance and control. Additionally, the Swedish Financial Supervisory Authority is authorised to issue regulations to enforce on internal governance and control and on internal audit. Comprehensive guidance on internal control and audit is available on their official forum. The ESV has conducted government-wide reviews of the internal control system, including internal audits, for the last three years, with detailed reports accessible for 2020, 2021, and 2022, providing insights into the effectiveness of these functions.
Sources: ESV (n.d.[80]), Financial Management, https://www.esv.se/english/financial-management/; ESV (n.d.[81]), The Agency's Management's Internal Governance and Control - ESV Forum, https://forum.esv.se/styrning/intern-styrning-och-kontroll; ESV (n.d.[82]), Internal Audit - ESV Forum, https://forum.esv.se/styrning/internrevision/; ESV (n.d.[83]), Rapport - Internrevision och intern styrning och kontroll 2022, https://www.esv.se/contentassets/06d61ebc3c0b46c1bf1edbd042a6cee4/2022-24-internrevision-och-intern-styrning-och-kontroll-2022.pdf.
The survey data on risk reporting within organisations highlights its critical relationship with internal control systems, co-ordinative mechanisms and effectiveness of harmonised standards and practices across organisations in Finland (Figure 1.26). Nearly half (46.3%) of organisations have established organisational models with regular reporting mechanisms, which are essential components of robust internal control systems. These models ensure that risk is systematically monitored and managed, reinforcing overall organisational stability and accountability. Another significant portion (31.5%) employs different models but maintains consistent reporting, indicating that even with varied approaches, regular risk communication is a key element of their internal controls. However, 18.5% of organisations rely on ad-hoc reporting, suggesting potential gaps in their internal control systems due to the lack of a structured approach. Notably, a very small fraction, approximately 1.8%, have no reporting system, and a similar percentage (1.9%) are uncertain about their reporting practices. Similarly, the survey implemented in 2019 showed that in the majority of ministries (9), cross-administrative risk assessment was at a satisfactory or weak level (Ministry of Finance, 2019[4]). This lack of regular reporting can indicate weaknesses in their internal control systems, potentially exposing these organisations to higher risks. Overall, the data suggests that while most organisations recognise the importance of regular risk reporting as part of their internal controls, there remains a segment that could improve their practices to enhance organisational resilience and risk management.
The survey data on risk reporting and its integration with internal control systems and internal control reporting reveals a diverse landscape of practices among organisations and the need for coherent harmonisation (Figure 1.27). A significant portion of organisations utilise manual methods such as spreadsheets, particularly for goals, operating environment, and foresight (59.3%) and risk identification/recording (51.8%), indicating a reliance on traditional, albeit potentially less efficient, reporting tools. However, there is a noticeable trend towards adopting separate programs and integrated/automated systems, especially in areas like situation picture, reporting, and visualisation (38.9% and 5.5%, respectively) and safety and deviation notices (31.5% and 14.8%, respectively). This shift suggests a gradual move towards more advanced and efficient internal control systems.
Despite this progress, the high percentages of organisations in Finland that do not use or have not implemented these systems, such as for protected values and asset listings (44.5%) and costs and effectiveness (48.1%), highlight significant gaps. The averages and medians reflect moderate overall adoption, with averages around 2.0 and medians mostly at 2.0, except for higher averages and medians in protected values, asset listings, and costs and effectiveness, indicating areas with greater challenges. Overall, while many organisations are advancing towards more sophisticated internal control reporting mechanisms, the reliance on manual methods and the presence of non-implementation in several critical areas indicate room for substantial improvement. Enhancing these systems could lead to better harmonised risk management, improved accuracy in reporting, and stronger internal controls.
Figure 1.26. How are risks reported in your organisation?
Source: Risk Management Survey, Ministry of Finance of Finland.
Figure 1.27. What kind of tools or systems does your agency use in risk management processes?
Source: Risk Management Survey, Ministry of Finance of Finland.
Evaluations and reporting
In Finland, there are no separate arrangements for internal control reporting; instead, it is integrated into the performance guidance processes. The status and development needs of internal control are reported according to existing authority relations to various parties and to those who are accountable. Accordingly, the PII analysis results of Principle 10 of Finland demonstrate that only one criterion of the central reporting indicator is fulfilled (Figure 1.28).
Figure 1.28. OECD PII – Central reporting on internal control and internal audit in Finland
How to read: Finland fulfils 1 out of 9 criteria of the Central reporting indicator. For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
According to Section 65 of the State Budget Decree, the annual report included in the financial statements of the accounting unit must provide an assessment of the appropriateness and adequacy of internal control and risk management, along with a management statement on the state of internal control and its essential development needs. An evaluation framework, largely based on the COSO framework, supports this assessment, offering a tool for evaluating internal control and risk management across government agencies.
The National Audit Office of Finland (NAOF), as an independent Supreme Audit Institution operating in affiliation with Parliament, with its role defined in the Constitution of Finland, conducts financial, performance, and compliance audits for all government agencies and submits an annual report on central government accounts and the Government's annual report.
