Horizontal Review of Internal Audit Function

Functional Review and Institutional Design of Ministries
Horizontal Review of
Internal Audit Function
FRIDOM – Functional Review and Institutional Design of Ministries is a DFID-funded project, implemented by
HELM Corporation, Consulting and Public Management Group, Governance institute Slovakia and Altair Asesores.

0. EXECUTIVE SUMMARY 4
0.1. Narrative summary 4
0.2. Action plan matrix 5
1. ABOUT THIS REVIEW 8
1.1. Scope of the review 8
1.2. Review methodology 9
2. THE POLICY FRAMEWORK FOR INTERNAL AUDIT 10
2.1. The “Policy Paper on PIFC” and the absence of control systems 10
2.2. Further documents about developing the internal audit function 10
3. MAIN FUNCTIONS AND CAPACITY IN INDIVIDUAL INSTITUTIONS 12
3.1. Consultancy to the establishment of M/CSs 12
3.2. Actual internal audit functions 13
3.2.1. Internal audit‟s purpose, authority and responsibility (IIA standard 1000) 13
3.2.2. Internal auditors‟ independence and objectivity (IIA standard 1100) 13
3.2.3. Internal auditors‟ proficiency and due professional care (IIA standard 1200) 13
3.2.4. Quality assurance and improvement programme (IIA standard 1300) 13
3.2.5. Management of internal audit activities (IIA standard 2000) 14
3.2.6. Planning of internal audit engagements (IIA standard 2200) 14
3.2.7. Communicating results of internal audit to management (IIA standard 2400) 14
3.2.8. Monitoring progress in the implementation of audit recommendations (IIA standard 2500) 15
3.2.9. Resolution of cases of acceptance of risks by management (IIA standard 2600) 15
4. CENTRAL HARMONIZATION FUNCTIONS AND CAPACITY 16
4.1. Identification of central harmonization functions 16
4.2. Harmonizing internal auditing by implementing a standardized methodology 19
4.3. Providing technical support & defining an IT Strategy based on internal audit regulations and
needs 19
4.4. Providing compliance and quality assurance of internal auditing 20
4.5. Summarizing internal audit findings to identify common weakness and recommendations 20
4.6. Fostering effective professional contacts internally and externally 20
4.7. Building up a sustainable professional education system for internal auditors 21
4.8. Instigating and encouraging a continuous dialogue with operational Management 22
4.9. Internal management of the CHUIA 22
5. ANNEXES 24
5.1. LIST OF PERSONS INTERVIEWED 24
5.2. LIST OF INSTITUTIONS RESPONDING TO QUESTIONNAIRE 25
2

CAO
CHUIA
CHUFMC
EU
FRIDOM
IA
IAU
IIA
LIA
MEF
MPA
OAG
PIFC
PP
SIGMA
Chief Administrative Officer
GLOSSARY OF ACRONYMS
Central Harmonization Unit for Internal Audit
Central Harmonization Unit for Financial Management and Control System
European Union
Functional Review & Institutional Design of Ministries programme
Internal Auditor
Internal Audit Unit
International Internal Audit (standards)
Law on Internal Audit
Ministry of Economy and Finance
Ministry of Public Administration
Office of the Auditor General
Public Internal Financial Control (EU model)
Policy Paper (on PIFC)
Support to Improved Management and Administration (EC/OECD programme)
3

0. EXECUTIVE SUMMARY
The following pages provide a short summary of the content of this report. The main issues dealt with and
the conclusions reached are first explained in a narrative format, with recommendations further
summarized into an Action Plan Matrix to facilitate implementation.
0.1. Narrative summary
This report presents an assessment of Internal Audit system (and related general aspects of the
Management and Control System) in the public sector of Kosovo. The situation in the country is
compared against the EU Public Internal Financial Control (PIFC) principles, International Internal
Auditing Standards (IIAS) and known good practice in selected of EU Member States. The report
provides recommendations for improving the organization and upgrading the manner of carrying out
relevant functions.
The first step in the review consisted of an analysis of the policy framework, through which we tested the
Government‟s acceptance of PIFC principles and its commitment to set up, develop and constantly
improve a modern PIFC system. That commitment is reflected in the Policy Paper on a Public Internal
Financial Control System in Kosovo (PP), a solid document except for its action plan, which currently
does not specify the authority responsible for overall implementation and sets no clear mechanism for
reporting of progress.
Based on the PP, the Law on Internal Audit (LIA) created the MEF‟s Central Harmonization Unit for
Internal Audit (CHUIA), IA Units in all public sector organizations and the methodological basis for internal
audit work. A new LIA was passed in late 2009 bringing marked improvements, including some
suggested by our team. Going further, it may help for the LIA to give the CHUIA a clearer mandate to
conduct external evaluations of internal audit providers (quality assurance, or compliance and
performance reviews).
Besides the PP and the LIA, a third relevant document is the Strategy for the internal audit function in the
PISG in Kosovo. Though now somewhat dated, this should present a more detailed action plan for
developing internal audit: we recommend updating this strategy and trimming down its unpractical long
list of central harmonization tasks. The three documents (PP, LIA and Strategy) should form a unified
framework for developing IA: however, they sometimes disagree with each other and should be
harmonized.
Passing from policy to actual activities, Internal Auditing in Kosovo‟s public sector opted for the
decentralised model, meaning that every organization should have its own IA Unit or provide for internal
auditing through outsourcing. Accordingly the main actors within the system are the individual
organizations (the internal audit units and the top management) as well as the CHUIA (as well as the
envisaged Central Harmonization Unit for Financial Management & Control - CHUFMC) at the MEF.
Starting from individual organizations, top managers appear for the most unaware of their responsibility
for risk management and the establishment of a management & control system (M/CS). Some managers
wish Internal Auditors to perform more preventive audits, showing they don‟t distinguish between Internal
Controls and Internal Audit. Even though internal audit reports have shown this fundamental deficiency,
serious recommendations to and discussions with top managers on addressing the problem have been
weak.
In this respect, we recommend that Internal Auditors demand their organizations‟ top management to
provide for risk management, set up a Risk Register and design the organisation‟s control system based
upon it. In turn auditors should proactively engage in consultancy assignments on the same topics for
their managers, sustained by the CHUIA (this will be essential to kick-start work on M/CS till the
CHUFMC is operational). The CHUIA should also present to managers the added value of IA across the
public sector.
Coming to actual IA functions, these are regulated by the LIA and IIA standards, with specifics in the
Internal Audit Manual. The review revealed some weaknesses and discrepancies in the implementation of
internal audit standards - the main one referring to close cooperation with Management regarding the
implementation of corrective measures. In general, communication with Management is not sufficient and
an increased mobilization of the Directors of IAUs, supported by the CHUIA, is necessary.
4

Looking at resources in each institution, IAUs have less than 2 auditors on average, which is not enough
to cover all tasks. IAUs Directors should produce “resource requirements” documents based on long and
short term planning, and discuss them with senior management and Audit Committees (in the meantime,
CHUIA support will be needed where capacity is too low to carry out basic IA functions). To enhance the
performance of IAUs, those still lacking a IA Charter or Audit Committees should quickly close the gap.
Increasing technical capacity to perform internal audit is also essential. Besides any quick-and-fast
certification programme, continuous education should also start as soon as possible: we recommend the
creation of a common strategy and platform for IA education. in addition to formal training, we suggest
that the CHUIA should provide some technical support to IA via the web. Internal auditors should also get
more support from CHUIA regarding networking and dissemination of best practice within the profession.
Concerning central capacity, central harmonization functions are located at MEF‟s CHUIA, already with its
own Charter, strategic plan and annual plan for 2009. It has enough staff to cover all its tasks and is
already well-started in most of them (besides drafting the IA Manual and revising the LIA, it also
performed some quality reviews and produced reports for the Government). However, if the CHUIA will
take active part in IA education and increase peer reviews for quality assurance, additional staff will be
needed.
Regarding its internal organization we recommend that CHUIA forms teams with different tasks rather
than creating internal units. The main task areas are reassessment and updating of IA documents;
drafting of internal procedures; preparation of education for Internal Auditors; providing technical support
for IA; instigating and encouraging a continuous dialogue with Management; and summarizing of Internal
Audit reports. CHUIA employees should specialize for certain areas in accordance with their core tasks.
0.2. Action plan matrix
#
1
2
Field
Policy framework
Internal Audit Units in
individual organizations
Recommendation Timing
The MEF should update the PIFC Policy Paper and its Action Plan, by clearly defining
the responsible authority and persons for its implementation, in particular with
reference to monitoring and evaluation mechanisms. This should contribute, amongst
others issues, to cut delays in the essential actions concerning the establishment of
the Management and Control System.
The MEF and CHIUA should as soon as practical revise the current Law on Internal
Audit to remedy to residual inconsistencies with international standards and good
practice. They should also revise the Strategy for the Internal Audit Function to bring it
in line with the PIFIC Policy Paper and the Law on Internal Audit, so that there will be
a common and consistent approach.
Until the CHUFMC is set up, Internal Audit Units should, with the encouragement and
guidance of the CHUIA, take a very active role in consulting their Management on
introducing risk management, control system design and the development of control
evaluation criteria.
All public sector organizations and Internal Audit Units should adopt an Internal Audit
Charter. For those lagging behind, the CHUIA should send a reminder and, in case of
no follow-up, a warning letters followed by information to the ministries of Economy &
Finance, as well as of Public Administration.
5
Short
term
Short
term
Short
term
Short
term

