INTRODUCTION

INTOSAI’s focus on internal control in the audit context is pointed out in ISSAI 100: Fundamental Principles of Public Sector Auditing as one of key bases for “ understanding of the nature of the entity/programme to be audited ” [ISSAI 100, paragraph 47. ] . Without that, it seems impossible for SAIs to effectively serve their audit purpose, identified by the Lima Declaration as " indispensable part of a regulatory system " [Lima Declaration (INTOSAI-P 1), Section 1: Purpose of Audit.] . In such terms, understanding relevant internal controls can be helpful to SAI auditors: because it is a necessary step to properly asses risks of the entity or programme and because the design of internal controls reflects management’s response to identified risks. [ISSAI 100, paragraph 48. ]

In this Guidance, internal control is understood as a process effected by a public entity’s oversight body, board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the public entity’s objectives relating to its mission, its public services, its functioning, its reporting on these aspects and its compliance with relevant laws and regulations. Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, and objectives of the entity, and to safeguard against possible threats that might prevent their achievement. Controls, which are established within the components of internal control, are interrelated and may support multiple principles and entity objectives. [This definition has been partially based on COSO 2013 and the US GAO Greenbook.]

In day to day practice, internal control is key for government to make sure that public services are delivered in an effective and efficient manner, that risks of misuse or abuse of public money are sufficiently reduced, and that all activities are well accounted for by the responsible entities. Given the role SAIs have, by means of audit, to foster the proper functioning of the government and its accountability therefore, it is important that SAIs pay attention to the control measures that are essential for proper functioning and accounting.

Understanding relevant internal controls means that a SAI obtains a clear view on which internal controls are key for ensuring the deliveries and mitigating the risks of the entity (or program) to be audited. It will vary from situation to situation. For instance, for an audit of a subsidy program, the internal controls on preventing misuse and on gaining reliable evaluation information on the effectiveness of the program might be key. In the case of long term public infrastructure works, the internal control over the quality of the legal contracts, the proper tendering processes, the controls over the risks of possible fraudulent or corrupt acting of the contracting authorities, and the independent inspection of services and deliveries of the work in progress might be key. To be able to identify the relevant internal controls, the auditor needs to have a clear understanding not only of the involved entity or program, but also of the controls that might be expected to be in place; hence, sound knowledge of norms, criteria and frameworks.

The International Organization of Supreme Audit Institutions (INTOSAI) benefits here, to a great extent, from the works on the internal control concept by other worldwide professional organizations like: COSO, IFAC, CIPFA or OECD. INTOSAI member, US GAO, issued an important practical implementation of the fundamental COSO work: Standards for Internal Control in the Federal Government (better known as the Green Book ). [U.S. Government Accountability Office, Standards for Internal Control in the Federal Government, GAO-25-107721 (Washington, D.C.: May 2025). The Green Book can be accessed at www.gao.gov/greenbook. ] With this Guidance, the INTOSAI Internal Control Standards Subcommittee (ICS) would like to make the next step in practical application of internal control – by drawing special attention to its fundamental elements: internal controls.

While planning an audit, auditors determine whether, and which elements of, internal controls are significant to audit objectives. If internal control is significant to the audit objectives, auditors obtain an understanding of the relevant internal control. SAI auditors can use knowledge of internal control to gain additional information that can be used to confirm facts or data analyses, and to improve the effectiveness of their audit. Specifically, they can use the information to understand the entity's control context, including the design and implementation of relevant policies and procedures (“control activities”) in the audited areas. They can also use this information to identify areas of higher risk and to tailor the audit procedures accordingly to address those risks. Furthermore, obtaining knowledge of internal control is necessary to allow auditors to properly assess the reliability of internal controls and the risk of material predicaments, like misstatements in financial statements. By understanding the entity's internal control system, auditors can choose appropriate audit procedures to meet their objectives, help ensure that financial reporting is sound, and provide value-adding services to the entity.

OBJECTIVE OF THIS GUIDANCE

This Guidance aims to help auditors of Supreme Audit Institutions (SAI) understand the concept of internal control and to show them how to recognize and assess the design, implementation, and operating effectiveness of internal controls as necessary to address the audit objectives.

Direct goals of the Guidance are then to:

• Provide understanding of the need for SAI auditors to consider and analyze (when significant to audit objectives) the relevance of internal control in the scope of their audits.

• Establish a control-oriented approach to audited subjects.

• Support auditors in 'decompiling’ entities, organizations, projects and processes to identify relevant internal controls and related risks.

• Promote standardized terminology of managerial control mechanisms – supporting structured representation of knowledge about audited subjects and fostering shared understanding of control related terms and their meanings across different audits.

• Support knowledge management to the benefit of SAI audits by developing ability to better use SAI audit reports and other digitalized contents available.

As a result, the motivation behind this Guidance is to provide its users with support for:

• Audit programs, findings, recommendations and reports.

• Communication with SAI stakeholders.

• Further development of the internal control concept.

• Cross-cut analyses leading to audit lifecycle enhancement.

UNDERSTANDING INTERNAL CONTROL

Internal control is, in the first place, a managerial concept – although this Guidance adopts primarily an auditor’s point of view. It makes an important difference, yet it does not contradict the objective of the Guidance. As part of an audit, auditors obtain an understanding of the entity, the program, and more broadly: the activity, the organization and information systems that they audit, as well as the managers’ and employees’ perspective.

Internal Control Frameworks and Standards

The concept of internal control, and controls, are extensively discussed across the domain of business science and it is a subject of numerous standards and guidance. The following paragraphs discuss some of the primary frameworks that management of the audited entity may use when designing and implementing a system of internal control.

COSO and GAO

COSO [Committee of Sponsoring Organizations of the Treadway Commission.] Internal Control – Integrated Framework is a fundamental work of the domain, which since 1992 has been supporting organizations in designing, implementing, and operating systems of internal control. As it is emphasized: “ Internal controls have value beyond compliance and external financial reporting. Effective internal controls can help an organization articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information ”.

The United States Government Accountability Office (GAO) in its Green Book adapted the COSO framework to the government environment. Here, internal control is understood as “ a process effected by an entity’s oversight body, management, and other personnel designed to provide reasonable assurance that the objectives of an entity will be achieved (…) Internal control comprises the plans, methods, policies, procedures, and other mechanisms used to fulfill the mission, strategic plan, goals, and objectives of the entity ”. Management sets the entity’s objectives, implements controls, and evaluates the internal control system and thus internal control serves as the first line of defense in safeguarding assets and securing information. Thus, an internal control system is always effected by people and designed to provide reasonable, but not absolute assurance, that an entity’s objectives will be achieved. [The Green Book, GAO-25-107721, can be accessed at www.gao.gov/greenbook.]

