Module 3.D

3D. CFO, Internal Audit, and External Audit (15%)
3D Learning Outcomes
On completion of this section, students will be better able to:
• Describe respective responsibilities of the chief financial officer, internal audit, and
external audit.
• Identify opportunities for collaboration among chief financial officer, internal audit, and
external audit.
• Describe processes of assurance mapping.
3D.1 Roles of the Chief Financial Officer
The Chief Financial Officer (typically Director of Finance in Albanian public sector entities) is the
most senior member of the finance and accounting team. As a member of senior management,
they have entity-wide responsibilities related to leadership, strategy development and
implementation, culture, and governance. As head of the finance unit, they have responsibility
for managing financial resources, ensuring liquidity, safeguarding assets, setting and
implementing financial strategy, determining financial policies, planning and budgeting,
monitoring, and reporting.
Chief financial officers have insight into every business unit. Given their visibility into
opportunities that can be unlocked by information-led transformations, it is no surprise
that CFOs are assuming new strategic roles. They are tasked with guiding the growth of
companies, building digital organizations, and transforming the finance function. 41
An important distinction is made between the roles of the Executing Officer (Director of Finance)
and the Authorizing Officer (Secretary General) as a crucial part of financial control at the
highest level. Additionally, the Minister (or political leader of the entity) holds neither of these
responsibilities.
The structure of the team and the roles within it depend on the purpose and size of the entity.
Many aspects of financial management and control are determined centrally or by superior
bodies, reducing the scope of responsibilities at the level of subordinated entities.
The following table (based on Finance Department Organization Structure, opsdog 42 ) illustrates
key functions (with potential areas of overlap) regardless of how these may be distributed and
structured. Some functions, such as payroll, may be outsourced.
Function
Description
41
The CFO Agenda: Transforming the Finance Function, Harvard Business Review, 2018.
42
Finance Department Organization Structure, opsdog.com.
69

Finance
Managing long-term and operational funding, accounting, and financial
reporting.
Accounts payable Managing amounts owing to suppliers to ensure timely and accurate
payment (maintaining Accounts Payable Ledger).
Accounts
Managing amounts due from clients and service-users to ensure prompt
receivable
collection (maintaining Accounts Receivable Ledger).
Accounting and Bookkeeping to record and track financial transactions and fixed assets
reporting (control) (maintaining Cash Book and General Ledger).
Budgeting and Preparing and monitoring budget, variance analysis, and management
forecasting accounts.
Expense
Approving, recording, reimbursing, and monitoring employee-generated
management expenses (travel, accommodation, etc.)
Tax
Planning and managing all tax-related expenses.
Treasury
Managing cash to maximize liquidity.
management
Payroll
Administering salaries, wages, bonuses, and deductions.
Another way of thinking about the roles of the CFO related to control is to consider the main
organizational functions of finance, as:
• Catalyst.
• Strategist.
• Stewardship.
• Operative.
These roles are illustrated below (taken from “What is a Financial Controller? Roles and
Responsibilities” 43 .
43
What is a Financial Controller? Roles and Responsibilities, Oracle Netsuite.
70

In the public sector of some countries a distinction is made between the similar roles of financial
controller and comptroller. The latter is viewed as having a broader and more senior role
overseeing fiscal activities similar to the role of the Chief Financial Officer. The controller is in
control of the accounting function and maintaining financial records.
Given the seniority of the position, the CFO plays both a strategic role to enable achievement of
the organization’s core purpose as well as an operational role supporting core functions. They
are key to ensuring conformance with reporting requirements as well as supplying information
internally to aid effective decision-making. They also have responsibility for overall financial
control. Therefore, it is essential the CFO fully understands their organization and its culture,
vision, mission, goals, priorities, risks, resources, people, and processes.
CIPFA developed a detailed description of the Role of the Chief Financial Officer in Public
Service Organisations based on five principles which is worth quoting in full. 44
Principle 1: The CFO in a public service organisation is a key member of the
Leadership Team, helping it to develop and implement strategy and to resource and
deliver the organisation’s strategic objectives sustainably and in the public interest.
44
Role of the Chief Financial Officer in Public Service Organisations, CIPFA, 2011.
71