3
Central Harmonization of
Internal Audit
Directors of Internal Audit Units should entertain direct contacts with Management
and all organizations should also set up Audit Committees with their own charter,
which are now lacking in some cases. The CHUIA should support IAUs by addressing
management on these needs and following up with the ministries of Economy &
Finance and Public Administration in case of no follow-up.
All Internal Audit Units should prepare a programme for External Quality Assurance,
in which the CHUIA should also play a more active role in this. Besides helping
Directors of IAUs to improve their services, peer reviews can provide the basis for a
horizontal analysis of deficiencies, which can be important to properly design training
and the sharing of good practice.
Directors of Internal Audit Units should produce “IAU Resource Requirements”
documents based on their long and short term planning, with the encouragement and
lead of the CHUIA. These documents should be discussed with the respective Audit
Committees and chief administrative officers. Based on their analysis, the CHUIA
should present to the Government any general staffing and budgeting problems.
Directors of Internal Audit Units should prepare detailed description of objectives,
scope and responsibilities including consultancy activities and establish a supervision
programme for engagements, like specific questionnaires for Auditees and Auditors,
weekly meetings to discuss engagements etc.
Directors of Internal Audit Unit should, with the support of CHUIA, try to resolve any
difficulty in discussing recommendations directly with the chief administrative officer
(such cases should be brought to the attention of the competent Minister). All IAUs
should adopt written instructions on communication of audit results, including
limitations for communication to parties outside the organization.
All Internal Audit Units, which still do not do it, should start discussing with the
Management action plans for corrective actions based on internal audit reports. A
main point concerns not just the plans, but also the practical arrangements for the
monitoring of their implementation.
Directors of Internal Audit Units should, under the lead of the CHUIA, discuss the
importance of the decisions on acceptance of risk with the chief administrative officer
and senior management as well as members of Audit Committees. The matter should
be included in the training module for senior managers.
The CHUIA should establish a small team to analyse discrepancies amongst the
current key documents (PIFC Paper, LIA, IA Strategy) concerning the identification of
central harmonization functions. The activity should result in a new, single Strategy
document, guiding the future approach.
The CHUIA should review and define its strategy on IT-based technical support to
IAUs, including equipping all of them with the same kind of IT Audit Tool (e.g. IDEA or
ACL), as well as organizing effective web-based assistance (e.g. FAQ, forum).
6
Short
term
Medium
term
Short
term
Short
term
Short
term
Short
term
Medium
term
Short
term
Short
term

The CHUIA should centrally analyze IA reports from all organizations looking for
diagnoses of horizontal problems that are caused by faults not of each organization
but of generally applicable legislation or practices. It should identify such problems,
work out the solutions, and forward the recommendations to the Government for
consideration.
The CHUIA should engage proactively in networking by organizing quarterly technical
meetings with Directors of IAUs based on pre-decided agendas; facilitating a webbased
community of practice; and holding at least one annual conference for all
internal auditors. We advice the CHUIA to invite the OAG to such conferences, and
includes it in its networking activities.
The CHUIA, with OAG and possibly other relevant institutions, should elicit IAUs‟s
views on training needs and put together a Syllabus covering both IA standards and
techniques and the specificities of Kosovo‟s public sector. A Task Force of local
institutions and international experts should develop continuous training and
certification in IA on this basis. Options for delivering the program outside the CHUIA,
as well as for introducing audit in University programmes should be considered.
The CHUIA (in partnership with the CHUFMC once activated) should instigate and
encourage senior Management across the public sector to a continuous dialogue with
the respective IAUs, through targeted seminars/ workshops and ultimately full training
modules on the importance of MC/S (risk management, control system design and
development of control evaluation criteria) as well as on the use of IA.
The internal management of the CHUIA should not be based on a conventional
subdivision into thematic units, but rather on the formation of teams for specific tasks.
For this purpose, it is essential that the CHUIA produces internal acts describing its
business processes in all main areas, and that it puts in place for them a formal risk
assessment, risk register and internal control plan.
7
Short
term
Short
term
Medium
term
Medium
term
Short
term

1. ABOUT THIS REVIEW
In this initial chapter, we discuss the issues that the horizontal review covered, as well as its scope in
terms of analyzed institutions. We also presents the methodology followed for collecting data, analyzing
them, and discussing conclusions with stakeholders.
1.1. Scope of the review
Management is the most general function within any organization (be it private or public). Amongst other
features, it ensures that work is framed in such a way to achieve the planned outputs effectively and
efficiently, while minimizing risks of failure. It requires business processes to be designed in detail,
allocating all required actions to identified units and individuals. In modern practice, these processes and
the details of their execution should be written down as procedural manuals/guidelines and if possible
also described graphically, as bloc diagrams.
However, meticulously regulating processes is rarely enough. In practice, organizations face constant
risks of something going wrong in their operations, affecting their well-organized capacity to produce the
desired outputs without losses (e.g. of reputation, money, assets, lives…). Managers must therefore
protect their organizations by identifying what risks could threaten the implementation of each specific
process, how likely such risks are and how bad their impact could be. This “risk assessment” needs to be
constantly repeated as circumstances change.
Managers must thus prevent risks from occurring or at least mitigate the likelihood of their occurrence to
an acceptable level. If they actually occur, they must contain the risks‟ adverse impact. The way in which
managers play this role is by designing and ensuring the operation of Internal Controls. These are all the
actions and procedural features incorporated into business processes with the aim to eliminate, mitigate,
detect and correct risks. All such elements, as part of business processes‟ design, should be precisely
described in written form along with the indication of the people responsible.
Modern managers, in brief, have to design processes, identify risks, establish controls and ensure that
there is a proper information flow amongst the different actors involved in a business process, also
soliciting feed-back from them on what was done, how it was done, whether any of risks occurred and
how that occurrence was treated - so to take corrective actions whenever needed (i.e. management has
also to provide for monitoring). It is indeed a very complex and detailed job, in which top managers may
well do with some assistance.
That is where Internal Audit comes into play, as the tool that support managers by getting continuous and
objective information on how the organization‟s Management & Controls System (M/CS) is performing
and on what eventually should to be changed, corrected or improved in it. The typical elements of a M/CS
include Processes Design, Risk Assessment, Control Activities, Information & Communication, and
Monitoring, together with the general attitude of the very management (e.g. towards transparency,
lawfulness, business ethics).
Internal auditing is the independent, objective and professional activity of systematically assessing the
working of internal M/CSs to provide Management with information on deficiencies, negligence and abuse
in their implementation. It is a tool to support Management in its responsibility to professionally run an
organization and can have also a consultative function (advising on establishing M/CSs), though auditors
should take no direct part in decisions concerning the shape of the processes they asses. Internal
auditing cannot be a substitute to any of the mentioned responsibilities of professional managers.
Rules for M/CSs and Internal Audit in the public sector are an important part of EU legislation, particularly
in relation to business processes for using public money (national budget) and in preparation for the
decentralized implementation of EU Pre-Accession Funds. The European Commission (DG Budget) set
standards with in mind countries with little experience of western-style government, management
accountability and internal auditing. The full set is called Public Internal Financial Control (PIFC), covering
Financial Management & Control Systems (FM/CSs), Management Accountability and Internal Audit.
Countries moving towards EU membership are required to incorporate PIFC rules into their administration
and apply them in practice. From the mid nineties, all have been expected to set up a PIFC platform in a
form of a Policy Paper, adopt a legislative basis for PIFC, set up so called Central Harmonization Units for
FM/CSs and Internal Audit, and implement the Internal Audit function. Even though Kosovo is not yet a
8