IFAC

The International Federation of Accountants (IFAC) is another influential organization that recognizes the special significance of internal control. In its Evaluating and Improving Internal Control in Organizations , IFAC underlines that " internal control is a crucial aspect of an organization’s governance system and ability to manage risk, and is fundamental to supporting the achievement of an organization’s objectives and creating, enhancing, and protecting stakeholder value ". IFAC notes that the right kind of internal controls enables an organization to capitalize on opportunities while offsetting the threats, thus saving time and money, and promoting the creation and preservation of value. The document concludes that effective internal control also creates a competitive advantage, as an organization with effective controls can take on additional risk. [Evaluating and Improving Internal Control in Organizations, IFAC, 2012, paragraph 2.1.]

IAASB

IFAC provides financial auditors with standards through its independent standard setting body: the International Auditing and Assurance Standards Board (IAASB) . The Identifying and Assessing the Risks of Material Misstatement (ISA 315) and Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (ISA 265) belong to the most crucial internal control related pronouncements developed by IAASB.

IFAC and CIPFA

In their jointly developed framework [International Framework: Good Governance in the Public Sector, July 2014 by IFAC and CIPFA.] , IFAC and the Chartered Institute of Public Finance and Accountancy (CIPFA) emphasize the role of internal control in good governance in the public sector: “ Internal control supports a public sector entity in achieving its objectives by managing its risks while complying with rules, regulations, and organizational policies ” [Paragraph F3.] . Thus, public sector entities’ governing bodies should set the risk management strategies and internal control policies through, among others: operational processes, information practices, decision making, conformance with applicable laws and regulations, safeguarding the entity’s resources and information systems, monitoring, and internal audit.

OECD

Even more emphasis on public administration in application of internal control is put by the Organisation for Economic Co-operation and Development (OECD) . On its webpage OECD states that: “ Robust internal control and risk management systems are essential for upholding public integrity. Effective frameworks reduce vulnerability to fraud and corruption by providing reasonable assurance that the organisation is achieving its objectives and managing risk, and help to ensure value for money by ensuring governments are optimally delivering programmes ”. The statement is followed by extensive publications regarding both national level pronouncements and methodologies related to the OECD mission.

IIA

The Institute of Internal Auditors (IIA) published, in September 2024, the updated version of its Three Lines Model depicting structures, processes and roles in the achievement of organizations objectives, governance and risk management. [The IIA’s Three Lines Model, an Update of the Three Lines of Defense, September 2024. ] An important objective of this position paper is to depict the position and ‘third line’ role of internal audit in an organization. This position paper also depicts management’s first line roles (provision of products and services) and second line roles (expertise, support and monitoring), and addresses the way in which these three lines relate to the governance roles of the board. This framework can provide SAIs with guidance on which actors to address within the audited entity. More explanation of this model is provided in the ICS Guidance on Cooperation with Internal Auditors. [See: https://www.psc-intosai.org/projects/ics-guidance-on-cooperation-with-internal-auditors/]

ICS

This Guidance provides the perspective of SAIs, with an aim to help them review internal control systems and thus support good governance across the public sector. Taking the above definitions and methodologies into account, the following key characteristics of internal control can be considered:

Purpose driven – internal control is not control for its own sake, but it is rather tailored to support its entity (organization, project, program, activity) in achieving its objectives, first of all: operational effectiveness and efficiency, reliable reporting, compliance with laws, regulations and branch standards.

Systemic nature - Internal control is woven into the fabric of entity’s daily, as well as mid- and long-term operations by official decisions of responsible management, rather than existing as a standalone mechanism.

Human-centered - though large part of the internal control system can be automated, and while they are often associated with documents, policies, and organizational mechanics, crucial roles depend on humans, their abilities, professional judgment, ethics and integrity.

From information to activities – if an entity can be compared to an organism, internal control can be broadly compared to its nerve system, which reacts to data and signals and selects an optimal type of activity.

Evolving – the system requires appropriate level of balance between stability and dynamics to respond properly to changing risks, technologies, and organizational environment. A well-designed internal control system looks for its own weaknesses and possible refinements. It is always exposed to bipolar risks of: too increased bureaucracy, rigidity, lost opportunities on one hand, and non-transparency, chaotic organization, reduced accountability, errors or even fraud – on the other.

Assurance, not guarantee – no system can eliminate all risks or errors, the managerial goal is to reduce their occurrence to acceptable levels.

Within the previous framework of INTOSAI standards, the ICS issued guidance designed to help public sector entities and SAIs identify, implement, and report on internal control. [See INTOSAI GOV 9100, Guidelines for Internal Control Standards for the Public Sector (2004); INTOSAI GOV 9110, Guidance for Reporting on the Effectiveness of Internal Controls: SAI Experiences (1997); INTOSAI GOV 9120, Internal Control: Providing a Foundation for Accountability in Government (2001); and INTOSAI GOV, Guidelines for Internal Control Standards for the Public Sector- Further Information on Entity Risk Management (2004). ]

Controls in organizations

To better understand the reality of an organization’s internal control system, it is necessary to gain a deeper insight into controls – the crucial constituents of the system. In line with the GAO Green Book: policies reflect management or oversight body statements of what is expected to be done, and procedures consist of actions that implement policies. Policies and procedures that establish controls are a subset of the entity's overall policies and procedures. Management establishes controls to effect relevant principles within each component of internal control. Controls are interrelated and may support multiple principles and entity objectives. Control activities are actions that management establishes through policies and procedures as part of the control activities component to specifically mitigate risks to achieving the entity's objectives to acceptable levels. Thus, policies and procedures embed controls, and the controls embed control activities [The Green Book, GAO-25-107721, www.gao.gov/greenbook.The relationship between policies and procedures, controls, and control activities is depicted by Figure 3, page 7.] .

In many cases, individual control activities will differ, depending on the sector and the specific activity, but frequently similarities and common features also exist which can be observed and analyzed.

In other words, controls can be understood as elements used repeatedly to build, modify and operate organizations. Controls form a system of activities, mechanisms and their parts – which make the fabric of an organization, its processes, projects and operations or individual activities. It means that they are, by definition, a very broad set of phenomena – which can be difficult to encompass. During their engagements, auditors encounter controls all the time, so they need to understand their key characteristics. The following list is not exhaustive, but comprises these features of controls that are usually to be considered.

