Internal audit and risk management in public health organizations in Portugal

ORIGINAL ARTICLE

RIBEIRO, Renor Antonio Antunes ^[1]

RIBEIRO, Renor Antonio Antunes. Internal audit and risk management in public health organizations in Portugal. Revista Científica Multidisciplinar Núcleo do Conhecimento. Year 05, Ed. 12, Vol. 06, pp. 138-151. December 2020. ISSN: 2448-0959, Access link: https://www.nucleodoconhecimento.com.br/business-administration/public-health-organizations

ABSTRACT

Constant technological changes, as well as the recent global economic crises, have led organizations to develop their governance mechanisms, in order to mitigate risks and better manage the events that cause negative impacts. In the health sector, there is constant concern about the capacity of these organizations to achieve their objectives, considering the risk of collapse in the system, resulting from the emergence of new pandemics. Indeed, several organizations at the international level have been dedicated to developing regulations for the management of all risks that may jeopardize the functioning of organizations, whether they are public or private. Internal audit is a component of the fundamental internal control system for risk management, which must carry out its activities in accordance with international standards and legal regulations, assessing the organization’s risk management and internal controls. In order to know the role of internal audit in risk management in eight organizations in the health sector in Portugal, national legislation, applicable international standards and literature related to the subject were studied, with emphasis on the results of research. empirical. Then, interviews were conducted with eight (8) internal auditors, in order to find out whether the activities of internal audit in these organizations, in the perception of the interviewees, are in line with international standards and with the results of the empirical studies already carried out in this regard. the theme.

Keywords: audit, control, management, public, risks, system.

1. INTRODUCTION

The internationalization of companies, the increase in competition, technological innovations and the recent international crises generated the need to improve corporate governance processes, with risk management making a fundamental contribution to the achievement of institutional goals and mission. In this sense, norms and standards were developed for risk management and for the operation of internal audits in organizations in different countries, with the adoption of international norms and standards for internal controls, internal auditing, governance and risk management, such as norms of the “Committee of Sponsoring Organizations of The Treadway Commission” (COSO), the “International Organization for Standardization” (ISO), the “Federation of European Risk Management Associations” (FERMA) and the “International Structure of Professional Practices” (IPPF ), the latter coming from the Institute of Internal Auditors (IIA).

With the adoption of practices used in the private sector, corporate governance in the public sector started to use risk management, according to the model of the three lines, defended by the IIA (2013). Particularly in the public health sector, concerns about financial and operational sustainability, caused by economic crises that may reduce government financial contributions, in addition to the emergence of new pandemics that could lead the health system to an unprecedented collapse, make it necessary the adoption of strategies that can anticipate these risks or minimize their effects, in order to maintain the functioning of health entities. Therefore, it is necessary to adopt governance mechanisms, among which is risk management, and internal audit has a fundamental role in assessing the effectiveness of this management. Therefore, there is a need to know the extent to which risk management has been implemented and the role of internal auditing in this management, according to the perception of respondents in public health organizations.

Thus, a bibliographic review, empirical research studies, as well as semi-structured interviews were carried out to provide an understanding not only of the governance structure, but to learn about what happens in the practice of these organizations, according to the perception of the interviewees, who exercised, at the time of the interviews, internal audit functions in the analyzed health organizations.

Thus, this article intends to provide contributions for the diagnosis of the situation and for possible improvements in the risk management processes of the organizations that already have it, as well as for future implementations, as the case may be. In view of the current nature of the topic in the public sector, the empirical study of the practices adopted in public organizations in relation to risk management and internal audit may constitute a source of relevant information to support the improvement of governance and the management of public resources, in favor of the citizen.

2. THEORETICAL FOUNDATION AND BIBLIOGRAPHIC REVIEW

Risk is part of the activities of organizations, since any action involves a certain degree of risk. Risk can be defined as the “effect of uncertainty on objectives” for ISO 31000/2018 (p.1). This effect is a deviation from what would be expected, and may be a positive (opportunity) or negative (risk) effect. According to COSO (2007, p. 3), “the premise inherent in corporate risk management is that every organization exists to generate value for stakeholders”.

The treatment of risks must lead to residual risks in line with the risk appetite, in order to ensure the achievement of the entity’s objectives (RIBEIRO, 2020a). It is important to clarify that risk management, by itself, does not offer an absolute guarantee for the entity, especially with regard to possible losses and collusion. (COSO, 2007).

According to COSO (2007), the internal auditor has the role of assessing risk management on an ongoing basis, in order to improve the effectiveness of the process and organizational performance, in addition to generating useful information for senior management, to support decision making. decision, in favor of the fulfillment of institutional objectives.

For ISO 31000 (2018, p. 9), the risk management process “consists of the systematic application of management policies, procedures and practices involving the activities of communication, consultation, establishment of the context and evaluation, treatment, monitoring, registration and reporting of risks ”.

For FERMA, risk management

it is the process through which organizations methodically analyze the risks inherent to their respective activities, with the objective of achieving a sustained advantage in each individual activity and in the set of all activities (FERMA, 2002, p. 3).

Also according to COSO (2009), risk management should not be restricted to a specific group or sector, it should be implemented in the organization as a whole, and this involves establishing a risk culture for all employees. This risky culture should lead to the development of values ​​and attitudes, in order to promote integrity and identify all events that may have an impact on the achievement of organizational objectives.

2.1 INTERNAL CONTROL AND THE INTERNAL CONTROL SYSTEM

According to the Institute of Internal Auditors (IIA, 2009, p. 8), “control” can be defined as “any action taken by management, the board or other parties to manage risks and increase the likelihood that the established objectives and goals will be achieved ”. Internal control, according to the IIA, is designed and executed so that management plans, organizes and directs the execution of sufficient actions to ensure that the objectives and goals will be achieved.

According to the Audit Manual of the Court of Auditors of Portugal, internal control

it presupposes the existence of a plan and coordinated systems of controls that are relevant to the audit, as a result of the susceptibility of such controls to prevent, detect and correct materially relevant deficiencies or distortions (PORTUGAL, 2016, p. 131).