NAOF has consistently emphasised the importance of thorough internal control assessments in organisations, stipulating that Ministries and agencies must include an evaluation of internal controls in their financial statements (Ministry of Finance, 2018[84]). NAOF has noted that the Ministry of Finance, the State Treasury, and the Government Financial Controller's Function should focus more on the functioning and organisation of internal control as an integral part of central government financial administration. They stressed that as internal control and risk management are defined within the development of processes, functions, and information systems, these elements should consistently be incorporated into the planning and renewal of operations, as well as legislative improvements. Moreover, supervisory procedures for implementing internal control should be designed to be pre-emptive and integrated as automated components of the information systems, with their effectiveness ensured through thorough testing (VTV, 2017[85]).
According to the legislative requirements, the steering ministry must issue an annual statement on the final accounts of accounting offices and extra-budgetary State funds, addressing performance, reporting appropriateness, and necessary measures for improvement. This statement is shared with the Ministry of Finance, NAOF, and the State Treasury, and published on the Treasury's public website. The Government's annual report to Parliament, mandated by the Government Act and State Budget Act, includes information on central government risks and a summary of each ministry's administrative branch (Box 1.15).
Box 1.15. Government risk assessment practices in Finland
Cross-administrative risk assessments in central government include:
the assessment presented in the Government Annual Report of the key financial risks involved in central government activities and their significance
Finland's national risk assessment, prepared every three years, which assesses the risks threatening people, the environment, property and critical systems and services for which the authorities must prepare in their activities
yearly overview of central government risks and liabilities
quarterly economic survey
debt management annual review
general government fiscal plan
futures review of the ministries prepared once per electoral term.
The state of risk management in central government has been assessed over the past few years in the following publications:
current state in terms of the organisation of risk management in central government agencies, funds and enterprises. Summary of the results of the risk management survey (2019)
legality audit of the National Audit Office of Finland on the state of internal control and risk management in central government (2017)
central government risk management and continuity of operations. National Audit Office's audit reports (2018)
developing risk management at central government level. Final report of working group (2021)
monitoring and anticipation of the operating environment to support strategic decision-making. Audit reports of the National Audit Office (2022).
Source: Data provided by the Ministry of Finance, Finland (2023).
In comprehensively developed systems, the central harmonisation function is responsible not only for the development and promotion of harmonised internal control legislation and methodologies, but also for networking, co‑ordination and monitoring of the application of the relevant internal control and internal audit policies (Box 1.16). For this purpose, the central harmonisation function should have adequate rights, tools and relevant data, comprising the whole public sector. Therefore, the Ministry of Finance could consider reviewing the regulatory provisions that define internal control accountability and reporting mechanisms and establishing a system of performance measurement for quality assurance.
It is important to ensure that through its monitoring role the central harmonisation function is supporting the necessary sustainable development. In addition, the central harmonisation role could also ensure an adequate self-assessment mechanism and adding value through an external review. For example, the performance measurement of the central harmonisation function could include the assessment on the impact of the systemic recommendations on how to overcome any bottlenecks in the implementation of the adopted policies and whether its recommendations are being properly carried out.
Box 1.16. Regulations on internal control - establishing annual reporting activities
Canada
The Policy on Internal Audit of Canada states that deputy heads of departments must ensure that completed internal audit reports are released on the platforms specified by the Treasury Board of Canada Secretariat and within the timeframe set by the Comptroller General of Canada. Additionally, the Policy on Financial Management mandates that deputy department heads approve key financial reports, including the "Annual Statement of Management Responsibility Including Internal Control Over Financial Reporting," which includes a summary of the annual assessment of the internal control system over financial reporting.
Sources: Government of Canada (2023[69]), Directive on Internal Audit, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32533; Government of Canada (2024[86]), Policy on Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32495.
Estonia
The General Rules for Internal Auditing of Executive State Authorities establish rules for the implementation of and reporting on a quality control and improvement programme. The rules provide for the drafting and submission of two reports by the head of the internal audit: the activity report of the internal audit body on the preceding calendar year and an internal auditor's report on the implementation of the internal control system and the results obtained. These must be sent to the Ministry of Finance as the co-ordinating body in accordance with the procedure laid down in the general regulation.
Source: EC (2014[87]): Compendium of the Public Internal Control Systems in the EU Member States 2014 – Estonia – Public Internal Control, https://data.europa.eu/doi/10.2761/45689.
Sweden
Annual reporting covers both internal control and internal audit; the Ordinance (2000:605) on the annual report and budget documents requires administrative authorities to include an assessment of internal governance and control in their annual reports, noting any significant deficiencies. Furthermore, the Ordinance (2010:1764) mandates the Swedish Financial Supervisory Authority to submit a report on the state's internal audit to the government by March 31st each year. All authorities with an internal audit function must submit a questionnaire annually to the Swedish National Financial Management Authority, which reports to the government by March 31st.
Sources: ESV (2013[88]), Ordinance (2000:605) Concerning the Annual Reports and Budget Documentation, https://www.esv.se/contentassets/827db7e731934fff82f9254a72cd5ee4/ordinance-concerning-the-annual-reports-and-budget-documentation.pdf; Swedish Parliament (2007[89]), Ordinance (2007:603) on Internal Governance and Control, https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/forordning-2007603-om-intern-styrning-och_sfs-2007-603/; Swedish Parliament (2010[90]), Förordning (2010:1764) med instruktion för Ekonomistyrningsverket (Kommittédirektiv 2010:1764), https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/forordning-20101764-med-instruktion-for_sfs-2010-1764/?utm.
