Internal audit in the public sector – comparative study between the Nordic countries: The development of internal auditing within the public sector in the Nordic countries

The subject of this paper is a comparative study about the current status of internal audit within the public sector in the Nordic countries. The aim is to understand the basis and recognize trends in the development of internal audit in the public sector in these countries. The status of internal audit within each country, Denmark, Finland, Iceland, Norway and Sweden, is presented and also the regulatory basis, laws and regulations, for internal audit and the main challenges that internal auditing faces. Finally, the opportunities for further development of internal audit in the public sector are addressed. The International Standards for Internal Auditing are well recognized and in use in all the countries. There are differences between these countries in their approach of the regulatory framework for internal audit and the arrangement of the Icelandic Review of Politics and Administration Vol. 14, Issue 2 (19-44) © 2018 Contacts: Anna Margrét Jóhannesdóttir, anna.margret.johannesdottir@reykjavik.is/amjjoh@gmail.com Article first published online June 21st 2018 on http://www.irpa.is Publisher: Institute of Public Administration and Politics, Gimli, Sæmundargötu 1, 101 Reykjavík, Iceland Stjórnmál & stjórnsýsla 2. tbl. 14. árg. 2018 (19-44) Fræðigreinar © 2018 Tengiliðir: Anna Margrét Jóhannesdóttir, anna.margret.johannesdottir@reykjavik.is/amjjoh@gmail.com Vefbirting 21. júní 2018 Birtist á vefnum http://www.irpa.is Útgefandi: Stofnun stjórnsýslufræða og stjórnmála, Gimli, Sæmundargötu 1, 101 Reykjavík DOI: https://doi.org/10.13177/irpa.a.2018.14.2.2 This work is licensed under a Creative Commons Attribution 3.0 License. 20 STJÓRNMÁL & STJÓRNSÝSLA Internal audit in the public sector – comparative study between the Nordic countries operation of internal audit units. Therefore, further development of internal auditing should be pursued in cooperation and to harmonize the regulatory bases in these countries and to learn from each other when implementing internal audit in the public sector.


Introduction
Many changes have taken place in the last couple of years regarding the development of internal audit within the public sector in the Nordic countries.The role of the public sector in the Nordic countries is in many cases similar, providing services and goods.The overall government spending in these countries accounts for about 43% -57% of the gross domestic product (GDP), (OECD 2015).The population of Finland is about 5,5 million people, Sweden 10 million, Norway 5,3 million, Denmark 5,7 million and 340 thousand in Iceland.There has been a development in laws and regulations that set the basis for establishing and strengthening the status of internal audit, except in Denmark.The reform of these laws and regulations has notably taken place as a response to economic crisis or fraud scandals, in order to strengthen the oversight and control mechanisms.Finland, Iceland, Norway and Sweden have laid down provisions in laws, regulations and/or ordinances regarding internal auditing within the public sector.
All the Nordic countries operate internal audit departments within the public sector.However, there are some differences between the countries regarding the structure and operation of their internal audit departments.Therefore, it is important to map out and understand the arrangement of the internal audit function within the public sector in the Nordic countries in order to learn from each others' experience.
The internal audit profession has a strong common ground in the International Standards for the Professional Practices Framework (IPPF), issued by The Institute of Internal Auditors (IIA), which define the criteria for how to operate an internal audit unit (1000 Attribute Standard) and for how to practice internal audit (2000 Performance Standard) (The Institute of Internal Auditors, Global 2017a).
The definition of internal audit describes the fundamental purpose, nature, and scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (The Institute of Internal Auditors, Global 2017b).
The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.Internal audit is an important function for the control environment of an organization and contributes to more effective risk management.The internal audit function provides

Methodology and approach
When initiating a comparative study of internal auditing in the public sector, major questions come to mind, such as what is the public sector and what should be the scope of this comparative study?The public sector can be defined in several ways, according to the types or nature of the organization and the level of the governmental structure.
The Supplemental Guidance: "Public Sector Definition", published by the IIA includes a definition of the public sector (The Institute of Internal Auditors, Global 2011).The public sector operates on four levels: International (multi-state entities or partnerships), National (an independent state), Regional (a province/county within a national state), and Local (municipal level body such as a city).There can be several types or nature of public functions or organizations within each of these levels, ranging from core government services to publicly owned companies.A distinction between the nature of public sector functions can be seen as: A) Organizations that are generally considered public sector, that includes entities that provide public services solely or largely funded by tax revenues, and B) Operations within the so-called gray zone, which are outside this clear public sector area, i.e. companies owned by the government, state businesses operating on the market.
The definition of the former (A) is that the public sector generally consists of at least three types of organizations; core government, agencies, and public enterprises.
Core government is the level of government that includes ministries, departments, or functions that report directly to the central authority, such as the legislature, council, cabinet, or the executive head.Agencies consist of separate public organizations that are part of the government and that deliver public programs, goods, or services.Some agencies are governed by a board and others not.Public enterprises are independent organiza-

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries tions that deliver public programs, goods, or services, they often have their own sources of revenue, and in some cases additional direct public funding, and may also compete in private markets (The Institute of Internal Auditors, Global 2011).
The focus point of the public sector in this study will be on the core government and agencies, and could in some cases cross over to public enterprises.The gray zone falls outside the scope of this study, i.e. state businesses.
In Denmark, Finland, Norway and Sweden, the public sector is divided into three levels: national, regional, and local.In Iceland, however, the public sector is generally divided into two levels, national and local. 2  The definitions above will be adapted to the Nordic countries.For this comparison study four categories were defined in order to make the comparison between the Nordic countries.The categories are, National level -ministries, National level -agencies, Regional level and Local government level.The definition of those categories are shown in table 1.