Therefore, according to TCU (2017), in TCU Judgment No. 1171/2017 – Plenary, for there to be good internal controls it is necessary that these controls are well designed throughout the process, being essential that they are able to take the risk to an acceptable level, according to the organization’s risk appetite.

According to TCU (2009),

Internal control, internal controls and internal control system (s) are synonymous expressions, used to refer to the process composed of the rules of organizational structure and the set of policies and procedures adopted by an organization for surveillance, inspection and verification, which allows foreseeing, observing, directing or governing events that may impact the achievement of its objectives. (TCU, 2009, p. 4).

According to TCU (2009), the internal control system is the responsibility of the entity’s management and constitutes an integrated process, covering all levels, activities and tasks of the organization, used as a means to achieve the organizational objectives and address the risks.

For the American Institute of Certified Public Accountants – AICPA, an effective system of internal control, by itself, cannot give an absolute guarantee that the organization will be successful, since all systems have inherent limitations, with the possibility of occurrence of malfunctions, errors or mistakes (AICPA, 2005). Thus, it is recommended that there is a service with the function of verifying the effectiveness of the Internal Control System – SCI, and this role has been exercised by the internal audit, which has evolved from a simple checker of legal and / or accounting compliance to a function of assessing the effectiveness of the SCI based on risks, in addition to the role of consultancy and advice (RIBEIRO, 2020b). According to Fülöp (2017), the work of auditors is essential in the control and management processes of organizations, and it is necessary to introduce the culture of risk management to improve the effectiveness of work processes (CASTANHEIRA; RODRIGUES; CRAIG, 2009 ). For Lima (2014, p.10), internal audit “appears as an important lever to support management”, as it generates value and offers assurance on the entity’s internal controls.

For FERMA (2002), the role of the “risk management” function can range from a single person in charge to a large-scale department. The internal audit function will be different in each organization, being able to give an opinion on the risks prioritized by the managers through audits and assessments of risk management, as well as by advising on the risks and the internal controls used for their treatment. Internal auditors can also provide information on risks and internal controls to the board of directors, the audit committee and other governance bodies. In its work, the internal audit must guarantee its independence and objectivity.

2.2 THE THREE LINES OF DEFENSE MODEL

The IIA (2013) established the model of the three lines of defense that should occur at all levels of the organization and involve internal auditing, which becomes part of the internal control system in conjunction with senior management.

According to the IIA (2013, p. 2),

In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance supervision functions established by management are the second line of defense and independent evaluation is the third . Each of these three “lines” plays a distinct role within the organization’s broader governance structure.

In this sense, the public agents responsible for conducting activities and tasks are primarily responsible for the risks and internal controls of the first line, in their respective sectors. In addition to this control by the executor of the activity, organizations can institute a second line or layer, through specialized sectors for supervision and monitoring of the internal controls of the first line, in the form of specific boards or advisors to deal with risks, internal controls , integrity and compliance, constituting instances of supervision of the internal controls of the first line (RIBEIRO, 2020b).

Internal audits are the third line, responsible for assessing the internal controls of the first two lines. For IIA (2013), internal auditors have, as one of their functions, to evaluate the effectiveness of organizational processes, through risk management and the controls used to mitigate them, also evaluating the performance of governance bodies, such as such as advisory boards and bodies, in risk management and internal controls.

Next, we will see the normative provisions that emerged to regulate risk management in the public sector in Portugal, as well as the performance of internal auditing in public and private sector organizations in several countries, through the results of empirical studies. The importance of the topics to be addressed below consists in understanding the models and standards in force in both countries and how international standards and the respective national regulations influence the performance of internal audits, according to empirical studies.

2.3 THE ADVENT OF RISK MANAGEMENT IN THE PUBLIC SECTOR OF PORTUGAL

In 2008, the Corruption Prevention Council (CPC) was created by Law No. 54/2008, being an independent administrative entity that works with the Court of Auditors of Portugal and whose purpose is to develop, under the terms of the law, an activity of national scope to prevent corruption and the commission of other related infractions, according to art. 1 of Law No. 54/2008 (PORTUGAL, 2008).

In effect, the adoption of risk management practices within the scope of Portuguese public administration bodies and entities was regulated by Recommendation No. 1/2009, of July 1, of the Council for the Prevention of Corruption (CPC), which provides that public bodies are obliged to draw up plans to prevent the risk of corruption and related offenses, as well as to carry out and periodically report on implementation. Such plans must contain the attributions of the entity, organization chart and identification of those responsible, the identification of the risks of corruption and related infractions, the preventive measures of the risks, the strategies for measuring the effectiveness, usefulness, efficacy and eventual correction of the proposed measures.

In 2015, the Accounting Standardization System for Public Administrations (SNC-AP), approved by Decree-Law No. 192/2015, of September 11, Article 9, 3, provides that the internal control system in Portugal must guarantee, among other things, an adequate risk management (PORTUGAL, 2015).

2.4 STUDIES ON THE ROLE OF INTERNAL AUDIT IN ORGANIZATIONS

Below, we highlight some empirical studies about the role played by internal auditing in organizations. Macena, Jordão and Xavier (2017), ponders that the implementation of internal audit in a private sector hospital organization occurred due to the need to control costs and expenses and that, at the end of the study, it concludes that the internal audit contributed to increase efficiency and effectiveness of hospital unit management.

Borges; Diel and Fernandes (2015) point out, in two analyzed health organizations, that internal auditors do not only work to minimize risks, but also for quality care resulting from good practices, which results in customer satisfaction.

Keclíková and Briš (2011), whose study was carried out through a questionnaire applied to forty-seven (47) employees of one of the largest hospitals in the Czech Republic, showed the significance of internal auditors and their indispensable role in risk management, defends the adoption integrated systems and risk management systems to increase patient safety.