Table 1.5 provides a comparative analysis of internal audit and internal control reporting practices among 27 OECD countries, based on the PII analysis results. One strength is the commitment to transparency, evidenced by several countries making their central reports publicly available. However, a weakness is that several countries do not provide public access to these reports, suggesting a lack of transparency that could hinder public trust, external oversight and most importantly necessary developments for internal control systems. Additionally, the publication of summary statistics on internal control is robust in some countries, indicating proactive risk management. On the other hand, many countries lack these publications, reflecting weaker self-assessment mechanisms. Effective internal audit systems are seen where there is a high rate of implementation of audit recommendations, while inefficiencies are indicated by low implementation rates in other countries. Moreover, the existence of dedicated sections on integrity, fraud, or anti-corruption in audit reports signifies a strong focus on these areas, whereas their absence in several countries suggests a neglect of anti-corruption measures, potentially exposing them to higher risks of fraud and corruption.
Table 1.5. OECD PII – Central reporting practices in OECD countries
| | Yes | No |
|---|---|---|
| Central reports publicly available | CZE, KOR, LVA, LTU, MEX, NLD, NOR, PRT, SVK, SVN, SWE, CHE, TUR | AUS, CAN, CHL, CRI, EST, FIN, GRC, IRL, JPN, LUX, POL, ESP |
| Summary statistics of IAs, IC self‑assessments, and risk management activities | CZE, KOR, LVA, LTU, MEX, PRT, SVN, SWE | AUS, AUT, CAN, CHL, CRI, DNK, EST, FIN, GRC, IRL, JPN, LUX, NLD, NOR, POL, SVK, ESP, CHE, TUR |
| Rate of implementation of IA recommendations | KOR, POL, SWE, CHE | AUS, AUT, CAN, CHL, CRI, CZE, DNK, EST, FIN, GRC, IRL, JPN, LVA, LTU, LUX, MEX, NLD, NOR, PRT, SVK, SVN, ESP, TUR |
| Dedicated section on integrity, fraud or anti‑corruption | NLD, SVN, SWE | AUS, AUT, CAN, CHL, CRI, CZE, DNK, EST, FIN, GRC, IRL, JPN, KOR, LVA, LTU, LUX, MEX, NOR, POL, PRT, SVK, ESP, CHE, TUR |
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
Addressing the aforementioned weaknesses is essential for enhancing public trust, improving internal controls, and fostering a culture of accountability and integrity. Moreover, the absence of published summary statistics on internal control and audit activities hinders the ability to track improvements and manage risks effectively. Overall, the figure highlights a mixed landscape of internal control practices, with some countries demonstrating robust measures while others need to address significant gaps to enhance their internal audit and control systems.
With reference to Table 1.6, an external review of the internal control framework is essential for maintaining robust and reliable systems within an organisation. When conducted by a supreme audit institution (SAI), this assurance benefits from the institution's independence and objectivity. SAIs are legally mandated to access all necessary information, ensuring comprehensive and unbiased evaluations. Their reports, often made public, enhance transparency and accountability, increasing public trust in the internal control framework. Additionally, SAIs adhere to international auditing standards and possess specialised expertise, enabling them to identify weaknesses effectively and recommend significant improvements. Nevertheless, in fewer than half of OECD countries do SAIs regularly review internal control systems.
Table 1.6. OECD PII – External review of the internal control systems
| | Yes | No |
|---|---|---|
| SAI reviewed IC or IA system in the past five years | AUT, CHL, CRI, DNK, FIN, GRC, KOR, LTU, NLD, SVK, CHE, TUR | CAN, CZE, EST, IRL, JPN, LVA, LUX, MEX, NOR, POL, PRT, SVN, ESP, SWE |
| External quality assurance of IA unit in at least half of sample organisations in the past five years | AUS, GRC, IRL, LVA, LTU, NLD, POL, SWE | AUT, CAN, CHL, CRI, CZE, DNK, EST, FIN, JPN, KOR, LUX, MEX, PRT, SVK, SVN, ESP, CHE, TUR |
| Intergovernmental organisation reviewed IC/IA system in the past five years | CRI, GRC, LVA, ESP | AUS, AUT, CAN, CHL, DNK, EST, FIN, IRL, JPN, NOR, LTU, LUX, MEX, NLD, NOR, POL, PRT, SVK, SVN, SWE, CHE, TUR |
Note: Data based on results from 27 countries. Data for middle row from a sample of all ministries and the largest ten central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
Central harmonisation functions, on the other hand, play a critical role in ensuring consistency and standardisation across internal control frameworks within governments or large organisations. By conducting government-wide monitoring and oversight, they help standardise practices and promote uniformity, ensuring that policies and regulations are implemented correctly across all departments or units. Independent organisations offer a fresh perspective and specialised expertise in internal control and risk management. Their external assessments bring credibility and confidence to the internal control framework, instilling trust among stakeholders, regulators, and the public. Including summary statistics of auditing and risk management activities in internal control reports, as well as tracking progress towards policy objectives, ensures a comprehensive and quantitative assessment of the internal control system. This data-driven approach facilitates monitoring performance, identifying trends, and making informed decisions.
In conclusion, an external quality review of the internal control framework is vital for ensuring its effectiveness and reliability. Whether conducted by a supreme audit institution, a central harmonisation function, or an independent organisation, each type of review brings unique strengths to the development process. These assessments provide critical insights, ensure compliance with standards, and promote transparency and accountability (Box 1.17).