candidate to EU membership, it wishes to join as soon as possible and the Internal Audit system has
been set up based on EU practices. It can therefore be assumed that standard EU concepts apply.
Within this premise, this review provides an assessment of:
The legal framework for Internal Audit including Policy Paper, legislation and related documents,
Management & Control System as much as it is necessary for the assessment of Internal Audit,
The Central Harmonization Unit for Internal Audit (CHUIA),
The Internal Audit Units (IAUs) in Public Administration,
The relations with CHUIA and IAUs with the Auditor General Office (OAG).
In particular, the legal framework was assessed to indentify eventual gaps or discrepancy with EU and
internationally recognized standards (where applicable). The Financial MC/S was assessed in the basic
aspects of Risk Management and the set-up of internal controls. Internal Audit Units were assessed
regarding human resources, organizational aspects, conduction of work in line with the Internal Audit
Manual and relations with Management. The CHUIA was assessed in respect to human resources,
liaison with IAUs and the OAG and performance of services and support for IAUs.
1.2. Review methodology
The review presented in this report was carried out by Jurij Milatovic (international short-term expert and
former Director of the Budget Supervisory Office, Ministry of Finance of Slovenia) and Bernard Nikaj
(national short-term expert, formerly external advisor to the MEF). Gianni La Ferrara (Lead Adviser for
Horizontal Reviews, FRIDOM) supervised their work and edited the final report. The methodology
followed by the team was the standard one applied in all other horizontal reviews within the FRIDOM
project, based on several stages of desk work and field research.
In particular, review activities started with the studying of legal acts and other relevant internal
documents, followed with discussions with the CHUIA (as the system‟s central institution) and the Auditor
General. Further on, internal audit practice was surveyed based on a Questionnaire distributed to all IAUs
in the central administration. The replies received (see annex at the end of this report) were analyzed and
additional interviews were scheduled in a selected sample of institutions, focusing on Accountability
Officers (Permanent Secretaries) and the staff of Internal Audit Units.
While performing its review, the FRIDOM team took also into consideration the results of the Kosovo
PEFA Assessment Report from April 2007 as well as the draft of the PEFA self-assessments prepared by
the government in 2009. The SIGMA PIFC Assessment from May 2008 was also considered - to the
extent possible our reports build and elaborates on and aims at reinforcing all these previous analyses.
The findings and recommendations were presented and discussed with the stakeholders (CHUIA,
representatives of IAU and Permanent Secretaries), as well as to the Ministry of Finance and Economy.
As this report is submitted to the Government‟s Commission for Public Administration Reform, the authors
and the FRIDOM project would like to expressly thank all the officials of all institutions involved in the
review. Their interest, openness and patience during the whole process were remarkable. They all
demonstrated great commitment to their jobs and to the improvement of the administration‟s overall
performance in this novel area. We hope they will find the report useful, and stand ready to take part in
further discussions and support them in implementing the recommendations, as might be required.
9

2. THE POLICY FRAMEWORK FOR INTERNAL AUDIT
In the standard EC approach, the introduction of Internal Audit in the public sector is to be based on
several documents, starting from a Policy Paper summarising (based upon analysis of the current state
and existing gaps) the accepted concepts and the actions necessary to implement a sound PIFC system.
This initial paper is used to obtained a shared understanding amongst key actors and is normally followed
by the preparation and adoption of a legal base (law, regulations), the creation of necessary
administrative bodies and detailed plans for their working and further development.
All these features are already present in Kosovo. The Government adopted a “Policy Paper on a Public
Internal Financial Control System in Kosovo” on January 2005, revising it in May 2007. The first legal
basis dealing with our subject was the Law on Internal Audit, promulgated in June 2007 and revised at
the time our research (now in force as Law No. 2009/03-L-128). On the basis of legislation, further
practical developments concerning internal audit were outlined in a July 2007 “Strategy for the Internal
Audit Function in the Provisional Institutions of the Self Government in Kosovo”.
All this considered, and also thanks to the availability of considerable external assistance, Kosovo might
now look like a case of very rapid completion of the basic PIFC architecture, at an unusually early in the
EU integration process. However, a main theme throughout this report is that this quick advance was
actually possible only because all the effort focused on increasing technical Internal Audit capacity per se,
with very little attention for the Financial Management and Control Systems that the internal audit function
should be instrumental to maintain and improve.
2.1. The “Policy Paper on PIFC” and the absence of control systems
The MEF should update the PIFC Policy Paper and its Action Plan, by clearly defining the responsible
authority and persons for its implementation, in particular with reference to monitoring and evaluation
mechanisms. This should contribute, amongst others issues, to cut delays in the essential actions
concerning the establishment of the Management and Control System.
The 2007 PIFC Policy Paper mentioned above is a solid basis for all actors to understand the core
principles of budget implementation in the sense of risk management, control and internal audit, based on
EU and international good practice. The Policy Paper sets out a range of reasonable actions to take in the
two main fields relevant to PIFC implementation, namely FMC/Ss and Internal Audit. However, the
structure of the document and the actual use that has been made of it have somewhat affected its
chances of fully successful implementation to date.
The Policy Paper‟s weak point is that it isn‟t very strict when it comes to responsibilities (e.g. actions 1 to
7 are mandatory, yet responsibilities aren‟t allocated). The Action Plan is a bit better, but no authority is
made responsible for its overall implementation and for intervening in the case of delays. There are no
mechanisms for checking/reporting on progress. This is unfortunate, as some core activities are way
behind schedule - especially the establishment of the Central Harmonization Unit for M/CSs at the MEF
and consequently the development of financial management and control policies/procedures.
This contributes to the main problem detected in the whole system: the Internal Audit system is formally
developed (at least in term of systems and capacities) to an extent much beyond that of the Management
& Control System which it is in theory called to analyse. We therefore recommend that the Policy Paper is
updated and that its Action Plan is clearly re-assessed, with a punctual indication of the authority and
person responsible for its implementation and a monitoring and evaluation mechanism - also with a clear
authority and persons in charge.
2.2. Further documents about developing the internal audit function
The MEF and CHIUA should as soon as practical revise the current Law on Internal Audit to remedy to
residual inconsistencies with international standards and good practice. They should also revise the
Strategy for the Internal Audit Function to bring it in line with the PIFIC Policy Paper and the Law on
Internal Audit, so that there will be a common and consistent approach.
Coming to Internal Audit, the Law on Internal Audit (LIA) provides a basis for IA based on a decentralized
model (till 2007, the MEF audited for everybody). The LIA makes the MEF‟s Central Harmonization Unit
10