Table 1. Categories for comparative study for the Nordic countries
Each level has different roles and obligations.The role at ministry level is policy-making, and the agencies are independent organization that implement the public policy.The regional level provides regionally based services, and the local government provides local services.All the countries can identify with those categories, even though there are differences in scope and obligations on each level between countries, and there are also some overlaps.
The concept "organization", that is frequently used in this paper, is used as a general concept that refers to any kind of operation, for example all the types of operations mentioned in Table 1 can be referred to as organizations.Also, the concept internal audit unit is frequently used, and refers to internal audit operation, function, offices, or department, with at least one person employed as internal auditor, but not to independent outsourced services.
The study uses a qualitative approach, based on interviews, a questionnaire, and information gathered during the process of the study.All countries, Denmark, Finland, Iceland, Norway, and Sweden, were visited and interviews conducted.There were 20 interviews with the head or representative of the internal audit units from all levels of government sector, and also several interviews with others who could provide information relating to the subject of this study.A questionnaire was distributed, and 23 answers

STJÓRNMÁL & STJÓRNSÝSLA
were received from various internal audit units of all levels and types of organizations in all five countries.
The work and review process was organized in such manner that the main author has the overall responsibility for this study, all field work (visits) and for setting forth the outcome.The role of the co-authors was to assist in gathering information, review and analyze material during the process of the study, and to review the final paper.The role of other contact persons and reviewers was to help with setting up meetings for on-site visits in each country, gathering information, and to review the outcome regarding their respective country.

Status of internal audit in the Nordic countries -comparison
Table 2 gives an overview over the status of internal audit in the public sector in the Nordic countries according to the level and nature of organization.The objective was to identify and analyze those which have existing internal audit units (IAU) within their organization.Outsourced internal audit was not within the scope of this study, although it deserves mentioning that some audit units buy specifically defined internal audit services.Interviews were conducted and questionnaires sent to internal audit units on all levels and types of organizations, as mentioned above.In Table 2, some categories are marked "not applicable" which refers to the fact that an internal audit unit is not operating in that category, but in some cases other set-ups exist for oversight, that will not be further described in this paper.As shown in Table 2, only Finland and Norway have audit units within all four levels.The set-up is divided into both a centralized and decentralized arrangement, which means that some have a central unit that is responsible for internal auditing for more than one independent organization.In some cases there is a decentralized set-up which means

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries that each organization has their own internal audit unit.In some cases there is a mix of both a centralized and decentralized arrangement that is referred to as dual set-up.

National level -ministries
The set-up or arrangement for internal audit at ministry level differs between countries.In some countries the ministries have a wide range of roles and responsibilities, while others have a narrower role.For example Sweden has a strong separation between ministries and public agencies.Ministries are rather small, with 4500 employees altogether.Their key role is policymaking and oversight, and the agencies are strong and independent.In Denmark, the ministries have a wide scope with a sectoral approach.In some cases, the function or role of ministries resembles the function or role of agencies in other countries, as for example the Ministry of Taxation in Denmark.
Table 3 below provides a comparison on several issues, such as the regulatory basis (laws/regulations) that mention internal audit in their provisions, the structure or set-up of the audit unit, use of the IIA standards, reporting line, and whether the audit reports are public or not.

Regulatory basis
There are great differences between the Nordic countries in the approach to setting laws and regulations concerning internal audit for the ministry level of the public sector.Finland, Iceland and Sweden have adopted laws and/or regulations for internal audit at ministry level, while Denmark and Norway have not.
The basis for internal audit in Finland is in the State Budget Decree (1243/1992).These provisions apply for both ministries and public agencies.Chapter 9, Internal control, section 69 to 70 in the State Budget Decree, as amended in the Ordinance (263/2000), includes a discussion on internal audit: If there is due cause in view of the internal control procedures required in sections 69 and 69 a, the management of a government agency shall arrange for internal auditing.The purpose of internal auditing is to ascertain for the management that the internal control system in place is adequate and sufficient, and to carry out the audits prescribed by the management.The general standards and recommendations concerning internal audit shall be taken into account when arranging internal audits.The stipulations on the procedures and status of internal audits in a government agency organization are issued in the standing orders for internal auditing confirmed by the agency itself.The relevant ministry and the State Audit Office shall be notified of the standing orders for internal audit (Ordinance 263/2000, sec 70).
It is non-mandatory for the management at ministry level to set up an internal audit unit.It is thus up to the management to decide whether an internal audit function should be established or not, based on the status of internal control within the ministries.However, the European Commission requires internal audit in connection with financing from EU funds through for example grants, procurement and financial instruments. 3 In Iceland, the Public Finance Act No. 123/2015, which entered into force January 1, 2016, provides that central government entities (ministries and agencies) shall have an internal audit unit.The obligation for internal auditing is stated in Article 65 -Internal control and internal audit: Internal audit shall be carried out within Part A central government entities on the basis of a regulation adopted by the Minister, cf.Article 67, and in accordance with international standards and internal audit codes of ethics issued by the International Institute of Internal Auditors (The Public Finance Act No. 123/2015, Article 65).
The law also states that a Minister may appoint a special committee for consultations regarding the organization and implementation of internal control and internal audit.