• Contributing to the effective leadership of the organisation, maintaining focus on
its purpose and vision through rigorous analysis and challenge.
• Contributing to the effective corporate management of the organisation, including
strategy implementation, cross organisational issues, integrated business and
resource planning, risk management and performance management.
• Supporting the effective governance of the organisation through development of
– corporate governance arrangements, risk management and reporting
framework; and – corporate decision making arrangements.
• Leading or promoting change programmes within the organisation.
• Leading development of a medium term financial strategy and the annual
budgeting process to ensure financial balance and a monitoring process to
ensure its delivery.
• Ensuring the medium term financial strategy reflects joint planning with partners
and other stakeholders.
Principle 2: The CFO in a public service organisation must be actively involved in, and
able to bring influence to bear on, all material business decisions to ensure immediate
and longer term implications, opportunities and risks are fully considered, and alignment
with the organisation’s overall financial strategy.
Responsibility for financial strategy:
• Agreeing the financial framework with sponsoring organisations and planning
delivery against the defined strategic and operational criteria.
• Maintaining a long term financial strategy to underpin the organisation’s financial
viability within the agreed performance framework.
• Implementing financial management policies to underpin sustainable long-term
financial health and reviewing performance against them.
• Appraising and advising on commercial opportunities and financial targets.
• Developing and maintaining an effective resource allocation model to deliver
business priorities.
• Leading on asset and balance sheet management.
• Co-ordinating the planning and budgeting processes.
• Establish a medium term business and financial planning process to deliver the
organisation’s strategic objectives, including: – a medium term financial strategy
to ensure sustainable finances; – a robust annual budget process that ensures
financial balance; and – a monitoring process that enables this to be delivered.
• Ensure that professional advice on matters that have financial implications is
available and recorded well in advance of decision making and used
appropriately.
72

• Ensure that those making decisions are provided with information that is fit for the
purpose – relevant, timely and giving clear explanations of financial issues and
their implications.
Influencing decision making:
• Ensuring that opportunities and risks are fully considered and decisions are
aligned with the overall financial strategy.
• Providing professional advice and objective financial analysis enabling decision
makers to take timely and informed business decisions.
• Ensuring that the organisation’s capital projects are chosen after appropriate
value for money analysis and evaluation using relevant professional guidance.
• Checking, at an early stage, that innovative financial approaches comply with
regulatory requirements.
Financial information for decision makers:
• Monitoring and reporting on financial performance that is linked to related
performance information and strategic objectives that identifies any necessary
corrective decisions.
• Preparing timely management accounts.
• Ensuring the reporting envelope reflects partnerships and other arrangements to
give an overall picture.
Principle 3: The CFO in a public service organisation must lead the promotion and
delivery by the whole organisation of good financial management so that public money is
safeguarded at all times and used appropriately, economically, efficiently, and effectively.
Promotion of financial management:
• Assessing the organisation’s financial management style and the improvements
needed to ensure it aligns with the organisation’s strategic direction.
• Actively promoting financial literacy throughout the organisation.
Value for money:
• Challenging and supporting decision makers, especially on affordability and
value for money, by ensuring policy and operational proposals with financial
implications are signed off by the finance function.
• Developing and maintaining appropriate asset management and procurement
strategies.
• Managing long term commercial contract value.
Safeguarding public money:
73

