Strengthening Internal Control and Risk Management in Finland

This chapter on the development of the recommendations for the central government-level internal control strategy and action plan, presents proposals regarding the time-bound objectives of the Ministry of Finance of Finland in key aspects of the design and delivery of the strategy and action plan for the improvement of the internal control system (Ministry of Finance, n.d.[1]).

It involves the identification of the objectives necessary to develop and implement the strategy and action plan and to enhance the quality of the internal control system. It also includes the recommended definition of actionable measures, responsible authorities and indicative timelines for achieving the objectives.

To be effective, the strategy and action plan should be based on a comprehensive assessment as well as the challenges and opportunities that the country faces. Therefore, the key findings and insights highlighted in the diagnostic chapter were drawn from different relevant sources: results of the interviews and discussions with key stakeholders, desk research, a survey of internal control and risk management stakeholders in Finland and an analysis of the “Effectiveness of Internal Control and Risk Management” dataset of the OECD Public Integrity Indicators, which reflects Principle 10 of the OECD Recommendation on Public Integrity (OECD, 2024[2]).

The implementation of many recommendations would entail complex and significant changes to current working practices and procedures. These recommendations will aid senior management in prioritising the development and enhancement of the internal control system. Implementation may also necessitate amendments to existing regulations, resource investment, and a deeper understanding of the issues from the management's perspective. The significance of adopting and implementing the action plan should be understood within this context, with rigorous monitoring of the implementation by the responsible Finnish authorities being essential.

The following section of the report sets out why taking a strategic approach to internal control and risk management is important to Finland. The third section presents the development opportunities for the internal control system focusing on the consolidated and systemised weaknesses of the public internal control and risk management in the country identified in the diagnostic chapter.

The next section delves into the key aspects of the application and implementation process of Finland’s strategy and action plan. It outlines the necessary approaches for executing the strategy effectively, ensuring alignment with best practices. The section discusses the monitoring and evaluation importance, and the consultation process to enhance stakeholder engagement to foster a sense of ownership and improve transparency.

The last section presents the consolidated practical recommendations to facilitate the Ministry of Finance of Finland in drafting the strategy and action plan for the development of an effective internal control framework in Finland. This section presents a detailed set of recommendations on objectives and actions essential for the effective implementation of Finland’s internal control and risk management strategy and action plan. It outlines specific goals and corresponding activities designed to address each key priority area. The recommendations aim to provide clear, actionable steps to enhance internal control mechanisms and risk management practices across the Central Government.

The OECD held necessary discussions with the Ministry of Finance of Finland on the framework of the strategy and action plan and outlined information from the diagnosis that is essential for the development of the action plan. In co-ordination with the Ministry of Finance, the OECD proposed potential priorities, objectives and actions. In March 2024, a discussion was held with the Ministry of Finance at the OECD to gather feedback and advice. Subsequently, the Ministry of Finance engaged in consultation with relevant country stakeholders and members of the Advisory Board for Internal Control and Risk Management (Ministry of Finance, 2021[3]). The chapter with recommendations was prepared to facilitate the Ministry of Finance to prepare the strategy and action plan for the improvement of the internal control system and risk management activities in the Central Government, setting out the time-bound objectives and priorities of Finland.

Figure 1.1 and Table 2.1 illustrate that all development areas suggested by the OECD have been recognised as important by Finnish stakeholders, with each area receiving a notable level of attention. However, priorities vary, with "Ensuring Internal Audit Independence" and "Building Managerial Awareness" ranked as the most critical areas. Lower-ranked areas, such as establishing a comprehensive reporting mechanism and optimising internal audit resources, are still acknowledged as relevant, albeit with a lower priority. This comprehensive prioritisation underscores a consensus on the importance of each area, guiding the OECD's recommendations toward the most impactful actions. The prioritisation exercise underscores that while all OECD-suggested development areas are valued, some are perceived as more urgent or foundational than others. This hierarchy enables Finland to allocate resources and attention more effectively, concentrating on areas that stakeholders see as having the most immediate need or potential impact. By aligning the national strategic decisions with these priorities, Finland could achieve meaningful and targeted improvements in its internal control framework.

From a statistical comparison perspective, the range of rankings from a minimum of 3.2 to a maximum of 6.5 reflects a moderate spread in stakeholder prioritisation of the OECD's key findings. This range suggests that, while all areas are recognised as important (with no scores below 3.2), there is a clear distinction in perceived urgency or value among them. A relatively high maximum score of 6.5 indicates a strong consensus around certain top-priority areas, such as "Ensuring Internal Audit Independence." Meanwhile, the lower end, at 3.2, shows that some recommendations are seen as less critical but still valuable, indicating a prioritisation rather than a dismissal of any suggestions. This spread allows Finland to focus on the highest-impact areas while acknowledging that all areas require some level of attention.

Integrity is essential for building strong institutions and assuring citizens that the government is acting in their best interest. Integrity also enhances economic productivity, public sector efficiency, and societal inclusiveness. The OECD Recommendation on Public Integrity (OECD, 2017[4]) offers policymakers a comprehensive vision for a public integrity strategy. This approach shifts the focus from ad hoc integrity policies to a context-dependent, behavioural, and risk-based strategy, emphasising the cultivation of a culture of integrity throughout society.

To effectively serve its purpose and remain relevant, a strategic approach must be supported by evidence on integrity risks and drivers of corruption. It should also include clear objectives and a measurement framework that tracks implementation, ensuring accountability and effective communication with both citizens and public officials. According to the OECD Recommendation on Public Integrity, members are advised to develop a strategic approach for the public sector that is based on evidence and aimed at mitigating public integrity risks, particularly through:

• Setting strategic objectives and priorities for the public integrity system based on a risk-based approach to violations of public integrity standards, and that takes into account factors that contribute to effective public integrity policies.

