Canadian Government Executive - Volume 23 - Issue 07

October 2017 // Canadian Government Executive / 9 Audit Consequently, the internal audit func- tion has better coverage of risk areas of importance to senior management; more rigour and objectivity in the identification of risk areas; and, thus, more value-added and timely insights (through a mix of au- dits and advisory engagements) for senior management and the audit committee. The Proof is in the Pudding The approach and methodology that led to the innovative business-architecture risk framework at ESDC has been reviewed by an independent third party and subjected to peer-review by other internal audit functions across departments. Both the independent and peer reviews concluded that the approach and methodology: • is defensible, as it is founded in recog- nized industry standards and frame- works, such as TOGAF, Committee of Sponsoring Organizations of the Tread- way Commission (COSO), Control Objec- tives for Information and Related Tech- nologies (COBIT), Generally Accepted Privacy Principles (GAPP), and Generally Accepted Accounting Principles (GAAP), among others; • is consistent with industry trends to- ward horizontal, integrated operational risk management to address evolving risk events in real-time; • leverages principles of structured flex- ibility and objective inheritance for adaptability to change and more com- prehensive views aligned to departmen- tal priorities and risks; • is data-driven, which is consistent with leading best practices; and • uses a standardized vocabulary and ap- proach, with the built-in ability to aggre- gate risk information. ESDC is recognized as a leader in the internal audit community across the providing more value-added and timely insights for senior management. In addi- tion, the business-architecture audit uni- verse is resilient to organizational change as it is organizationally neutral and covers all areas under ESDC’s mandate. To ensure a more strategic focus, the re- defined audit universe reflects how ESDC delivers value to individuals and organiza- tions, much like a supply chain. In addition to being consistent with best practices and industry standards, this approach allows for vertical, horizontal and matrix views of the Department’s universe that enables the examination of interdependencies across business lines as well as risks. The internal audit function is now better equipped to direct its limited resources to strategic en- gagements that impact multiple business lines, and address departmental risks in areas that have a greater cascading effect throughout the Department. The business-architecture approach to developing an audit universe for risk- based audit planning is driven by risk evi- dence and is assembled to allow for analy- sis of risks to, and across, business lines. Each business line is driven by key objec- tives, accompanied by associated risks; these business objectives and their cor- responding risks are confirmed through a validation exercise with management. The practice of using available risk information and business intelligence allows for man- agement to address risk areas identified by the internal audit function in real-time, nipping potential issues in the bud, thus possibly even eliminating the need for an audit. That’s value-added performance! In summary, adopting this leading prac- tice of business architecture has helped the internal audit function to better rely on an audit universe that is: • adaptable – comprised of defined inter- dependent business lines logically orga- nized to permit analysis in many dimen- sions - from the bottom-up or top-down, vertically or horizontally, by risk type or delivery model; • comprehensive – based on rigorous analysis of the legislative and regulatory mandate for the Department, resulting in over 150 identifiable auditable busi- ness lines; and • organizationally neutral and resilient to change – not dependent on who de- livers the business but rather how well the programs and services are being delivered. With this approach, the audit universe is not affected by ongoing orga- nizational change and restructuring. federal government. The internal audit group has also been sharing its best prac- tice with other departments and agen- cies through presentations and learning events organized by the Institute of In- ternal Auditors. Key Takeaways Leveraging a business-architecture ap- proach can drive a common vision, vo- cabulary and approach. It can also provide a holistic and comprehensive view of the business, and enable the effective usage of existing risk information and business intelligence across the organization. In addition to providing a basis for an adapt- able, comprehensive and change-resilient audit universe, this approach can deliver a sound foundation for enterprise risk management. Furthermore, it allows for a common ground approach between the internal audit function and management, offering structured flexibility, adaptability, and agility. Rethinking the audit universe can drive higher-value audit activities: de- fining an audit universe on the basis of business architecture can enable the in- ternal audit function to better focus on the organizational value-delivery chain, and more easily direct limited resources to strategic engagements, addressing objectives and risks in real-time with greater cascading effect throughout the organization. Establishing a framework to harness existing risk intelligence can promote greater rigour and objectivity. It is condu- cive to the collection, interpretation and continued leveraging of risk information and business intelligence (or “risk intel- ligence”), enabling more rigorous and ob- jective risk-based planning. The practice of using existing risk intelligence also al- lows management to address risk areas identified by the internal audit function in real-time, helping to maximize value-for- money in the context of limited internal audit resources. V incent D a L uz is a Chief Audit Execu- tive at Internal Audit Services Branch, Employment and Social Development Canada, Government of Canada and Senior Special Advisor for the Federal Government CAE Community, Govern- ment Internal Auditors Council of Canada. D ean S hivji is a Senior Advi- sor at Internal Audit Services Branch, Employment and Social Development Canada, Government of Canada Figure 1 – Value-Delivery Chain Concept Diagram