The desk research and interviews with different stakeholders revealed that the Ministry of Finance does not have enough capacity to ensure government-wide coverage, including actual data analysis, systematic and regular monitoring and quality assurance. Stakeholders also stressed the importance of strengthening government-level activities and cross‑sectoral reviews to promote comprehensive risk management and effective internal control. Although the state of risk management has improved, it varies significantly across different administrative sectors, ministries, and agencies. Therefore, all administrative sectors need to make sufficient efforts to develop their internal control and risk management practices.
As provided in previous sections, the development approaches in Finland are progressing and have achieved many development objectives. However, additional efforts may be necessary to keep standards, guidance, and advice current with evolving best practices and to ensure the co-ordinated implementation of the legal framework across the entire public sector. To this end, it may be beneficial to review primary legislation and ensure that administrative capacities are sufficiently strengthened to support new objectives.
Box 1.17. Central Accountability Reporting in the United States
The Annual Financial Report presents the U.S. government’s current financial position and condition and discusses key financial topics and trends. The Financial Report is produced by Treasury in co-ordination with OMB, which is part of the Executive Office of the President.
Internal Controls
Federal managers are responsible for developing and maintaining effective internal controls. Internal controls help to ensure effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Safeguarding assets is a goal of each of these three objectives. OMB Circular No. A-123 implements the requirements of 31 U.S.C. 3512 (c) and (d) (commonly known as the Federal Managers’ Financial Integrity Act) by providing agencies with a framework for assessing and managing risks strategically and tactically. The Circular reflects GAO’s Standards for Internal Control in the Federal Government and contains multiple appendices that address one or more of the objectives of effective internal control.
Appendix A provides for agencies to use a risk-based approach to assess, document, test, and report on internal controls over reporting and data integrity.
Appendix B requires agencies to maintain internal controls that reduce the risk of fraud, waste, and error in government charge card programmes.
Appendix C implements the requirements for effective estimation and remediation of improper payments.
Appendix D defines requirements for determining compliance with the FFMIA that are intended to reduce the cost, risk, and complexity of financial system modernizations.
The Annual Financial Report - FY 2022 states that effective internal controls are a challenge at the agency level and at the government-wide level, with GAO reporting that at the government-wide level, material weaknesses resulted in ineffective internal control over financial reporting. While progress is being made at many agencies and across the government in identifying and resolving internal control deficiencies, additional work is needed.
Sources: OMB (2004[91]), OMB Circular A-123 - Management's Responsibility for Internal Control, https://obamawhitehouse.archives.gov/omb/circulars_a123_rev; GAO (n.d.[92]), Homepage, https://www.gao.gov/ (accessed on 15 May 2024); FASAB (n.d.[93]), Federal Financial Reports, https://fasab.gov/resources/federal-financial-reports/; U.S. Department of the Treasury (2023[94]), Financial Report of the United States Government, Fiscal Year 2022, https://fiscal.treasury.gov/files/reports-statements/financial-report/2022/02-16-2023-FR-(Final).pdf.
Annex 1.A. Risk Management Survey – Key results
Respondents’ (54) characteristics
Annex Figure 1.A.1. Role and entity of the respondent
Annex Figure 1.A.2. Risk management is part of the job description
Annex Figure 1.A.3. Administrative field
Annex Figure 1.A.4. Have the risk management principles been defined in your organisation (agency, fund or unincorporated state enterprise) in a risk management policy or similar document?
Annex Figure 1.A.5. Does your organisation have a separate risk management action plan (e.g. annual plan, annual watch or similar)?
Annex Figure 1.A.6. Does your organisation have a systematic procedure approved by top management for handling risks?
Annex Figure 1.A.7. Does your organisation use external data sets to identify risks?
Annex Figure 1.A.8. Have you identified risks that require common risk management procedures at a) administrative branch level and/or b) cross-administrative or central government?
Annex Figure 1.A.9. Is risk management visible in your organisation's management system and management's actions?
Annex Figure 1.A.10. Is risk management integrated into the common functions of your organisation?
Annex Figure 1.A.11. Have the risk management responsibilities been defined concretely in your organisation so that the person/s responsible can be clearly identified? This may be described, for example, in the rules of procedure, financial rules, risk management policy or job descriptions.
Annex Figure 1.A.12. Have any risks related to the achievement of key goals been identified and documented in your organisation during the past year?
Annex Figure 1.A.13. Is the processing of measures related to the identified risks (preparation of measures, decision-making and follow-up) carried out at the individual level?
Annex Figure 1.A.14. Does your organisation have plans for handling the most significant risks, including responsibilities and timetables?
Annex Figure 1.A.15. Has your organisation defined who co-ordinates the risk management process and reporting to the management?
Annex Figure 1.A.16. Has your organisation evaluated which functions, processes and subcontractors are critical and difficult to replace?
Annex Figure 1.A.17. How is risk management training implemented for your organisation's personnel?
Annex Figure 1.A.18. Are the personnel of your organisation aware of the procedures according to which the personnel can report the risks they have observed?
Annex Figure 1.A.19. Does your organisation have a defined risk assessment process?