• Developing benchmarks and indicators and gathering credible and relevant data on the level of implementation, performance and overall effectiveness of the public integrity system.

A public integrity strategy is crucial for guiding and supporting a cohesive and comprehensive integrity system. It serves as a means to achieve the goal of a well-functioning integrity framework, rather than being an end in itself. Such strategies demonstrate a commitment to public integrity and help define institutional responsibilities within the system. However, if these strategies are not backed with adequate internal control systems and do not result in visible improvements due to poor implementation, they risk becoming irrelevant or, worse, undermining public confidence in national authorities (OECD, 2020[5]).

The needs for improvement and existing challenges identified in the diagnosis help shape the recommendations for the action plan aiming to support the implementation of actionable measures to enhance the internal control system and risk management functions in Finland's Central Government, recognising the intrinsic value of internal control for the sound functioning of government organisations.

This chapter further consolidates and details the findings and recommendations from the diagnostic to inform the development of the strategy and action plan. Considering the above the chapter provides concrete suggestions on how to establish the action plan to achieve the expected results for the development of internal control and risk management and align the plan with the national environment, priorities and international good practices.

Designing a national internal control strategy and consolidating the harmonised efforts towards its adequate implementation are an effective means to enhance the internal control and risk management systems in Finland and provide the country with a long-term, strategic, and evidence-backed approach to internal control that builds on co-operation among relevant stakeholders. The adoption and implementation of the strategy and action plan for Finland could:

• Recognise the importance of internal control at the highest policy level and define its scope, based on the evidence collected during the diagnostic phase and the identification of national needs.

• Complement and support other national public policies that seek to foster integrity and accountability, economic and social prosperity.

• Create mechanisms for co-operation and awareness among internal control stakeholders from the public sector, private sector, and civil society, identifying a national lead function for harmonisation, co-ordination and advice, and interdepartmental co-ordinating body.

• Establish a roadmap to achieve objectives set based on evidence collected at the government-wide level.

• Provide guidance for stakeholders in designing and implementing their own internal control initiatives.

• Encourage adequate monitoring and evaluation to measure progress and effectiveness and propose improvements accordingly.

A well-developed internal control and risk management strategy not only addresses immediate risks but also builds long-term trust in public institutions by demonstrating a commitment to transparency, accountability, and effective governance (OECD, n.d.[6]). Accordingly, the OECD Public Integrity Indicators, besides the dedicated indicators for internal control, assess the strategic framework for public integrity systems, emphasising the need for a comprehensive approach to mitigating risks and benchmarking whether national authorities have established a robust strategic framework that includes objectives for internal control and risk management (OECD, n.d.[7]). By adopting evidence-based and inclusive strategies, governments can enhance transparency, accountability, and public trust, ensuring systematic and effective risk mitigation across all governance levels.

The Finnish government aims to make Finland a strong, committed, and stable country capable of withstanding global challenges while fostering actions that build faith in the future (Finnish Government, 2023[8]). It emphasises the importance of an ownership strategy that ensures that risk management supports policymaking. To achieve this, strategic and effective internal control is crucial for efficiently managing public resources and enhancing accountability. It supports informed decision-making, improves governmental performance, and ensures resilience and transparency in public administration. Effective management of resources, as emphasised in the Programme of the Government, aligns with international standards and best practices, fostering a resilient and transparent public administration system. Strong internal control mechanisms are essential to achieving the goals of the Programme, ensuring that public administration operates effectively and efficiently while safeguarding public trust and resources (OECD, 2020[5]).

The OECD Anti-Corruption and Integrity Outlook provides that Finland fulfils 53% of OECD criteria on the quality of its strategic framework and 63% for implementation in practice, compared to the OECD average of 45% and 36% respectively (Figure 2.1). Finland’s National Anti-Corruption Strategy 2021-2023 has broad coverage and refers to several international legal instruments relating to public integrity. However, it does not include outcome-level indicators for the public integrity objectives (OECD, 2024[9]).

According to the Ministry of Finance, Finland needs ambitious structural reforms to boost employment, economic growth, and general government finances (Finnish Government, 2022[10]). Given the need to strengthen Finland's finances by at least nine billion euros over the next two parliamentary terms to ensure long-term prosperity, an effective internal control framework is crucial. It can prevent financial mismanagement, reduce waste, support the implementation of necessary reforms, and ensure the effective delivery of essential public services, thereby securing long-term prosperity for future generations.

The Finnish Government's National Anti-Corruption Strategy and Action Plan for 2021-2023 emphasises the critical role of internal audit, internal control, and risk management in combating corruption (Finnish Goverment, 2021[11]). Key measures include strengthening co-ordination and co-operation among authorities, enhancing training for officials and internal auditors on corruption risks, and increasing transparency in decision-making. The plan also focuses on developing guidelines for internal audits to better identify and manage corruption risks and enhance the autonomy and access to information for public sector internal audits. These comprehensive measures aim to reinforce public integrity, effective management of resources, and maintain public trust, aligning with international standards and best practices.

Nevertheless, in Finland, 47% of people reported high or moderately high trust in the national government in 2023, and this figure has decreased by 14 percentage points since 2021 — the second-highest decrease among the eighteen OECD countries with available data (Figure 2.2) (OECD, 2024[12]).