Role of controls

Thanks to understanding of the different roles that controls have, auditors can identify controls relevant for their audits. A properly designed and implemented internal control system allows an organization to:

• Help achieve its objectives.

• Compare actual performance against required targets.

• Help detect deviations.

• Provide feedback.

• Rectify situations that led to failures.

• Help adjust targets, rules, standards etc.

• Establish authority.

Hierarchy

Each organization incorporates internal control systems that are more or less formalized, and more or less defined. The systems in place can be seen through organizations’ components: structures, projects, operations and processes, which are executed through controls of various levels. Understanding the hierarchy of an organization is the first step in recognizing multilevel and interdependent components and their control categories, from cross-control notions to individual controls. In other words, analyzing the internal control system requires distinguishing and detailed understanding of the organization’s governance and operations.

Categories

Controls – element by element and part by part – constitute a control system, but most often they are themselves complex and interconnected structures:

• Fundamental organizational domains like: governance, management, development, operations or acquisition, logistics, etc. are cross-control notions. They are based on policies and procedures, which include controls of various level and require their interrelations.

• The domains could not function without manifold groups of controls, required to conduct design, to make decisions, to perform work activities, to coordinate and to monitor them.

• Each of the groups contains individual controls. They can be compound , e.g. a communication protocol used by the coordination function. Parts of compound controls can be called single or basic controls – in other words, controls to safeguard the proper execution of single activities, e.g. registering start of work, or marking a milestone in a project.

Phases

Assessing the proper functioning of phase oriented controls can be very helpful when conducting an audit of large scale projects. These controls hence can be observed by the auditor at particular stages of a project or a development, which are:

• Setting main objectives

• Design

• Tests

• Implementation

• Operation

• Monitoring and measurement

• Evaluation

• Re-designing and refinement

• Closure (if appropriate)

Structure

Depending on the type of control, there may be various aspects of the control structure that can be relevant to the audit objectives. For instance, in audits regarding the processes of providing public services, in which several public entities are involved in a delivery chain or network, auditors may consider:

• Construction schemes.

• Facets or parts.

• The actions that controls perform, or the actions that have to be performed to operate the controls.

• Subject and operator.

• Dependencies in connection with other controls.

• The organizational level of their application (from strategic level decisions, to detailed organizational controls, like entry time registering).

• Input – output – outcome.

• Costs – at each stage – from design and construction to closure – management should identify costs incurred in the design, operation, and maintenance of the internal control system; some costs may be so small that they are not identified and thus not included in management’s cost/benefit assessment of individual control activities. However, this does not mean that these costs do not exist.

• A matter for management’s consideration will be the controls’ effectiveness (how proper, applicable and ‘well fit for the purpose’ they are), as well as efficiency (cost/benefit assessment).

Types

Basic typologies can be as follows:

• By level of an organization: strategic (for instance, milestones and goals tied to strategy execution), and operational (related to practical implementation of the strategy, and encompassing all mechanisms responsible for the organization’s everyday functioning).

• By way of impact: direct (for instance a step-by-step instruction), through parameters (indicating level of expected results), through influence (for instance, by frequent examples of behaviour typical for an organization’s culture).

• By type of action: preventive (to avoid certain risks), ensuring (to obtain certain results), detective (to explain what happened), corrective (to recover if an error happened).

• By nature of trigger: event-driven (to be executed in certain conditions, for instance, in case of emergency), time-driven (to be executed at or after certain time, for instance, annual reporting).

Functions

Controls have an impact on various activities, both on those that are basic for organizations and on those more general for their functioning:

• Access, including identification, authentication, and authorization.

• Cognition, for instance, in monitoring or review.

• Communication: informing, discussing or just signaling things.

• Decisions, for instance, starting or ending a project.

• Instructions (step-by-step, narrative, conditional etc.) providing users with guidance on how to do something or how to behave in specific situations.

• Institutional knowledge, including documentation or databases.

• Regulations in various organizational environments: from service design to legal provisions.

• Verification, including one or a series of checks.

Resistance to control

Employees will usually accept reasonable controls or even request controls which add to the feeling of justice or equal opportunities. But by definition, people appreciate more to be free than to be controlled. It means that controls have also a phycological aspect, involving the feeling of personal dignity. As such it varies across cultures and depends on many factors, including urgency, risk or threats to an organization. All experienced managers are, however, aware of the fundamental contradiction between freedom and control, and – to manage effectively – they try to find pragmatic solutions and introduce controls in a way that can be accepted by staff. Thus, the approach of those charged with governance and management towards this issue will, to a great extent, influence the culture of an organization. These behavioural realities are of course very difficult to quantify and assess, but awareness of the existing balance between acceptance and resistance, can be useful also from the auditor’s point of view to better understand background conditions of control activities.

AUDIT CONTEXT

Depending on its significance to audit objectives, gaining an understanding of an auditee’s internal control system and the work of particular controls in the context of organizational structures, projects, activities and processes, can be helpful in auditing. Focus on specific internal controls during an audit provides significant benefits, including reduced audit risk on specific elements, improved reporting, and enhanced stakeholder confidence. However, it requires careful execution to avoid pitfalls such as over-reliance, cost escalation, or misaligned expectations. A balanced approach, integrating internal control assessment with substantive testing, is essential to maximize benefits and mitigate risks.

Control oriented approach to an audit

Understanding the audited entity is fundamental for quality and effectiveness of auditing. At the same time - using the internal control logic – it can be stated that: understanding operations means understanding what the entity does to achieve its goals. Thus, an approach oriented on understanding and using practical knowledge of control mechanisms can be applied at all stages of an audit.

Lifecycle

Control mechanisms can be similar in various entities, projects, activities and processes. Thus, it seems effective to analyse them not only when preparing individual audits. Auditors may gain a general understanding of potential control deficiencies by reviewing publicly available reports of completed audits of similar entities. The efficiency of such cyclic analyses depends on the strength of knowledge management, and it also helps to improve it.

Pre-audit assessment

The pre-audit assessment phase covers the fundamental requirement to obtain an “ understanding of the nature of the entity/programme to be audited ” [ISSAI 100: Fundamental Principles of Public Sector Auditing, paragraph 47.] . Understanding the audited entities (projects, programs, etc.) and their respective domains of activity includes their internal control systems. By thoroughly evaluating the entity in its environment, its processes, and key internal controls, auditors design a tailored audit approach that maximizes efficiency, addresses key risks, and adds value to the entity.