• Applying strong internal controls in all areas of financial management, risk
management and asset control.
• Establishing budgets, financial targets and performance indicators to help assess
delivery.
• Implementing effective systems of internal control that include standing financial
instructions, operating manuals, and compliance with codes of practice to secure
probity.
• Ensuring that delegated financial authorities are respected.
• Promoting arrangements to identify and manage key business risks, including
safeguarding assets, risk mitigation and insurance.
• Overseeing of capital projects and post completion reviews.
• Applying discipline in financial management, including managing cash and
banking, treasury management, debt and cash flow, with appropriate segregation
of duties.
• Implementing appropriate measures to prevent and detect fraud and corruption.
• Establishing proportionate business continuity arrangements for financial
processes and information.
• Ensuring that any partnership arrangements are underpinned by clear and well
documented internal controls.
Assurance and scrutiny:
• Reporting performance of both the organisation and its partnerships to the board
and other parties as required.
• Supporting and advising the Audit Committee and relevant scrutiny groups.
• Preparing published budgets, annual accounts and consolidation data for
government-level consolidated accounts.
• Liaising with the external auditor.
Principle 4: The CFO in a public service organisation must lead and direct a finance
function that is resourced to be fit for purpose.
• Leading and directing the finance function so that it makes a full contribution to
and meets the needs of the business.
• Determining the resources, expertise and systems for the finance function that
are sufficient to meet business needs and negotiating these within the overall
financial framework.
• Implementing robust processes for recruitment of finance staff and/or outsourcing
of functions
• Reviewing the performance of the finance function and ensuring that the services
provided are in line with the expectations and needs of its stakeholders.
• Seeking continuous improvement in the finance function.
74

• Identifying and equipping finance staff, managers and the Leadership Team with
the financial competencies and expertise needed to manage the business both
currently and in the future.
• Ensuring that the Head of Profession role for all finance staff in the organisation
is properly discharged.
• Acting as the final arbiter on application of professional standards.
Principle 5: The CFO in a public service organisation must be professionally qualified
and suitably experienced.
3D.1: Reflection
Consider planning, budgeting, monitoring, reporting, and financial control. In your
organization, how are the various responsibilities of finance and accounting arranged?
How is the work of financial control, financial inspection, external audit, and internal audit
coordinated?
Consider the five CIPFA Principles and criteria. How closely does the CFO and finance and
accounting function in your organization satisfy those criteria?
3D.2 Roles of External Audit
A Supreme Audit Institution (SAI) is established to undertake external audits of public sector
entities and report to parliament either directly or via a committee, council, or similar authority or
body.
A supreme audit institution (SAI), or national audit institution, fulfils the independent and
technical public sector external audit function that is typically established within a country’s
constitution or by the supreme law-making body. A SAI is responsible for overseeing and
holding government to account for its use of public resources, together with the legislature
and other oversight bodies. SAIs have different models and institutional arrangements
regarding the legislature, executive and judiciary. Where there is more than one body
fulfilling the public sector external audit role, the SAI is usually distinguished as possessing
the strongest constitutional guarantees of independence.
In line with their status as independent external bodies, SAIs require full discretion and
sufficiently broad mandates, although this differs depending on the SAI country context. In
order to provide expertise and credible findings on the use and management of public
resources, SAIs require the ability to access all relevant documents, to work onsite, and to
follow up with audited entities on their findings.
75

In order for a SAI to effectively hold government accountable for its stewardship of public
resources, it must operate on the fundamental principles of independence, transparency and
accountability, ethics and quality control. An independent and professional SAI should hold
itself to the principles that it expects of the public sector entities that it audits so as to lead by
example. 45
SAIs typically undertake three kinds of audits:
• Financial audits.
• Compliance audits.
• Performance audits.
In some countries, the SAI has jurisdictional authority with additional legal powers to investigate
and prosecute.
In Albania, the SAI is known as the Supreme State Control (SSC) and reports to the Assembly.
The SSC describes itself as “the highest institution of economic and financial control in the
Republic of Albania.” Its self-declared purpose is
to control the effective and beneficial use of public funds, financial good administration and
control of the implementation of legality in the economic and financial field…[including]
communication and providing information to public authorities and the public in general,
through the publication of unbiased reports. 46
The IIA and INTOSAI produced a joint report confirming the compatibility of the respective sets
of standards. Internal auditors and external auditors have very broadly the same objectives – in
terms of accountability, transparency, and assurance – and have similar methodologies. While
maintaining their individual independence, there is plenty of scope for collaboration in training
and professional development, the planning of audits, and sharing of findings. An internal audit
engagement may deploy a member of the SAI as a guest auditor. The degree of reliance placed
on the work of another assurance provider is dependent on the level of independence and
competency and the standards applied to the work, and its relevance, scope, and currency.
According to INTOSAI professional standards:
the Supreme Audit Institution has the task of examining the effectiveness of internal audit. If
internal audit is judged to be effective, efforts shall be made, without prejudice to the right of
the Supreme Audit Institution to carry out an overall audit, to achieve the most appropriate
division or assignment of tasks and cooperation between the Supreme Audit Institution and
internal audit. 47
45
OECD Public Governance Reviews: Supreme Audit Institutions and Good Governance, OECD, 2016.
46
State High Control, Shtetiweb, 2021.
47
ISSAI 1, The Lima Declaration, INTOSAI, 2019.
76