Annex Figure 1.A.20. Have criteria been defined in your organisation to assess the significance of risks (impact and probability) in a uniform way?
Annex Figure 1.A.21. Has your organisation defined which types and levels of risk are not acceptable?
Annex Figure 1.A.22. Does your organisation have guidelines for project work, and does it also include risk management (identification, assessment, documentation and monitoring of risks)?
Annex Figure 1.A.23. How are risks reported in your organisation (report intervals, report recipients, report content)?
Annex Figure 1.A.24. Have the activities of subcontractors critical to the achievement of your organisation's activities/objectives been systematically monitored?
Annex Figure 1.A.25. What kind of tools or systems does your agency use in risk management processes?
Annex 1.B. OECD Public Integrity Indicators – Results of the analysis of Principle 10 for Finland
Annex Figure 1.B.1. Effectiveness of internal control and risk management mechanisms for safeguarding public integrity (2023)
Note: Each line in this figure corresponds to an indicator that composes the OECD Public Integrity Indicators’ Effectiveness of internal control, risk management and internal audit dataset. Indicators are composed either of a specific number of criteria to fulfil (each represented by a circle) or of numerical rates (represented by bar charts). For more information, see: https://www.oecd.org/en/topics/public-integrity.html.
Source: OECD (2024[1]), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
Annex Figure 1.B.2. Regulatory framework for internal control
Annex Figure 1.B.3. Regulatory framework for internal audit
Annex Figure 1.B.4. Risk management framework
Annex Figure 1.B.5. Coverage of central functions to implement internal control and internal audit
Annex Figure 1.B.6. Central reporting on internal control and internal audit
Annex Figure 1.B.7. Internal audit and risk-based approaches in practice
Annex Figure 1.B.8. Use of integrity risk management in budget organisations in practice
References
[44] Australian Federal Register of Legislation (2017), Public Governance, Performance and Accountability Act 2013, Australian Government, https://www.ag.gov.au/integrity/counter-fraud-and-anti-corruption.
[58] Australian Government (n.d.), Audit Committees (RMG 202), Department of Finance, https://www.finance.gov.au/publications/resource-management-guides/audit-committees-rmg-202.
[67] Boryczka, M., D. Bochnar and A. Larin (2019), “Guidelines for assessing the quality of internal control systems”, SIGMA Papers, No. 59, OECD Publishing, Paris, https://doi.org/10.1787/2a38a1d9-en.
[24] COSO (n.d.), Guidance, Committee of Sponsoring Organizations, https://www.coso.org/guidance-on-ic.
[16] DG EMPL (n.d.), Homepage, European Commission’s Directorate-General for Employment, Social Affairs and Inclusion, https://ec.europa.eu/social/BlobServlet?docId=25947&langId=en (accessed on 15 May 2024).
[18] EC (2023), 2023 Country Report - Finland, European Commission, https://economy-finance.ec.europa.eu/document/download/dd9f5637-4d9a-4c2e-a255-138647daad35_en?filename=ip250_en.pdf.
[12] EC (2014), Compendium of the Public Internal Control Systems in the EU Member States 2014, Directorate-General for Budget, European Commission Publications Office, https://commission.europa.eu/publications/compendium-public-internal-control-systems-eu-member-states-2014_en.
[87] EC (2014), Compendium of the Public Internal Control Systems in the EU Member States 2014 – Estonia – Public Internal Control, Directorate-General for Budget, European Commission Publications Office, https://data.europa.eu/doi/10.2761/45689.
[46] EFV (2025), Risikomanagement und Versicherungspolitik (Risk and Insurance Policy), Swiss Federal Finance Administration, https://www.efv.admin.ch/efv/de/home/themen/finanzpolitik_grundlagen/risiko_versicherungspolitik.html.
[88] ESV (2013), Ordinance (2000:605) Concerning the Annual Reports and Budget Documentation, Swedish National Financial Management Authority, https://www.esv.se/contentassets/827db7e731934fff82f9254a72cd5ee4/ordinance-concerning-the-annual-reports-and-budget-documentation.pdf.
[80] ESV (n.d.), Financial Management, Swedish National Financial Management Authority, https://www.esv.se/english/financial-management/.
[82] ESV (n.d.), Internal Audit - ESV Forum, Swedish National Financial Management Authority, https://forum.esv.se/styrning/internrevision/.
[83] ESV (n.d.), Rapport - Internrevision och intern styrning och kontroll 2022, Swedish National Financial Management Authority, https://www.esv.se/contentassets/06d61ebc3c0b46c1bf1edbd042a6cee4/2022-24-internrevision-och-intern-styrning-och-kontroll-2022.pdf.
[81] ESV (n.d.), The Agency’s Management’s Internal Governance and Control - ESV Forum, Swedish National Financial Management Authority, https://forum.esv.se/styrning/intern-styrning-och-kontroll.
[32] EU (n.d.), Finland - Public Internal Control, European Union, https://publications.europa.eu/resource/cellar/5d6be42e-f34a-11e6-8a35-01aa75ed71a1.0001.01/DOC_1.
[93] FASAB (n.d.), Federal Financial Reports, United States Federal Accounting Standards Advisory Board, https://fasab.gov/resources/federal-financial-reports/.
[38] FERMA (2014), European Confederation of Institutes of Internal Auditing Guidance on the 8th EU Company Law Directive, Federation of European Risk Management Associations, Brussels.