Eugeniu et al. (2011), when conducting a study in public hospitals in Romania, in which the internal audit function is present in less than a quarter of the public hospitals in the sample analyzed, report that although the internal audit has contributed to improving the management of public hospitals in Romania, in fact, such a role cannot be exercised in its entirety, due to the restriction of the function and the role of internal audit due to the intervention of the Romanian agency for internal control.

The results of the study carried out with employees of companies listed on the Athens stock exchange, by Drogalas et al. (2017), revealed that the interviewees understand that the internal audit has the function of assessing risk management.

Study by Castanheira; Rodrigues and Craig (2009), in internal audit bodies in fifty-nine organizations in Portugal, reveal that the planning of audits is based on risk in 82% of these entities. According to Ribeiro (2019), according to research results on the role of internal audit in forty public sector organizations in Portugal and Brazil, it was observed that the functions performed by the third line in these organizations include the assessment of risk management and the provision of services. advisory and consultancy services.

Trisciuzzi (2009) highlights that the internal audit, through its recommendations, pointing out which control points need to be improved and implemented, is a management tool to help the organization achieve its objectives, in addition to being a support tool to support senior management. Morais (2008), when studying the cases of five hundred Portuguese companies, pointed out that the information from the internal audit influences the decision making of the managers and that the management requests consultancy services for the internal audit.

When analyzing a philanthropic organization in the health area, Soares (2007) highlights that one of the benefits of internal audit includes that of assessing the adherence of internal controls in relation to compliance with the legislation, which is fundamental for the maintenance of philanthropy services. Duarte (2017), when analyzing the importance of internal audit through the collection of empirical data in five public hospitals, concludes that internal audit is an asset to promote efficient management of resources, contributing to management efficiency and for the improvement of the internal control system.

Souza et al. (2013), based on six case studies in Brazilian public and philanthropic hospitals, point out that the internal audit is centered on the labor and tax obligations of the Brazilian legislation, with little or no concern with the management processes, in addition to being found low investment in the improvement of the SCI by the hospitals analyzed. Guerini and Guerini (2019) consider that the internal audit can help to help rationalize the decision-making process and contribute to the management of health units.

When analyzing the contribution of internal audit in a government entity, Silva and Costa (2019) highlight that internal audit contributes to governance and as an aid to decision making, in addition to providing assurance of organizational management and risk management assessment. We must highlight that, according to Brito et al. (2017) in the public sector, the success of risk-based auditing is directly related to the risk management structure adopted in the organization

In view of the above, risk management and the internal audit of this management are applicable both in private companies and in the public sector, considering that the rules and principles treated are fully applicable to any bodies or entities, whether public or private. Bearing in mind that the change in the SCI and internal audit paradigms may occur due to the influence of international norms and standards, changes in national legislation, as a result of recommendations and / or determinations from regulatory bodies, or to replicate good practices from other companies of the branch or other public sector organizations, among other factors, we will see, below, the analysis of these factors of change, originated from internal and external pressures, through institutional theory.

2.5 INSTITUTIONAL ISOMORPHISM

For Drehmer; Raupp and Rosa (2017), the most appropriate current for analysis through institutional theory is the New Institutional Sociology – NSI, which allows the analysis of the factors that promote changes and the implementation of new management practices, as well as pressures regulatory bodies, the provisions of the legislation, market pressures, among other factors. As Callado; Kovacs and Almeida (2015), the institutional perspective guides the practice of entities due to external and internal pressures, and these pressures can lead to the adoption of similar practices in various organizations.

In this sense, Borges; Diel and Fernandes (2015) state that mimetic isomorphism occurs when organizations choose a tool, because other successful organizations have also done so. According to Moura and Souza (2016, p. 584), “there is a focus on the part of organizations to the models and practices that stand out in the market and an attempt to copy them, so that these organizations look modern and professional”. Nascimento, Padilha and Sano (2017) state that good practices in the public sector are encouraged by replication in other locations. Therefore, it is understood that there is institutional pressure for innovations to be disseminated in the public sector by isomorphisms.

According to DiMaggio and Powell (2005), coercive isomorphism stems from political influences and the problem of legitimacy, with Silva and Oliveira (2018) pointing out that the organization is forced to structure itself due to pressure from the government or other organizations with greater influence, while Carvalho; Vieira and Goulart (2005) emphasize that these pressures can be formal or informal, notably from organizations that manage financial resources. Mimetic isomorphism results from the imitation of practices adopted by other entities in the same or other sectors as good practices (VICENTE; PORTUGAL, 2014). In turn, normative isomorphism, associated with professionalization and professional categories, is associated with the “sharing of rules and working methods by the members of each occupational segment” (INGLAT; SANTOS; JÚNIOR, 2017, p. 13).

3. METHODOLOGICAL PROCEDURES

The research was carried out through bibliographic review and empirical data collection, through interviews recorded in audio, in order to better understand the topic studied (VERGARA, 2009). According to Hill and Hill (2016) an empirical investigation is one in which observations are made for a better understanding of a phenomenon to be studied. For Denzin and Lincoln (2006), qualitative research focuses on the environment in which the phenomenon occurs, in order to better understand the phenomena. For Tashakkori and Creswell (2007), it is not sought to reduce meanings in a few categories or ideas, it is essential that the researcher look for more complex perspectives.

For Gil (2008), interviews can be used to investigate a topic in depth, in qualitative research. Edwards and Holland (2013) observe that the use of the recorder allows the interviewer to focus on listening, observing and maintaining eye contact with the interviewee, instead of having to make notes during the interview.

For Mesquita and Matos (2014), the case study is the typology in which the object is a unit analyzed in depth and has as research techniques, mainly, the interview and observation. For Gil (2008, p. 58), the case study “is an empirical study that investigates a current phenomenon within its context of reality, when the boundaries between the phenomenon and the context are not clearly defined and in which several sources”.

For Belei et al. (2008), a good interviewer is one who knows how to listen to the interviewee in an active way, showing interest, asking new questions, without, however, influencing his speech. For Mattos and Goldenberg (2004), each interview is unique and can bring new elements to the research, depending on both the interviewer and the interviewee’s willingness to reveal details.

