Mr. Andrade agrees that it is better to practice integral risk management when there is sufficient information. However, risk can be managed without full information.
No country can achieve objectives without an internal control structure. Governments can only encourage citizen participation through publishing of information according to Mr. Andrade. Information that is not published has no value. Audit is an important part of the internal control structure. Mr. Andrade provided a full discussion of an internal control and risk management structure.
The control environment requires ethics, integrity and senior leadership. This supports accountability. Mr. Andrade provided a detailed list of actions necessary to create a control and risk management environment. He emphasized the need for goals and indicators. The higher the objective, the higher the risk.
Mr. Andrade said that accountability and transparency requires processes. It is very difficult to ensure accountability without proper processes. These processes must follow each step from the data being available until it is disseminated. Human Resource processes are also required for internal control according to Mr. Andrade. This helps set the environment for internal controls. Each step must have accountability, according to Mr. Andrade. The processes must be defined. The way in which public servants are accountable must be defined.
Training and capacity building is critical to effective internal controls, according to Mr. Andrade.
Information Technology can enable more effective transparency. Mr. Andrade warns that the IT system needs to be properly designed and there needs to be a strategic plan. The system must be fully integrated.
Transparency requires simple information publishing such as government budgets and budgets by results, according to Mr. Andrade. This information is accessible to the public and adds social control to government and accountability.
Mr. Andrade recommends that auditors become active in promoting internal controls. Modern audit requires active participation to improve integral risk management. Risk management also means that there is a reasonable chance of achieving goals and risk is mitigated. Mr. Andrade introduced a risk map to show where resources should be focused. Organizations should begin articulating and managing risk even before detailed statistics are available. Mr. Andrade showed a risk management audit plan in a matrix format.
Mr. Andrade ended his presentation by observing that people do not like controls. But, proving the results of controls can achieve acceptance.