for Internal Audit (CHUIA) responsible for standard setting, and requires Internal Audit Units (IAUs) to be
set up in each public sector organization. It defines the roles of CHUIA and IAUs, their Directors and
individual Auditors (along with recruitment and qualifications) as well as that of “Chief Administrative
Officers” (senior managers, i.e. Permanent Secretaries and Chief Executive officers of agencies).
In general the LIA, both in its original 2007 text and in the new version that underwent parliamentary
deliberation at the time of our research, follows the principles of the International Internal Auditing (IIA)
standards. However, there are a few omissions and divergences that our team pointed out to the CHUIA
in the course of the review – some were removed in the new law, though others are still present. Because
of either being unclear or not in line with good practice, the following piunts may be worth reconsidering -
especially those concerning the internal audit profession and the role of the CHUIA:
Article 7.7 - The expression “desired to become Internal Auditors” - we suggest that the title be
changed into State or Public Sector Internal Auditors, as sooner or later there will be in Kosovo an
institution certifying Internal Auditors for the private sector and the CHUIA will probably not be in position
to deal with them.
Article 12.2 - The idea that “the internal auditor should have the salary close to the salary of the
Director of IAU” is imprecise and subject to individual interpretations. It doesn‟t provide what is essential,
that is that internal auditors in different public entities would have the same salary in case of similar
qualification and experience.
Article 13.2.1 - The idea that a person cannot receive or retain an IA license if holding or performing in
the last 3 years “any office, position or function in or for a political party” is not based on any IA Standard
and is probably not in line with constitutional rights. Besides, one thing is to have a licence, another to
serve as an internal auditor.
Article 8 - The CHUIA should be tasked with conducting a survey of problems detected by IAUs in
more than one institution. Such problems are often linked to poor or unclear legislation, which is outside
the affected institutions‟ control. The survey would give the CHUIA a channel to propose corrective
actions to the Government via the MEF.
Additionally, we strongly recommend including the provision that the CHUIA has the mandate to
conduct reviews (or compliance audits) in all IAUs and over all Internal Auditors or outsourced individuals
or audit companies which perform internal auditing in the public sector.
Besides the Policy Paper and the LIA, the third document completing the package is the 2007 Strategy,
which presents a solid and well-structured approach to the further development of the IA function over a
five-year period. Unlike for the Policy Paper, the owner of the strategy is precisely defined; it is the MEF,
through the CHUIA. Yet, again nothing is provided on the responsibility for monitoring and reporting on
progress made by the CHUIA. A “self assessment” process is possible, but independent monitoring would
be much more objective.
Also, the Strategy‟s approach to the CHUIA key competencies and responsibilities is different and more
expansive than listed in the Policy Paper. In this respect, we call the attention of the MEF on the fact that
a strategy, to allow effective monitoring of its implementation, should focus on important priority objectives
rather than drawing up long lists of often secondary tasks. We therefore suggest to update the Strategy
bringing it in line with the Policy Paper and the LIA, so that there will be a common approach to CHUIA
competencies and responsibilities (see more about this further on in this report).
Some of the details might at times be addressed through other documents. In particular the organizational
setup, key competencies, responsibilities and main aspects of professional audit practice of Internal Audit
Units are currently dealt with in an Internal Audit Manual, which is issued by the Central Harmonization
Unit for Internal Audit of the Ministry of Economy & Finance. The first version of this manual dates from as
early as November 2004, and its text was further updated in December 2008. With this, a rather
comprehensive framework developing the key policy choices concerning internal audit was completed.
11

3. MAIN FUNCTIONS AND CAPACITY IN INDIVIDUAL INSTITUTIONS
In the decentralized model, all organizations should perform internal audits. The LIA stipulates that each
should have its own IA unit (IAU) unless an exception is granted (in which case auditing services are
procured). Arrangements are standardized across and apart from the LIA, other acts (like the Internal
Audit Manual or the Treasury Financial Rules) outline the relationship of key officials officials, among
themselves and towards the CHUIA. The following paragraphs address the main outstanding issues.
3.1. Consultancy to the establishment of M/CSs
We strongly recommend that Until the CHUFMC is set up, Internal Audit Units should, with the
encouragement and guidance of the CHUIA, take a very active role in consulting their Management on
introducing risk management, control system design and the development of control evaluation criteria.
The 2007 Policy Paper recognizes Management & Control Systems as indispensable to the PIFC system.
It‟s a matter of simple logic: if the job of internal auditors is to check on the proper functioning of M/CS,
such systems must obviously be in place beforehand. If they are not, internal auditors may have little to
actually audit. Our assessment disclosed that progress in developing a modern and robust M/CS has
been slow, and is now much behind the technical achievements of the internal audit system.
This led to an odd situation in which the chariot runs in front of the horses. In such a context, the
timetable for further developing internal audit functions appears too fast and optimistic, as it ignores that
unless elements of M/CS are introduced before, such functions will remain largely theoretical. We
strongly advise that the CHUFMC is set up immediately to work on common standards for internal control
systems, risk management techniques, the documentation of business processes and education of senior
mangers.
During our inquiry about 90% of IAUs declared to base their auditing on strategic and annual planning,
based in turn upon risk assessments. However, managers in most institutions (about 80% by our findings)
perform no risk assessment and have no Risk Register. As proper risk management is not developed,
internal auditors in most institutions cannot take in consideration risks as indentified by management and
must prepare their audit plans by directly engaging in a much wider-based risk assessment.
Identifying risks should instead be the job of managers. And yet, current practice unfortunately tends to
reinforce Permanent Secretaries and Agency Directors in the conviction that the risk management
process is something they shouldn‟t care for, leaving it to internal auditors. During our research we came
to a firm conclusion that only a very small percentage of top managers are aware of their professional
duty to engage in risk management, and that even fewer are familiar with the practical details of the task.
We strongly recommend that internal auditors demand the top management in their institution to provide
risk management for the organization, setting up a Risk Register and accordingly designing the
organisation‟s control system. We also recommend that, due to the senior managers‟ obvious lack of
familiarity with risk management, internal auditors accept to actively promote the concept and act, at least
at this early stage much more as their managers‟ close advisors in these matters.
The old LIA was silent on the possibility that internal auditors play also a consultancy role in setting up the
M/CS. The new text, however, deals with this in art 5.3.2: “the audit assignment for consultancy consists
of providing advice, opinions, training or other services, designed to improve the processes of risk
management and control without the internal auditor assuming any managerial responsibility therefore”. It
also provides that “the audit assignment for consultancy shall be initiated by the Management”.
The provision doesn‟t envisage the consultancy function as systematic and yet, under the circumstances,
the lack of explicit requests from management should not stop auditors from promoting of a sound M/CS.
As managers lack sufficient knowledge on risk management and internal controls, auditors should be
proactive in their proposals. Until the CHUFMC will be up and running, the CHUIA should back them up,
standing in provisionally for the CHUFMC and later cooperating with it to synchronize their work.
We also recommend that donor‟s technical assistance projects give more attention to this topic. In the
former Candidate Countries, when the introduction of the PIFC system was put to trial by the need to
prepare structures for the decentralised implementation of EU Funds, it was Risk Management and the
Internal Control System that proved to be the weakest points. Early engagement in this field will not only
give immediate meaning to IA, but also assist in the efficient use of EU pre-accession funds.
12

3.2. Actual internal audit functions
Coming to actual internal audit functions, a very comprehensive Internal Audit Manual is in place. It
follows the IIA standards on Internal Auditing and guides IAU Directors and Internal Auditors through all
necessary procedures for planning audit work (long or short term and single audit assignments),
performing different types of audits, reporting, and follow up. In the next few sections we assessed the
compliance of IAUs‟ work with IIA standards and other Internal Audit Manual requirements.
3.2.1. Internal audit‟s purpose, authority and responsibility (IIA standard 1000)
All public sector organizations and Internal Audit Units should adopt an Internal Audit Charter. For
those lagging behind, the CHUIA should send a reminder and, in case of no follow-up, a warning letters
followed by information to the ministries of Economy & Finance, as well as of Public Administration.
By the IIA standard and Kosovo‟s IA Manual, IAUs should also have a charter in the form the Manual
defines. By our survey only 31% complied. The Charter is a basic document establishing the IAU‟s
organisational status by defining its purpose, authority and responsibility, and it is essential that all get
one approved by their chief administrative officer and IA Committee. It‟s not just a formality: it puts the
CAO and IAC into position not only to acknowledge the standards for IA and also their role in the system.
Benefits would also include more awareness of and respect for the role of the CHUIA, as the hub of the
overall IA system. For instance, at the time of our survey only in 46% of public sector entities appeared to
have consulted the CHUIA and sought its consent for the employment of the Director of their IAU. This
was in spite of the fact that under the LIA (art. 13.1. at the time), such appointments would simply not be
effective without the written consent of the CHUIA.
3.2.2. Internal auditors‟ independence and objectivity (IIA standard 1100)
In all organizations, IAU Directors should entertain direct contacts with Management and Audit
Committees with their own charter should be adopted. The CHUIA should support IAUs by addressing
management on these needs and following up with the MEF and MPA if delays persist.
This standard requires IAUs to be positioned under and to report directly to the chief administrative
officer. Formally this is always the case in Kosovo, thought in practice there are problems in reporting. In
several cases, reports are just sent formally to the top manager. Only in a few the Director of IAU is able
to meet regularly with the chief administrative officer and senior managers to discuss findings and explain
recommendations. This is usually needed to convey in-depth understanding of M/CS deficiencies.
Besides, for the purpose of discussing recommendations, the LIA requires each organization to form an
Audit Committee consisting of the chief administrative officer (e.g. Permanent Secretary, Chief Executive
Officer) and at least three other members of the senior management. At the time of our survey, 69% of
organizations had formed such a committee and only 20% had an Audit Committee Charter had been
approved. The majority of Audit Committees has no Terms of Reference to guide their work.
3.2.3. Internal auditors‟ proficiency and due professional care (IIA standard 1200)
Most of the internal auditors employed in organizations went through the professional training provided by
two EC-funded projects. These trainings were conducted by Internal Audit experts and appear to be
sufficient for the time being (by self-estimates, only some 30% of the staffs lacks proper training). What is
missing is a programme for continuous training and complete education process that could be the basis
for professional certification. The CHUIA has this among its priority tasks (see below).
3.2.4. Quality assurance and improvement programme (IIA standard 1300)
All Internal Audit Units should prepare a programme for External Quality Assurance, in which the
CHUIA should also play a more active role in this. Besides helping Directors of IAUs to improve their
services, peer reviews can provide the basis for a horizontal analysis of deficiencies, which can be
important to properly design training and the sharing of good practice.
Quality assurance is an important mechanism providing an objective assessment of how IA functions are
performed, and a basis for steadily improving their organization, planning and performance. A little more
than 50% of the Directors of IAUs already prepared a programme for Internal Quality assurance, which is
good - but others should quickly follow. Especially in the early phase of introduction of IA function it is
13