According to Standard 2050 – Coordination and Reliance:
The chief audit executive should share information, coordinate activities, and consider
relying upon the work of other internal and external assurance and consulting service
providers to ensure proper coverage and minimize duplication of efforts.
Interpretation:
In coordinating activities, the chief audit executive may rely on the work of other assurance
and consulting service providers. A consistent process for the basis of reliance should be
established, and the chief audit executive should consider the competency, objectivity, and
due professional care of the assurance and consulting service providers. The chief audit
executive should also have a clear understanding of the scope, objectives, and results of the
work performed by other providers of assurance and consulting services. Where reliance is
placed on the work of others, the chief audit executive is still accountable and responsible
for ensuring adequate support for conclusions and opinions reached by the internal audit
activity. 48
Assurance mapping and combined assurance are considered in more detail in section 3D.3.
Some external audits of public entities may also be conducted by providers other than the SAI in
accordance with legal requirements. This occurs where a publicly funded entity is responsible
for tendering for an external provider for some of its statutory audits as well as any additional
external assurance deemed valuable at the discretion of the organizational leadership to
complement the work of the SAI, internal auditors, financial inspectors, and others.
3D.2: Reflection
Which body or bodies conduct external audits of your organization?
What use does external audit make of internal audit findings? What use does internal audit
make of external audit findings?
Do internal and external audit collaborate in any other way, such as training, information
sharing, and planning?
Could a member of the SAI be deployed on an internal audit mission as a guest auditor?
48
International Professional Practices Framework, The IIA, 2016.
77

3D.3 Assurance Mapping
Senior management and the governing body receive assurance from various internal providers
(e.g., management, internal control, risk and compliance, and internal audit) and external
providers (e.g., SAI, inspectors, and other consultants). An assurance map is used to record
which party is providing assurance on each group of key risks and control to avoid unwanted
gaps and unnecessary overlaps and duplication. Some gaps may be deliberate, especially
where management regards those risks as being of a lower priority or controls are known to be
reliable and effective. Likewise, some overlap and duplication is intentional for high risk areas,
new risks, or areas requiring a high degree of specialist expertise where a second opinion is
valued.
Assurance mapping can also help with audit fatigue which can arise in teams subject to multiple
reviews, inspections, and investigations in a relatively short period of time. Assurance provides
can collaborate on timing to minimize this danger. Alternatively, two audits may be conducted
together.
Internal audit may use the map to inform their planning and determine whether there is scope to
use the work of other assurance providers rather than repeat it. Management may use the map
to ensure resources and structures are being utilized with the greatest efficiency and
effectiveness.
The internal audit function is well laced to create such an assurance map.
The IIA guide Coordination and Reliance: Developing an Assurance Map suggests five steps for
producing an assurance map:
1. Identifying sources of risk information.
2. Organizing risks into risk categories for consolidated viewing.
3. Identifying assurance providers.
4. Gathering information and documenting assurance activities by risk category.
5. Periodically reviewing, monitoring, and updating the assurance map. 49
A further advantage of the assurance mapping process is it requires assurance providers to
share information with each other and thus help to create a more coherent view of the
organization.
An assurance map can take many forms. It will likely reflect the risk categories adopted by the
organization and used in the risk register. An example assurance map is shown below. The
example does not include external assurance providers which should be considered for a
comprehensive picture.
49
Coordination and Reliance: Developing an Assurance Map, The IIA, 2018.
78