Furthermore, only 36% of Finns expect the public sector to adopt innovations to improve services, below the OECD average of 39%. The 2024 OECD survey on drivers of trust also notes that trust in an institution could enhance its effectiveness, suggesting a reciprocal relationship where trust not only contributes to but also results from improved institutional performance (OECD, 2024[13]). Hereby, strategic internal control plays an important role as it ensures transparency, accountability, and efficiency within public sector operations (OECD, n.d.[14]; n.d.[15]). Implementing effective internal control can drive innovation and improve service delivery, thereby increasing public confidence and satisfaction (OECD, 2022[16]). Accordingly, by prioritising internal control and risk management, Finland can address the trust deficit and enhance the overall effectiveness and integrity of its public institutions

In today’s complex information environment, characterised by the rise of disinformation, the creation, sharing, and consumption of information are closely tied to trust. Evidence-based decision-making is a significant driver of trust, as OECD data demonstrates. Governments can earn public trust by better communicating the data and evidence that supports reforms. However, only 41% of people believe that the government uses the best available evidence in decision-making, and just 39% think that communication about policy reforms is adequate (Figure 2.3) (OECD, 2024[17]).

The OECD 2024 Survey on Drivers of Trust in Public Institutions results indicate that people expect key democratic principles – accountability of institutions and people’s voices - to be anchored in practice to build trust in government (OECD, 2024[17]). Nevertheless, according to the OECD's integrity outlook, while Finland has a robust anti-corruption strategy, there are gaps in practical implementation. The OECD notes that Finland must focus on effectively utilising internal controls and risk management frameworks to address these gaps. Strengthening internal audit capabilities, developing central harmonisation capabilities, and ensuring consistent resources and practices across ministries are essential steps. These measures could enhance accountability, support the long-term goal of a corruption-resistant society, and align with the OECD’s recommendations (OECD, 2024[9]).

Therefore, a robust internal control strategy could ensure that decisions are grounded in reliable data and transparent processes, which can enhance the credibility and accountability of government actions (OECD, n.d.[14]). By systematically addressing risks and implementing effective controls, such a strategy can demonstrate a commitment to high standards of governance and accountability. Furthermore, effective communication of these efforts and the underlying evidence can help bridge the trust gap, showing the public that their government is dedicated to making informed, transparent, and responsible decisions (OECD, 2024[17]). This approach could significantly bolster public confidence and trust in governmental institutions.

The OECD Public Integrity Indicators (PII) utilise a mixed-methods approach, incorporating both administrative and big data from governments, as well as surveys, to assess key aspects of the OECD recommendation on public integrity implementation. The unique value of the PII lies in providing policymakers and practitioners with an international perspective on the integrity system's status, serving as a credible alternative to existing indices. Rather than ranking countries, the PII aims to highlight various steps that can be taken to strengthen core components of the integrity system.

As described in more detail in the previous chapter, the internal control and risk management framework of Finland was analysed in 2023 under the “Effectiveness of Internal Control and Risk Management” dataset of the OECD Public Integrity Indicators. The relevant indicators that Finland does not fulfil are shown in Figure 1.9, following the identification of relevant development opportunities, specifically regarding five indicators: the regulatory framework for internal audit, coverage of central functions to implement internal control and internal audit, central reporting, internal audit & risk-based approaches in practice, and use of integrity risk management in practice, which are described in more detailed below.

Establishing policies and regulations is essential for setting direction and minimum standards, while co‑ordination and monitoring at the central government level ensure coherence and oversight. Ultimately, the effectiveness of these mechanisms depends on their implementation within budget organisations. Therefore, indicators focus on the most critical aspects and those concerned with public integrity, rather than covering all areas relevant to the overall effectiveness of public sector organisations or the internal control and risk management framework.

Successful implementation of the PII enhances countries' ability to measure the resilience of their public integrity systems and offers an evidence-based foundation for developing and implementing more effective integrity policies. As provided in the previous section, internal control and risk management mechanisms are vital for maintaining public integrity within the public sector; effective internal control and risk management policies and processes reduce the vulnerability of public sector organisations to fraud and corruption by providing reasonable assurance that the organisation is achieving its objectives and managing its risks effectively. These policies and processes ensure value for money and facilitate optimal decision-making by balancing enforcement with preventive, risk-based approaches, thus helping governments deliver beneficial programs efficiently and avoid wasteful spending.

Indicator Regulatory framework for internal audit reviews the regulations established for the internal audit function (OECD, 2024[2]). The related criteria are based on the IIA IPPF Standards 2017, and INTOSAI GOV 9140 professional standards. The absence of several key integrity criteria within Finland's regulatory framework for internal auditing indicates several vulnerabilities in the system.

The absence of specific operational arrangements for internal audit functions could lead to inconsistencies and inefficiencies across government bodies, compounded by the lack of published standards guiding the conduct of internal auditors. Additionally, without clear stipulations on the independence of the audit function, there is a risk of external influence compromising objectivity. The failure to require internal audit units to develop a standard methodology-based manual and undergo regular external quality assessments could reduce uniformity and effectiveness. Lastly, the absence of mandatory annual activity reports to a central harmonisation function could hinder transparency, accountability, and the ability to monitor and evaluate internal audit performance across the public sector.

Indicator Coverage of central functions to implement internal control and internal audit reviews the mandate and specific duties of the central harmonisation function - the government body responsible for co-ordinating and monitoring the implementation of internal control and internal audit activities. The criteria are based on COSO 2013 IC-IF, IIA IPPF standards 2017, INTOSAI GOV 9100, and 9130 and the EU PIC model.

When a country fails to meet the integrity criteria related to central functions and oversight for internal control and internal audit, some major weaknesses in governance and accountability could arise. Without a central government body (such as a central harmonisation function) to develop and promote internal control and internal audit systems, there could be a lack of standardised methodologies and practices, leading to inconsistencies and potential gaps in integrity measures across various government organisations. The absence of government-wide reviews on internal control and internal audit systems over the past three years further exacerbates this issue, as it means that systemic weaknesses and areas for improvement are not identified and addressed regularly.