Audit planning

The internal control based audit planning focuses on the control system and its critical elements relevant for the audit objectives, but also on its organizational context. The knowledge of the particular topic and entity can be accompanied by an analysis of audit reports previously issued by the SAI, and publicly available audit reports from other audit organizations. Experience in a broader set of entities and domains can be used in such a planning process – what counts is the similarity of control structure, not necessarily operations of the of entity or the branch [See below: Examination strategies.] . The analysis needs proper understanding of the fact that, while some controls may be universal, programmatic controls can vary widely between different programs and particular agencies.

Conducting an audit

As a minimum, when conducting a control oriented audit, the following are covered:

• A review of the internal control system design.

• Walkthroughs of key processes, with special attention to key controls.

• Identification of potential control weaknesses or gaps.

• Impact of the internal control system on core activities, including consideration of previously identified internal control deficiencies that are relevant to audit objectives.

Reporting and follow-up

As already mentioned, when describing findings and expressing an audit opinion it is most often necessary to link control related observations with context knowledge. Thus, in the case of reporting and follow-up, flaws in the internal control system can be crucial for identifying causes of the operational domain problems found. Knowledge of these aspects might be of special interest to those charged with governance, like audit committees and supervisory bodies. Apart from supporting their work in general, control focused findings and recommendations can be more informative and, consequently, more effective.

Audit database

Standard elements of internal control can be used to organize a SAI’s knowledge of previously conducted audits. A database of audits, if maintained and updated properly, can provide an organization with an input to a control based problem analysis, and it can support concepts of new audits. An example of such a practical application of an audit database is the Control space of e-government [Project of EUROSAI IT Working Group (egov.nik.gov.pl) , supporting also Audit Reports Collection of the INTOSAI Working Group on IT Audit (wgita.intosaicommunity.net/audit-collection/). ] .

Benefits of using Internal Control in Auditing

The benefits of including relevant internal control assessments in audits can be divided into global benefits and those related to an individual audit. Global benefits improve audits in a longer term because they:

• Improve communication between auditors and auditees, because auditors are using the terminology of the internal control framework used by management.

• Increase consistency of reporting by audit teams using a similar terminology.

• Support analyses and usage of audit reports, which adds value to SAIs’ knowledge management.

• Enhance stakeholders’ acknowledgement of the added value of the audits by clarifying the actions needed for improvement of governance and control.

Individual audits that use the knowledge of internal control and controls can be:

• Better targeted – by being more precise in identifying the causes of problems revealed.

• More effective – by focusing on the weaknesses of the audited areas.

• More efficient – through reducing audit costs since well-designed internal controls reduce the risk of material misstatements, which potentially allows auditors to reduce the extent of substantive testing.

• Easier to share – control related matters tend to be similar across various branches and domains, which makes the learning curve less steep for the audit team members.

Risks

Control based audits require care to avoid:

• Inherent limitation of internal control, which by definition reduces, but cannot eliminate all risks, particularly those involving collusion, management override, or human error.

• Unrealistic stakeholder expectations – audits can assess and report on increases or decreases in the number or magnitude of internal control deficiencies or fraud, but they cannot guarantee their total absence, even if no internal control deficiencies are identified and reported.

• Overly narrow audit scope – reduced to management technicalities and thus ineffective, by undervaluing specific issues related to core processes of audited activities.

• Overly detailed audit – controls can consist of great volumes of sub-elements, which need overview and risk based selection – without that they can overload reviewers with extensive work on details.

• Inconsistent or deficient application of the approach, based on insufficient analysis of the audited internal control system and its key controls.

RELEVANCE OF INTERNAL CONTROL IN AUDITING

This chapter presents a practical approach to the system of internal control and strategies for using it in auditing. An analysis of the audited entity, its environment, internal controls, and controls in process can be done in many ways, depending on audit objectives, time and resources.

To apply any of them, SAI auditors need, first of all, to understand the management’s point of view. The way management has implemented controls in various phases of a program or activity can be then effectively taken into account during the audit. In practice, this Guidance suggests analyzing the following universal sets of elements:

• Organizational environment: with a special focus on public interest fundamental values.

• Entity: operating model, strategies, structures, resources and mechanisms involved in achieving organizational objectives and values processing.

• Processes by which the entity operates to achieve its objectives, including controls of various complexity.

Examination strategies

A general overview of the subject of an audit – which can be an entity (or organization), a program, a set of activities, etc. – is usually the first step of preparations. It is often based on experience and materials collected, which include the results of previous audits related to the same or similar subject.

Top-down: System assessment

Evaluating the entire internal control system requires a well-established internal control methodology. In the case of public administration, GAO’s Green Book [https://www.gao.gov/greenbook] can be recommended as a set of standards that provide “ managers criteria for designing, implementing, and operating an effective internal control system ”. Depending on depth of analysis, this can be the most demanding strategy in terms of audit time and resources. On the other hand, it will most probably provide auditors with an insight into the organization, which can be useful not only for the current audit, but also for future audits of the entity.

Bottom-up: Issues analysis

An alternative approach is to begin an analysis by examining already known issues. This involves identifying controls that have failed to function as intended, and then tracing their position and role within the entity.

By working through these controls systematically, from simple to more complex structures and organizational processes, auditors can gain a deeper understanding of the actual alignment of the organizational strategy with core capitals and values.

Here the cost of the audit will not depend on the number and scale of findings – the control analysis will just help to connect them with causes and potential risks, and then to describe them in a more consistent way.

Vulnerable controls review

Even without knowing much about specific problems of particular entities, a list of controls that are most vulnerable to deficiencies can be prepared based on findings of other audits.

In terms of resources, this approach helps save time that is needed to prepare an audit analysis, and it can be applied to audits which, for some reasons, require a quick start.

Horizontal comparison of domains

Another approach is to compare domains of activity that share similar challenges.

By examining common issues that arise in these interdependent domains (like IT, infrastructure and research in the above example), auditors can formulate analytical hypotheses about potential risks associated with planning of such projects, like inadequate user consultation.

This strategy can provide audit teams of various fields, with control-based, more efficient communication. Its main goal will usually be to obtain more synergy from cross-sectional analysis.

Other strategies

The list of potential strategies is not exhaustive – in practice, control-based audits often involve combining the above examination methods with targeted tests and evaluations tailored to the specific type of the actual audit.

