12 / 32
12
/ Canadian Government Executive
// November 2016
Ted
Doane
Several factors are driving an increased
interest in horizontal assurance in the
public sector:
• Governments are increasingly realizing
that effective service delivery to citizens
often requires the involvement of multi-
ple departments or agencies. Horizontal
assurance initiatives can produce find-
ings that are relevant to and supported
by all the participating organizations.
• Technology has matured to the point
where it is not cost-effective for a gov-
ernment to have multiple data centres,
websites, email systems, and so on. But
centralized systems serving numerous
departmental clients within a govern-
ment raise challenges of accountability
– challenges that can be addressed with
horizontal assurance initiatives.
• Some activities continue to occur in
similar or identical ways in multiple
departments – such as procurement,
grants and contributions programs, or
privacy protection. Or a single depart-
ment might have multiple programs
delivering similar services, such as
funding agreements with private sec-
tor partners. It provides an opportunity
to conduct a horizontal audit, leverage
audit resources and share the findings
and lessons learned across all involved
programs or departments.
With interest in horizontal assurance grow-
ing, the Government Internal Auditors
Council of Canada (GIACC) placed the top-
ic on the agenda for its 2016 Forum. GIACC
brings together the heads of internal audit
of Canada’s federal, provincial and territo-
rial governments. This year’s Forum took
place on September 28-30, 2016 in Halifax.
GIACC invited the Chief Audit Execu-
tives (CAEs) of two federal government
departments to share their experiences
with the group. Provincial and territorial
members of GIACC then joined the con-
versation.
Coordinated audits fill a gap
Yves Genest is the CAE for Shared Ser-
vices Canada (SSC). He described how the
Government of Canada is in the process of
consolidating its email systems, data cen-
tre sites and wide area networks.
SSC was created in 2011 to lead this
transformation. It shares responsibility for
these IT systems with the users: SSC is re-
sponsible for the IT infrastructure, and its
partners are responsible for information
management.
Genest said SSC does its own internal
audits, and its partners do their audits.
However, he noted that separate audit
opinions would not provide senior man-
Internal Audit
HowHorizontal Assurance
is Evolving in
the Public Sector
agers with adequate assurance, in particu-
lar in the case of IT security.
This problem is addressed in part by
horizontal audits conducted by the federal
Office of the Comptroller General (OCG),
which is responsible for planning and co-
ordinating horizontal assurance engage-
ments across large and small federal de-
partments.
For instance, the OCG carried out Phase 1
of a horizontal audit on Information Tech-
nology Security in departments in 2016,
and intends to do two related horizontal
audits over the next couple of years.
The Office of the Auditor General (OAG)
of Canada is also active in this area. It con-
ducted a performance audit of Informa-
tion Technology Shared Services in 2015.
Genest said SSC cooperates with the OAG
activities pertaining to seven IT General
Controls audits within partner organiza-
tions annually.
Despite this level of activity, SSC saw a
need for additional assurance. One option
would be to conduct horizontal audits on
specific risks with one or more partners.
“But the governance and management of
these audits can be delicate and compli-
cated,” Genest said.
And so, with its partners, it developed
the concept of the horizontal or coordinat-
ed audit, to provide synchronized and har-
monized findings to senior management
teams. The parties develop the audit scope
jointly, conduct their own audits, and then
share the results – a simple solution, Gen-
est said. Such audits are currently under-
way with several SSC partners.