In relation to the choice of the entities surveyed, in Portugal contacts were made based on the list available on the Portal of the Ministry of Finance – General Directorate of Treasury and Finance based on the document called “Portfolio of State Participations[2]”, as well as the disclosure on the website of the Portuguese Institute of Internal Audit – IPAI, through which it was possible to interview the chief auditor of the Portuguese central health agency.

The interviews were conducted in Portugal between 28/03/2019 and 21/08/2019. One (1) interview was carried out for each hospital entity in which the interviewees were willing to collaborate, so that the details of the positions and functions of the interviewees, segregated by sector of activity are summarized in the following table:

Table 1. People interviewed in Portugal

Note. Data collected in interviews applied to the managers and internal auditors of the public sector in Portugal, in 2018.

The interviews were transcribed and sent to the interviewees, to reinforce the accuracy of the interview data and to avoid possible errors or misinterpretations, while also offering the possibility of obtaining additional information (GUERREIRO; RODRIGUES; CRAIG, 2015).

For Bardin (1977), the analysis of the data collected in an empirical way consists of reading all material, followed by the selection of words and sets of words that have meaning for the research, as well as in the classification in categories or themes that are related to the criterion. syntactic or semantic.

In the qualitative approach, the researcher can adopt several methods to ensure an in-depth understanding of the phenomenon under study (CHUEKE; LIMA, 2012). According to Bardin (1977), the analysis of the content of interviews or texts basically consists of: pre-analysis; exploration of the material; and treatment of results, inference and interpretation.

Pre-analysis consists of choosing the documents to be analyzed (Bardin, 1977). According to Bardin (1977), the exploration of the material deals with encoding, decoding and enumeration. Duarte (2004) defends the edition of the transcriptions, correcting errors and language vices. Azevedo et al. (2017) argue that transcriptions can be done literally or according to the content of the information.

In view of the transcribed interviews, a content analysis was carried out, defined by André (1983), which consists of reducing a large volume of material in various content categories. After the transcriptions, the analyzes of the interviews took place, based on institutional theory, which allowed to evidence the influence of factors of a coercive, normative or mimetic nature (DANIEL; PEREIRA; MACADAR, 2014).

4. ANALYSIS OF RESULTS

Through bibliographic review, the study of legislation and empirical data, it was possible to understand the practices of internal audit in public sector entities in Portugal in the health area. Thus, it was possible to understand the components of risk management in the public organizations analyzed and the performance of the internal audit.

Based on COSO, FERMA, IPPF and ISO standards, in empirical studies, in compliance with institutional theory and in order to understand the role of auditing in risk management in the public sector in Portugal, the interviews were structured in the following topics:

1) The implementation of internal audit and risk management;

2) Role of risk and challenge management;

3) Role of internal audit in managing risks and challenges.

Through the collection of data from the interviews conducted in 2018 in Portugal, it was noticed that the respondents are aligned with the guidelines contained in the international standards for the practice of internal audit and risk management, notably the ISO, COSO and IPPF standards . In this regard, we can classify the responses of participants from Portugal according to the following topics.

4.1 THE IMPLEMENTATION OF INTERNAL AUDIT AND RISK MANAGEMENT

Regarding the implementation of risk management, it was observed that, in the central health administration body and in the hospitals analyzed, there are internal audits and first and second line bodies in each of the organizations, as reported by the interviewees.

In this regard, Mendes and Rodrigues (2007) clarify that, in December 2002, thirty-four (34) hospitals of the National Health Service – SNS were transformed into thirty-one (31) hospitals S.A. belonging to the Portuguese state. Then, on September 7, 2005, the Council of Ministers transformed all hospitals S.A. into Public Business Entities – EPE, a nomenclature that remains today.

According to the interviewees in Portugal, it was found that the coercive isomorphism occurred in relation to CPC Recommendation No. 01/2009, which obliges entities to prepare corruption risk management plans.

In the health entity of the direct administration of Portugal, P1 and P2 highlighted the implementation of risk management and audit in these entities with internal audits, and, according to Trisciuzzi (2009, p. 153),

Organizations that do not have an internal audit function are depriving themselves of the valuable benefits that internal auditors provide. In addition, they run the risk of relying on management, who may not be in the best position / situation to offer reliable, independent and objective opinions and opinions on internal controls.

Empirical studies and interviews indicate that the presence or absence of a sector responsible for the internal audit function within the organization seems to be related to the success or failure of risk management. This result is in accordance with Silva and Costa (2019), who observed the contribution of internal audit in a government entity.

Regarding the implementation of risk management.

4.2 ROLE AND CHALLENGES MANAGEMENT ROLE

Regarding the role of risk management, it was observed that respondents have homogeneous responses and are in line with the IPPF rules regarding the roles that must be played in the three lines of the internal control systems of their respective bodies and entities. P8 recalls that the directors of services / sectors are responsible for the first line, according to IIA rules.

Virtually all respondents argued that risk management aims to ensure the achievement of the organization’s objectives, in accordance with the standards of ISO, FERMA, IIA and COSO-ERM. The results of these interviews are in agreement with Brito et al. (2017), because the risk management structure is directly related to the success of the internal audit based on risks. For Mustapha and Abidin (2017), risk management can contribute to the work of the audit.

The risk management assessment process was described by P1, as follows:

Following international practices, we analyze our acceptable risk levels, analyze the internal control system in any of the areas and do our planning and development in the works. We make our report, submit it for superior approval and then monitor the implementation process of the recommendations.

Interviewee P3, argues that the role of risk management “is to ensure the management of the internal control system, with a view to ensuring the company’s long-term survival”. Regarding the role of the internal auditor in the organization’s internal control, P3 listed the following competencies: “the internal auditor has competence in the evaluation of internal control processes, risk management at the accounting, financial, operational and IT levels and human resources. In other words, only here do we already have a lot to work on ”.