Organizational Control Terminology

The notions used later in this chapter provides SAIs with a set of standardized concepts, related to control systems, individual controls, organizational functions, and key parts of organizational environment. This set, along with its detailed technical components, can be used in automated content analysis, training material development, and the creation of expert audit tools. Thus, a more distant aim is followed in this Guidance: supporting managerial control ontology [https://www.ontotext.com/knowledgehub/fundamentals/what-are-ontologies/ ] considered as a key technology enabling semantic interoperability and integration of data and processes.

Entity in its environment

Understanding an internal control system and working with it requires knowledge of the entity (organization) or program, and their results. It is crucial, however, not to limit the scope of comprehension to the entities under examination. A broader context is usually essential for an overview of an entity and its internal control system because it shapes the risks the entity faces, informs strategic goals, and determines regulatory requirements. Only when recognizing the meaning of the context, and its key features, both managers and auditors can be sure that internal controls are aligned with the organizational environment, culture, and objectives, making them more effective and relevant. Without proper rapport with the professional environment, controls may be misaligned, inefficient, or fail to address key risks.

To discuss the entity in its environment, the notion of value has to be applied. In this Guidance, the concept of value covers its material and monetary meaning, but also a broader sense, in which value relates to a kind of priority , worth or importance for societies regarding crucial conditions of their existence, especially those depending on governments and public administration activities [An approach parallel to the one of Integrated Reporting Framework.] .

Organizations in context of their professional environment can be depicted as “value processing” machineries. In such a perspective, an organization takes from the environment inputs – such as finance and assets, natural resources, information and knowledge, human capital and other forms of capitals. Organizations operate within a system of regulation imposed by governments and regulatory bodies, which for the sake of safety of the whole system, define the boundaries within which organizations operate. Values of various kind received in this way are then processed through organizations’ internal systems (including staff, technology, and controls), and on the output side – values for stakeholders are created. Areas of public interest – public safety, health, economic, social, technological, legal, cultural, etc. – shape both what is considered valuable and how value is processed and delivered. Public administration will be especially determined to support values like well-being of society, including expectations around fairness, transparency, sustainability, and ethical conduct. Refinements of the regulatory system will also often result from its activities. Similarly, public entities will be in an interaction with the natural environment – improving it, or deteriorating it as a result. Internal control systems of these entities, then, act as mechanisms to ensure that value processing goes efficiently, ethically, and in alignment with strategic goals.

Thus, a general overview of an entity usually covers the following:

• Organizational environment, which creates conditions for the organization to function, and provides it with various values, understood in a broad way described above.

• The very entity, with its structures, objectives and activities, which processes the values.

• Outputs and outcomes, which result in transforming, enlarging or reducing the values, and at the same time provide the entity with means that influence its potential.

When planning an audit, auditors obtain an understanding of the nature of the program, or program component under audit, and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program may include:

• Visibility, sensitivity, and relevant risks associated with the program under audit.

• Age of the program or changes in its condition.

• Size of the program in terms of total outlays, number of citizens affected, or other measures.

• Level and extent of review, or other forms of independent oversight.

• Program’s strategic plan and objectives.

• External factors or conditions that can directly affect the program.

Having in mind the broad meaning of values mentioned above, the following list of basic notions, based on a review of SAI audit reports [The main source is the EUROSAI ITWG project: egov.nik.gov.pl.] , may be taken into account for internal control analysis purposes:

The notions used in the figure above are briefly discussed below.

Community

Values related to fairness and equal opportunities ensure that all individuals can participate fully and contribute meaningfully to the society. SAIs will often be interested in governments’ efforts to protect and foster transparency, social cohesion and a commitment to the common good, because together these values uphold the stability, resilience, and integrity across the national community. Closely related notions, which can be helpful in identifying the community set of values, can be the following:

• Safety – refers to the protection of individuals and communities from harm—whether physical, emotional, environmental, or digital. Regulations in areas like food safety, transportation, cybersecurity and workplace health are often considered essential to preventing accidents and maintaining public trust.

• Well-being – encompasses not just physical health, but also mental, emotional, and social welfare. Policies that ensure access to healthcare, education, housing, and social support systems contribute to the overall quality of life and happiness of citizens.

• Reputation – reflects how institutions, governments, or businesses are perceived by the public. A social licence to operate refers to the informal acceptance and approval granted by society. Maintaining ethical behaviour, environmental responsibility, and transparency is essential for sustaining this trust.

• Accountability – means that individuals and institutions are answerable for their actions and decisions. Mechanisms such as oversight bodies, audits, public reporting, and democratic processes ensure that power is exercised responsibly and fairly.

• Learning and growth – involves fostering continuous development of skills, knowledge and innovation. This is not only a matter of personal plans and ambitions, but also a feature which is critical for societal resilience and adaptation.

• Advancement opportunities – refers to individuals’ ability to improve their economic, social, or professional standing. Equal access to jobs, education, training, and entrepreneurship helps reduce inequality and supports social mobility and inclusion.

• Professional engagement – is about individuals feeling connected, valued, and involved in their work or societal roles. This includes participating in decision-making, adhering to professional ethics, and contributing meaningfully to collective goals.

Stakeholders

Stakeholders are individuals, groups, or organizations that have an interest in or are affected by the actions, decisions, or outcomes of a particular entity, such as a government, business, or community initiative. In the context of SAI audits, stakeholders can include:

• Citizens – the primary beneficiaries of policies and services. In the context of digital government and public service delivery, citizens often take on the role of customers or users of digital services.

• Government institutions and entities – responsible for creating and implementing laws and programs and related to the SAI audit.

• Lawmakers – whose primary role is to create, debate, and pass laws that reflect the will and needs of the people.

• Media – which inform the public, shape public discourse and to some extent represent citizens’ feelings, doubts and expectations.

• Non-governmental organizations ( NGOs ) and civic or community groups – that advocate for social, environmental, or human rights issues, organize grassroots participation and support local needs.

• International bodies – when global cooperation or obligations are involved.

• Businesses , employers and shareholders – who influence and are influenced by economic and labour policies.

Regulatory system

A system of laws and regulations provides a framework of rules and standards that help maintain order, protect rights, and ensure fairness in social, economic, and environmental interactions. SAIs’ findings prove that with poorly operating regulatory systems, power imbalances and exploitation, conflicts are more likely to arise, threatening national trust and cohesion.

• Laws – provide a formal legal framework that defines rights, responsibilities, and consequences for individuals and institutions.

• Operational regulations – more detailed rules that specify how laws are implemented and enforced in practice, often created by regulatory agencies.

