21 / 32
December 2016 //
Canadian Government Executive /
21
Audit
Searching for assurance
In an effort to assist organizations in such
scenarios control risks and provide ac-
countability across organizations, the In-
stitute of Internal Auditors provides some
guidance. The “3 lines of defense” in effec-
tive management and control are:
• Management control;
• Oversight; and
• Independent assurance.
Independent assurance is usually per-
formed by an organization’s internal
audit function. Internal audit provides
independent assurance that an organisa-
tion’s risk management, governance and
internal control processes are operating
effectively.
Audits for horizontal initiatives can take
several forms. For example:
• A centralized audit function can con-
duct a horizontal audit across multiple
organizations.
• Independent audit groups in organiza-
tions participating in an initiative can
each audit their own organization’s ac-
tivities and share the results.
• Audit groups in participating organiza-
tions can jointly plan and conduct an au-
dit of an initiative or a common business
process.
A strong internal audit function can con-
tribute to the provision of horizontal as-
surance in the public sector and enable
efficiencies to be gained by leveraging the
successful strengths of one ministry to be
applied to another ministry for the same
activity.
Begin at the beginning
Internal audit can be a very effective
management support when it is engaged
at the beginning of an initiative, i.e. at the
design stage, rather than called in to con-
duct audits after the initiative is under-
way or complete. This is particularly true
for horizontal initiatives. When multiple
organizations are involved, the potential
exists for gaps to appear in oversight and
control measures – gaps that internal
auditors may be able to spot and recom-
mend clarity around roles and responsi-
bilities.
By participating in the design phase
of an initiative, the audit function can
advise on risk and control measures up-
front so that adequate measures are put
in place. Early prevention is much better
than later detection.
Avoid duplication
On the other hand, the existence of in-
dependent oversight and control mea-
sures in multiple organizations engaged
in a common endeavour could result in
oversight duplication and audit burden.
This is particularly relevant where one
organization provides a service for many
other organizations. There is potential for
chaos if each client organization plans to
audit the service provider in its own way.
An independent audit conducted by
the service provider in consultation
with the audit groups of the client orga-
nizations may prove sufficient to meet
everyone’s needs, or at least provide a
foundation for the client organizations’
own audit activities.
For their part, centralized audit func-
tions can help reduce the audit burden for
government ministries when they conduct
horizontal audits of activities that are car-
ried out in multiple ministries, such as
procurement or grants and contributions.
The audit group can select a handful of
ministries to audit on the basis of risk;
once it assesses the results of the audit,
it can provide best practices and lessons
learned to all ministries.
Similarly, when programs are delivered
cooperatively by several organizations, an
audit by one organization – if designed col-
laboratively – may meet the needs of all,
and free up resources for other priorities.
In addition, 100 % coverage may often
not be practical to achieve when conduct-
ing horizontal audits. The identification of
key themes and lessons learned from those
in scope as part of horizontal audits can
be quite valuable. These themes and les-
sons learned can allow for broader aware-
ness across organizations that are not in
when programs are delivered cooperatively by several
organizations, an audit by one organization – if designed
collaboratively – may meet the needs of all, and free up
resources for other priorities.