very important for the IAUs Directors and the CHUIA to get an objective picture of the quality on the
ground.
However, we must keep in mind that internal reviews give good results when the knowledge of at least
some auditors is quite high. At an early stage, as now in Kosovo, external quality assurance can offer
much more objective information. However, only 15% of IAUs has developed the programme for External
Quality Assurance. It also seems that sharing the information of quality assurance results is somehow
restricted as only in 23% of IAUs this information was send to the IA Committee and management.
3.2.5. Management of internal audit activities (IIA standard 2000)
Directors of Internal Audit Units should produce “Resource Requirements” documents based on their
long and short term planning, with the encouragement and lead of the CHUIA. These documents should
be discussed with the respective Audit Committees and chief administrative officers. Based on their
analysis, the CHUIA should present to the Government any general staffing and budgeting problems.
Our analysis shows management of the IA activity is already good. Almost all IAUs prepared strategic
and annual plans based on risk assessment, regularly updated. The 23% of plans, however, includes no
consultative activities which, as mentioned will be crucial until management gains sufficient insight and
knowledge. On the other hand, 85% of IAUs Directors report periodically to their Audit Committees and
chief administrative officers on IA purpose, performance, risks exposures and control issues.
Much less - around 54% of IAU Directors - has established IAU resource requirements. Proper resourcing
is essential for internal auditing to be efficient and effective. Usually, at the early stages of introducing IA
in a public sector that historically lacked these functions (almost all new EU member states went through
this) the main problem is insufficient human resources. Indeed, in Kosovo 71% of IAUs Directors claimed
during our survey that there is not enough staff in their units.
Also following a comparatively common tendency, when later on there will be more qualified auditors
available, needs might tend to shift on more technical support and additional funding to support their
activities. In Kosovo, the situation with proper budget and proper technical tools is not good to start with.
None of IAUs has a specialised computer programme to help auditors in sampling, statistics, report
writing etc. Tracking IAUs budget as a cost centre could also be a good idea.
3.2.6. Planning of internal audit engagements (IIA standard 2200)
Directors of Internal Audit Units should prepare detailed description of objectives, scope and
responsibilities including consultancy activities and establish a supervision programme for engagements,
like specific questionnaires for Auditees and Auditors, weekly meetings to discuss engagements etc.
To the extent that we could observe, engagement planning has proved to be already quite satisfactory.
The IA Manual is of a big help in this, as it is very comprehensive. All audits are properly planned and
discussed with the auditee at the initial meetings. In almost all cases, a detailed programme of work is
developed for each engagement. The main area in which some improvements appear to be possible
might be the supervision of engagements.
What seems to be not so strong is, once again, the consultancy function of IA and as a consequence its
reflection in planning. This is now worth some attention, as consultancy to the top management is likely to
become an essential function in the nearest future. In principle, there should be agreement with the
respective managers and, as a consequence, a rather detailed description of objectives, scope and
responsibilities for consultancy activities.
3.2.7. Communicating results of internal audit to management (IIA standard 2400)
Directors of Internal Audit Unit should, with the support of CHUIA, try to resolve any difficulty in
discussing recommendations directly with the chief administrative officer (such cases should be brought
to the attention of the competent Minister). All IAUs should adopt written instructions on communication of
audit results, including limitations for communication to parties outside the organization.
IAU Directors generally have no problem to communicate audit results directly to their chief administrative
officer and Audit Committee: by our questionnaire management is not easily reachable only in 14% of
cases. However, several IAU Directors stressed that they communicate audit results only through reports,
14

and have rarely the possibility to discuss recommendations (IAUs Directors are also not invited at
management meetings). Personal contacts are very important and such situations should be remedied.
IAUs need written procedures and limitations concerning the communication of results to parties outside
the organization. This is formally already the case in 43% of IAUs. Confidentiality seems to be taken quite
literally: in fact, it applied to our team, which wasn‟t allowed to see actual audit (or consultancy activity)
reports. It was therefore impossible to assess the actual performance of IA engagements (IIA standard
2300) or the accuracy, objectivity, completeness and timeliness in communicating specific results.
3.2.8. Monitoring progress in the implementation of audit recommendations (IIA standard 2500)
All Internal Audit Units, which still do not do it, should start discussing with the Management action
plans for corrective actions based on internal audit reports. A main point concerns not just the plans, but
also the practical arrangements for the monitoring of their implementation.
The improvement of the FM/C System, risk management and governance can only be achieved if
management is thoroughly informed of auditors‟ findings, is aware of what corrective actions are needed
and implements them within reasonable time. Discussion of action plans for the implementation of audit
recommendations and their monitoring are therefore the final results of Internal Auditing. If these two
elements are missing, all the added value of an IA system is weak - or is not there at all.
In the course of our survey, 79% of IAUs declared that an Implementation Action Plan for corrective
actions is discussed between the management and the IAU Director. This is positive: however, the
percentage of cases in which its actual implementation is monitored by the IAUs, instead, is arguably
smaller. Indirectly, the observation of the general lack of M/CSs suggests that the degree to which plans
are actually followed is largely insufficient.
3.2.9 - Resolution of cases of acceptance of risks by management (IIA standard 2600)
Directors of Internal Audit Units should, under the lead of the CHUIA, discuss the importance of the
decisions on acceptance of risk with the chief administrative officer and senior management as well as
members of Audit Committees. The matter should be included in the training module for senior managers.
If management doesn‟t accept the corrective measures proposed by internal auditors, the decision should
be communicated to the Director of the IAU in written form. If the Director of the IAU still believes the level
of residual risk to be not acceptable for the organization, he/she should discuss the matter with senior
management and report disagreement to the Audit Committee for resolution. Our survey shows that 57%
such cases are discussed, though only in 36% cases the IAU Director is informed in writing.
15

4. CENTRAL HARMONIZATION FUNCTIONS AND CAPACITY
After a centralized start with the MEF‟s Central Internal Audit Unit in charge of auditing all public sector
organizations, in the last few years Kosovo has turned to a decentralised model, in which every
organization should have its own IAU, or provide for internal auditing by outsourcing. In this set-up, the
EC approach requires a Central Harmonization Unit for Internal Audit (CHUIA) to be established as a hub
promoting, assisting the development of, and coordinating internal auditing in public sector. To play this
role, the CHUIA must enjoy functional independence and sufficient human and other resources.
The Kosovo CHUIA evolved from the Central Internal Audit Unit and was formed in August 2008 as a
MEF‟s internal unit of the MEF, subordinated directly to the Minister. It has two groups of auditors, one for
policy-making and the other to conduct auditing, with 7 employees overall. The auditors and the Director
went through the whole establishment of an IA system starting since the early 2000, worked in the
previous Central IA Unit and went through the trainings provided through EC-funded projects – which
altogether makes them competent enough to carry out basic tasks of the CHUIA.
The CHUIA had its own Charter adopted in August 2008 by the Minister, and the following October
produced its Strategic plan and Annual Plan for 2009. At the beginning of its existence it primarily focused
on the following activities:
Revising the LIA and developing secondary legislation - a good, comprehensive IA Manual was
issued by the Minister in December 2008;
Quality assurance reviews of IAUs (10 reviews were conducted in 2008, in 2009 they are planned for
the second half of the year).
Networking within the Internal Auditors is planned - it should start in 2009 with 4 meetings with IAUs
Directors.
Help-desk support to Internal Auditors is organized via e-mail. Besides, all IA documents are placed
on MEF Internet site.
Consolidated IA recommendations, (based on quarterly reports from IAUs), is regularly delivered to
the Government.
Partnering with IA bodies in region and with some of new EU MS and CIPFA.
Advising organizations on the employment of IAUs Directors
Maintaining the register of trained Internal Auditors (only as an internal information).
Liaising with OAG started with 2 meetings in 2008.
Reviewing Audit Plans of all organizations and recommending modifications if required.
Preparing administrative instructions on IA regarding adequacy of IA resources.
This means the CHUIA already covers or prepared to cover most basic central harmonization functions.
To assess its ability to perform more fully, however, a punctual assessment of its mandate is needed. For
instance, additional staff might be needed if the CHUIA will intensify peer reviews for quality assessment
of IAUs; take active part in IA education (lecturing, correction of exams, etc); or get active in building up
national capacity for auditing of EU funds (i.e. creating an Audit Authority for IPA Funds) once needed.
4.1. Identification of central harmonization functions
The CHUIA should establish a small team to analyse discrepancies amongst the current key
documents (PIFC Paper, LIA, IA Strategy) concerning the identification of central harmonization
functions. The activity should result in a new, single Strategy document, guiding the future approach.
The importance of getting a clear list of what is expected should not be underestimated. The current one
is provided in the PIFC Policy Paper, with additional details in the 2007 Strategy and the LIA. In general,
16