• Norms and standards – can be obligatory or voluntary, and help to ensure consistency, security and quality across sectors and professions.

• Government strategies – outline long-term goals and priorities, guiding action in areas like economic development, climate adaptation, or digital transformation. Government policies set specific directions for how objectives will be achieved, often translating strategy into actionable plans and resource allocation.

Finance

The backbone of government operations, enabling effective governance and the delivery of public services. Historically, examining the financial reporting was a starting point for many SAIs. Even if the scope of some SAIs audits is much broader, the public finance remains a primary focus of the state auditing. This very broad area involves most often:

• State budget – involves forecasting revenue, planning expenditures, and ensuring that funds are allocated to essential services.

• Support by international organizations – for instance: the International Monetary Fund (IMF), World Bank, United Nations Development Programme (UNDP) or programs of the European Union (EU) can support governments in various ways. Financial assistance, technical assistance and capacity building are the most popular forms.

• Subsidies – financial aid, direct or indirect, provided by the government to support specific sectors or activities, which influences economic stability, social welfare, market efficiency, etc.

• Grants – non-repayable funds provided by the government or other entities to support specific projects or initiatives. They usually aim to improve public services, to provide economic stimulus, or to enhance community development.

• Revenue collection and other means generated by public entities and state owned companies.

• Public debt – also known as government debt or sovereign debt, refers to the total amount of the money that a government owes to external creditors and domestic lenders.

Area of public interest

The backbone of government operations, enabling effective governance and the delivery of public services. Historically, examining the financial reporting was a starting point for many SAIs. Even if the scope of some SAIs audits is much broader, the public finance remains a primary focus of the state auditing. This very broad area involves most often:

• State budget – involves forecasting revenue, planning expenditures, and ensuring that funds are allocated to essential services.

• Support by international organizations – for instance: the International Monetary Fund (IMF), World Bank, United Nations Development Programme (UNDP) or programs of the European Union (EU) can support governments in various ways. Financial assistance, technical assistance and capacity building are the most popular forms.

• Subsidies – financial aid, direct or indirect, provided by the government to support specific sectors or activities, which influences economic stability, social welfare, market efficiency, etc.

• Grants – non-repayable funds provided by the government or other entities to support specific projects or initiatives. They usually aim to improve public services, to provide economic stimulus, or to enhance community development.

• Revenue collection and other means generated by public entities and state owned companies.

• Public debt – also known as government debt or sovereign debt, refers to the total amount of the money that a government owes to external creditors and domestic lenders.

Domain knowledge

Specific expertise, understanding, and knowledge of a particular area or field of operations encompasses the unique characteristics, challenges, and requirements of the domain, as well as the relevant laws, regulations, policies, and procedures. The knowledge is essential for experts, officials, auditors, and other stakeholders to effectively operate, manage, oversee, and evaluate government entities, programs and activities. It can be characterized by the following, often interconnected, features:

• Industry-specific – knowledge specific to a particular industry or sector, including understanding of industry trends, regulations, and best practices.

• Technical – expertise in the technical aspects of a domain, such as mechanics, construction, programming languages, telecommunication technologies, voting systems, or engineering principles.

• Procedural – knowledge of procedures, protocols, and workflows associated with a domain, including policies, regulations, and standard operating procedures.

• Conceptual – understanding of the underlying concepts, principles, and theories that govern a domain, including philosophies, models, frameworks and background of best practices.

• Factual – knowledge of specific facts, data and their interpretation, as well as information related to a domain, including statistics, research findings, and historical context.

Human capital

If community related values emphasize the individuals’ and groups’ expectations and ambitions, the human capital notion represents the employers’ point of view. It refers to the skills, knowledge, experience and abilities of human resources, which can be used to create value in an entity, or in whole economy. SAI audits often refer to the presumption that organizations enlarge their capacities, among others, by investing in human capital to attract, retain, and motivate employees.

• Skills – the specific abilities and competencies that employees possess.

• Performance – the level of productivity, efficiency and effectiveness with which employees contribute to an entity.

• Attitude – the mindset, motivation and work ethics of individuals, which can impact their job satisfaction, engagement, learning abilities and overall performance.

• Competitive advantage – the unique combination of skills, knowledge, and experience provided by teams of employees, which can give organizations a competitive edge. This feature is most often applied to companies, but can be also helpful in public administration to understand the role of human capital in effectiveness of particular programs or entities, especially when compared across the international perspective.

• Problem-solving – the ability to analyze complex problems, identify solutions, and implement effective strategies.

• Innovation – the capacity of teams to generate new ideas, products, or services that can drive growth, improvement, and differentiation.

• Knowledge and skills retention – the ability of entities to retain and apply knowledge and skills of their employees over time, which is critical for long-term success and adaptability in a rapidly changing environment. It is often perceived as a problem issue in the public administration, and thus is a trigger to develop knowledge management systems.

Assets

Valuable resources related to public interest. Finance and nature have been listed as separate forms of assets, and other assets covered by this notion refer to the basic categories of current - fixed assets, tangible - intangible assets etc.

Nature

Vital components of a nation's wealth and well-being, encompassed by the world's stock of natural resources. They are indispensable for both economic stability and environmental health. They require careful management and conservation to continue providing their invaluable services:

• Air

• Water

• Land

• Flora and fauna

• Mineral resources

• Ecosystem.

Assessing Internal Control in an Audit

The understanding of the nature of the entity (organization), or the program under audit, allows an auditor to determine if, and to what degree, internal control is significant to the audit objectives. When internal control is significant to the audit objectives, auditors obtain an understanding of relevant internal control. This assists auditors in identifying an audited entity’s key controls relevant to the audit objectives. Key controls are those controls that are necessary to achieve the entity’s control objectives, and that provide reasonable assurance of achieving the entity’s objectives. Key controls often have one or both of the following characteristics:

• Their failure may significantly affect the achievement of the entity’s objectives if not detected in a timely manner by other controls.

• Their operation may prevent or detect other control failures before they have an opportunity to become significant to the achievement of the entity’s objectives.

When internal control is significant to the audit objectives, the auditor determines the level of internal control assessment necessary to address the audit objectives. The levels of internal control assessments are the following:

• Assessing the design.

• Assessing the design and implementation.

• Assessing the design, implementation, and operating effectiveness.

A control cannot be effectively implemented if it has not been effectively designed. A control cannot operate effectively if it has not been effectively designed and implemented.