Additionally, without co-ordinated training and certification systems for new staff, there is a risk of insufficiently trained personnel handling critical auditing tasks, undermining the effectiveness of internal audits. The lack of issued guidelines on assessing integrity risks also suggests that public sector organisations may not have the latest tools and frameworks needed to effectively identify and mitigate risks, leaving them vulnerable to integrity breaches and corruption. Overall, these deficiencies could compromise the robustness of the internal control and audit systems, hindering efforts to ensure transparency, accountability, and integrity in the public sector.

Indicator Central reporting on internal control and internal audit reviews the reports for internal control and internal audit, which can consist of one report or two separate reports. The annual report refers to a summary of all individual reports.

Without centralised reporting from all required institutions, there is a lack of oversight and co-ordination, hindering consistent internal control application. When a country doesn’t meet indicators for internal control and internal audit reporting and oversight, gaps in transparency, accountability, and integrity management could arise. The absence of annual reports detailing the implementation of internal audit recommendations and their public availability further could undermine transparency and trust. Moreover, the lack of relevant data and self-assessments in recent reports could impede comprehensive evaluation of control effectiveness. Additionally, missing dedicated sections on integrity, anti-corruption, or fraud risks in reports, could leave critical vulnerabilities unaddressed. These deficiencies could compromise the government's ability to ensure accountability, effectively mitigate risks and maintain public integrity.

Indicator Internal audit and risk-based approaches in practice reviews data provided by the central harmonisation function. For some criteria, a sample is taken to review practice. The sample organisations include all ministries and the 10 central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets.

Not meeting the aforementioned criteria could compromise the robustness of the internal audit function, leading to weaknesses in accountability, risk management, and public integrity. For example, if internal audit units are not staffed according to legal requirements and do not include at least two auditors per unit, the capacity to conduct thorough and effective audits is severely limited. The absence of a national certification scheme for internal audit professionals could undermine the quality of audits due to potentially insufficient qualifications and expertise. Similarly, without audit procedure manuals adopted by heads of institutions, inconsistencies in audit practices could arise. Additionally, if internal audit unit reports are not submitted directly to institution heads, critical findings and recommendations may not reach key decision-makers. Also, there could be an inadequate evaluation of control environments and internal control at large when internal audit reports do not include internal control assessment.

Indicator Use of integrity risk management in budget organisations in practice reviews data provided by the central government body responsible for risk management. Α sample is taken to review practice. The sample organisations include all ministries and the 10 central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets.

If organisations do not conduct regular risk assessments, assign clear roles for risk management, or document risk assessment results, it could lead to unclear accountability and inefficient risk tracking. The absence of internal audits reviewing risk management policies and processes further could weaken assurance of their effectiveness, and if the integrity risk management body lacks independence, it could compromise objectivity. Additionally, without guidance documents and integrity risk assessments identifying both inherent and residual risks, organisations may miss critical vulnerabilities and necessary control decisions.

According to the diagnosis, despite the growing number of good risk management initiatives at the central government level, the lack of managerial awareness and accountability are still perceived to be one of the major obstacles to obtaining effective internal control functions. Additionally, comprehensive central co-ordinating and monitoring actions are necessary to address systemic and institutional weaknesses that could facilitate the internal control system and related practices in the first place. Accordingly, research and interviews conducted for this report revealed a consensus among the majority of stakeholders that, although regulation and guidance have evolved, actual implementation needs to be strengthened. Furthermore, while the Ministry of Finance has broadly promoted knowledge of public internal control and risk management, the implementation of internal control, risk management, and internal audit functions is not receiving the recognition it deserves for its value, nor is it being treated with equal and harmonised importance.

The diagnosis has revealed that while the existing internal control system in Finland includes a robust risk management framework supported by comprehensive guidance, effective central networking facilitated by the Ministry of Finance, high levels of transparency, and a strong culture of trust — factors that collectively enhance the overall effectiveness and reliability of internal controls — there are significant areas that require development and improvement, such as the lack of comprehensiveness and the outdated nature of regulations, insufficient managerial awareness, fragmented practices, unclear roles and responsibilities, the absence of harmonised and co-ordinated approaches, inadequate quality assurance and systemic accountability mechanisms, an unregulated and often ineffective internal audit function, inconsistent internal control and risk management practices due to a lack of harmonised quality assurance, and underutilised advisory board capabilities that lack a systemic proactive approach.

The research and analysis provided in the diagnosis of the internal control framework in Finland have recognised major findings that should guide the country’s considerations for further development looking forward. These are consolidated and structured in Table 2.7 below.

The OECD Public Integrity Indicators define the quality of a strategic framework (Figure 2.4) by its comprehensive coverage, evidence-based problem analysis, inclusion of essential strategy contents, inclusiveness and transparency in consultations, adequacy of implementation structures and reporting, effective implementation of activities, financial sustainability, and transparency of evaluation practices and their use in decision-making (OECD, n.d.[7]).

The process of developing a national integrity strategy is considered as important as the strategy itself. An inclusive and thorough development process can help identify relevant strategic objectives meaningful to citizens and businesses, prioritise and sequence actions transparently to address critical integrity risks, provide evidence for the most cost-effective and impactful interventions, and foster a sense of ownership and commitment to the stated goals and activities. The key driver for choosing the strategy type – whether it be a single strategy or mainstreaming integrity into existing policy plans and strategies – is to ensure coherence among organisations, policies and objectives. Nevertheless, a single dedicated strategy can more easily signal commitment, and the streamlined efforts can make co-ordination and a system-wide approach easier (OECD, 2020[5]).