79

3D.3.1 Combined Assurance
An extension of assurance mapping is sometimes referred to as combined assurance. Beyond
the tracking of assurance coverage across all major risk categories, combined assurance is a
more coordinated approach to provide greater insights on governance, risk management, and
internal control. According to guidance produced by AuditBoard:
True combined assurance represents the ultimate level of coordination, including such
elements as combined scheduling, consolidated planning and reporting, shared terminology,
and use of common and shared technology. 50
The seven steps described in the article are:
1. Establish a baseline.
2. Outline and define your objectives and expected benefits.
3. Obtain involvement of other assurance providers.
4. Communicate with, educate, and obtain sponsorship of key stakeholders.
5. Take an iterative step-by-step approach.
6. Create a change management plan.
7. Measure and report on success against expected benefits. 51
More advanced guidance is given by AuditBoard in the guide Advancing Combined Assurance
to Manage Risks. 52
In the King IV Code of Corporate Governance, combined assurance has a specific meaning
linked to King’s model of five lines of assurance, an extension of the Three Lines Model to
include external audit and the board.
3D.3: Reflection
Who provides assurance to management and the governing body in your organization?
Are there any risk areas of over-coverage or under-coverage in terms of assurance?
Does your organization produce an assurance map? If so, who produces the assurance
map? What use is made of the assurance map?
Does internal auditing use the work of other assurance providers? If so, what examples do
you have? How do auditors determine the work of other assurance providers can be relied on?
50
What is Combined Assurance? Seven Steps to Start a Successful Program, AuditBoard, 2020.
51
What is Combined Assurance? Seven Steps to Start a Successful Program, AuditBoard, 2020.
52
Advancing Combined Assurance to Manage Risks, AuditBoard, 2021.
80

References and Additional Reading
10 Tips for Evaluating Internal Control Deficiencies” AuditBoard, 2021.
https://www.auditboard.com/blog/tips-evaluating-internal-control-deficiencies/
Acquis, Eur-Lex. https://eur-lex.europa.eu/EN/legalcontent/glossary/acquis.html#:~:text=The%20European%20Union%20(EU)%20acquis,syste
ms%20of%20EU%20Member%20States.
Advancing Combined Assurance to Manage Risks, AuditBoard, 2021.
https://www.auditboard.com/resources/ebook/advancing-combined-assurance-to-managekey-risks/
Budgeting the Internal Audit Function: How Much is Enough? Tone at the Top, The IIA,
December 2018
https://www.theiia.org/globalassets/site/content/tools/advocacy/2018/budgeting-the-internalaudit-function-how-much-is-enough/tone-at-the-top-issue-90-december-2018_updated.pdf
Chapters of the Acquis, European Commission. https://neighbourhoodenlargement.ec.europa.eu/enlargement-policy/conditions-membership/chapters-acquis_en
CIPFA Financial Management Code https://www.cipfa.org/policy-andguidance/publications/f/financial-management-code
Coordination and Reliance: Developing an Assurance Map, The IIA, 2018
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/coordination-and-reliance-developing-an-assurance-map/pg-coordination-andreliance-developing-an-assurance-map1.pdf
De Koning, Robert, PIFC Public Internal Financial Control, 2007.
Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial
Management. https://www.cipfa.org/policy-and-guidance/reports/whole-system-approachvolume-1
Finance Department Organization Structure, opsdog.
https://opsdog.com/categories/organizationcharts/finance#:~:text=A%20Finance%20Department%20manages%20a,the%20finances%
20of%20the%20company.
Framework for assessing public financial management, PEFA, 2019.
https://www.pefa.org/sites/pefa/files/resources/downloads/PEFA%202016_latest%20version
_with%20links%20%282%29.pdf
IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency, The IIA, 2010
https://www.theiia.org/globalassets/documents/content/articles/guidance/practice-
81