The design of internal control is assessed by determining whether controls individually and in combination are capable of achieving an objective and addressing the related risk. The implementation of internal control is assessed by determining if the control exists as designed and has been placed into operation. The operating effectiveness of internal control is assessed by determining whether controls achieved their objective and were applied at relevant times during the period under assessment, the consistency with which they were applied, and by whom or by what means they were applied.

During the assessment of each control, an auditor may identify deficiencies. A deficiency in an internal control exists when the design, implementation, or operation of the control do not allow management or personnel to achieve control objectives and address related risks. A deficiency in design exists when a necessary control is missing or has not been properly designed, so even if the control operates as designed, the control objective is not met. A deficiency in implementation exists when a control has been properly designed, but it has not been implemented correctly in the internal control system. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed, or the person performing the control does not have the necessary competence or authority to perform the control effectively.

Internal Control Deficiencies

Internal control deficiencies are evaluated for significance within the context of the audit objectives. Deficiencies are evaluated both on an individual basis and in the aggregate. Consideration is given to the correlation among deficiencies. This evaluation and the audit work performed form the basis of the auditors’ decision whether, individually or in combination, the deficiencies are significant within the context of the audit objectives.

Determining whether deficiencies are significant within the context of the audit objectives involves evaluating the following factors:

• Magnitude of impact – refers to the likely effect that the deficiency could have on the entity achieving its objectives, and is affected by factors such as the size, pace, and duration of the deficiency’s impact. A deficiency may be more significant to one objective than to another.

• Likelihood of occurrence – refers to the possibility of a deficiency impacting an entity’s ability to achieve its objectives.

• Nature of the deficiency – involves factors such as the degree of subjectivity involved with the deficiency and whether the deficiency arises from fraud or misconduct.

Internal control deficiencies are a type of finding. When determining the cause of internal control deficiencies, it may be helpful for auditors to perform an analysis to identify the root cause of the deficiencies. Identifying the root causes of internal control deficiencies may strengthen the quality of auditors’ recommendations for corrective actions.

Control map of an entity

Organizations differ from one another in many respects. They have their individual and branch characteristics, including mandate, structures, and roles, which also affect their internal control structures. At the same time, however, they use similar, repeatable elements of processes and structures that constitute organizational activities. For instance, it is natural that a Ministry of Education differs in its activities from a Tax Office. Both of them, however, require strategic goals, translated into operational projects and followed by more detailed planning procedures. In both cases, an effective coordination, clear responsibility management or monitoring are necessary conditions for success.

Processing structure

An organizational structure encompasses operating units, operational processes, and other structures that management uses to achieve the objectives. The objectives concern usually values [See above: Organization in its environment.] of various kind that can be:

• Transformed, for instance budgetary resources are transformed into higher quality and better accessibility of education – thanks to activities, among others, of the Ministry of Education, or

• Increased, for instance the state budget volume – thanks to, among others, the Tax Office.

In practice entities create services or products and, at the same time, they build their own potential. Their governance, management, core work and auxiliary components are operated by a control system which can be analysed more in-depth through its subsystems, main functions, as well as controls of various complexity.

In case of organizational failures, which to a great extent depend on the quality of the internal control system, the values transformed by entities can be lower than expected, and in some cases there is a reduction instead of an increase.

Controls in process

Analysis of controls in the subsequent stages of the operational processes can be very helpful when a SAI wants to gain insight in potential causes of failures in public services delivery. For the needs of this Guidance, a simplified universal model of organizational processes is used. Even if many organizational processes are complex and multilevel, and their stages can partially overlap with one another, the simplified model below can help auditors to identify and distinguish key managerial functions and controls involved, as well as their position in the process. Understanding of these managerial functions and controls, in their organizational context, can support the auditor in identifying potential causes of findings during the audit.

Functions and related controls can be grouped in the following way:

• Functions covering all phases.

• Initial phase (concept and preparations).

• Performance phase (core-work and accompanying processes).

• Process completion (delivery and final steps).

Functions applied to all stages

The following four functions are applied across the whole process:

Coordination

Coordination is deliberate and systematic alignment of efforts, activities and resources among different individuals, teams, units and entities, aimed to achieve common goals and objectives. It involves harmonization of diverse functions, tasks, and responsibilities to ensure that the entity operates cohesively and efficiently. Successful coordination requires clear communication channels, well-defined roles and responsibilities, collaboration mechanisms, and strategic planning. It aims to minimize redundancy, to prevent conflicts, and to optimize the use of resources, fostering a unified and synchronized approach to work. Coordination is fundamental for achieving organizational effectiveness, promoting synergy among various elements, and responding adaptively to internal and external challenges. It encompasses both formal structures and informal processes that enable seamless collaboration and contribute to the overall success of the entity.

Communication

Especially in public sector organizations, communication can be characterized as a vital and complex element that permeates all levels and aspects. Internal and external communication serves as the foundation for coordination, collaboration and overall functioning of the organizational structure, and for the trust that external stakeholders (parliament, citizens) put in public entities.

Documentation

Documentation refers to the collection of written materials that detail an entity’s policies, procedures, guidelines and records. It ensures consistent communication, supports decision-making, and serves as a reference for legal, operational and administrative activities within the entity.

Reporting

Reporting is the process of presenting information about various aspects of an entity's operations, performance, finances, and other relevant metrics. Reporting provides stakeholders, such as government, regulatory bodies, citizens/clients, advisory boards, executives, managers, public oversight authorities, etc., with insights into the entity's (organization’s, strategy’s, program’s, project’s) current status, progress towards goals, and areas that may require attention or improvement. Effective reporting serves as the basis for identifying trends, patterns and areas for improvement. It facilitates informed decision-making, strategic planning and accountability to the public.

Stage-oriented functions

Next come the functions that apply to the different stages in the process:

Initial phase

The initial planning and preparation phase can sometimes be a lengthy and resource consuming process. It is always heavily influenced by the nature of the activity, project type or entity’s characteristics. Thus it is beneficial to look only for these fundamentals of the phase that allow for initiating the core work in the following phase.

Goal-setting

The process of establishing clear and specific objectives that align with the overall strategic requirements of the entity (mission and vision) involves defining measurable targets, outlining realistic timelines, and ensuring that the objectives set are challenging, yet achievable. Effective objective-setting provides a roadmap for individuals and teams, guiding their actions and efforts toward desired outcomes. It serves as a fundamental framework for decision-making, resource allocation, and performance evaluation within the entity. Clear communication of these objectives is crucial to fostering alignment and motivation among stakeholders, and to facilitating a focused and purposeful pursuit of success.