4.3 ROLE OF THE AUDIT IN RISK AND CHALLENGE MANAGEMENT

Regarding the role of internal audit in the context of risk management, according to the participants and in accordance with the IPPF, this role consists of assessing the internal control and risk management system of the respective entities, and the process of risk management risks in themselves do not belong to the internal audit, but to the first and second lines of defense, as highlighted by Drogalas et al. (2017). Lima (2014) highlights that, in the opinion of the managers, the internal audit contributes to the improvement of the internal controls, of the business risks, being important both to subsidize the management decisions and to guarantee a greater efficiency of the SCI, an understanding followed by Morais (2008). P3 comments on the breadth of the role of the internal audit and the internal auditor within the services (sectors) of a hospital organization:

Our internal audit service is so transversal, we run for so many services, we do such diverse things, that I believe … I do not believe, I am sure that no one knows the organization as well as the internal auditor. So, if we have access to all of this, it is we who are much more easily able to recognize and apprehend the risks that these services within the organization itself are subject to.

Thus, it was realized that internal auditors and managers understand the breadth of the role of internal audit in assessing the management of various sectors of an organization. In this sense, Alexandre (2016, p. 55), observed that in Portuguese hospitals, the internal audit function contributes to “Risk Management, reinforcing the SCI, combating fraud, creating value and supporting management [ . . .] meeting the objectives foreseen for the function ”.

One of the difficulties reported by the participants, namely by P1, P3 and P5, refers to the number of internal auditors in the audit services, and in most organizations analyzed, the internal audit was conducted by only one (1) professional in the period of the interviews. In this regard, P5 reports, in relation to the number of units and services to be examined, that:

It’s too much. And this is not just this building, there is the hospital there, the health center, all the health centers in the district, in addition to the headquarters hospital. So this is big, it is very dispersed and it is not always easy.

In hospitals, internal auditors delivered speeches in line with the IPPF, ISO 31000 and COSO standards on internal auditing, the function of internal auditors, the internal control system, risk management and, in addition to demonstrating a proactive stance, they reported that they are improving professionally through training and exchange of ideas among peers (normative isomorphism). For Castanheira et al. (2009, p. 95), this may be related to the fact that, for example, a hospital, which is a smaller organ than a health ministry, has fewer resources than a larger one, which can cause the internal auditor is more in demand to contribute to the implementation of risk management. Finally, in the interviewees’ reports, there was a balance between the advisory and assessment role of the internal control system and risk management. Regarding the guidance of the managers of his organization, P6 noted that, many times, the professionals already know what the risks and controls are to be adopted, but they do not dominate the most recent vocabulary of the IIA. Thus, the internal auditor is responsible for guiding the roles of the lines of defense in relation to risk management in a hospital organization.

5. FINAL CONSIDERATIONS

According to the information collected in the bibliographic review and empirical data collection, it was observed that the internal audit exercises the role of evaluating the internal control system and advising / consulting in the analyzed entities, according to the model of the three lines defense of the IIA (2013) and with the roles to be exercised by the internal audit in the scope of risk management (IIA, 2009). In relation to the bodies of direct administration, risk management and internal audit are implemented in the central health body of the Portuguese government, as reported by participants P1 and P2.

Regarding institutional theory, coercive institutionalism was observed in all interviews, both in relation to Recommendation CPC 01/09, as well as normative isomorphism resulting from the exchange of experiences between the internal auditors themselves.

In all investigated entities, whether in the direct administration of the health area or in hospitals, the presence of at least one internal auditor was observed within their structures, with risk management implemented.

As noted, the presence of an internal auditor within the organization’s structure seems to be related to a greater degree of implementation of risk management. This may be related to the fact that an internal auditor within the structure of the entity has greater possibilities for iterating with managers, making risk management easier to assimilate, which does not seem to occur in entities that have less intense contact government internal audit. Therefore, because the internal auditor has more opportunities to communicate with managers and administrators, he would have a better chance of changing the entity’s culture to manage its risks.

In view of this, the cultural change strongly advocated by the internal auditors who work within the corporate space can play a significant role in the implementation of risk management, which may mean that the promotion of a risk culture in public sector entities may be related to effective structuring of the internal control systems and internal audits in the agencies, based on the model of the three lines of defense. It should be noted that, in the public sector, this structuring cannot be done at the initiative of the manager without a legal provision, as public managers should only do what the law authorizes, in order to obey the principles of public administration, especially when principle of legality.

BIBLIOGRAPHIC REFERENCES

ABNT NBR ISO 31000. Gestão de riscos – diretrizes – risk management – guidelines. 2. ed. Rio de Janeiro: Associação Brasileira de Normas Técnicas, 2018.

ALEXANDRE, V. M. A função de Auditoria Interna no Serviço Nacional de Saúde Dissertação de Mestrado. Departamento de ciências econômicas e empresariais. 2017.  Universidade Autônoma de Lisboa – UAL, Lisboa, Portugal, 2016.

AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS. Private Company Financial Reporting Task Force Report. New York: American Institute of Certified Public Accountants. 2005. Disponível em: https://www.fasb.org/fasac/03-22-05_aicpa.pdf. Acesso em: 10 dez. 2019.

ANDRÉ, M. E. D. A. Texto, contexto e significados: algumas questões na análise de dados qualitativos. Cadernos de Pesquisa. 45, p. 66-71, maio de 1983.

AZEVEDO, V. et al. Transcrever entrevistas: questões conceptuais, orientações. Disponível em: doi: org/10.12707/RIV17018. Acesso em: 10 dez. 2019.

BARDIN, L.  Análise de Conteúdo. 70. ed. Lisboa: revista e ampliada, 1977.

BELEI, R. A. et al. O uso de entrevista, observação e videogravação em pesquisa qualitativa. Cadernos de Educação – FaE/PPGE/UFPel, 30, p. 187–199, jan./jun. de 2008.

