Canadian Government Executive - Volume 24 - Issue 05

October/November 2018 // Canadian Government Executive / 13 Internal Audit G ood governance, in theory, is relatively straightforward to implement. In practice, howev- er, it can be challenging. There are various reasons for this in the public sector, including: • The availability and diversity of key skills and experience. • The availability of timely risk and per- formance data. • A clear understanding of roles and responsibilities as they relate to key governance activities, including differ- entiating between “managing” and “over- seeing”. • The existence of complex multi-year initiatives that span multiple divisions/ departments with competing (and some- times changing) priorities. Given these challenges, internal audit can provide timely and valued assurance and advisory services to support good gover- nance, as noted below. Internal Audit’s Role in Assessing or Advising on Governance Committees Many guides exist for assessing gover- nance, such as those developed by the Governance Centre of Excellence and CPA Canada. Governance can pertain to vary- ing levels of an organization, including the most senior levels, departments/divisions, specific projects, or specific initiatives such as system implementations. Good gover- nance helps ensure that an organization has oversight of its objectives and stays on track to meet them, for example: whether a system or major initiative is on track to be implemented on time, within budget, and to specification. In all of these areas, audit can play a valuable role in considerations: • Are the right people with the right skills charged with key governance responsi- bilities, including consideration of ex- ternal advisors as appropriate? Opportu- nities here may include a skills survey and analysis against expected skills/ experience to identify where there may be gaps within existing boards or com- mittees. • Are roles and responsibilities docu- mented and clearly understood, includ- ing, for example, those related to key governance committees? Audit support in this area can range from assessments and interviews with key stakeholders and supporting the development of committee terms and references and key roles and responsibilities matrices. • Are plans and strategies clear and do they align with key objectives? Auditors can assess whether the right stakehold- ers have been involved in the devel- opment and approval of these plans; whether key milestones and risks are identified, regularly monitored by senior management/governance committees, and updated to reflect/communicate risks or a changing environment; and, whether the plan has been cascaded to the right levels of staff, etc. • Is the right information (including both financial and non-financial) being reported to monitor progress against objectives and provide early warning signals of key risks to management and committees? Auditors can assess align- ment of this information with stated plans and the extent to which the infor- mation is leveraged to support timely corrective action. • Are lessons-learned exercises conducted following key initiatives to support gov- ernance over similar or comparable ac- tivities in the future? Audit can support the facilitation of such exercises, which helps to provide independent and some- times more transparent dialogue. Successful governance requires a culture where key stakeholders can have open discussions around risks and even fail- ures. Embedding internal audit into vari- ous governance activities as an advisor can help ensure these open discussions are taking place. Internal Audit’s Role in Enterprise Risk Management (ERM) as a Function of Good Governance It is important to note that management owns risks as part of the first line of de- fense and that as part of the second line of defense, risk management supports the first line in the achievement of their objec- tives through facilitating and monitoring an effective risk management system. Internal audit can have a role in peri- odically assessing or monitoring an en- terprise risk management function to provide assurance that risks are being managed effectively, there is awareness of The role of internal audit in the public sector has changed over recent years. Internal au- dit jurisdictions in the public sector, as represented by the Government Internal Auditors Council of Canada (GIACC), have noted an ongoing shift towards more operational, risk-based and governance audits in addition to the traditional focus on processes and controls. Internal audit has always performed its work in order to support the Audit Committee (or equivalent) but now internal audit needs to become more embedded in governance committees that support key priorities across organizations. This presence allows internal audit to be more current, timely and relevant across organizations.