[30] Finlex (1992), Decree on the State Budget 1243/1992, Ministry of Justice, https://www.finlex.fi/fi/laki/ajantasa/1992/19921243#L9P71.
[28] Finlex (1988), State Budget Act 423/1988, https://www.finlex.fi/fi/laki/ajantasa/1988/19880423.
[53] Finlex (n.d.), Finnish Auditing Act, https://www.finlex.fi/en/legislation/translations/2015/eng/1141?utm_source.
[17] Finnish Government (2023), “Expenditure and revenue structure needs significant adjustments to improve general government finances”, https://valtioneuvosto.fi/en/-/10623/expenditure-and-revenue-structure-needs-significant-adjustments-to-improve-general-government-finances.
[92] GAO (n.d.), Homepage, United States Government Accountability Office, https://www.gao.gov/ (accessed on 15 May 2024).
[86] Government of Canada (2024), Policy on Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32495.
[69] Government of Canada (2023), Directive on Internal Audit, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32533.
[70] Government of Canada (2023), Guide to Internal Control Over Financial Management, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32649.
[68] Government of Canada (n.d.), The Risk and Compliance Process, Management Accountability Framework, https://www.canada.ca/en/treasury-board-secretariat/services/management-accountability-framework.html.
[57] Government of Canada (n.d.), Understanding the Application Process: Job Opportunities, Internal Audit Recruitment and Development Program, https://www.canada.ca/en/treasury-board-secretariat/corporate/understanding-application-process.html.
[63] Government of Latvia (n.d.), Internal Audit Policy, https://www.fm.gov.lv/en/internal-audit-policy.
[59] Government of the Netherlands (n.d.), Auditdienst Rijk, https://www.auditdienstrijk.nl/ (accessed on 15 May 2024).
[65] Government of the Slovak Republic (2022), Metodické usmernenie sekcie auditu a kontroly Ministerstva financií SR č. MF/006646/2022-1411 k finančnej kontrole, https://www.mfsr.sk/files/archiv/34/20220922_MU_financna_kontrola.pdf.
[64] Government of the Slovak Republic (2015), Act 357 of 10 November 2015 on Financial Control and Auditing and on Amendments to Certain Laws, https://www.mfsr.sk/files/archiv/55/357_2015_20220301_EN.pdf.
[52] Hayes, C. (2018), “Centralized vs. decentralized audit functions”, Internal Auditor, Institute of Internal Auditors.
[26] IIA (2024), Global Internal Audit Standards, Institute of Internal Auditors, https://www.theiia.org/en/standards/.
[49] IIA (2024), Global Practice Guide: Building an Effective Internal Audit Function in the Public Sector, 2nd Edition, Institute of Internal Auditors, https://www.theiia.org/en/content/guidance/recommended/supplemental/practice-guides/global-practice-guide-building-an-effective-internal-audit-function-in-the-public-sector/.
[50] IIA (2024), Internal Audit: Vision 2035 - Creating Our Future Together, Institute of Internal Auditors, https://www.theiia.org/globalassets/site/foundation/latest-research-and-products/vision-2035-report.pdf.
[7] IIA (2022), “Applying the three lines model in the public sector”, Institute of Internal Auditors, https://www.theiia.org/en/content/articles/2022/applying-the-three-lines-model-in-the-public-sector/.
[25] ISO (n.d.), ISO 31000: 2018 - Risk Management - Guidelines, https://www.iso.org/iso-31000-risk-management.html.
[31] Ministry of Agriculture and Forestry (n.d.), Financial Rules of the Accounting Unit of the Ministry of Agriculture and Forestry (KPY 440), https://mmm.fi/en/publications.
[47] Ministry of Finance (2023), Julkisten valvontaviranomaisten roolit, riippumattomuuden turvaavat rakenteet, toimintatavat ja työkalut korruptionvastaisessa toiminnassa : Selvitys, https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/165266/VM_2023_86.pdf?sequence=1&isAllowed=y.
[43] Ministry of Finance (2023), Risk Management Handbook for Central Government Actors, http://urn.fi/URN:ISBN:978-952-367-633-6.
[5] Ministry of Finance (2021), Advisory Board on Internal Control and Risk Management 2022-2024, https://vm.fi/hanke?tunnus=VM156:00/2021.
[40] Ministry of Finance (2021), Development of Government-level Risk Management: Working Group’s Final Report, http://urn.fi/URN:ISBN:978-952-367-529-2.
[42] Ministry of Finance (2021), Valtioneuvostotasoisen riskienhallinnan kehittäminen - Työryhmän loppuraportti, https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/163184/VM_2021_28.pdf?sequence=1&isAllowed=y.
[4] Ministry of Finance (2019), The Current State of Risk Management in Government Agencies, Funds and Public Enterprises: Summary of the Results of the Risk Management Survey, http://urn.fi/URN:ISBN:978-952-367-046-4.
[51] Ministry of Finance (2018), Valtionhallinnon riskienhallinta ja toimintojen jatkuvuus, https://www.vtv.fi/app/uploads/2018/12/10092013/VTV-Tarkastuskertomus-20-2018-Valtionhallinnon-riskienhallinta-ja-toimintojen-jatkuvuus.pdf.