BORGES, G. R.; DIEL, F. J.; FERNANDES, F. C. A Contribuição da Auditoria Interna de Riscos para o Planejamento de Organizações na Área de Saúde. Disponível em: doi: 10.5585/rgss.v4i2.134. Acesso em: 11 dez. 2019.

BRITO, G. C. et al. Benefícios e desafios na implantação da auditoria baseada em risco em instituições federais de ensino. Revista GUAL, Florianópolis, v. 10, n. 4, p. 109-133, 2017 .Doi: 10.5007/1983-4535.2017v10n4p109. Disponível em: https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2017v10n4p109/35453. Acesso em: 11 dez. 2019.

BRIS, P.; KECLÍKOVÁ, K. Risk management and internal audit in integrated process management of hospitals. Disponível em: http://www.ekonomie-management.cz/download/1346067034_21ca/2011_04_keclikova_bris.pdf.  Acesso em: 03 jan. 2020.

CALLADO, A. A. C. et al. Práticas de gestão estratégica e isomorfismo: uma investigação empírica entre empresas do porto digital a partir da teoria institucional. Revista Eletrônica Sistemas e Gestão,Rio de Janeiro, v.10, n. 3, p. 246-355, 2015. Doi: 10.7177/sg.2015.v10.n3.a1. Disponível em: http://www.revistasg.uff.br/index.php/sg/article/view/V10N3A1. Acesso em: 12 dez. 2019.

CARVALHO, C.A.; VIEIRA, M.M.F.; GOULART, S.  A trajetória conservadora da teoria institucional. Revista de Administração Pública, Rio de Janeiro, v. 39, n. 4, p. 849-872, jul./ago. 2005. Disponível em: https://www.redalyc.org/articulo.oa?id=241021497002. Acesso em: 06 jan. 2020.

CASTANHEIRA N.; RODRIGUES, L. L.; CRAIG, R. Factors associated with the adoption of risk-basedinternal auditing. Managerial Auditing Journal. v.25, p. 79-98, jan. 2010. Disponível em: doi: 10.1108/02686901011007315. Acesso em: 13 dez. 2019.

CHUEKE, G. V.; LIMA, M. C. Pesquisa qualitativa: evolução e critérios. Revista Espaço Acadêmico, n. 128, p. 63–69, jan. 2012. Disponível em: https://www.researchgate.net/profile/Gabriel_Chueke/publication/279664207_Pesquisa_Qualitativa_Evolucao_e_Criterios/links/55c1758908ae092e96684604.pdf. Acesso em : 05 jan. 2020.

COSO – Committee of Sponsoring Organizations of the Treadway Commission. Gerenciamento de riscos corporativos – estrutura integrada: sumário executivo. Disponível em:  http:www.coso.org/documents/COSO_ERM_ExecutiveSummnary_Portuguese.pdf. Acesso em: 12 dez. 2019.

COSO – Committee of Sponsoring Organizations of the Treadway Commission. Enterprise risk management. Aligning risk with strategy and performance. Disponível em: https://www.coso.org/Documents/COSO-ERM-draft-PostExposure-Version.pdf. Acesso em: 03  jan. 2018.

DANIEL, V. M., PEREIRA, G. V. & MACADAR, M. A. Perspectiva institucional dos sistemas de informação em saúde em dois estados brasileiros. Revista de Administração Contemporânea, v.18, n. 5, p. 650–669, 2014. Disponível em: http://www.scielo.br/scielo.php?pid=S1415-65552014000500650&script=sci_abstract&tlng=pt. Acesso em: 05 jan. 2020.

DENZIN, N. K. e LINCOLN, Y. S. Introdução: a disciplina e a prática da pesquisa qualitativa. 2. ed. Porto Alegre: Artmed, 2006.

DIMAGGIO, P. J.; POWELL, W. W. A gaiola de ferro revisitada: isomorfismo institucional e racionalidade coletiva nos campos organizacionais. Revista de Administração de Empresas, v. 45, n. 2, abr./jun. 2005. Disponível em: http://bibliotecadigital.fgv.br/ojs/index.php/rae/article/viewFile/37123/35894. Acesso em: 06 jan. 2020.

DREHMER, A. F.; RAUPP, F. M.; ROSA, F. S. Teoria Institucional no Setor Público: Mapeamento e Análise de Conteúdo das Publicações. Revista UNIABEU, Rio de Janeiro, n.26, v. 10, p. 127–142, ago. 2017.

DROGALAS, G.et al. Perceptions about effective risk management. The crucial role of internal audit and management. Disponível em: doi:10.21511/imfi.14(4).2017.01. Acesso em: 03 jan. 2020.

DUARTE, M. da S. A Importância da Auditoria Interna para uma Gestão Eficiente e Eficaz em Instituições Hospitalares do Setor Público. 2017. f.108. Dissertação de Mestrado em Auditoria. Porto – Instituto Superior De Contabilidade E Administração Do Porto, 2017. Disponível em: https://recipp.ipp.pt/bitstream/10400.22/10957/1/Mariana_Duarte_MA_2017.pdf. Acesso em: 03 jan. 2020.

DUARTE, R. Entrevistas em pesquisas qualitativas. Educar, Curitiba, n. 24, p. 213-225, out. 2004. Disponível em: http://www.scielo.br/pdf/er/n24/n24a11.pdf. Acesso em: 03 jan. 2020.

EDWARDS, R.; HOLLAND, J.  What is qualitative interviewing?. Ed. 1. London:  Bloomsbury Academic, 2013.

FERMA – Federation of European Risk Management Associations. Norma de gestão de riscos. Bruxelas, 2003. Disponível em: https://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-portuguese-version.pdf. Acesso em: 17 dez.  2019.

FULOP, M. T.; SZEKELY, S. V. The evolution of the internal auditing function in the context of corporate transparency. Audit Financiar, v. 15, n. 147, p. 440-450, jan. 2017. Disponível em: http://revista.cafr.ro/temp/Article_9545.pdf. Acesso em: 05 jan. 2020.

GIL, A. C. Métodos e técnicas de pesquisa social. 6. ed. São Paulo: Atlas, 2008.