these lists include all essential elements of a very modern PIFC system. However, from a practical point
of view, guidance is somewhat confusing - both because the description of functions is not always clear
and aimed at the essential, and because of obvious differences in content across the three documents.
Differences in the description of central harmonization functions across the main elements of the Internal
Audit policy framework are stressed in the following table:
Policy Paper on PIFC New Law on Internal Audit Strategy on Internal Audit
1. Drafting and issuing an
Internal Audit Manual and a
Charter;
2. Preparation of a Certification
Program with Code of Ethics;
3. Providing Technical Support;
4. Developing and carry through
a Quality Assurance system;
5. Organizing basic training for
managers and auditors and
further encouraging continuing
professional development of all
internal auditors;
6. Ensuring consistency and
compliance with ethical
standards;
7. Fostering effective
professional contacts within and
over sectors in the society;
8. Instigating and encouraging a
continuous dialogue with
Operational Management
concerning the effective use of
Internal audit;
9. Summarizing of Internal Audit
Reports to identify common
features and areas of weakness
for discussion at seminars and
annually draft a comprehensive
public sector IA report;
10. Defining an Information
Technology Strategy based on
the regulations and the needs of
the Internal Audit;
11. Setting the basis for an
appropriate information system
that should support the auditors
during the performance of their
tasks to plan, perform and
document the audit mission and
follow up on recommendations. A
national audit recommendation
1. The CHUIA shall develop and
submit to the Minister for
approval rules, policies, manuals,
guidelines, Internal Audit Charter,
Code of Ethics and professional
standards for the conduct of
internal audits by internal
auditors and Internal Audit
Units.(PP 1)
2. The CHUIA conducts external
evaluations as are, review of
quality assurance, performance
of internal audits in PSS based
on the approved methodology
(PP 4 and 6)
3. The CHUIA shall provide
professional advices for Internal
Audit Units and Internal auditors
in all aspects of audit, work
plans, European good practices
in internal audit, as well as the
adequate quality and functioning
of the internal audit system (PP
3)
4. The CHUIA shall arrange and
institutionalise a system of
rigorous professional training and
rigorous, objective and
anonymous testing, prior to and
upon completion of the training of
all persons desiring to become
Internal Auditors.(PP 2, 5 and 13)
5. The CHU shall issue a license
to a person to practise as an
Internal Auditor (PP 2)
6. The CHUIA shall establish a
system for mandatory continuing
professional education for
persons who have been licensed
as Internal Auditors
7. The CHUIA develops and
submits to the Minister a formal
written annual report on the
functioning of the internal audit.
(PP 9)
17
1. Recruiting, training and testing
internal auditors; (PP 2, 5and 13)
2. Licensing and de-licensing
auditors;(PP 2)
3. Continuous professional
education;(PP 5 and 13)
4. HR management for Internal
Auditors;
5. Contracting out internal audit
services;
6. Guiding the allocation of
internal audit resources to public
sector entities;
7. Harmonizing Internal Audit by
implementing a standardized
methodology; (PP 1 and 3)
8. Assuring the quality of audit
services.(PP 4 and 6)
9. Encouraging the use of
modern techniques and
technologies;(PP 10 and 11)
10. Partnering with internal audit
bodies to support the ongoing
development of internal audit;
(PP 7)
11. Helping Internal Audit Units
and internal auditors conduct
their work in accordance with the
relevant standards and best
practices;(PP 3)

egister, should be developed by
the CHU and used by all internal
auditors in a prescribed way;
12. Defining hardware, software
and infrastructure requirements;
13. Defining the training needs of
the auditors and train them
regarding their own use of their
IT support and to developing
their capability to efficiently audit
information systems
14. Defining the roles and
responsibilities for the
organisation made responsible
for the implementation,
maintenance and support of the
system, and to provide training
and assistance to auditors on a
daily basis
As shown in the table, several tasks in the Policy Paper (points 8,10,11,12,13 and 14) were not
developed in the LIA and the Strategy. On the other side, the Strategy introduced some new tasks (points
4,5 and 6), which were not considered in the PP or the LIA and might not fully fit a decentralized model.
This shows a lack of consistency in preparing the documents, which appear mostly to reflect the different
perception of the different consultants that assisted the MFE in recent years. We recommend that the
CHUIA reviews of all three documents, and the MFE puts to the Government the necessary changes.
In this respect, we suggest keeping as core functions those listed in the Policy Paper, but that really
unclear ones (such as the one under its 14 th point) be deleted, and a few others be clarified as follows:
Point 10 Pp - A clarification is needed on the role of the CHUIA in defining of an Information
Technology Strategy and in setting up of an information system. Our recommendation is that this
should be the task of the CHUFMC and that CHUIA should only be involved when it comes to the use
of Internal Auditors of the data important for their work and of the transmission of data to audit
programmes for internal auditing (like IDEA or ACL);
Point 11 Pp - The part on a national register of recommendations makes little sense: most
recommendations from different IAUs address different deficiencies related to different business
processes and circumstances. Such a register could have a role only if limited to recommendations for
improving horizontal issues like procurement, salaries, etc. The text should be changed into
consolidating findings and suggest improvements on such issues;
Point 13 Pp - Auditing IT systems is a very specific function requiring specific knowledge. At the
international level, there is a specialized Certification programme for Certified Information Systems
Auditors (CISA). We recommend the CHUIA to employ a CISA auditor or send one person with good
knowledge on Information Technology (an IT specialist) abroad to CISA course. Otherwise, in absence
of capacity listing the function makes little sense.
Concerning the additional functions listed under in the 2007 Strategy (and included in neither the current
nor the initial version of the Policy Paper) we recommend adopting the following approach:
18