[84] Ministry of Finance (2018), Valtiontalouden tarkastusviraston vuosikertomus eduskunnalle 2018, https://www.vtv.fi/app/uploads/2018/09/06155752/VTV_Vuosikertomus-eduskunnalle_2018_K192018vp.pdf.
[13] Ministry of Finance (n.d.), Coordination of Internal Control and Risk Management, https://vm.fi/sisaisen-valvonnan-ja-riskienhallinnan-koordinointi.
[23] Ministry of Finance (n.d.), Development of Internal Control and Risk Management, https://vm.fi/sv/utveckling-av-den-interna-kontrollen-och-riskhanteringen.
[48] Ministry of Finance (n.d.), Internal Audit, https://vm.fi/sisainen-tarkastus.
[27] Ministry of Finance (n.d.), Internal Control and Risk Management, https://vm.fi/hallintopolitiikka/sisainen-valvonta-ja-riskienhallinta.
[2] Ministry of Finance (n.d.), Management and Organisation, https://vm.fi/johto-ja-organisaatio.
[39] Ministry of Finance (n.d.), Risk Management, https://vm.fi/riskienhallinta.
[3] Ministry of Finance (n.d.), Valtiovarainministeriön organisaatio, https://vm.fi/documents/10623/1214660/Organisaatiokaavio-2023-hein%C3%A4kuu-fi.pdf/204a453a-68d7-0581-2cc5-5e446e97d7dd/Organisaatiokaavio-2023-hein%C3%A4kuu-fi.pdf?t=1706767190466.
[15] Ministry of Social Affairs and Health (n.d.), National Service Reform: Reform of the Content and Operating Methods of Health and Social Services, https://stm.fi/en/national-service-reform.
[62] NBA (n.d.), HRA, Nederlandse Beroepsorganisatie van Accountants, https://www.nba.nl/tools/hra-2023/.
[9] OECD (2024), Anti-Corruption and Integrity Outlook 2024, OECD Publishing, Paris, https://doi.org/10.1787/968587cd-en.
[22] OECD (2024), Anti-Corruption and Integrity Outlook 2024 – Country Notes: Finland, OECD, Paris, https://www.oecd.org/en/publications/anti-corruption-and-integrity-outlook-2024-country-notes_684a5510-en/finland_efb29cf6-en.html.
[1] OECD (2024), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).
[21] OECD (2022), Economic Outlook (database), OECD, Paris.
[19] OECD (2022), OECD Economic Surveys: Finland 2022, OECD Publishing, Paris, https://doi.org/10.1787/516252a7-en.
[14] OECD (2021), Drivers of Trust in Public Institutions in Finland, Building Trust in Public Institutions, OECD Publishing, Paris, https://doi.org/10.1787/52600c9e-en.
[35] OECD (2021), OECD Integrity Review of the State of Mexico: Enabling a Culture of Integrity, OECD Publishing, Paris, https://doi.org/10.1787/daee206e-en.
[11] OECD (2020), Government at a Glance: Latin America and the Caribbean 2020, OECD Publishing, Paris, https://doi.org/10.1787/13130fbb-en.
[8] OECD (2020), OECD Public Integrity Handbook, OECD Publishing, Paris, https://doi.org/10.1787/ac8ed8e8-en.
[33] OECD (2017), Government at a Glance 2017, OECD Publishing, Paris, https://doi.org/10.1787/gov_glance-2017-en.
[37] OECD (2017), OECD Integrity Review of Mexico: Taking a Stronger Stance Against Corruption, OECD Publishing, Paris, https://doi.org/10.1787/9789264273207-en.
[6] OECD (2017), Recommendation of the Council on Public Integrity, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0435.
[10] OECD (2016), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264263871-en.
[66] OECD (n.d.), Coverage of Central Functions to Implement Internal Control and Internal Audit, OECD Public Integrity Indicators, OECD, Paris, https://oecd-public-integrity-indicators.org/indicators/1000055/subindicators/1000364.
[41] OECD (n.d.), Effectiveness of Internal Control and Risk Management, OECD Public Integrity Indicators, OECD, Paris, https://oecd-public-integrity-indicators.org/indicators/1000055?country1=AVG&country2=FIN.
[20] OECD (n.d.), Finland Economic Snapshot, OECD, Paris, https://www.oecd.org/economy/finland-economic-snapshot/.
[29] OECD (n.d.), Regulatory Framework for Internal Control, OECD Public Integrity Indicators, OECD, Paris, https://oecd-public-integrity-indicators.org/indicators/1000055/subindicators/1000361?country2=FIN&country1=AVG.
[36] OMB (2016), OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (Revised 07/15/2016), United States Office of Management and Budget, https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-17.pdf.
[91] OMB (2004), OMB Circular A-123 - Management’s Responsibility for Internal Control, United States Office of Management and Budget, https://obamawhitehouse.archives.gov/omb/circulars_a123_rev.
[54] PRH (n.d.), Auditor Oversight, Finnish Patent and Registration Office, https://www.prh.fi/en/auditoroversight.html.
[56] Republic of Croatia (n.d.), Basic Training, https://mfin.gov.hr/highlights-2848/central-harmonization-unit/internal-audit/professional-training/basic-training/2893.
[71] Republic of Lithuania (2023), Vidaus kontrolė ir vidaus auditas, https://finmin.lrv.lt/lt/veiklos-sritys/vidaus-kontrole-ir-vidaus-auditas/#nav-lang.
