The internal audit function in the Canadian public sector finds itself at the intersection of two pressing priorities. We must replace retiring or departing auditors with new recruits, and prepare them to take on increasing levels of responsibility in the years ahead. At the same time, we must adapt and learn to apply powerful new technologies that hold the promise of increasing the role and value of internal audits in dramatic ways.
How we respond to these twin challenges today will naturally shape the future of internal auditing in the government for years to come. Clearly, there is no time to lose.
This was the consensus that emerged from our discussions at the annual Forum of the Government Internal Auditors Council of Canada (GIACC) this past September in Halifax, Nova Scotia. GIACC annually brings together the heads of internal audit from the federal, provincial and territorial governments to discuss the audit issues of the day. Participants included:
- Michael Ferguson, Auditor General of Canada
- Michael Pickup, Auditor General of Nova Scotia
- Jeff Conrad, Deputy Minister, Internal Services, Province of Nova Scotia
- Professor Luc Juillet, University of Ottawa
- Courtney Brown, Data Analytics Expert, PricewaterhouseCoopers (PwC)
We heard from Michael Ferguson, who suggested that the way to attract young people into the profession is to inspire them with a vision of what auditors can contribute to society. ‘Show them how they can change lives, how they can make our country better, how they can have an impact,’ he said.
The audit executives in attendance also agreed that new graduates can reinvigorate the workforce by bringing different skills to the table. However, they will likely lack business knowledge, so it will be crucial to have experienced employees mentor and coach them.
The issue of professionalization, and whether internal auditors should be required to hold a designation, also received significant air time.
Today, at the federal level, Chief Audit Executives are, for the most part, required to hold either a Certified Internal Auditor (CIA) designation or and professional accounting designation. As well, many departments require these designations for their entire internal audit staff.
Meanwhile, at the provincial and territorial levels, most internal auditors are currently required to hold an accounting designation. And those in the other jurisdictions are strongly encouraged to obtain one.
With this in mind, our discussion on designations led to a rich conversation around the difficulty of growing the community when certification is an entry-level prerequisite. Interestingly, many GIACC members indicated that they value the breadth of experience of a candidate just as much as their designations.
Overall, we agreed on a range of strategies to promote growth on our teams. They include:
- Hiring people mid-career from areas outside of audit to encourage cross-pollination of skills and perspectives
- Promoting a matrix environment in which auditors work on a variety of engagements and projects
- Strengthening in-house training and supporting ongoing professional development
- Encouraging auditors to spend more time with clients or to take on an assignment in other parts of the organization
The bottom line is that the internal audit shops of the future must be increasingly staffed by intellectually curious, tech-savvy auditors who bring to the table a healthy combination of academic excellence, professional designations, and diverse work experiences.
Using technology effectively
Clearly, internal audit groups are using software applications in their work more than ever. These technology tools have multiple uses. They can enable auditors to automate repetitive tasks, produce electronic working papers, drill down into data, identify trends and present findings in dynamic ways.
Data analytics, in particular, continues to be an area of high interest to the internal audit community. Not surprisingly, it proved to be another stimulating topic of discussion at the Forum. GIACC members agreed that the value of technology is best demonstrated to auditors and their clients when used in the areas of greatest risk to an organization.
There, it can be used to help plan the scope of an audit, to increase audit coverage, combine data from multiple sources, and identify outliers. It is especially powerful in the many ways it can be used to communicate information to clients.
However, introducing data analytics into internal audit operations is not a simple task. It requires planning, training and for subject matter and technical experts to work hand-in-hand to ensure data reliability and integrity, data consistency and data confidentiality.
Courtney Brown, a director in the Risk Assurance Services Practice with PwC, advised GIACC members not to venture into this area on their own. He suggested co-developing a strategy with IT specialists, data analysts and business owners. He also reminded forum participants that data analytics is not a back-office solution. It requires collaboration and ongoing communications with all parties involved if it is to succeed.
Richard Kennedy shared what his group observed on how data analytics could be used. In one instance, data analytics revealed that more than 16,000 Ontario secondary students had dropped out of school even though they were only a few credits short of graduating. The information that was gathered, in addition to other corroborative evidence, led to a highly successful campaign to specifically encourage these former students to return and complete credits and obtain their high school diploma. According to Kennedy, ‘data analytics opportunities are emerging from a data-driven systems environment, an increased emphasis on evidence-based decision-making and the availability of robust tools and expertise.’
Producing more useful and user-friendly audit products
One of the key benefits of data analytics software is that it allows users to produce sophisticated, eye-catching visuals to communicate with program managers and executives.
This was another area that generated thought-provoking discussions among GIACC members, and a number of useful strategies were put forward to enhance communications with clients. They include:
- Distilling audit reports down to a single page summary that highlights the reasons for the audit and the key findings.
- Avoiding bureaucratic language.
- Investing effort into visualization of audit results so executives can quickly focus on recommendations.
- Using a text box and bullets to outline key findings.
- Improving timeliness of reports so the recommendations can reach clients while interest is still high.
- Publishing case studies, best practices and management frameworks (e.g. for fraud detection, contracts and grants management) to maximize the impact of individual audits.
- Helping organizations design effective controls at the beginning of a process rather than recommending them after the fact.
- Introducing agile or ‘just-in-time’ auditing.
- Producing quarterly risk-based dashboards.
- Tracking recommendations and actions alongside success indicators
Forum participants recognized that many of these approaches break with the way internal audit has delivered services in the past, signaling that an important culture change is taking place across our profession.
While this necessarily means there will be a period of adjustment, the new direction in which we are evidently headed signals the need for a strong commitment to explore ways to improve approaches to serving clients and to enhancing the value we provide to government.
The future we discussed at the GIACC Forum is actually right on our doorstep, so we encourage the community to mobilize efforts to address these challenges without delay. At the end of the day, the one thing that we all know with certainty is that the first step is to continue to work together and share our knowledge and our progress.
Jennifer Robinson is A/Executive Director, Internal Audit Policy and Communities at the Office of the Comptroller General of Canada and Vice-Chair of GIACC.