Point 4 St. - Reformulating it so that it can be comprised in already listed functions: HR Management
should be included only in the aspect of training and registration of Certified Internal (Public Sector)
Auditors;
Point 5 St. - Deleting it completely, as there is no reason for this being a central concern: contracting
any external provider of internal audit services should be left to the organizations using such services;
Point 6 St. - Reformulating it so that it doesn‟t amount to a full function. Guiding the allocation of
internal audit resources to public sector entities should be restricted to keeping information on the IAUs
and Internal Auditors.
Lack of synchronization amongst key documents can and affect the Internal Audit stakeholders‟
expectations on the extent and authority of central harmonization functions. We therefore recommend the
CHUIA to forms a small team to reassess all documents and update them so that they will present a
unified platform. Two people can do the job of preparing analysis and suggestions to be discussed on a
panel meeting of all CHU staff. The proposal should than be discussed with Management of MEF.
As a result, we propose that a single Strategy document is adopted as the blueprint for the further
development of the IA functions from this point on (strategic and annual plans should than be
synchronized with this document only). Apart from these discrepancies and the evident need for
consolidation, the approach to the development of central harmonization functions is quite clear. The
assessment regarding each of the main tasks, and related recommendations are described underneath.
4.2. Harmonizing internal auditing by implementing a standardized methodology
Perhaps the most important amongst central harmonization functions is to ensure that the internal audit
function is based on the same standards and follows the same understanding of good practice all across
the public administration. Common guidelines, standards, code of conduct etc. are the basis for ensuring
this. While this is one of the most essential central harmonization functions, not much additional standardsetting
work is needed at this stage.
This is so because the main tool already exists, in the form of the Internal Audit Manual prepared by the
CHUIA in cooperation with experts of the EC-funded project “Further Support on PIFC and IA”. This is
generally an excellent document, which represents a very concrete tool to assist internal auditors in
introducing and practicing a standardized methodology for internal auditing in public sector. At this stage,
more elaborate standards are not needed; the main challenge is transferring them into practice.
4.3. Providing technical support & defining an IT Strategy based on internal audit regulations and
needs
The CHUIA should review and define its strategy on IT-based technical support to IAUs, including
equipping all of them with the same kind of IT Audit Tool (e.g. IDEA or ACL), as well as organizing
effective web-based assistance (e.g. FAQ, forum).
The Policy Paper refers to “technical support” with no other explanation and it isn‟t fully clear what central
function this refers to. If it points to advising internal auditors on using the manual, perform the internal
audit process, do sampling, etc… then it would partly overlap with the quality assurance, networking and
training functions dealt with below. If the focus is instead on “technical” IT support, the task could instead
refer to the use of a common IT Audit Tool (like IDEA or ACL), and the operation of an on-line help desk.
In relation to the former, the further reference to an Information Technology Strategy for the IA function
deserves a comment. While any of the mentioned off-the-shelf software packages could be used, this is
often easier said than done. Putting such systems to good use depends largely on being able to derive
proper data from the existing IT systems supporting the audited M/CSs. The main point might hence be to
get the IT services of the Government and of each organization to work together with CHUIA and IAUs.
On the help desk, this should be an extension of the present e-mail assistance, which the Director should
assign to one employee in charge to follow all questions posted on the web site, distribute them to the
CHUIA employee responsible for the topic in question and take care that answers are provided in due
time. While almost banal in appearance, this function can contribute to push CHUIA staffs to specialize in
19

different internal audit matters (financial audits, system audits, money for value audits, IT audits) and
possibly by functions (public procurement, payroll, accountancy, financial management etc.).
4.4. Providing compliance and quality assurance of internal auditing
Besides setting standards and providing tools, central harmonization functions also include regular
reviews (also called audits or peer reviews) to assess how internal audit providers follow the common
rules. Such regular reviews not only provide compliance assurance, but also help improving the overall
quality of audit services and assist managers responsible for internal auditing. Carrying out this function
requires not only in-depth knowledge of all central legislation and internal acts for internal audit, but also
some specific knowledge of management practices and of the quality assurance process.
The Policy Paper and the Strategy incorporate this function, though this is less clear in the LIA. The latest
text on which we commented states in art. 7.5: the “CHUIA conducts such external evaluations as are
reviews of quality assurance, and performs internal audits in PSS based on the approved methodology by
the Minister”. This doesn‟t amount to a mandate to review all audit providers (including private ones);
besides, no methodology for the quality assurance process has yet been set, even in draft form. Clarifying
this CHUIA responsibility to the fullest extent and make it operational should be regarded as a priority.
4.5. Summarizing internal audit findings to identify common weakness and recommendations
The CHUIA should centrally analyze IA reports from all organizations looking for diagnoses of
horizontal problems that are caused by faults not of each organization but of generally applicable
legislation or practices. It should identify such problems, work out the solutions, and forward the
recommendations to the Government for consideration.
Quite often, reports by internal auditors in different organizations register similar problems but cannot
propose to their management effective remedies as causes lie in inappropriate legislation, amending
which lays outside their control. The Policy Paper envisages as a central harmonization function the
gathering of such problems for discussion in seminars. In reality, the task could amount to allowing the
CHUIA to analyze any such findings made by IAUs and formulate common recommendations.
As our team already proposed, this function could be more clearly built into the LIA (possibly, art. 7)
including, besides a clear description, the obligation of the CHUIA to discuss its analysis with IAUs and
present proposals for collective actions to the MEF at least twice a year. Until this is formally provided,
however, nothing prevents the CHUIA from following up to the Policy Paper‟s task of recording such
issues for discussion in seminars with the Internal Audit Units,
As a result of these seminars, the CHUIA should prepare proposals for corrective actions, which should
then be further discussed with and presented as internal audit recommendations to be carried out by
Institution responsible for regulating the relevant horizontal function (e.g. directly the MEF for the treasury
system; the MPA for civil service regulations; the Pubic Procurement Regulatory Commission of
procurement, etc.).
Carrying out this work does not require additional or even large resources. We propose that the Director
of the CHUIA forms a team of two employees, which will analyse Internal Audit reports looking for
information this type of information. They should organize discussions with IAUs as part for the regular
seminars, and liaise with CHUFMC (ideally, both CHUs should form a Task force team on this) to identify
the most proper corrective measure. They should also prepare the final recommendations for action.
4.6. Fostering effective professional contacts internally and externally
The CHUIA should engage proactively in networking by organizing quarterly technical meetings with
Directors of IAUs based on pre-decided agendas; facilitating a web-based community of practice; and
holding at least one annual conference for all internal auditors. We advice the CHUIA to invite the OAG to
such conferences, and includes it in its networking activities.
Currently, relations between IAUs and the CHUIA are generally very good, though mainly on an individual
basis: the CHUIA provides support whenever Directors of IA Units or internal auditors ask for it. What is
lacking is systematic networking, aimed at sharing best practices and presenting solutions to problems to
20

the IA community. 71% of IAU Directors feels there isn‟t enough networking amongst auditors and 64%
that there aren‟t enough meetings with the CHUIA to discuss problems and proposals for improvement.
The CHUIA could organize regular (quarterly?) meetings of IAUs Directors (some are already planned) to
discuss problems arising in daily practice, changes in the environment, auditing techniques, international
standards, etc. We recommend preparing an annual calendar including topics, and discussing it with
those concerned. Besides ad hoc questions, a topic should be set for each meeting. Directors of IAUs
should take active role in preparing presentations and contribute to discussions.
A way to maintain a community of practice of all internal auditors (not just Directors of IAUs) is networking
through the internet. We recommend the CHUIA web pages to display not just auditors‟ questions and
CHUIA‟s answers, but also the comments of every colleague interested in the topic. Besides, we
recommend that once (or twice) a year a general conference of all internal auditors be organized, where
topics chosen at Directors meetings or gathered through a questionnaire will be discussed.
Besides internal auditors, relations with the Office of the Auditor General are important. The OAG can
contribute (also via the Assembly) to raise Management‟s awareness of the importance of IA. Also, while
internal and external audit serve different purposes, there are many points of contacts and a partnership
can assist internal auditors to identify problems and improve technically. We recommend the CHUIA to
include meetings with the OAG in its annual work plan, inviting it to present at its annual conferences.
4.7. Building up a sustainable professional education system for internal auditors
The CHUIA, with OAG and possibly other relevant institutions, should elicit IAUs’s views on training
needs and put together a Syllabus covering both IA standards and techniques and the specificities of
Kosovo’s public sector. A Task Force of local institutions and international experts should develop
continuous training and certification in IA on this basis. Options for delivering the program outside the
CHUIA, as well as for introducing audit in University programmes should be considered.
There has been no sustainable education system for internal auditors in the public sector, just training
provided by different donors‟ projects. While we don‟t doubt the professionalism of those trainers or the
quality of their delivery, the approach left behind problems of different approaches and techniques
(experts come from different countries with different IA practices). Also, depending on projects leaves the
internal audit system unable to train new auditors, as constantly needed to remedy to staff turnover. This
applies also to the current EC project the main objective of which is the certification of internal auditors.
We recommend the MEF to create a national platform for training internal public sector auditors. The
CHUIA should cooperate in forming a Syllabus - i.e. an educational program - with institutions having
partly similar needs, such as the OAG and the SKAK (the institution in charge of training accountants).
Modules should involve domestic experts from Treasury, MEF budget departments, central public
procurement bodies etc, so to offer not only knowledge of internal auditing (IIA Standards, audit planning,
risk assessment, audit techniques, reporting etc.), but also of the specific public sector environment.
The need for a Kosovo-owned training platform will remain even if international institutions will be
engaged in providing training (as foreseen in the Strategy), as the training provided by those can only
concern internal auditing techniques, and not the necessary modules aiming at specific knowledge on the
Kosovo public sector (legal acts, budgeting, budget execution etc). Besides the obvious needs in terms of
teaching contents, a Kosovo-owned training platform is also a very effective instrument to bring important
institutions in closer touch with the CHUIA, and reinforce the role of internal auditors in the administration.
As a result of training, the LIA envisages that internal auditors should pass exams resulting in formal
certification, which the CHUIA is for now tasked to award. Still, running the logistics of lessons and exams
is time-absorbing and we suggest this is only for a limited period. Ultimately, the Kosovo-based body that
will take over the implementation of the Syllabus and the complete education of Internal Auditors should
be in charge of certification. Candidates include the Kosovo Institute of Public Administration (KIPA) and
possibly the SKAK (which in the future will anyway have to train private sector internal auditors).
As Kosovo-owned educational materials on Internal Audit become available, one further step and task for
the CHUIA would consist of securing the involvement of the Universities. Having at least one University
introducing the studying of auditing in its programme has obvious advantages, as it gives the possibility to
students to acquire at least a basic level of knowledge about the profession. In turn, this would create a
21