A strategic approach that integrates integrity objectives into existing strategies often encounters fewer issues with institutional setup, staffing, and funding, as these strategies are already established. However, it could face the challenge of adopting a whole-of-government, collaborative approach and accordingly meeting the necessary expectations, thus making this approach not suitable for national internal control frameworks. It is important to note, accordingly, that developing an internal control framework requires the involvement of various actors at the government-wide, institutional, and individual levels to ensure effective implementation, with a strong central harmonisation role across the public sector, which therefore advocates for a need of the dedicated strategic approaches (OECD, 2020[5]).

An evidence- and risk-based strategic approach is essential for mitigating public integrity risks. A robust strategic framework must have adequate coverage and consist of strategies developed based on data and evidence, inclusively formulated, adequately implemented, systematically evaluated, and financially sustainable (OECD, 2020[5]). The strategic framework should cover key areas including human resource management, public financial management, internal control and risk management.

Accordingly, to be effective, a national integrity or internal control strategy should be grounded in an assessment of the problems and their causes, as well as the challenges and opportunities the country faces. Such diagnosis involves assessing the nature, extent, and impact of the country's integrity problems and risks. Secondly, it includes evaluating the opportunities and obstacles that may either facilitate or hinder the implementation of effective integrity reforms (OECD, 2023[18]). Table 2.8 outlines the minimum standards of good practices for developing evidence-based strategies.

Considering the integrative aspect and overall dynamics of internal control systems, an internal control strategy must be treated as a living document, continually evolving to reflect new insights and emerging risks, ensuring that it remains effective and responsive to the dynamic nature of organisational challenges. Moreover, to assure continuity in development, mechanisms are needed that allow continued policy exploration and development across policy cycles supported by new evaluation and measurement procedures (OECD, 2022[19]). Therefore, the responsible authorities should ensure that effective strategies rely on thorough problem analysis and diagnostic tools, incorporating diverse data sources like international indicators, surveys, and public registries. Strategies could include situation analyses identifying existing risks, outcome-level indicators with target values, and references to international legal instruments related to public integrity.

Simultaneously, the strategy development process must be inclusive and transparent, involving public and inter-institutional consultations with sufficient durations, availability of draft strategies and supporting materials on public portals, and inputs from key integrity bodies and non-state actors (OECD, 2020[5]). Effective implementation requires central co-ordination, action plans with clear outcome-level indicators, baseline targets, activities linked to strategic objectives, and identification of lead organisation(s). Additionally, clear monitoring, reporting, and evaluation arrangements are essential, along with the use of administrative data sources and the inclusion of survey data.

Box 2.1 describes the cross-governmental approach in Finland to developing an anti-corruption strategy. An advanced strategic framework could have objectives to mitigate public integrity risks in the private sector, public corporations, state-owned enterprises or public-private partnerships, as well as in interactions with civil society organisations.

Therefore, an evidence-based perspective is essential to an internal control strategy as it could ensure that risk-based decisions and related national objectives are grounded in reliable data and objective analysis, rather than assumptions or subjective judgments. This approach enhances the recognition and effectiveness of internal controls by enabling organisations to identify, assess, and mitigate risks more accurately, ensuring that strategic measures are both relevant and effective. Additionally, an evidence-based strategy could promote continuous improvement, as it allows for the regular review and adjustment of assurance systems based on empirical outcomes and changing circumstances.

Balancing rules-based and values-based approaches is a common challenge for integrity strategies. While compliance-based strategies focus on adherence to rules and procedures to prevent misconduct, values-based approaches aim to foster an environment that supports positive ethical behaviour. This balance is crucial for guiding decision-making across various functions and departments (pertinent to the internal control environment) through shared values and standards (OECD, 2020[5]).

A values-based approach also can guide the design of policies ensuring collaboration with trusted, values-aligned partners. This approach helps navigate conflicts between different policy objectives, such as economic, environmental, and security concerns. It also ensures that technology development and governance adhere to high ethical standards. Implementing this approach involves creating robust processes for deliberating on which values to apply throughout the innovation chain and requires dedicated governance structures and strategic intelligence (OECD, 2024[20]).

Accordingly, such an approach is essential for national internal control and risk management strategies as it ensures that internal control frameworks are not only designed to meet regulatory and operational requirements but are also aligned with the ethical standards and values of society. This alignment fosters a culture of integrity and accountability within organisations, enhancing the effectiveness of risk management by ensuring that decisions are made consistently with the organisation's core principles, which strengthens trust and resilience in governance systems.

OECD Public Integrity Indicators emphasise the importance of incorporating well-integrated monitoring and evaluation activities within every strategy. An effective integrity strategy and action plan must not only outline a comprehensive set of substantive reforms but also specify the means for ensuring its implementation, monitoring, evaluation, and communication. An efficient monitoring and evaluation system should be integrated into the continuous update and improvement cycle of the strategic framework. Table 2.9 outlines the key elements of effective monitoring practices based on the criteria established in the OECD Public Integrity Indicators (OECD, 2024[2]).

Accordingly, various stakeholders are increasingly called to collaborate and maximise the impact of their efforts to achieve sustainable development in the overarching strategic development, such as for internal control. Results frameworks could be essential for implementing these approaches, as they offer a clear strategy for translating inputs into outcomes and impacts, providing a structured method to address local and global challenges. A well-designed results framework reflects a harmonised strategic intention and ensures that resources and efforts are directed towards interventions that have the highest potential for creating positive change. These frameworks facilitate evidence-based decision-making, learning and adapting, accountability, and communication (Figure 2.5) (OECD, 2023[21]).

