Canadian Government Executive - Volume 24 - Issue 05

14 / Canadian Government Executive // October/November 2018 risk policies and procedures, and as noted above, a strong culture for reporting on risks and issues (third line of defense). Re- gardless of the role of internal audit, there needs to be clear divisions of responsibil- ity/safeguards between the ERM function and internal audit to avoid issues related to independence, or even confusion be- tween audit risk and enterprise risk man- agement. There, of course, have to be links be- tween the two functions. For example, internal audit should be risk-based; there- fore, an understanding of enterprise risks an organization faces allows internal au- dit to assess how it can support an organi- zation in meeting its objectives. Internal audit can also consider how responsibilities for risk management are delegated to departments and divisions within an organization. The key here is en- suring that staff members throughout the organization are aware of how to monitor, assess and report/escalate risks, and en- sure appropriate actions are taken, where necessary, at their level of the organiza- tion. Internal audit may wish to consider any training around risk management that staff members receive during induction or on a refresher basis. Internal Audit’s Role in Governance over Major Projects/Initiatives Public Sector Organizations seem to be undertaking more organizational change, including major capital and IT projects, than ever before. The speed of technologi- cal change and aging public infrastruc- ture has seen unprecedented demands on resources. With this comes increased risk in relation to cost overruns or delays–of- ten both. One important, frequently asked ques- tion is: “Why do major projects have such significant challenges?” One way to an- swer that question is to consider it from governance and risk perspective (i.e., risks not being adequately identified or effec- tively managed). Various articles and pa- pers have been published on this topic, such as KPMG’s 2016 paper Building on success; learning from failure which ex- plores good practices to help board mem- bers and executive management deliver and oversee large projects. 1 In addition, a number of articles from Australia refer- ence governance as a key reason why ma- jor projects fail. These include the Auditor General of New South Wales in the article “Why large public sector projects some- times fail,” which highlights governance, project management and leadership as key pillars for any project. 2 This provides an exciting opportunity for internal audit to provide assurance that there is effective governance around how risks are being managed and over- seen, and even to play a role in ensuring that the right risks are being effectively managed. While internal auditors may not be subject matter experts in the par- ticular capital project or IT implementa- tion, there could be an opportunity to be involved in facilitating risk assessment or assisting in documenting the risks. While internal audit, of course, needs to consider independence from management, the risk lens that internal audit can bring could be invaluable in helping ensure effective management of risks and truly adding value to the organization. Some of the considerations posed under how internal audit can support governance committees are equally relevant to the role internal audit can play in assessing governance over major projects. For example, are the right people involved from a governance perspective, and is relevant and timely in- formation being reported on the progress of the project? This presents a continued opportunity for internal audit to be at the forefront of an organization, providing assurance that risks are being managed effectively and major projects are on track for completion. Internal auditors have many resources available to help them to assess gover- nance. This includes a growing skill base around governance and support on which they can draw throughout GIACC and the IIA. Referenses 1. Building on success; learning from failure, kpmg.ca , 2016. Web. 2. Achterstraat, Peter. Why large public sector projects sometimes fail; Audit Office of New South Wales, 2013. Web. S anjeev B atra is the Audit Director at Ontario Internal Audit Division. N ick R olfe is Partner at KPMG. Internal Audit Public Sector Organizations seem to be undertaking more organizational change, including major capital and IT projects, than ever before. The speed of technological change and aging public infrastructure has seen unprecedented demands on resources. With this comes increased risk in relation to cost overruns or delays–often both.