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries Article 65 has not yet been implemented, other aspects of this new law have been prioritized.However, it is in the process of policy development, what kind of set-up/ arrangement would be most suitable for the ministry level in Iceland.
The basis for the central internal audit at ministry level in Sweden is the Ordinance (1996Ordinance ( , 1515) ) for Government Offices, as amended by ordinance (2008,66).In articles 62 to 65 it is stated that there should be an internal audit: The Internal Audit Office of the Government Offices shall independently review how internal management and control of the Government Offices is carried out, as well as how their financial reporting obligations are met.Internal auditing shall be conducted in accordance with good practice for internal auditing (Ordinance 1996(Ordinance , 1515, sec 63), sec 63).
The central audit unit must also follow the Internal Audit Ordinance SFS 2006:1228, which specifies the obligations which the internal audit unit must comply with.
Denmark and Norway have no laws or regulations rendering it obligatory to have an internal audit unit, or recommending that a ministry should consider establishing an internal audit department at ministry level.
The National Audit Office (Rigsrevisionen) in Denmark used to conclude individual agreements with several ministries on internal auditing, but the scope was mainly limited to financial audits.In June 2016, this arrangement was terminated and it is up to each ministry whether to have an internal audit function or not.Some ministries closed down their internal audit section but some are still in place, based on a managerial decision.

Structure/set-up
The structure or set-up varies between countries.Sweden has one centralized internal audit unit of 8 people, which is responsible for internal auditing for all ministries.The internal audit unit is placed at the Prime Ministry's office (Regeringskansliet).Formerly, internal audit units were decentralized, placed within each of the ministries.
Both Finland and Denmark have a decentralized system.Finland has internal audit units in every ministry, except the Prime Ministry, and internal auditing is outsourced at the Ministry of Defence.The size of the units varies from one to 10 people.Denmark has internal audit units at three ministries: the Ministry of Finance with 8 people, the Ministry of Defence with 8 people, and the Ministry of Taxation with 25 people.
Both in Finland and Denmark some ministries have responsibility for internal auditing in the agencies that fall under the respective ministry.For example, the Ministry of Finance in Denmark is responsible for internal audit for its five agencies.
In Norway, one ministry, the Ministry of Defence, has an internal audit unit, a central audit department which has a contract with four agencies and is responsible for the internal audit within those agencies.

Use of the IIA standards
The requirements for following the IIA standards are not mentioned in any of the laws and regulations, except in the Public Finance Act in Iceland.It is usually stated that general standards and recommendations for internal auditing shall be applied.But in practice all the internal audit units are using the IIA standards as a guideline.
The central internal audit unit in Sweden and the internal audit unit at the Norwegian Ministry of Defence have undertaken external quality assessments, as required in accordance with the IIA Standard on External Assessments.
In Denmark the IIA standards are recognized, but another standard, The Good Public Audit Standard, issued by the Danish National Audit Office, is in use, although not mandatory.

Reporting line
The audit units at ministry level report to the respective Permanent Secretary and to the management which is subject to the audit.There seem not to be any audit committees at ministry level in any of these countries.

Public report
It varies somewhat between countries whether the audit reports at ministry level are public or not.In most ministries the reports are generally not public, but in some cases they can be made public depending on the issue or can be obtained upon request.In Norway the reports are not public at ministry level.

National level -agencies
The status of internal audit at agencies level differs between countries.Mention of internal auditing can be found in laws and/or regulations in Finland, Iceland, Norway and Sweden.Many of the largest agencies in Finland, Norway and Sweden have their own internal audit unit.But there are very few internal audit units at agencies level in Denmark and Iceland.Table 4 below provides comparison on agencies level.

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries

Regulatory basis
The basis for internal auditing in Finland is in the Budget Act (423/1988) and the State Budget Decree (1243/1992).An amendment to the State Budget Decree regarding the operation of internal auditing was adopted in the year 2000 (Amendment 263/2000).These provisions apply for both ministries and agencies.
As mentioned in the previous discussion, in the State Budget Decree (1243/1992), in sections 70, 69, 69a, it is stated that it is optional for the management at agency level to set up an internal audit unit, based on the situation of internal control within the respective agency.In some cases, the relevant audit unit at ministry level has made a recommendation to an agency that it should consider establishing an internal audit unit.Some agencies have established an internal audit unit, in order to meet the requirement