GUERINI, I. C.; GUERINI, E. Racionalização das ações de controle interno e auditoria como processo de controle na gestão da saúde em unidades hospitalares no contexto brasileiro. Revista Brasileira de Tecnologias Sociais v. 6, n. 1, p. 56-69, jan. de 2019. Disponível em: https://siaiap32.univali.br/seer/index.php/rbts/article/view/14415/8181. Acesso em: 03 jan. 2020.

GUERREIRO, M. S.;RODRIGUES, L. L.; CRAIG, R. Institutional Change of Accounting Systems: The Adoption of a Regime of Adapted International Financial Reporting Standards. European Accounting Review, v. 24, n. 2, p.379–409, 2015. Disponível em: https://www.tandfonline.com/doi/full/10.1080/09638180.2014.887477. Acesso em: 03 jan. 2020.

HILL, M.; HILL, A. Investigação por questionário. Lisboa: Sílabo, 2008.

INGLAT, L. P. da S.; SANTOS, E. T. P. dos; JUNIOR, C. da S. P. Isomorfismo normativo: influência das instituições na construção do perfil do administrador. Revista Foco, São Paulo, v.10, n. 2, jan./jul. 2017. Disponível em: http://revistafocoadm.org/index.php/foco/article/view/361. Acesso em: 06 jan. 2020.

INSTITUTO DE AUDITORES INTERNOS.  IIA position paper: the role of internal auditing in enterprise-wide risk management. Disponível em: https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf. Acesso em: 13 dez. 2017.

INSTITUTO DE AUDITORES INTERNOS. As três linhas de defesa no gerenciamento eficaz de riscos e controles. Disponível em: http://www.iabrasil.org.br/new/2013/downs/As_tres_linhas_de_defesa_Declaracao _de_Posicionamento2.pdf. Acesso em: 13 dez. 2017.

JÚNIOR, A. J. S. de O.; GOMES, A. R.; MACHADO, G. de V. Metodologia de auditoria com foco em processo e risco. Revista do TCU, n. 132, p. 28-37, 2015. Disponível em:  https://revista.tcu.gov.br/ojs/index.php/RTCU/article/view/249. Acesso em: 02 jan.  2020.

LIMA, P. N. D. O impacto da auditoria interna no desempenho organizacional: A relevância de auditoria de recursos humanos. Dissertação de Mestrado – Instituto politécnico do Porto, Porto, Portugal, 2014.

LURLEA, E. et al. Empirical research on the internal audit into public hospitals from Romania. Academy of Economic Studies, Bucharest. Disponível em: http://www.academicjournals.org/app/webroot/article/article1380625689_Turlea%20et%20al.pdf. Acesso em: 20 dez. 2019.

MACENA, J. L. et al. Auditoria interna: uma análise da implantação em uma instituição privada de serviço de saúde (Hospital). RPA – Revista Pesquisa em Administração UFPE (Caruaru, PE) v.1 n. p.69-84, jul./dez 2017. Disponível em: https://periodicos.ufpe.br/revistas/rpa/article/download/231698/25850. Acesso em: 19 dez. 2019.

MATTOS, P. L. C. L. D.; GOLDENBERG, M. A entrevista não-estruturada como forma de conversação: razões e sugestões para sua análise. Revista de Administração Pública, v.39, n.4,  p. 823-857, jul./ago. 2005.

MESQUITA, R. F. D.; MATOS, F. R. N. Pesquisa qualitativa e estudos organizacionais: história, abordagens e perspectivas futuras. In: IV Colóquio Internacional de Epistemologia e Sociologia da Ciência da Administração, IV, 2014, Florianópolis Disponível em: https://www.researchgate.net/profile/Rafael_Mesquita2/publication/278727035_Pesquisa_Qualitativa_e_Estudos_Organizacionais_historia_abordagens_e_perspectivas_futuras/links/5584563a08ae71f6ba8c4598/Pesquisa-Qualitativa-e-Estudos-Organizacionais-historia-abordagens-e-perspectivas-futuras.pdf. Acesso em: 03 jan. 2020.

MORAIS, M. G. da C. T. A importância da auditoria interna para a gestão: caso das Empresas portuguesas. Portugal. 2008. Disponível em: https://docplayer.com.br/684140-A-importancia-da-auditoriainterna-para-a-gestao-caso-das-empresas-portuguesas.html. Acesso em: 03 jan. 2020.

MOURA, A. L. N.; SOUZA, B. C. Gestão estratégica de pessoas na administração indireta do setor público federal: na prática, ainda um discurso. Revista do Serviço Público, v. 67, n. 4, p. 575–602, 2016.  Disponível em: http://www.spell.org.br/documentos/ver/44137/gestao-estrategica-de-pessoas-na-administracao-indireta-do-setor-publico-federal–na-pratica—ainda-um-discurso. Acesso em: 03 jan. 2020.

MUSTAPHA, W. M.; ABIDIN,. N. H. Z. Práticas de auditoria interna e gerenciamento de riscos entre universidades públicas na Malásia. Journal  of  Research  and  Practice  in  Public  Sector  Accounting  and Management, v.7, n. 1, p. 1-14. 2017. Disponível em: https://www.researchgate.net/publication/326989324_Internal_Audit_and_Risk_M anagement_Practices_among_Public_Universities_in_Malaysia. Acesso em: 03 jan. 2020.

NASCIMENTO, A. B. F. M.; PADILHA, Y. L.; SANO, H. Contribuições da Teoria Institucional para Análise de Disseminação de Inovação na Gestão Pública. In. IV Encontro Brasileiro de Administração Pública, 4, João Pessoa. A construção da administração pública do século, 2017. XXI. Disponível em: http://www.ufpb.br/ebap/contents/documentos/0917-933-contribuicoes-da-teoria-institucional-para-analise-de-disseminacao-de-inovacao.pdf. Acesso em: 03 jan. 2020.

