Canadian Government Executive - Volume 23 - Issue 07

8 / Canadian Government Executive // October 2017 Vincent DaLuz Dean Shivji I nternal audit is increasingly being asked to focus on the essentials: (i) conducting engagements that add value and bring timely insights to se- nior management and audit committees; and (ii) helping their organization move forward with greater agility to address ar- eas of highest risk. Employment and Social Development Canada (ESDC) is the federal department responsible for developing, managing and delivering social programs and services. As part of its mandate, ESDC manages an- nual disbursements of over $120 billion to Canadians through social programs such as Employment Insurance, Canada Pension Plan and Old Age Security. In ad- dition, the Department is responsible for passport delivery and issuance of social insurance numbers. ESDC’s diverse, dynamic and expansive risk landscape prompted the internal au- dit function to access real-time risk intel- ligence, to re-think its audit universe, and to develop a process driving greater value and risk insights for the Department. The new departmental risk-based audit plan- ning initiative was launched in the fall of 2013. The objective of this initiative was Audit a Value-Added Risk-Based Audit Plan to create a risk-based audit plan that cor- responds strategically to the needs of the Department, through better identification of areas of high risk from a business per- spective. The initiative was a collaborative effort between ESDC’s internal audit func- tion and formerly, A Hundred Answers, a Canadian professional services firm pro- viding advisory, digital and technology so- lutions, and services. The key innovation was the creation of a depiction of the Department’s activities – an audit universe based on a business- architecture risk framework. Architecture-Driven Risk Framework Using this approach, cross-functional busi- ness lines are viewed in a holistic and comprehensive manner: individually, in groupings or laterally. This framework complements existing methods, tools and techniques employed by risk professionals, but is novel in its use of The Open Group Architecture Framework (TOGAF). TOGAF is a methodology recom- mended by the Treasury Board Secretar- iat of Canada, which provides an industry standard for business architecture, helping Leveraging Business Architecture and Business Intelligence to Create organizations align business objectives and business activities in a logical manner. Some Surprising Results Leveraging the business-architecture ap- proach to define its audit universe result- ed in a framework with implications and scenarios beyond those initially anticipat- ed by the internal audit function. In par- ticular, the framework provides a sound basis and foundation for enterprise risk management as it leverages the existing risk information and business intelligence across the Department. The framework also allows the internal audit function and management to share a common vision, vocabulary, and approach to risk identifi- cation with structured flexibility, adapt- ability and agility. Defining an audit universe on the basis of business architecture has also enabled focus on the value-delivery chain, as seen conceptually in Figure 1. This redefinition of the audit universe has led to having bet- ter risk coverage in areas of higher interest to senior management as well as of highest value to Canadians through greater rigour and objectivity in the evidence-based se- lection of engagements and, consequently,