STJÓRNMÁL
& STJÓRNSÝSLA of the European Commission for internal auditing in connection with grants or funding received from the EU, as mentioned earlier.
In Iceland, as mentioned before, a new law entered into force on January 1, 2016, the Public Finance Act No. 123/2015, where Article 65 stipulates that central government entities (ministries and agencies) shall have an internal audit.Four public agencies have internal audit units that have been operating for several years, namely the Directorate of Customs, the Police, the Icelandic Road and Coastal Administration (IRCA), and the University of Iceland.The foundation for the existence of internal audit unit for these four agencies rests on a recommendation from the Icelandic National Audit Office and their existence is based on management decision.
Internal auditing is not mentioned in the law in Norway.The Minister of Finance issued an ordinance (Finansdepartementet 2016, Rundskriv R-117) on internal audit for government agencies, which entered into force October 1, 2016.In section 4 it reads as follows: The agency may use internal audit as part of the management and control system of the organization.Agencies that have total expenses or aggregate revenues above NOK 300 million shall assess whether they should apply internal audit.The requirement for such assessment does not apply to the ministries (Finansdepartementet 2016, Rundskriv R-117, Section 4).
Internal auditing is not mentioned in the law in Sweden.In 2006, the Government issued a new updated Internal Audit Ordinance (2006).This ordinance states the obligations that an internal audit unit is required to follow.The decision on establishing and setting up an internal audit unit is made by the government and regulated by or with instructions or rules for each agency.There are no formal criteria in the ordinance regarding which kinds of agencies need to have an internal audit unit.The Swedish National Financial Management Authority (ESV) has published Guidelines on Internal Auditing for central government agencies, with unofficial (internal) criteria used by the government departments.The criteria are: -Large cash flows -Total costs (operating costs and transfers) exceeding SEK 1 billion -Balance sheet total of at least SEK 1 billion -The number of staff amounts to at least 1000 employees.(Ekonomistyrningsverket 2014, 11) In addition to these criteria, the EU regulatory framework, which requires certain activities to be covered by internal audit, must be taken into account.Also, some criteria are mentioned which refer to complexity, risk, delegation line, etc.An internal audit unit is considered to be established when there is an internal auditor, a Chief Audit Executive, employed by the authority.

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries The Swedish National Financial Management Authority (ESV) has an oversight role for the public internal audit.The ESV issues an annual report on the status of internal audit, and draws attention to the main findings of the internal audit and follow-up on external quality assessments.This annual report is submitted to the Ministry of Finance, since ESV falls under the area of responsibility of the Ministry of Finance.
Denmark has no laws or regulations that make it mandatory to have an internal audit unit, or recommend that an agency should consider establishing an internal audit function.
As mentioned earlier, the National Audit Office (Rigsrevisionen) used to have an agreement on internal auditing with several agencies, but it was mainly limited to financial auditing.In June 2016, the contract was terminated and it was up to each agency if they would choose to establish an internal audit function or not.
Structure/set-up Finland has a dual set-up, a decentralized and centralized structure, at the national agencies level.A central audit unit within a ministry is in some cases responsible for internal auditing for their respective agencies.There are 14 out of 48 government agencies that have an audit unit or have employed at least one full time internal auditor (Finnish National Audit Office 2017).
Sweden has a decentralized structure.There are 69 agencies out of about 250 agencies in total, that have their own internal audit, together these 69 agencies comprise 90 percent of the state budget (Riksrevisionen 2017).
Norway has a decentralized structure, with some exceptions.There are 15 agencies with in-house internal audit unit, 14 outsourced, and 13 with other types of arrangement for internal audit units.That includes, as mentioned earlier, four agencies under the Ministry of Defence that have a contract for internal audit services with the central audit units at ministry level.
Denmark has a dual set-up, a centralized and decentralized structure.Some agencies have their own internal audit department, for example in the field of agriculture and the Police.Some agencies still have a contract with the National Audit Office.As mentioned before, some ministries are responsible for internal auditing for the agencies that fall under the respective ministry.For example the Ministry of Finance in Denmark has an internal audit oversight role for its five agencies: the Agency for the Modernization of Public Administration, the National Center for Public Sector Innovation, the Agency for Digitization, the Agency for Governmental Administration, and the Agency for Governmental IT Services.In Denmark some ministries have a similar function or role as agencies have in other countries, such as in the Ministry of Taxation, with a wide scope for services.
Iceland has a decentralized structure.There are internal audit units within the four agencies already mentioned: the Directorate of Customs, the Police, the Icelandic Road and Coastal Administration (IRCA) and the University of Iceland.

STJÓRNMÁL & STJÓRNSÝSLA
Use of IIA standards Requirements to follow the IIA standards are not mentioned in any laws and/or regulations, except in the Public Finance Act in Iceland.It is usually only stated that recognized standards for internal audit shall be applied.
For example the Swedish Ordinance (2006Ordinance ( , 1228)), section 7, mentions that internal auditing shall be conducted in accordance with good internal audit practice.The guidelines published by the Swedish National Financial Management Authority (ESV) recommend the use of the IIA standards, and also that external quality assessment of internal audit units should be conducted on a five year basis.
In section 5.3 in the Norwegian Ordinance it is stated that the use of recognized standards is mandatory.The IIA standards are recognized, but it is also mentioned that other recognized standards can be used if that is considered to be more appropriate (Finansdepartementet 2016, Rundskriv R-117).
In Sweden most of the internal audit units have been subjected to external quality assessment in conformity with the IIA standards.In Finland and Norway, external quality assessment of several agencies has been conducted, but this has not been done in Denmark and Iceland.
In practice all the internal audit units are using the IIA standards as a guideline.In Denmark the IIA standards are recognized, but another standard, The Good Public Audit Standard, issued by the Danish National Audit Office, is in use, although not mandatory.

Reporting line
All of the agencies report to the head of the agency, to the management in question and those that are subject to the audit.Also, some of the internal auditors within agencies, that have a board or supervisory board, report to that board.Some agencies mentioned that they also submit the report to the ministries that govern the respective agencies.In Denmark, for those agencies that have a contract with the Danish National Audit Office, their reports are submitted to that office (NAO).In Iceland some of the agencies submit the reports to the Icelandic National Audit Office.

