Several factors are driving an increased interest in horizontal assurance in the public sector:
- Governments are increasingly realizing that effective service delivery to citizens often requires the involvement of multiple departments or agencies. Horizontal assurance initiatives can produce findings that are relevant to and supported by all the participating organizations.
- Technology has matured to the point where it is not cost-effective for a government to have multiple data centres, websites, email systems, and so on. But centralized systems serving numerous departmental clients within a government raise challenges of accountability – challenges that can be addressed with horizontal assurance initiatives.
- Some activities continue to occur in similar or identical ways in multiple departments – such as procurement, grants and contributions programs, or privacy protection. Or a single department might have multiple programs delivering similar services, such as funding agreements with private sector partners. Either situation provides an opportunity to conduct a horizontal audit, leverage audit resources and share the findings and lessons learned across all involved programs or departments.
With interest in horizontal assurance growing, the Government Internal Auditors Council of Canada (GIACC) placed the topic on the agenda for its 2016 Forum. GIACC brings together the heads of internal audit of Canada’s federal, provincial and territorial governments. This year’s Forum took place September 28-30, 2016 in Halifax.
GIACC invited the Chief Audit Executives (CAEs) of two federal government departments to share their experiences with the group. Provincial and territorial members of GIACC then joined the conversation.
Coordinated audits fill a gap
Yves Genest is the CAE for Shared Services Canada (SSC). He described how the Government of Canada is in the process of consolidating its email systems, data centre sites and wide area networks.
SSC was created in 2011 to lead this transformation. It shares responsibility for these IT systems with the users: SSC is responsible for the IT infrastructure, and its partners are responsible for information management.
Genest said SSC does its own internal audits, and its partners do their audits. However, he noted that separate audit opinions would not provide senior managers with adequate assurance, in particular in the case of IT security.
This problem is addressed in part by horizontal audits conducted by the federal Office of the Comptroller General (OCG), which is responsible for planning and coordinating horizontal assurance engagements across large and small federal departments.
For instance, the OCG carried out Phase 1 of a horizontal audit on Information Technology Security in departments in 2016, and intends to do two related horizontal audits over the next couple of years.
The Office of the Auditor General (OAG) of Canada is also active in this area. It conducted a performance audit of Information Technology Shared Services in 2015. Genest said SSC cooperates with the OAG activities pertaining to seven IT General Controls audits within partner organizations annually.
Despite this level of activity, SSC saw a need for additional assurance. One option would be to conduct horizontal audits on specific risks with one or more partners. “But the governance and management of these audits can be delicate and complicated,” Genest said.
And so, with its partners, it developed the concept of the horizontal or coordinated audit, to provide synchronized and harmonized findings to senior management teams. The parties develop the audit scope jointly, conduct their own audits, and then share the results – a simple solution, Genest said. Such audits are currently underway with several SSC partners.
The importance of details
Vincent DaLuz is the CAE of Employment and Social Development Canada (ESDC). He cited three reasons why horizontal auditing is important in the federal government:
- the “whole of government” approach that has increasingly characterized federal operations, as reflected in the creation of Shared Services Canada
- shared responsibility for the delivery of services
- the need for assurance along the entire service/process continuum.
DaLuz gave the example of the passport program to illustrate how his organization is working with other federal government departments. ESDC is one of three departments responsible for delivering the program, together with Global Affairs Canada and lead department Immigration, Refugees and Citizenship Canada.
“Auditing such services is a challenge,” DaLuz said. “The Westminster system of Ministerial responsibility requires that CAEs understand the respective accountabilities of each Minister and Deputy Minister leading to different perceptions of risk, or different tolerances for risk; internal processes can differ; even the speed at which each department completes an audit can vary.”
For the passport program, ESDC is a delivery agent for another department. Soon, the shoe may be on the other foot, as ESDC is in early discussions with some provincial and territorial ministries around delivery of certain services on behalf of ESDC. The aim would be to improve service to Canadians, but it would add yet another layer of complexity to the task of providing assurance to senior managers.
Memoranda of Understanding between organizations are helpful, DaLuz said, but they tend to be very high level. He said prior to the start of a horizontal audit, detailed issues need to be discussed thoroughly and clearly understood – issues such as audit criteria, tests, the process for clearing findings through multiple departments, etc.
Horizontal assurance initiatives at the provincial level
Following the presentations by Genest and DaLuz, members of GIACC talked about developments in their jurisdictions. Some are already actively engaged in horizontal assurance initiatives; others are providing tools to help managers control risks across government. For example:
- The Ontario Internal Audit Division (OIAD) within the Treasury Board Secretariat conducts horizontal or “enterprise-wide” audits in addition to ministry-specific audits. These horizontal audits have been a priority for over 10 years, and their value has resulted in the establishment of three dedicated enterprise-wide audit service teams: an operational audit service team, an information & information technology (I&IT) audit service team, and a financial assurance audit service team.
- One example of a recently completed enterprise-wide audit relates to in-year Treasury Board submissions. The audit found opportunities to improve assumptions, risk and performance measures related to the financial information provided throughout the process, which led to enhancements in approval/challenge processes and submission development.
- OIAD recently facilitated a cyber-security maturity assessment to identify opportunities for improvement, including a roadmap for enhanced security in the government.
- OIAD has also committed to sharing key themes relating to horizontal audits/approaches that may be beneficial for other public sector internal audit jurisdictions to leverage.
- OIAD is also exploring opportunities to partner with ministries on data analytics strategies.
- In British Columbia, the Province’s Internal Audit and Advisory Services (IAAS) is working with the Ministry of Education to conduct reviews of a sampling of school districts. IAAS is also engaged in reviews of several Crown Corporations.
- Newfoundland’s Professional Services and Internal Audit Division is developing a government-wide fraud management program, including a government-wide fraud policy, fraud awareness and education training, and a fraud risk assessment methodology. Its annual audit plan includes two detailed fraud risk assessments. The division has also developed a fraud risk self-assessment tool for departments.
- In Nova Scotia, the Internal Audit Centre reports to its Audit Committee on systemic and corporate issues. It has examined IT security in the government, and is currently conducting a detailed review of cybersecurity. Such initiatives as the development of a contract management framework and a grants management working group are also adding corporate value.
Because horizontal assurance leverages audit resources, drives efficiency of practice and increases organization-wide impact, public sector internal audit organizations are paying increased attention to the need for it. How they address that need depends on their individual circumstances. Some are developing and refining new techniques – such as coordinated or horizontal audits – to navigate complex accountability relationships. GIACC will visit the topic again and will continue to share themes, lessons learned and better practices among the public sector internal audit jurisdictions.
Ted Doane, FCPA, FCA, is the Executive Director, Internal Audit, for the Province of Nova Scotia and a member of GIACC.