Design

An entity’s operational process design refers to a systematic approach to analyzing, mapping and optimizing the sequence of tasks, activities and workflows within an organization or across a project/program to achieve desired outcomes and objectives efficiently. It involves identifying key processes, understanding their interdependencies, and strategically redesigning them to enhance productivity, quality and public satisfaction with services, while minimizing waste and costs.

An effective operational process design also involves considering risk management principles to identify, assess, and mitigate potential risks associated with process changes. By integrating risk management practices into the design phase, entities can anticipate and address potential challenges, in this way ensuring that process improvements are implemented in a way that minimizes disruption and enhances resilience against unforeseen events.

Responsibility

Responsibility is the ability to clearly define roles and accountabilities to individuals or teams in an organizational environment. It needs to be in line with the entities’s mission goals and joined with the authority to carry these out successfully. In addition to completing duties as assigned, responsibility usually includes proactive identification and mitigation of risks, such as waste of effort or fraud potential. Properly managed responsibility will be supported by clear documentation, oversight procedures, and good communication. It serves as the foundation of organizational effectiveness, directing resource allocation, performance evaluation and decision-making, while encouraging flexibility and ongoing development in the service of strategic objectives. Responsibilities of individuals, teams and units, when mapped onto the entire entity, produce the organizational structure as an output.

Guidance

In the context of the entity’s activities, guidance refers to the direction, advice, or instruction provided to individuals, teams, or the entire organization to help them achieve specific objectives, improve performance, or navigate challenges. This can come from a variety of sources, including legislation, guidance from involved authorities, leadership, consultants, or external advisors, and it can cover a range of areas such as strategy, operations, finance, or compliance. Guidance can be formal, like through consulting reports or structured mentorship programs, or informal, such as advice given in meetings, or through feedback sessions.

Training

Training is the process of developing employees' skills, knowledge, and abilities to improve job performance and support career growth. It involves structured programs or activities designed to enhance competencies, to adapt to new technologies or processes, and to align them with organizational goals. Training can take various forms, such as workshops, on-the-job training, e-learning, or seminars.

Work processes

The core part of the process is performed at this stage, which typically involves the transformation of inputs into public services. This phase is central to processing and delivering the types of value that the entity deals with. It will often require technologies, methodologies and practices typical for particular branch of public administration.

For instance, in a Ministry of Health the production phase refers to the implementation of health services, programs, and interventions that directly impact public health outcomes. This phase translates health related strategic goals of government, its policies and budgets into real-world medical services, disease prevention efforts, and health system support.

On the other hand, in a Customs Office, the production phase involves the execution of border control, trade regulation, and revenue collection functions. This is where customs policies and laws are operationalized to regulate the movement of goods across borders while facilitating legitimate trade and ensuring national security.

Monitoring

Monitoring of the entity’s processes – both in industrial production and in public administration – is usually rooted in the initial phase decisions and expected result indicators. It involves a systematic observation, analysis, and oversight of various activities and workflows within the entity to ensure efficiency, effectiveness, and compliance with established objectives. This ongoing surveillance includes identifying bottlenecks and evaluating overall performance to facilitate informed decision-making and continuous improvement. By employing monitoring tools and methodologies, organizations can optimize their processes, enhance efficacy, and respond promptly to emerging challenges, ultimately contributing to the overall success and sustainability of the entity.

Procedures

Procedures are normative descriptions of step-by-step activities, involving appropriate structures, roles, resources and tools, as well as outputs to be produced.

Tools

Tools in the context of organizational processes can refer to the methods, systems, frameworks and strategies that entities use to achieve their goals, to optimize performance, and to manage their operations. These tools go beyond physical equipment and include non-tangible resources that help entities function more effectively.

Core work

Core work primarily includes activities or functions that align with the entity’s mission and objectives. These are the essential tasks or services the entity performs to achieve its goals. Core work typically includes key operations, product or service delivery, value creation, and activities that directly impact the entity's success and sustainability.

Testing

Organizations conduct various testing activities to ensure the effectiveness, quality, and compliance in their operations. These may include quality assurance ( QA ) testing to meet quality standards, compliance testing to adhere to regulations, and user acceptance testing ( UAT ) to verify user requirements. Processes and risk management can be assessed, while performance and security testing evaluate system stability and data protection. These activities help identify issues, ensure compliance, and improve overall outcomes.

Incident management

The process involves handling incidents—unplanned interruptions or reductions in quality of IT or other services—to restore normal service operation as quickly as possible. Problem management is closely related to incident management, it focuses on addressing the root causes of incidents to prevent them from recurring.

An incident is an unplanned interruption or reduction in the quality of services, whereas a problem is the underlying cause of one or more incidents.

Completion of process

The process is usually closed when results are achieved. Other possible reasons can be depletion of resources, staffing problems, or just a decision by management. A properly closed successful process will, however, not only provide information on its results, but it will also prepare grounds for further processes in the course of handover and lessons learned.

Product

Product in a public entity is the tangible or intangible output that fulfils the entity’s objectives and requirements. It represents the end result or deliverable that the entity is designed to create, such as public health services, road facilities or policy reports on how to respond to the issues of increasing housing shortage. The nature of product can vary widely depending on the type of entity. It is usually clearly defined and serves as a marker for strategy achievements, delivering value to the stakeholders, or fulfilling a specific purpose.

The critical characteristics of a product, especially in the context of it being the final output of a project, refer to the key attributes that ensure the product fulfils its intended purpose and meets stakeholders’ expectations. These characteristics can be categorized based on quality, functionality, alignment with goals, and stakeholders’ needs.

Results review

After the main execution of the process, it is important to verify whether the outcomes meet the required quality standards and criteria. It usually includes:

• Conducting quality assurance checks.

• Comparing results against predefined standards or key performance indicators (KPIs).

• Identifying any errors, defects, or non-conformities.

Handover

The process formally ends in this stage, with the outputs being delivered, handed over, or transferred to the next stage in the broader workflow, or to the final recipient, e.g., citizens as customers of public services, stakeholders, or other (internal) departments of the government.

Process optimization

Based on the evaluation, feedback, and performance data, process optimization involves refining or re-engineering the process to enhance its efficiency, effectiveness, and adaptability. Identification of the areas for optimization, like automating certain steps, or removing bottlenecks, serves further processes. Thus, this final step of an analyzed process is at the same time a crucial element of the organizational works life-cycle.