Evaluation mechanisms at various stages of the policy process should be defined and planned before any actions are implemented. Identifying what data will be collected, as well as how and when the measures will be evaluated, helps shape the design and execution of these actions. Establishing evaluation mechanisms before implementation is crucial for ensuring measurability, generating progress reports, and maintaining accountability. While some data may overlap with what was gathered during the risk identification and assessment stage, monitoring and evaluation serve a different purpose: holding the implementing actors accountable for their achievements and efficiency (OECD, 2020[5]).

To facilitate the assessment of the effectiveness of an integrity strategy, it is essential to clearly define monitoring and evaluation arrangements. Monitoring is an ongoing process that systematically collects data on specific indicators to show progress toward achieving objectives. In contrast, evaluation is the systematic and objective assessment of an ongoing or completed project, program, or policy, including its design, implementation, and outcomes. Unlike monitoring, evaluation involves making a judgment about the value and impact of the activity and its results (OECD, n.d.[23]).

Respectively, the primary intention of the results framework is to focus on outcome results, especially from the perspective of seeking to strengthen their contribution to the desired impact. Impacts are influenced by many factors beyond the direct control or influence of various actors, even though they represent the desired change and ultimate objective (Figure 2.6). These external factors, which can affect the connection between outputs, outcomes, and impacts, must be considered when setting results objectives and targets, as well as during implementation. In a theory of change, these factors could be identified as assumptions or risks.

It is recommended for Finland to build on these principles by enhancing the delivery, accountability, and adaptability of its internal control and risk management system through a robust, results-based monitoring and evaluation approach. This includes institutionalising the internal control feedback system (IC360) as a coherent and responsive assurance network, embedding OECD Public Integrity Indicators, and enabling a dedicated M&E co-ordination function. To sustain momentum, Finland could further align monitoring with results-based management practices, integrate M&E into strategic cycles, deploy digital dashboards for real-time insights, and invest in capacity-building and transparency, ensuring that evidence from evaluation systematically informs strategy refinement and adaptive risk governance.

As described in the previous sections, managerial awareness and accountability together with comprehensive central monitoring and support are perceived as the major obstacles to obtaining adequate and effective implementation of internal control and risk management. Therefore, the outlined development opportunities present the foundation for defining the following key priorities and objectives (Table 2.10), including indicators of the objectives to facilitate necessary advancement and monitoring (0), for the public internal control framework of Finland:

As regards the first priority, an integrated, effective and well-addressed internal control framework is essential for achieving government accountability, ensuring that finances are used efficiently, and securing expected outcomes in all processes and projects. Managers serve as the first line of assurance, responsible for upholding clear responsibilities and communicating expectations to all staff, ensuring vigilance over public funds (OECD, 2020[25]). Moreover, performance risks can be amplified in times of crises and when policy targets are unclear or processes are poorly designed, making the role of managers in maintaining robust oversight even more critical (OECD, 2024[26]). Therefore, a well-defined role of managers in ensuring effective internal control and overall assurance is crucial for maintaining accountability and transparency within the public administration and financial management systems (OECD, 2020[5]).

The second priority outlines the central harmonisation function, which is vital for maintaining a consistent and effective government-wide internal control environment, ensuring governments are prepared and resilient, regardless of the situation, through ongoing support from senior management. The ultimate value of the function is to provide assurance that control (assurance) systems are functioning, i.e. ensuring the effectiveness of internal control and risk management across all government institutions (OECD, 2024[26]). The function co-ordinates policy and methodological standards, harmonising internal control processes, including internal audit policy, across various government units. It also proposes new or modified regulations, monitors overall quality and performance, and organises training and capacity-building activities. Its responsibilities include setting and harmonising internal control standards, providing guidance and tools, evaluating efforts to safeguard integrity, and standardising practices for reporting and responding to integrity breaches (OECD, 2020[5]).

To facilitate policy dialogue and necessary decisions on public internal control in Finland, Table 2.11 below provides a list of proposed actions. The table clarifies the responsible authorities and indicates whether the actions can be implemented in the short, medium, or long term. For actions requiring legislative changes, detailed responsibility may not be attributed to any single body, however, the government could use these recommendations as a basis to advance discussions or propose amendments to the legislative framework. The table also suggests which government entity could advance each proposed action. Ideally, the Ministry of Finance should initiate discussions and proposals for legislative changes, as it co-ordinated the OECD PII analysis process on P10 (internal control and risk management) on behalf of the country and possesses the key expertise on the subject.

• A legal analysis to assess the current internal control, risk management, and internal audit regulatory framework against international standards and good practices is conducted.

• The comprehensive internal control legal framework is drafted based on the legal analysis, stakeholder consultations and OECD recommendations. The framework includes provisions for internal control, risk management, internal audit functions, definitions, objectives, roles, responsibilities, and accountability requirements.

• The finalised legal framework is presented to the appropriate legislative body for formal adoption.

• A capacity-building plan is developed to facilitate the implementation of the law. This involves training programs for managers, internal auditors, risk managers, and other relevant personnel, as well as the establishment of monitoring mechanisms to ensure compliance with the new legal framework.

• A continuous monitoring and evaluation mechanism of the internal control framework's effectiveness, incorporating feedback loops for periodic updates and improvements based on practical experience, evolving local requirements, international standards and good practices, is developed.

• All relevant stakeholders and their existing functions within the internal control, risk management, and internal audit frameworks are mapped out based on OECD diagnosis and recommendations.

• The core competencies required for managers, internal auditors, and the Ministry of Finance are clearly defined in the context of internal control, risk management, internal audit and central harmonisation, including the accountability structures to ensure each role is responsible for specific outcomes.

• Provisions specifying the roles and responsibilities of managers, internal auditors, and the Ministry of Finance are included in the legal framework, ensuring its alignment with international standards and good practices.

• A mechanism for periodic reviews of the defined roles and responsibilities to ensure they remain aligned with organisational needs and evolving best practices is defined.