Public report
In Norway, Denmark, and Iceland, the reports at agencies level are generally not public.In some cases it was mentioned that if access to the report was requested, it could be made public, depending on the subject.However, in Sweden the reports are public if they are not actively classified, and a few of the agencies publish them on their website.In Iceland, one agency mentioned that the major findings were accessible to the staff on the in-house network.In Finland it varies between agencies whether or not reports are public.

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries

Regional level
The governmental structure on the regional level varies between the Nordic countries.It seems that over the last years there has been a trend in strengthening the regional government level.Regions (counties) have been merged, they are thus getting bigger, and their capacity to embrace stronger roles and obligations concerning public services has thus increased.It is rather complicated to compare the regional level between the Nordic countries, since its structure and scope varies so much.There are several different types of set-up on the regional level and also some cooperation between counties and municipalities, especially in the field of operating the health care services.Norway and Finland are the only countries that apply internal audit for the regional level.

Finland
At the moment there are no laws concerning internal auditing for the regional level.Around 12 regional hospital districts have internal audit units with at least one person.
For example the Hospital District of Helsinki and Uusimaa, HUS, is a regional district, a Joint Authority, formed by 24 municipalities with a population of 1,6 million.HUS is the second largest employer in Finland with more than 22 thousand employees.There is one internal audit unit with three staff members.The HUS internal audit is placed directly under the Chief Executive Officer (CEO) within the organizational chart.The internal audit office reports to the heads of the organizations and those that are subject to the audit, but occasionally an annual summary is presented to the board.The reports are generally not public.The IIA standards are recognized and in use.
The Finnish government has submitted a bill to the Finish Parliament with a proposal for major government reform on the regional (county) level.It is proposed that Finland should be divided into 18 regions, with new defined responsibilities and a formal governmental structure within each region.All social and health care services, as well as many other types of services, which were provided on the municipal level, will be moved to the regional level, such as environment, planning, promoting enterprises, etc. Chapter 45 of this bill concerns internal audit.According to the section, the regional (Landskap) government shall organize an independent internal audit of the region (Regeringens proposition RP 15/2017rd).
The purpose of this bill is to ensure that the internal control of the region functions properly.However, in the Regions Act, the proposal does not include any further provisions on the model under which internal audit is to be organized.It can be organized for example as an activity in the region itself, or in collaboration with other regions or obtained from an external service provider (Regeringens proposition RP 15/2017rd).
The aim is to have this bill passed in Parliament in spring 2018, and the social services and regional government reform in Finland should be in force in 2020.There have been some political debates about this bill and it seems that there will be some delay in passing it through the parliament.

Norway
Norway is divided into four health regions which means that within each health region there is some cooperation between counties, and each region has an internal audit function.The foundation for the health regions is based on the Regulations on Governance and Quality Improvement in the Health Sector (2017) and the Act on Health Trusts (Helseforetaksloven), 2001 (LOV-2001-06-15-93n).In Article 37 of the Act it is stipulated that it is mandatory to have an internal audit function: Regional Health Authorities shall establish an independent and objective internal audit.Internal audit shall, through a systematic and structured method and confirmation, contribute to improving risk management, internal control and corporate governance.Internal Audit shall report functionally to the Board and administratively to the General Manager.The internal audit shall also include the health trusts owned by the regional Health Authorities and the conclusion and follow-up of agreements with other service providers.Internal auditing shall be conducted in accordance with recognized standards and continuous monitoring of the business (The Act on Health Trusts 2001, article 37).
As an example, the South-Eastern Norway Regional Health Authority (Helse Sør-Øst RHF) internal audit will be described.The South Eastern Regional Authority provides health services for a population of 2,9 million -about 57% of the total population, and has about 78.200 employees.The internal audit unit is a centralized, independent function, as in a parent company, with 11 underlying subsidiaries, which all have internal audit units.It is an important factor for the central audit unit to have the oversight role and cooperation with all of the internal audit units within each subsidiary.The central function has a staff of 11 auditors, including the Chief Audit Executive (CAE).In addition, temporary auditors are hired from subsidiaries with specialized health competences (medical science, psychology, pharmacy, etc).The central internal audit unit is independent and reports functionally to the audit committee (6-7 meetings a year) and also to the board.The audit reports are made public on the organization website.

Local government level
The status of internal audit at local government level varies between the Nordic countries.There is an internal audit department in all the capital cities, except Stockholm.The City of Stockholm does not have a separate unit for internal auditing, but there is a City Audit Office.According to the reports that are published on their website, there seems to be some overlapping in the nature of their responsibilities with the types of work that internal audit units perform.
Finland is the only country that also has internal audit units in several other municipalities, as about 20 municipalities operate internal audit unit functions.However, there has been some discussion among municipalities in Iceland about internal auditing, or

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries finding some solution for smaller municipalities, f.ex.by establishing a central unit that could serve more than one municipality.
The discussion here focuses on the capital cities.The highest government level within the cities is usually based on two steps, the city council, with all the elected representatives, and the executive council, with fewer representatives from the council.There are differences in the use of the word for executive council, as in Oslo it is called "city government" and in Helsinki it is called "board".In this paper the term "executive council" will be used for the concept.