natural pool of prepared candidates for recruitment in internal audit positions, which is important taking
into account that the actual certification process can take place only in relation to already recruited staff.
Without prejudice of technical assistance under way, the CHUIA Director could concretely advance this
objective by preparing a timetable and tasking a team of two employees. This would include running a
basic survey on training needs across IAUs (give a picture of which skills are deficient); as well as
discussions with partner organizations and possibly the creation with them of a joint Taskforce. This
Taskforce should than prepare a proposal for Syllabus and agree on technical implementation (domestic
and international partners, distribution and length of lecturing topics, etc.).
4.8. Instigating and encouraging a continuous dialogue with operational Management
The CHUIA (in partnership with the CHUFMC once activated) should instigate and encourage senior
Management across the public sector to a continuous dialogue with the respective IAUs, through targeted
seminars/ workshops and ultimately full training modules on the importance of MC/S (risk management,
control system design and development of control evaluation criteria) as well as on the use of IA.
During the interviews with IAUs and Permanent Secretaries/Chief Executive Officers it became obvious,
that the purpose and the mission of internal audit are not clear to all Managers and consequently most
expect internal auditors to perform duties that are instead their own responsibility (like risk assessment
and ex ante controlling). In a significant minority of cases, Managers even treat internal auditing as a
„useless‟ function staffed for purely bureaucratic reasons, avoiding to have regular meetings with their IAU
Director or to invite them to important management meetings in the organization.
In this respect, the importance of informing and training managers cannot be underestimated. We
recommend that a module on internal auditing is made available and incorporated into any training
programme for top managers. Apart from these obligatory training, similar shorter information should be
available for non-professional top positions, such as the Ministers and their Deputies. All these positions
often change as a consequence of political change and newcomers may have different backgrounds, not
necessarily including knowledge of Management & Control systems, and Internal Audit.
A Syllabus for such courses could be put together by the CHUIA, CHUFMC and OAG, covering topics
such as Institutional Governance, Risk Management, Internal Controls design, Internal and External
Audit. Practice in new EU members shows that if the courses are not obligatory, only a small percentage
of top managers attends because of failure to appreciate their relevance or because managers
considering themselves too busy with day-to-day work. In countries that have made such mini-courses
obligatory for top professional managers (Slovenia is one case) their impact proved surprisingly efficient.
To practically advance this objective, the CHUIA could start by tasking one employee with responsibility
to gather and maintain information on management attitudes to IA, prepare materials for discussions
amongst IA staff (as part of the regular meetings) and formulate the first proposals to discuss with partner
organizations on a training module aimed at top managers (mostly, chief administrative officers and
others potentially serving as Audit Committee members) on the effective use of IA.
4.9. Internal management of the CHUIA
The internal management of the CHUIA should not be based on a conventional subdivision into
thematic units, but rather on the formation of teams for specific tasks. For this purpose, it is essential that
the CHUIA produces internal acts describing its business processes in all main areas, and that it puts in
place for them a formal risk assessment, risk register and internal control plan.
Finally, we would like to spend a few words on the organization of work at the CHUIA. While the unit is
small and has only a handful of employees, they can be enough to carry out all functions if properly
organized and trained. Perhaps the key point in this respect is that while the CHUIA is in charge of
several different functions, none of them requires day-to-day work on a year-round basis: for that reason
we recommend that, rather than divided into internal units, it is organized in teams for different tasks.
While CHUIA employees should tend to specialize in accordance with their core tasks, such organization
makes the definition of business processes most important. As any other internal unit, the CHUIA must
document properly its M/CSs. At least the implementation of the main functions should be described in a
form of concise “manuals”. At the time of assessment the CHUIA had no internal acts describing its
procedures, no risk assessment and contribution to a risk register, and no internal control plan.
22

We recommend that the CHUIA produces such internal documents, not only for their own use, but also as
a model for other departments of the MEF and for other public sector organizations from which the same
is expected. Internal manuals should cover all aspects of CHUIA operations like the procedures for:
risk management and contributing to a Risk Register;
document flow, filing of documents, retention of documents, access to documents;
quality assurance reviews;
summarising IA reports and issue recommendations for Government;
follow up world development of internal auditing and for dissemination of new knowledge;
liaison with partner organizations;
technical support to IAUs and individual Internal Auditors;
assignments of ad hoc tasks to CHUIA personnel.
The Director of CHUIA should prepare a timetable for drafting of each manual and assign the task to one
or two employees. The draft should be discussed with the Director and the final version officially adopted.
Once the manuals are adopted, the description of working assignments should be updated accordingly so
that all operations are properly covered. The Director should provide for supervision of processes and
quality assurance. On this basis, the CHUIA should be subject to IA by a separate MEF‟s IAU.
23

5. ANNEXES
5.1. LIST OF PERSONS INTERVIEWED
Nr. Institution Person Position Date
1
Ministry of Economy
and Finance
Ministry of Economy
Bedri Hamza Deputy Minister 03.04.2009
2
and Finance, Central
Harmonization Unit for
Internal Audit
Ministry of Economy
Kosum Aliu Director 31.03.2009/17.04.2009
3 and Finance, Treasury
Department
Ministry of Transport
Lulzim Ismajli Director 02.04.2009
4 and
Telecommunication
Ministry of Transport
Ndue Nikaj Internal Auditor 31.03.2009
5 and
Telecommunication
Bekim Hertica Internal Auditor 31.03.2009
6 Kosovo Police Service Sami Shabanaj
Director of Police
Inspection and Audit
01.04.2009
7 Kosovo Police Service Nizajete Latifi Director of Internal Audit 01.04.2009
8
Ministry of Labour and
Social Welfare
Ruhan Kadriu Director of Internal Audit 01.04.2009
9 Kosovo Customs Naile Hoti Director of Internal Audit 02.04.2009
10
Ministry of Public
Services
Ministry of Education,
Fitim Sadiku Permanent Secretary 03.04.2009
11 Science and
Technology
Vebi Ismajli Director of Internal Audit 14.04.2009
12
Ministry of Culture,
Youth and Sports
Bislim Gashi Director or Internal Audit 14.04.2009
13
Ministry of Energy and
Mines
Valbona
Polloshka
Director of Internal Audit 14.04.2009
14 Ministry of Health
Ministry of Transport
Isa Latifaj Director of Internal Audit 14.04.2009
15 and
Telecommunications
Ministry of Local
Skender Gashi Permanent Secretary 16.04.2009
16 Government
Administration
Besnik Osmani Permanent Secretary 16.04.2009
17
Office of the Auditor
General
Lage Olofsson Auditor General 17.04.2009
24

5.2. LIST OF INSTITUTIONS RESPONDING TO QUESTIONNAIRE
Nr. Institution Contact person
1 Ministry of Economy and Finance, Treasury Department Nusret Hoxha
2 Ministry of Internal Affairs Bashkim Berisha
3 Ministry of Health ISa Latifaj
4 Ministry of Public Services Shefki Gashi
5 Ministry of Transport and Telecommunication Ndue Nikaj/ Bekim Hertica
6 Office of the President Naser Jakupi
7 Kosovo Police Service Nizajete Latifi
8 Kosovo Customs Naile Hoti
9 Ministry of Local Government Administration Ismail Halili
10 Ministry of Energy and Mines Valbona Polloshka
11 Ministry of Culture, Youth and Sports Bislim Gashi
12 Ministry of Agriculture, Forestry and Rural Development Halil Bytyqi
13 Kosovo Judicial Council Secretariat Kadifete Hasani
14 Ministry of Economy and Finance Dervish Bytyqi
25