[45] Republic of Lithuania (2021), 1K-195 Dėl Vidaus kontrolės įgyvendinimo viešajame juridiniame asmenyje, https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/f9f898a1bb0911ea9a12d0dada3ca61b/asr.
[34] Republic of Lithuania (2002), IX-1253 Republic of Lithuania Law on Internal Control and Internal Audit, https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/e5725040e37e11ea869e86e74cfea363?jfwid=bkaxmyl6.
[72] Republic of Lithuania (n.d.), Summarized Information on the Functioning of Internal Audit Services in Public Legal Entities, https://finmin.lrv.lt/lt/veiklos-sritys/vidaus-kontrole-ir-vidaus-auditas/apibendrinta-informacija-apie-vidaus-audito-tarnybu-veikima-viesuosiuose-juridiniuose-asmenyse/.
[73] Republic of Slovenia (n.d.), Budget Supervision Office, https://www.gov.si/en/state-authorities/bodies-within-ministries/budget-supervision-office/.
[74] Republic of Slovenia (n.d.), Division for Internal Control of Public Finances, https://www.gov.si/drzavni-organi/organi-v-sestavi/urad-za-nadzor-proracuna/o-uradu/sektor-za-notranji-nadzor-javnih-financ/.
[79] Republic of Slovenia (n.d.), Izjava o Oceni Notranjega Nadzora Javnih Financ, https://www.uradni-list.si/files/RS_-2010-102-05234-OB~P001-0000.PDF.
[76] Republic of Slovenia (n.d.), Legislation of the Office of Budgetary Control, https://www.gov.si/drzavni-organi/organi-v-sestavi/urad-za-nadzor-proracuna/zakonodaja/.
[75] Republic of Slovenia (n.d.), Rules on Guidelines for the Coordinated Operation of the System of Internal Control of Public Finances (PISRS), https://pisrs.si/pregledPredpisa?id=PRAV4278.
[77] Republic of Slovenia (n.d.), Rules on the Conditions for Obtaining the Title of State Internal Auditor and Certified State Internal Auditor (PISRS), https://pisrs.si/pregledPredpisa?id=PRAV10853.
[78] Republic of Slovenia (n.d.), Statement on the Assessment of Internal Control of Public Finances, https://www.gov.si/zbirke/storitve/izjava-o-oceni-notranjega-nadzora-javnih-financ.
[90] Swedish Parliament (2010), Förordning (2010:1764) med instruktion för Ekonomistyrningsverket (Kommittédirektiv 2010:1764), https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/forordning-20101764-med-instruktion-for_sfs-2010-1764/?utm.
[89] Swedish Parliament (2007), Ordinance (2007:603) on Internal Governance and Control, https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/forordning-2007603-om-intern-styrning-och_sfs-2007-603/.
[55] Tampere Higher Education Community (n.d.), Master’s Programme in Auditing and Evaluation, https://www.tuni.fi/fi/tule-opiskelemaan/tilintarkastuksen-ja-arvioinnin-maisteriohjelma.
[94] U.S. Department of the Treasury (2023), Financial Report of the United States Government, Fiscal Year 2022, https://fiscal.treasury.gov/files/reports-statements/financial-report/2022/02-16-2023-FR-(Final).pdf.
[85] VTV (2017), “Current state of internal control and risk management in central government”, National Audit Office of Finland, https://www.vtv.fi/en/publications/current-state-of-internal-control-and-risk-management-in-central-government/.
[60] Wetten Overheid (n.d.), Regeling - Nadere voorschriften kwaliteitssystemen - BWBR0038869, https://wetten.overheid.nl/BWBR0038869/2022-01-01/.
[61] Wetten Overheid (n.d.), Regeling - Wet op het accountantsberoep, https://wetten.overheid.nl/BWBR0032573/2021-07-01/#Hoofdstuk1_Artikel1.
Notes
1. In Finland, a comprehensive social and healthcare reform was implemented in 2023. The reform was based on the need to address municipalities' ability to manage the high costs of specialised healthcare and an ageing population. Key lessons from COVID-19 in Finland included, above all, enhancing cross-administrative collaboration and development across sectoral boundaries, as well as responding to global challenges such as environmental and climate change. (Data also provided by the Ministry of Finance, Finland, 2024).
2. For more information, see https://www.vtv.fi/en/.
3. The fifth section of this chapter provides a more in-depth analysis of the Central Harmonisation Function (CHF) and its potential role as a policy unit within the executive branch, typically reporting directly to the Minister of Finance or an equivalent authority, tasked with supporting the development and implementation of internal control and internal audit systems across the public sector. Its responsibilities include setting and harmonising internal control and audit standards and policies, providing guidance and tools, evaluating government-wide efforts to safeguard integrity in these areas, and co-ordinating and monitoring practices for reporting and addressing related weaknesses. The CHF fosters collaboration among stakeholders such as managers, financial officers, and internal auditors. By addressing challenges in institutionalising internal control, risk management and internal audit, the CHF ensures these activities are aligned with broader strategic and operational objectives, contributing to improved decision-making, enhanced integrity, and the achievement of organisational goals across the public sector.
4. For more information, see Federal Internal Audit, https://audit.fed.be/fr/homepage.html.