Regulatory basis
There are no specific requirements regarding internal auditing in local government legislation in any of the countries that have internal audit units within the capital cities.
The foundation for internal audit units is based on a city council decision.It is interesting to notice that Helsinki, Reykjavík and Copenhagen all have gone through a policy reform regarding the structure for audit, which has implemented separation between internal and external audit.In 1998, a new internal audit unit was set up in Helsinki, and external auditing was outsourced.The same was done in 2003 in Reykjavík, when external auditing was outsourced and a new internal audit unit was established.On January 1, 2009 a new internal audit unit was set up in Copenhagen and external auditing was also outsourced.

STJÓRNMÁL & STJÓRNSÝSLA
The internal audit unit in Oslo was established 1992 by a city council decision.The external audit is not outsourced, and is at the responsibility of the Office of the City Auditor.

Structure/ set-up
In Copenhagen the audit unit is placed under the city council.In Reykjavík it is placed under the executive council.The Helsinki audit unit is placed at the central administration under the City Executive Office.The Oslo internal audit unit is placed at the office of the Governing Mayor.All those internal audit units have a charter or ordinance that defines their independence.
All the audit units are responsible for the auditing of core city government services or core public entities.But regarding subsidiaries, the role of internal audit varies between cities.In some of the cities, internal audit units are not responsible for internal audit within subsidiaries or enterprises.
The internal audit unit in Reykjavík has an oversight role for the consolidated Reykjavík Group.The unit is responsible for the internal auditing of the core city government and most of the subsidiaries, except two, which have outsourced their internal audit.In those cases there is cooperation between the internal audit service providers for the subsidiaries and the Reykjavík City central internal audit unit.One of the biggest subsidiaries used to have a one person internal audit unit, but at present the City of Reykjavík is responsible for their internal audit.
The Helsinki internal audit unit has an oversight role for the municipal enterprises and the subsidiaries of Helsinki City Group except for Port of Helsinki and Helen Ltd, which have outsourced internal audit.
The need for improved information flow between internal audit in subsidiaries and internal audit at the city internal audit office was mentioned in some interviews.
The size of the audit units varies.The internal audit unit in Helsinki city has 15 staff members: the head of internal audit, 13 internal auditors, and one secretary.Six persons have a CIA degree and one has a CISA degree.The Oslo internal audit unit has five employees, two with CIA and one with CISA, but all have a Norwegian national certification diploma.The internal audit office in Reykjavík has a staff of eight , thereof one with CIA and one with CISA.The Copenhagen internal audit office has 12 staff members, in addition to three staff members working at the Data Protection Officer (DPO) unit, which is placed at the Copenhagen internal audit office.
There have been some discussions among internal auditors on whether it is appropriate that the DPO officer is placed at the internal audit unit or not.The Chief Internal Auditor at the City of Copenhagen has undertaken the responsibility to be head of the DPO function.

Use of IIA standards
The IIA standards are very well recognized and in use in all cities, except Copenhagen, where they are recognized, but not much in use.Other standards, such as IAS, FSR and

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries the "Good Public Audit Standard", issued by the Danish National Audit Office, are generally in use.
The Helsinki city internal audit unit has undergone external quality assessment and conforms to the standard.The City of Reykjavík internal audit unit has also undergone external quality assessment.

Reporting line
The internal audit unit in Copenhagen reports to the management subject to the audit, and to the Audit Committee, Economic Committees, Professional Committees and External Auditors.The Audit Committee is represented by elected politicians.The internal audit unit in Reykjavík reports to the management subject to the audit, the City Executive Council and the Audit Committee, and to the board of subsidiaries in question.In some cases the reports have been placed on the Agenda of Council meetings.
The head of the internal audit unit in Helsinki reports to the management subject to the audit and to the Mayor, and once a year a report is submitted to the City Executive Council.The internal audit of Helsinki does not report to the City Audit Committee.
The Oslo internal audit unit reports to the heads of the various departments and the management subject to the audit.The audit plan and the annual report are presented to the Executive Council.

Public report
In Helsinki the audit reports are generally public, but the audit reports have an appendix, containing more detailed information, which is not made public.At the City of Reykjavík the audit reports are generally public, although in some cases they may not be, depending on the issue.The subsidiaries reports are generally not public, but some are made public, depending on the issue.In Oslo the reports of planned audit assignments are only made public upon request.The internal audit reports in Copenhagen are not made public directly from the Internal Audit Office, but the reports are on the agenda of the City Committees and are thus available on the website.

Internal auditing -value and challenges
Even though the status of internal audit differs between the Nordic countries the differences between the countries are not necessarily very apparent in the answers to the questionnaire and the interviews, when it comes to values and challenges faced.Therefore, there will be a summarized discussion on this matter in this section and no comparison table provided.
Most of those who answered the questionnaire said that governance assurance, strategy, and compliance auditing are the issues taking most of their time, but clearly IT auditing is a growing part of internal auditing.Some internal audit units have the responsibility for a hotline, which includes fraud detection and investigation, which can be a time consuming task.Some IA units are still working considerably on finance auditing.Risk Anna Margrét Jóhannesdóttir Stina Nilsson Kristiansson Niina Sipiläinen Riikka Koivunen

STJÓRNMÁL
& STJÓRNSÝSLA management is more like a horizontal issue that touches all aspects of the audit work, but there are also specific risk management audits and consulting work on that matter.

