Internal Audit – An Enabler of Intelligent Risk-taking at NRCan 

Canadians expect their public services to be delivered in a way that demonstrates cost-savings and efficiency. To date, the ability of the public sector to achieve great results this has been hindered by a risk-averse culture. One symptom of this aversion to risk is an environment of excessive controls over business processes with multiple layers of oversight and verification. To address this impediment, federal public sector leaders have been emphasizing the importance of intelligent risk-taking. This concept refers to the empowerment of public servants to make decisions by considering risk, rather than avoiding decision-making due to a fear of failure. As such, intelligent risk-taking will require federal departments and agencies to reconsider their service delivery models to reduce unnecessary bureaucracy, while continuing to ensure that sound stewardship and accountability are maintained.

The Government of Canada has implemented several measures over the past few years to strengthen accountability and increase transparency in the public sector, including bolstering the role of internal audit. Since the implementation of the Treasury Board’s Internal Audit Policy in 2006, internal audit has established itself as an effective internal oversight tool for deputy heads and as trusted advisors to senior management across the public service. As a result, the number of internal audit recommendations has significantly increased and directly contributed to the strengthening of stewardship and accountability through improvements to management controls and frameworks. These recommendations; however, have also led to an increase in the number of organizational controls in place as well as the bureaucratic processes required for their implementation.
Within this context, internal audit has a critical role to play in this transformation by contributing to their department as enablers of intelligent risk-taking. Traditionally, internal audit has been focused on providing assurance on the efficiency and effectiveness of governance, risk management, and control frameworks with an emphasis on mitigating risks identified by management, rather than questioning whether risks actually warrant the controls in place. By challenging management’s understanding and appetite for risk and assessing the cost-effectiveness of controls in place, internal audit has an opportunity to make significant contributions to the reduction of bureaucracy and elimination of redundant controls. This includes assessing whether risks are well understood in the first place; determining whether risk tolerance is well communicated by senior management; and whether existing controls remain relevant to address the current risk environment. Positioning internal audit as an enabler of intelligent risk-taking; however, may be challenging, considering the risk averse culture of both public sector managers and the internal audit function itself.
Although deputy ministers and senior executives often refer to the need for intelligent risk-taking, public sector managers may be conflicted between efficiencies gained from eliminating redundant controls and the perceived consequences of a control failure. Ultimately, all controls were created to address risks identified at a given time, sometimes in response to a previous control failure. Management’s aversion to risk inherently conflicts with the willingness to eliminate existing controls, even when their cost-effectiveness and value may not always be clear. For example, redundant controls such as multiple approval layers often add limited value and cloud accountabilities; however, they continue to broadly exist in all departments and agencies. Some public sector managers may be reluctant to accept audit recommendations that eliminate such controls, as they provide management with a sense of security against perceived risks.
Another driver of risk aversion is the perceived consequences of non-compliance with policies and related ‘rules’. There are several cases where departmental and government-wide procedural policies may be out of date or misinterpreted, particularly with regards to corporate service related functions such as travel and staffing. Rather than applying the spirit of a given policy, burdensome processes are often created to ensure compliance with rules, when the rules themselves may be unclear. An example of this is the varying degree to which departments and agencies have interpreted the 2013 Treasury Board Directive on Travel, Hospitality, Conference and Event Expenditures (the Directive).

The internal audit community is equally risk averse. Although identifying efficiencies is part of internal audit’s mandate, auditors may be reluctant to recommend eliminating excessive controls for fear that their removal may result in future control failures as well as potential impacts on their credibility. Traditionally, internal auditors have maintained the view that it is management’s responsibility to identify risk tolerance levels and establish control frameworks. As such, auditors often place a greater emphasis on examining the effectiveness of existing controls and the efficiency in administering them, rather than challenging the established risk tolerances or whether the controls should be maintained based on the current risk environment. This is often seen in audits that focus on procedural compliance, rather than questioning the existence, relevance, and value of the procedures themselves.
The pressure is mounting on the federal government to provide better public services with fewer resources. This transformation of the public service inherently conflicts with the current risk averse culture in our institutions. To continue to be viewed as a credible and relevant partner, internal audit must increase its focus on reducing costly bureaucratic processes, while still maintaining its credibility through the provision of assurance on relevant and efficient controls and processes.
The Internal Audit Branch (IAB) within Natural Resources Canada (NRCan) has begun its own transformation towards becoming an enabler of intelligent risk-taking, in pursuit of greater efficiencies and a reduction of bureaucratic processes. To achieve this transformation IAB has recruited internal auditors with the right experience, professional designations, and necessary leadership competencies to succeed. Furthermore, building strong relationships with senior management as trusted advisors and value-added partners has been critical in establishing ourselves as an effective agent of organizational change, including challenging management’s appetite for risk. The following are recent examples of when IAB questioned risk tolerances, resulting in the elimination of redundancies:

• Challenging the type of files regularly reviewed by a senior level committee, resulting in a significant reduction of files reviewed and a shift towards providing risk-based advice and decision making, rather than an informal ‘approval’ mechanism.
• Questioning mandatory training originally planned for all employees, resulting in targeted training of a number of employees based on their specialized responsibilities and job requirements.
• Reducing burdensome reporting and oversight processes for low-risk funding transfers to other federal government departments.

As IAB seeks to further increase its value to NRCan, we believe opportunities exist to play a significant role in the early stages of program development. This would enable IAB to leverage its knowledge and expertise to support senior management in the development of controls and processes at the onset of new initiatives. Such an approach could lead to leaner processes, a reduction in bureaucracy, and improved service delivery to Canadians.

It should be noted that in spite of its contribution towards intelligent risk-taking, NRCan’s audit function remains committed to providing assurance on the effectiveness of relevant controls and processes as part of its mandate. Audit recommendations to strengthen controls related to legislative and government policy requirements are essential to sound stewardship and are areas that will always benefit from assurance activities.

As part of assurance services; however, the value of providing recommendations that challenge risk tolerance levels and result in the elimination of redundant controls is equally important. Ultimately, this approach to the provision of audit services would allow senior management to view internal audit not just as an ‘assurance’ function, but as an effective mechanism to reduce and eliminate costly bureaucratic processes. As an enabler of intelligent risk-taking, internal audit is well positioned to support departments in achieving greater cost savings and efficiencies that Canadians expect from their government.

Ziad Shadid is Director of Audit Operations, Natural Resources Canada