guides/measuring-internal-audit-effectiveness-and-efficiency/practice-guide-measuringinternal-audit-effectiveness.pdf
International Professional Practices Framework, The IIA, 2016.
Handbook of International Public Sector Accounting Pronouncements, Volume 1, IPSASB,
2021. https://www.ipsasb.org/publications/2021-handbook-international-public-sectoraccounting-pronouncements
Handbook of International Public Sector Accounting Pronouncements, Volume 2, IPSASB,
2021. https://www.ipsasb.org/publications/2021-handbook-international-public-sectoraccounting-pronouncements
ISSAI 1, The Lima Declaration, INTOSAI, 2019.
https://www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INT
OSAI_P_1_en_2019.pdf
Local Government Management Guide: Management’s Responsibility for Internal Control, Office
of the New York State Comptroller, 2016 https://www.osc.state.ny.us/files/localgovernment/publications/pdf/managements-responsibility-for-internal-controls.pdf
OECD Public Governance Reviews: Supreme Audit Institutions and Good Governance, OECD,
2016. https://read.oecd-ilibrary.org/governance/supreme-audit-institutions-and-goodgovernance_9789264263871-en#page20
Position Paper: Internal audit's relationship with external audit, Chartered Institute of Internal
Auditors, 2020. https://www.iia.org.uk/resources/delivering-internal-audit/position-paperinternal-audits-relationship-with-externalaudit/#:~:text=The%20external%20audit%20focus%20is,are%20effective%20in%20managi
ng%20risks
“Public Financial Management,” Transparency International, knowledgehub.transparency.org.
https://knowledgehub.transparency.org/topics/public-financial-management-parentlabel#:~:text=Public%20financial%20management%20(PFM)%20is,allocated%2C%20spent
%20and%20accounted%20for.
Role of the Chief Financial Officer in Public Service Organisations, CIPFA, 2011.
https://www.cipfa.org/-/media/Files/CIPFA-Thinks/Reports/Role-of-CFO-v2-2011.pdf
State High Control, Shtetiweb, 2021. http://shtetiweb.org/2012/09/28/kontrolli-i-larte-i-shtetit
Sustaining High Performance Beyond Public Sector Pilot Projects, McKinsey, 2018.
https://www.mckinsey.com/industries/public-and-social-sector/our-insights/sustaining-highperformance-beyond-public-sector-pilot-projects
82

The Practice of Internal Controls, Office of the New York State Comptroller, 2010
https://www.osc.state.ny.us/files/local-government/publications/pdf/the-practice-of-internalcontrols.pdf
The CFO Agenda: Transforming the Finance Function, Harvard Business Review, 2018.
https://www.coupa.com/lp_fce-19-hbr-cfo-
agenda?utm_source=GoogleAds&utm_medium=Paid-Search&utm_campaign=SEM-
2022Q1&utm_trm=NA-Finance&utm_content=19-HBR-The-CFO-
Agenda&utm_last_engagement=PG19246A1&gclid=CjwKCAiA_6yfBhBNEiwAkmXy5wDvrc
oK8C1kvT6hcTjB_OZNyMMy5dbcRZqfUr-lslnIjK1xBWNpHhoCGFsQAvD_BwE#top
What is Combined Assurance? Seven Steps to Start a Successful Program, AuditBoard, 2020.
https://www.auditboard.com/blog/combined-assurance-get-started/
“What Internal Audit Can Do To Improve Financial Management,” Internal Audit 360, 2019.
https://internalaudit360.com/what-internal-audit-can-do-to-improve-financial-management/
What is a Financial Controller? Roles and Responsibilities, Oracle Netsuite.
https://www.netsuite.com/portal/resource/articles/accounting/financialcontroller.shtml#:~:text=Most%20of%20what%20a%20financial,%2C%20operator%2C%20c
atalyst%20and%20strategy.
Whittaker, J., Strategy and Performance Management in the Government, Pilot Software,
November 2003. Quoted in “How to Manage (and Measure) Government Performance,”
FreeBalance, August 9, 2022. https://freebalance.com/en/blog/pfm/why-use-the-balancedscorecard-ingovernment/#:~:text=The%20balanced%20scorecard%20provides%20governments,used%
20in%20the%20private%20sector.
.
83