Value adding
Both in the interviews and in the replies to the questionnaire, several issues were mentioned concerning the value that internal auditing adds to the organization.The audit work focuses on contributing to the achievement of the objectives of the organization by identifying risk areas and putting forward recommendations for improvement of the operation.The internal auditor reports to the politician, political representative, board and management, in order to provide them with assurance on the status of internal control.Information about control system effectiveness and risks gives management an increased awareness of the importance of effective internal control and good governance, as well as helping them to maintain a high level of internal control within their field of their responsibilities.
There exist two recent surveys regarding the management attitudes towards the value adding role of internal audit.The Swedish National Financial Management Authority (ESV) published the findings of a survey in 2017, concerning the benefits and support that internal audit contributes to government management.The answers provided indicate that the central management is very positive towards internal audit, and the work is considered to be of use and support for the management and the organization as a whole.About 85 percent of those who answered said that the internal audit is valuable for the organization, and that the internal audit contributes to improvements in both control and management processes.Also, communication between management and internal auditing is considered to be good (Ekonomistyrningsverket 2017).
The National Audit Office in Finland also conducted a survey in 2017 about the value and support that internal audit provides to the organization.About 50% of the answers did fully agree that internal audit brings additional value and support to the management, another 30% found some value in internal auditing for the management and 20% more or less did not find any value of internal audit (Finnish National Audit Office 2017).
Many of the answers to the questionnaire and many of the interviewees in this study mentioned that the existence of internal audit units provides an overview of the organization's operation and makes them able to perform cross unit checks, for example COSO framework assessments on the status on internal controls and risk management.Internal audit units are also able to provide insights to the board and top management regarding governance and risk management.As one said: "We are almost the only unit within our organization who has an overview of the risks".
Better overview and recommendations are preventive control measures in order to reduce risks, improve processes, foresee "hot topics", as one said: "in our audits we highlight important issues and recommend actions that management should take into consideration and improve the organization's operation and processes."Several auditors mentioned that their work

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in the public sector -comparative study between the Nordic countries helps in order to gain a better output of the external audits: "We find many problems while they are small -and get addressed before external audit comes".
In some organizations, internal audit plays a consulting and facilitating role, especially when it comes to risk management.Having an internal audit unit demonstrates that the organization is committed to ethical conduct.

Challenges
One of the goals of this study was to identify the challenges that audit units face.Several challenges were identified in this study: Scope and complexity of the organization and its environment.The scope of the audit universe is big and faced with rapid changes, also in many cases where the size of the audit unit is very small in relation to the size of the organization.Handling the diversity of the nature of work, evaluating the effectiveness of control systems, risk management and governance issues, is a challenge.Building up a balanced audit plan is also a challenge, i.e. pinpointing the risk that needs to be looked into, as well as meeting the expectations of the board or council and top management.
Overlapping of work.In some cases there are some overlaps of works with functions that fall under the organizational second line of defence and the blurred line between the separation of responsibilities between internal and external auditing, and other audit units.In some organizations the National Audit Office conducts an audit or there is an external audit, or financial audit function, which can overlap with the work of the internal auditor.Therefore the division of roles and obligations between these units and the internal audit needs to be clarified in order to prevent overlaps.
Budget strain.Audit units face a constant competition for resources, as well as a demand for cost cutting and keeping the number of employees down.Small audit units with small resources within a large organization are faced with considerable risk areas.In the Finnish NAO report on internal control it was mentioned that 32% of internal auditors said that they did not have sufficient resources in relation to the audit universe and the size of auditees (Finnish National Audit Office 2017).
Size -quality challenges for IA Unit.It is a challenge to operate a one person audit unit, which often has limited budgetary resources to buy services for co-sourcing and/or various audit tools.A one person audit unit has difficulties in upholding quality, such as reviewing reports and possessing the necessary knowledge and experience in all aspects of the operation of the organization, especially with limited resources, in addition to implementing the internal and external assessments required by the IIA standards.Internal auditing is a very extensive field.It must be noted that there is a rather high proportion of one employee internal audit units in the Nordic countries.This issue, having only one person employed in an audit unit, is a risk factor and therefore a weakness (Swedish National Audit Office 2017).
Staffing.Availability of competent staff, as well as being able to attract and keep competent personnel, and also recruiting professional colleagues, is a challenge.The audit unit of today faces new requirements in the field of internal auditing, with demands for qualified personnel with an IT-oriented background.Developing, broadening and strengthening our expertise in line with development of the organization and new risk areas is always a challenge.
Status (independence) and organization culture.In some cases a challenge can be found in the position of the internal audit within the organizational chart.If not next to the board or political representative, then there can in some cases be no or very limited direct relations with the board and/or the audit committee.Also, some highly qualified experts within the organization want to be independent and are reluctant to be subject to monitoring or internal audit engagement.
New obligations -whistleblowing hotline / investigations -DPO function.This is a new project that demands time and attention.Some audit units are for example responsible for the "Whistleblowing Hotline" and experience a strong increase in the workload in connection with whistleblowing investigations.Also, there have been some discussions whether the DPO (Data Protection Officer), which all organizations and entities are required to have in accordance with the new General Data Protection Regulation that will enter into force in the EU in May 2018, should be placed within the internal audit unit.
Public report.There is a demand for transparency and trust within the government.The publication of audit reports supports the demanded transparency within the government.At the same time it is a challenge to present reports that contain information based on trust with the employees in question.Also, the possibility that an audit report might be referred to in the media gives rise to challenging issues, such as the presentation of findings and the wording used in the report, knowing that it might be used in headlines in the media.

