World Bank Institute Regional Workshop on Auditing and Financial Accountability Addis Ababa Implementing an Internal Audit Reform Program Case study for National Department of Health South Africa Gloria Spelman Head: Shared Internal Audit Services Eastern Cape Provincial Administration South Africa

Agenda Background What we sought to achieve Indicators for success or failure Creating an effective IA structure for reform Establishing an effective Audit Committee Conclusion

Background Status of the department. People (professionals) Attitudes, Empowerment, Political influences, Gender issues (affirmative action), Level of understanding of IA function, Work ethic, respect and awareness of government policies (comparison of the ECPA, DPSA and NDoH.)

Vision Seeing the bigger picture. Passion for IA Belonging to the IIA Passion to empower others. Commitment to make a difference and be an agent of change Academic vs practical approach

What we sought to achieve? Development of a five year strategic plan identification of core objectives setting our goals setting targets establishing indicators

What we sought to achieve (2) Core objectives Service all levels of management, AO and AC, providing them with independent, management oriented advice on the department’s internal control systems, operating and performance, risk management and governance with a view to improving accountability. Give assurance to the Accounting Officer and audit Committee that the standard of the financial and administration management is maintained at a satisfactory level, internal controls are appropriate and effective and that legislation and departmental policies and procedures are being observed.

What we sought to achieve (3) Goal To ensure that the department achieves its goals and objectives, by Improving risk management, and Creating a control conscious and corruption free environment, as well as Giving feedback (timely reporting) of independent and objective reviews and evaluation of activities with recommendations for improvement to management.

What we sought to achieve (4) Target All the department personnel, All levels of management, Accounting Officer, and Provincial Departments of where and when necessary. By continuously assessing changing risks and encouraging control self assessment.

Indicators for success or failure General indicators Target groups approaching internal audit for pro-active advice with regard to internal control, risk management and corporate governance issues Implementation of recommendations. Specific indicators Look at specific goals

Approach Adopted Things we did to build relationships with the client: Staying relevant to Management needs (using ad hoc assignments to get a buy-in) Staying abreast of IA issues (consistent research) Staying abreast of government issues( i.e. educating management on new pertinent legislation) Build confidence with client by being pro-active and not re-active

Approach Adopted (2) Encourage management to take control of their situation (control self assessment) Display a high degree of honesty when giving informal advice Set an example by your own honesty and integrity (honor God in the way you do business) Honor departmental invitations Introduce your staff to management at the start of an assignment When handling disagreements on findings with management always do it in way that will make you win the confidence of management

Approach Adopted (3) Things to do in the management of IA function: Encourage your IA staff to research IA issues and ensure that they are members of IIA Ensure that IA staff have personal development plans Develop a structure that ensures and/or encompasses future growth (succession plan), to create a sense of belonging to the IA staff Allow your staff to chair your internal IA meetings where you are a participant Have experiential training program both as a socially responsible way to develop skills and empowerment but also as a means to address staff shortages (this also makes your recruitment easier)

Approach Adopted (4) Things to avoid Creating an impression that IA is a fraud investigation unit Serving in departmental committees to make decisions Do not bark at everything that comes your way Being reactive

Creating an effective IA structure Linking assurance and consulting on internal control, risk management and governance to ensure achievement of goals by improving accountability, adding value and improving performance (encompassing the IIA definition of internal auditing) Compliance with laws, regulations, procedures function Performance function Information technology function Fraud prevention and investigation

Creating an effective IA structure (2) Linking structure to: IA core function (specialization) Strategic plans Social responsibility Annual plan and budget

Creating an effective IA structure (3) Job evaluation (developing clear roles and responsibilities) Approval Recruitment and resourcing focusing on your strategic plan and risk profile Staff empowerment, development and structure (i.e. co-sourcing and skills transfer)

Impact of an effective Audit Committee Audit Committee mandate (Terms of reference and its approval). - PFMA - Treasury Regulations - King Report - IIA standards Audit Committee and independence of the IA function. Composition - skills and capacity, - executive vs non executive and independent. Involvement of IA, Accounting Officer and Executing Authority in establishing the AC. Secretariat to the AC. Appointment of members (conflict of interest being one of the major consideration even before expertise).

Impact of an effective Audit Committee (2) Key responsibilities Evaluation of performance of IA function. Co-ordination of scope and communication of IA with external auditors. Enhance relationships and communication between Internal Audit, External Audit and Management (Confidential meetings with IA, EA and Management)

Results General To a greater extent the unit achieved results. Since this was a five year strategy we would not have fully achieved all what we set ourselves to do. The function will have its Quality Assurance Review done by the IIA during the course of this year as approved by the Audit Committee. Specific Core objectives – this is an ongoing process which cannot be achieved in a short term. The solid infrastructure that has been established serves as an assurance that these objectives will be achieved as intended i.e. the first IA nationally to achieve its true independence in the midst of arguments that IA cannot be completely independent i.e. IA that is truly under the control and the direction of the Audit Committee with no interference at all from management.

Results Goals Control-conscious and corruption free culture – the solid infrastructure for this has been established not only for the DoH but for the entire National Health System and has been partly achieved (the rate of whistle blowing throughout has increased through our ethics hotline) Timely feedback - this was the biggest challenge as we did not fully use the software, the unavailability of client staff, training and orientation of staff, shortage of staff (structure was still developed) Achievement of goals and objectives – this is an ongoing issue and the challenge is identification of risk at the right level by the right people. Targets Achieved the message was sent to the target groups but not fully as intended with the Provincial Departments due to constitutional demarcation.

Conclusion In conclusion ladies and gentlemen, I have experienced that when you are committed to make a difference you are the hardest hit by the reactions and you feel like giving up. But, remember the 6 C’s as the pillars of your efforts: - compassion (don’t condemn always bring hope), - community (serve), - communication (build relationships), - challenge (do not give up), - commitment ( you are the beneficiary) - compromise (preserve your values, they reflect the legacy you leave behind).

Thank you QUESTIONS