PORTUGAL. Decreto n° 192/2015. Aprova o Sistema de Normalização Contabilística para as Administrações Públicas. Diário da República Eletrônico, Portugal, n. 178, 11 set. 2015.  Disponível em: https://dre.pt/home/-/dre/70262478/details/maximized. Acesso em: 05 jan. 2020.

PORTUGAL. Lei n° 54/2008, de 4 de Setembro de 2008.  Cria o Conselho de Prevenção da Corrupção (CPC). Diário da República, Lisboa, 1.ª série, n.º 171, 4 de Setembro de 2008.  Disponível em: https://dre.pt/pesquisa/-/search/453985/details/maximized. Acesso em: 03 jan. 2020.

PORTUGAL. Recomendação nº 1/2009, de 1º de julho, do Conselho de Prevenção da Corrupção (CPC). Sobre planos de gestão de riscos de corrupção e infracções conexas, disponível em: http://www.cpc.tcontas.pt/documentos/recomendacoes/recomendacao_cpc_20090701.pdf. Acesso em: 03 jan. 2020.

RIBEIRO, Renor Antonio Antunes. O papel da auditoria interna na gestão de riscos em entidades do setor público de Portugal e do Brasil. 2019. Dissertação de Mestrado.

RIBEIRO, Renor. Gestão de Riscos no Setor Público: normas e padrões internacionais, análise das legislações nacionais de Portugal e do Brasil e aplicação na base normativa do setor público. 1ª ed. Brasília: Athenas Editora, 2020.

RIBEIRO, Renor. Gestão de Riscos em Organizações Públicas: normas e padrões internacionais utilizados para a gestão de riscos, etapas do processo e análise da base normativa de Portugal e do Brasil. 1ª ed. Lisboa: Edições Exlibris, 2020.

SILVA, A. A.; COSTA, A. J. B. A contribuição da auditoria interna para a governança: estudo de caso em uma organização social vinculada ao governo federal. Cuadernos de Contabilidad. v. 20, n. 49, 2019. Disponível em: doi: https://doi.org/10.11144/Javeriana.cc20-49.caig. Acesso em: 02 jan. 2020.

SILVA, M. do R. da.; OLIVEIRA, R. R. Institucionalização das atividades de auditoria interna: um estudo no Instituto Federal de Alagoas, à luz da teoria institucional. Congresso de Administração, Sociedade e Inovação, 2018 Disponível em: <https://even3.blob.core.windows.net/anais/119053.pdf. Acesso em: 30 dez. 2019.

SOARES, M. A. Auditoria interna aplicada em uma instituição filantrópica hospitalar.  ConTexto, Porto Alegre, v. 7, n. 11, 1º semestre 2007. Disponível em: https://seer.ufrgs.br/ConTexto/article/download/11235/6638. Acesso em: 19 dez. 2019

SOUZA, Antônio Artur de. et al. Análise do sistema de controle interno e da auditoria interna em hospitais públicos e filantrópicos Tourism & Management Studies, Universidade do Algarve Faro, Portugal. v. 3, p. 896-906, 2013 Disponível em: https://www.redalyc.org/pdf/3887/388743876016.pdf   Acesso em: 19 dez. 2019.

TASHAKKORI, A.; CRESWELL, J. W.  Editorial: exploring the nature of research questions in mixed methods research. Journal of Mixed Methods Research. v.1, n. 3, p. 207–211. jul. 2007. Disponível em:  https://doi.org/10.1177/1558689807302814. Acesso em: 3 jan. 2020.

TRIBUNAL DE CONTAS DA UNIÃO. Critérios Gerais de Controle Interno na Administração Pública: um estudo dos modelos e das normas disciplinadoras em diversos países. Brasília. 10 ago. 2009. Disponível em: https://portal.tcu.gov.br/lumis/portal/file/fileDownload.jsp?fileId=8A8182A15A4C80AD015A4D5CA9965C37. Acesso em: 3 jan. 2020.

TRIBUNAL DE CONTAS. Manuais de tribunais de contas. Lisboa. Disponível em: https://www.tcontas.pt/pt-pt/NormasOrientacoes/ManuaisTC/Pages/Manuais-do-Tribunal-de-Contas.aspx. Acesso em: 27 out. 2019.

TRISCIUZZI, C. R. F. A Auditoria Interna como ferramenta de melhoria dos controles internos de uma organização: Estudo de caso em uma empresa do segmento industrial do Rio de Janeiro. 198 f. (Dissertação de Mestrado). Universidade do Estado do Rio de Janeiro, Rio de Janeiro, 2009. Disponível em: http://www.bdtd.uerj.br/tde_busca/arquivo.php?codArquivo=9425. Acesso em: 3 jan. 2020.

VERGARA; C., S.; Projetos e relatórios de pesquisa em administração. 10. ed. Atlas, 2009.

VICENTE, S. C. da S.; PORTUGAL, M. Isomorfismo coercitivo: as implicações das pressões institucionais no processo de aquisições de empresas brasileiras. III – SINGEP: Simpósio Internacional de Gestão de Projetos, São Paulo, nov. 2014. Disponível em: http://repositorio.uninove.br/xmlui/bitstream/handle/123456789/1107/494.pdf?sequence=1. Acesso em: 3 jan. 2020.

APPENDIX – FOOTNOTE REFERENCES

2. Available at: http://www.dgtf.pt/sector-empresarial-do-estado-see/carteira-de-participacoes-do-estado. Retrieved on 10/27/2019.

3. The occupants of the highest position in the internal audit bodies in the health system were interviewed.

4. Chief auditors occupy the post that represents the highest managerial or monocratic position for internal audits in public hospitals.

^[1] Master in Public Administration at the University of Minho – UMINHO (Portugal), MBA in Strategic Management in Public Administration, Specialist in Public Administration at UMINHO, Specialist in Educational Planning, Graduated in Mechanical Engineering from UFC, Degree in Physics from UECE, Degree in Education Musical by UnB.

Submitted: November, 2020.

Approved: December, 2020.