Conclusion and opportunities for further development
In this study, internal audit within the public sector was compared between the Nordic countries on four levels: National level -ministries, National level -agencies, Regional level and Local government level.The present status of internal auditing varies between these countries.Finland and Norway have internal audit units within all four levels.Denmark has internal audit units on national ministry level, agencies level and in local government.Sweden has internal audit units on national ministry level and agencies level, and Iceland on agencies and local government levels.
The use of the International standards, IIA, is common among all the operating internal audit units.In all of these countries the IIA standards are well recognized and in use, but they are less used in Denmark, where the Good Public Audit Standard, issued by the Danish NAO, is more widely used.
There is a common understanding on the added value that internal audit provides regarding oversight and insight into the operations of the organizations.Internal auditors are able to give the board/politician (elected representative) and top management an assurance on the status of internal control and governance and risk management, as well as raising awareness for the importance of keeping up with high quality internal

STJÓRNMÁL & STJÓRNSÝSLA
Internal audit in public sector -comparative study between the Nordic countries control.Recommendations from internal audit units have preventive control effects and contribute to helping the organizations to achieve their goals.

Policy and regulatory framework
There is a notable difference in the approach towards policy setting for internal audit within the public sector between these countries.In several instances an obligation for internal audit is laid down in laws and regulations.The issues that need to be addressed for further development of internal audit within the public sector are as follows: ➣ Policy making regarding internal audit is needed in all levels of the public sector.
The regulatory framework is strongest for national agencies but the status of internal audit at regional and local government levels is weak.However, examples can be found in other countries, e.g.UK and USA.➣ Strengthen the regulatory basis for internal audit in the Nordic countries.There are opportunities to harmonize the laws and regulations in the Nordic countries, that address the need and obligations for internal auditing.It would be interesting to see what can be learned from the private sector regarding the legal framework and regulations on internal auditing.➣ Defining -Who is doing what?In this process it is necessary to view the whole picture of the audit world.Define who is doing what and prevent overlaps.It is important to promote cooperation and coordination between different audit parties, in order to avoid redundant work and ensure that the auditing of the public sector is efficient and effective.➣ Use the opportunity that international cooperation can provide for policymaking, such as cooperation between the European Confederation of Institutes of Internal Auditing (ECIIA) and the International Organization of Supreme Audit Institutions (INTO SAI).These organizations have signed an agreement under a memorandum of understanding, which promotes closer cooperation between internal and external audit in the public sector, as well as an improved understanding of the role of each other, that can lead to less overlapping and mutual benefit from each other's works.

The set up and model for internal audit
There are differences in structure and set-up of the operation of internal audit in the Nordic countries.The set-up is in many cases either centralized or decentralized.In some cases there is a mixture of both.A further elaboration on the criteria and types of set-up that would be most suitable for the operation of internal audit units should be addressed: ➣ Model for internal audit and criteria.It is important to set up several types of options for operating internal audit units.The set-up needs to be looked into, especially regarding one-person internal audit units, as there is some risk regarding the Anna Margrét Jóhannesdóttir Stina Nilsson Kristiansson Niina Sipiläinen Riikka Koivunen

STJÓRNMÁL & STJÓRNSÝSLA
maintenance of the quality of the operation, as mentioned earlier.Therefore it is interesting to study options that could better meet the needs of smaller organizations, which have a narrower scope and smaller budget, for example a centralized internal audit unit that could serve several smaller organizations.A sectoral approach could be an interesting model, as for example a ministry having agreements with its respective agencies in the same sector.Also, a central unit that is responsible for internal audit for several smaller towns/municipalities.

Status of internal audit
The status of internal audit unit needs to be addressed.The public sector environment faces some challenges that are different compared to the private sector, especially regarding the reporting line and the demand for public reports.The status of internal auditors is in some cases challenging, as well as getting their voices heard, and the reporting line needs in some cases to be strengthened towards the top level, audit committee, board, and/or political representative.The status of the audit in the organizational chart and reporting lines should be at the top level, in order to ensure objectivity and independence as required in the IIA standards.
➣ Reporting line within the public sector can be complicated, due to the governmental structure.Most of the internal audit units report directly to the head of the organization.Regarding organizations with an audit committee and or a board, the access to these highest levels varies between internal audit units.It should be considered to strengthen the reporting line towards the top level and give instructions for the government sector on that matter.➣ Public report.It varies considerably whether audit reports are public or not.The issue whether reports and findings should be public or not possesses a challenge, but the requirement for public government transparency is pressuring the demand for public reports.➣ It is important to mention the demand for quality assessment that is stated in the IIA standard.Several IA units in Sweden and Norway have been subject to external quality assessment in accordance with the recommendations of the IIA standards, but only few in Finland and Iceland, and none in Denmark.This is an important factor for creating a stronger status for internal audit.
Foundations for further development can consist of increased cooperation between the Nordic countries and learning from each others' experience in implementing internal audit within the public sector.Also, harmonizing the laws and regulations for internal audit within these countries.Important issues that need to be addressed are the policy, regulatory framework and models for the set-up for the operation of internal audit.

Table 2 .
Internal audit -comparison between the Nordic countries

Table 3 .
Internal audit -comparison of set-up at national ministry level

Table 4 .
Internal audit -comparison at national agencies level

Table 5 .
Internal audit -comparison between capital cities, local government level