• A need assessment to establish independent audit committees in ministries where the audit committees could play a significant assurance role in overseeing governance, risk and control processes as well as promoting an effective internal audit and strong culture for integrity is carried out and discussed with key stakeholders.

• The induction training is developed for all public officials, including senior management, on internal control and internal audit responsibilities.

• A regular training mechanism for managers is established, aiming to strengthen the implementation of managerial responsibilities on internal control and internal audit.

• The knowledge-sharing mechanism is developed for management to facilitate the exchange of good practices on governance, control and risk management.

• A network is functioning for internal control practitioners for an adequate exchange of relevant practices and information between its participants and to ensure the proper understanding of the roles linked with the fundamental principles of the internal control framework.

• The primary regulation clearly defines the organisational and functional independence of the internal audit activity, including the direct reporting line to the head of an organisation, ensuring that ensure that the internal audit function has the authority to determine the scope of internal auditing, perform work independently, and communicate results without interference.

• Clear conditions for smaller internal audit functions are defined in regulation to ensure adequate implementation of legal requirements, especially regarding the scope of assurance, quality control, objectivity and independence.

• Internal audit units establish strategic audit plans, including the audit needs assessment.

• Internal audit staffing requirements are defined in primary regulation.

• Guidelines for conducting audit needs assessments are created that help organisations determine the optimal size of their internal audit units.

• Provisions in the regulatory framework define internal audit arrangements to vary based on the organisation's type and size.

• Policy recommendations are adopted regarding the adequacy and effectiveness of the assurance mechanisms and risk management in organisations not covered by the internal audit system.

• An internal audit accountability system is established aiming to ensure comprehensive reporting on internal audit, providing the requirement for the heads of internal audit units to report to the central harmonisation function on the internal audit function’s implementation and quality assurance.

• A hierarchical internal control accountability system is defined, aiming to ensure comprehensive reporting on the implementation of internal control within a sector or field of responsibilities.

• The role of central harmonisation function includes co-ordination and monitoring of the implementation of the internal control and internal audit policies.

• The primary regulation defines managerial and internal audit responsibility and accountability requirements.

• Completion of the review and formal definition of the CHF's mandate, specific duties, and structure in line with OECD recommendations.

• Comprehensive set up of the CHF, with leadership and key staff appointed, and empowerment to co-ordinate and monitor internal control and internal audit systems across the government.

• Issuance of initial internal control and internal audit guidelines based on international standards to all relevant government entities.

• Several workshops, seminars, and training sessions were conducted to promote and implement internal control and internal audit methodologies aligned with international standards and good practices.

• Completion of a comprehensive government-wide review of internal control and internal audit systems, including the identification of gaps and issuance of recommendations for improvement.

• A standardised internal control policy guidance for the Central Government is approved by the relevant authority with a requirement that an individual internal control policy is prepared considering the guidance and approved by the head of the organisation.

• The central harmonisation function ensures regular monitoring that all internal audit units have internal audit manuals, which are adequately documented and approved and that adopted charters are in line with relevant regulations and guidelines.

• Principles of co-operation with external auditors are defined, aiming to avoid overlapping outputs, inefficiencies, and duplication of work, as well as to facilitate a combined assurance approach and to support internal control and risk management implementation.

• Standard methodology and guidance are established to ensure an adequate quality level among the internal control and internal audit manuals and working documents.

• Practical exchange networking for public managers and internal auditors is established, aiming to share good practices and value-added of system-based assessment of internal control.

• Training dedicated to systemic internal control assessment is established and regularly provided to Central Government auditors.

• Systemic internal control assessments are incorporated into the regular accountability and audit cycles.

• A number of pilot audits by internal auditors and systemic internal control evaluations by managers in selected organisations are organised to support a quicker introduction of the systems-based approach that could enable internal auditors to provide assurance over the internal control systems in an audited organisation.

• Workshops and webinars are regularly organised to continuously build and enhance the capacity of managers and internal auditors in the Central Government while fostering knowledge sharing, networking, and information exchange.

• The development of a national training and certification system tailored to the unique needs of the Central Government was considered, with the goal of strengthening internal audit capabilities within Central Government organisations.

• The necessity of a central certification committee and quality control procedure for the professional development and certification system was discussed with key stakeholders.

• Regulations define mechanisms for the continuous professional education and competence development of public internal auditors.

• The central harmonisation function role includes monitoring and co-ordinating the implementation of external quality assessment requirements.

• Internal audit quality self-assessments are performed regularly, and external quality assessments are performed at least once per five years.

• A guidance and training module for quality management and control practice is established.

• Detailed guidelines are established that outline the standards, processes, and criteria for conducting self-assessments and external quality assessments, based on international good practices and tailored to the specific needs of the Central Government.

• The central harmonisation function's mandate includes conducting regular government-wide reviews of the internal control and internal audit systems, aimed at drawing conclusions and making recommendations for systemic actions to enhance internal audit, internal control, and risk management practices.

• The impact of the systemic recommendations provided by the central harmonisation function is measured on how to overcome any bottlenecks in the implementation of the adopted policies and whether its recommendations are being properly carried out.

• A regular self-assessment of the quality and effectiveness of the central harmonisation function is performed in order to develop and maintain procedures for quality assurance and improvement, that cover all aspects of the central harmonisation function’s responsibilities.

• Administrative capacities for the central harmonisation function are increased to ensure government-wide coverage, systematic and regular monitoring and quality assurance.

• A standardised framework is created for monitoring the implementation of internal control and audit requirements across all government entities, defining key performance indicators, reporting requirements, and data collection methodologies to ensure consistent and comprehensive oversight.

• The inter-departmental Advisory Board provides effective oversight over internal control, risk management and internal audit development advancements.

• The establishment of an integrated IT system to enable real-time tracking and analysis of systemic risks, and adequacy of internal control and audit activities was considered and discussed with key stakeholders

[11] Finnish Goverment (2021), Government Resolution on the National Anti-Corruption Strategy and Action Plan 2021-2023, http://urn.fi/URN:ISBN:978-952-383-678-5.

[8] Finnish Government (2023), A Strong and Committed Finland : Programme of Prime Minister Petteri Orpo’s Government 20 June 2023, Publications of the Finnish Government, http://urn.fi/URN:ISBN:978-952-383-818-5.

[10] Finnish Government (2022), “General government finances must be strengthened by at least nine billion euros over the next two parliamentary terms in order to safeguard the prosperity of future generations”, https://valtioneuvosto.fi/en/-/10623/general-government-finances-must-be-strengthened-by-at-least-nine-billion-euros-over-the-next-two-parliamentary-terms-in-order-to-safeguard-the-prosperity-of-future-generations.

[24] Ministry for Foreign Affairs (2023), Results Based Management (RBM) in Finland’s Development Policy – Managing for Sustainable Development Results - Guiding Document, https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/165200/UM_2023_16.pdf?sequence=1&isA.

[3] Ministry of Finance (2021), Advisory Board on Internal Control and Risk Management 2022-2024, https://vm.fi/hanke?tunnus=VM156:00/2021.

[1] Ministry of Finance (n.d.), Development of Internal Control and Risk Management, https://vm.fi/sv/utveckling-av-den-interna-kontrollen-och-riskhanteringen.

[13] OECD (2024), “Annex A. The public governance drivers and personal characteristics shaping trust in public institutions”, in OECD Survey on Drivers of Trust in Public Institutions – 2024 Results: Building Trust in a Complex Policy Environment, OECD Publishing, Paris, https://doi.org/10.1787/9a20554b-en.

[9] OECD (2024), Anti-Corruption and Integrity Outlook 2024 - Country Notes, OECD Publishing, Paris, https://doi.org/10.1787/968587cd-en.

[20] OECD (2024), “OECD Agenda for Transformative Science, Technology and Innovation Policies”, OECD Science, Technology and Industry Policy Papers, No. 164, OECD Publishing, Paris, https://doi.org/10.1787/ba2aaf7b-en.

[2] OECD (2024), OECD Public Integrity Indicators (database), https://oecd-public-integrity-indicators.org/ (accessed on 15 May 2024).

[17] OECD (2024), OECD Survey on Drivers of Trust in Public Institutions – 2024 Results: Building Trust in a Complex Policy Environment, OECD Publishing, Paris, https://doi.org/10.1787/9a20554b-en.

[12] OECD (2024), OECD Survey on Drivers of Trust in Public Institutions 2024 Results - Country Notes: Finland, OECD Publishing, Paris, https://www.oecd.org/en/publications/2024/06/oecd-survey-on-drivers-of-trust-in-public-institutions-2024-results-country-notes_33192204/finland_8f83ddc0.html.

[26] OECD (2024), “Promoting accountability, control and oversight in response and recovery funds in the Asia Pacific Region”, OECD Public Governance Policy Papers, No. 58, OECD Publishing, Paris, https://doi.org/10.1787/1a3c2831-en.

[18] OECD (2023), A Strategic Approach to Public Integrity in Hungary: The 2023-25 National Anti-Corruption Strategy and Action Plan, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/a5461405-en.

[21] OECD (2023), OECD TOOLKIT - Impact by design - Effective Results Frameworks for Sustainable Development, Capacity4dev, European Union and OECD, Paris, https://capacity4dev.europa.eu/library/oecd-toolkit-impact-design-effective-results-frameworks-sustainable-development_en.

[19] OECD (2022), Anticipatory Innovation Governance Model in Finland: Towards a New Way of Governing, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/a31e7a9a-en.

[16] OECD (2022), Tax Morale II: Building Trust between Tax Administrations and Large Businesses, OECD Publishing, Paris, https://doi.org/10.1787/7587f25c-en.

[5] OECD (2020), OECD Public Integrity Handbook, OECD Publishing, Paris, https://doi.org/10.1787/ac8ed8e8-en.

[25] OECD (2020), “Public integrity for an effective COVID-19 response and recovery”, OECD Policy Responses to Coronavirus (COVID-19), OECD Publishing, Paris, https://doi.org/10.1787/a5c35d8c-en.

[4] OECD (2017), Recommendation of the Council on Public Integrity, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0435.

[22] OECD (2012), “Managing for sustainable development results”, OECD Publishing, Paris, https://www.oecd.org/en/publications/2021/03/development-co-operation-tips-tools-insights-practices_d307b396/managing-for-sustainable-development-results_69ffd2a7.html.

[23] OECD (n.d.), Development Co-operation Peer Reviews and Learning, OECD, Paris, https://www.oecd.org/content/oecd/en/topics/sub-issues/development-co-operation-peer-reviews-and-learning.html.

[14] OECD (n.d.), Internal Control and Audit, OECD, Paris, https://www.oecd.org/en/topics/sub-issues/internal-control-and-audit-in-the-public-sector.html.

[6] OECD (n.d.), Public Integrity Indicators, OECD, Paris, https://www.oecd.org/en/topics/sub-issues/public-integrity.html.

[7] OECD (n.d.), Quality of Strategic Framework, OECD Public Integrity Indicators, OECD, Paris, https://oecd-public-integrity-indicators.org/indicators/1000053.

[15] OECD (n.d.), Risk Management to Safeguard Integrity, OECD, Paris, https://web-archive.oecd.org/fr/temp/2020-11-17/530503-risk-management-integrity.htm.