The role of internal audit in the public sector has changed over recent years. Internal audit jurisdictions in the public sector, as represented by the Government Internal Auditors Council of Canada (GIACC), have noted an ongoing shift towards more operational, risk-based and governance audits in addition to the traditional focus on processes and controls. Internal audit has always performed its work in order to support the Audit Committee (or equivalent) but now internal audit needs to become more embedded in governance committees that support key priorities across organizations. This presence allows internal audit to be more current, timely and relevant across organizations.
Good governance, in theory, is relatively straightforward to implement. In practice, however, it can be challenging. There are various reasons for this in the public sector, including:
- The availability and diversity of key skills and experience.
- The availability of timely risk and performance data.
- A clear understanding of roles and responsibilities as they relate to key governance activities, including differentiating between “managing” and “overseeing”.
- The existence of complex multi-year initiatives that span multiple divisions/departments with competing (and sometimes changing) priorities.
Given these challenges, internal audit can provide timely and valued assurance and advisory services to support good governance, as noted below.
Internal Audit’s Role in Assessing or Advising on Governance Committees
Many guides exist for assessing governance, such as those developed by the Governance Centre of Excellence and CPA Canada. Governance can pertain to varying levels of an organization, including the most senior levels, departments/divisions, specific projects, or specific initiatives such as system implementations. Good governance helps ensure that an organization has oversight of its objectives and stays on track to meet them, for example: whether a system or major initiative is on track to be implemented on time, within budget, and to specification.
In all of these areas, audit can play a valuable role by considering the following questions:
- Are the right people with the right skills charged with key governance responsibilities, including consideration of external advisors as appropriate? Opportunities here may include a skills survey and analysis against expected skills/experience to identify where there may be gaps within existing boards or committees.
- Are roles and responsibilities documented and clearly understood, including, for example, those related to key governance committees? Audit support in this area can range from assessments and interviews with key stakeholders to supporting the development of committee terms of reference and key roles and responsibilities matrices.
- Are plans and strategies clear and do they align with key objectives? Auditors can assess whether the right stakeholders have been involved in the development and approval of these plans; whether key milestones and risks are identified, regularly monitored by senior management/governance committees, and updated to reflect/communicate risks or a changing environment; and, whether the plan has been cascaded to the right levels of staff, etc.
- Is the right information (including both financial and non-financial) being reported to monitor progress against objectives and provide early warning signals of key risks to management and committees? Auditors can assess alignment of this information with stated plans and the extent to which the information is leveraged to support timely corrective action.
- Are lessons-learned exercises conducted following key initiatives to support governance over similar or comparable activities in the future? Audit can support the facilitation of such exercises, which helps to provide independent and sometimes more transparent dialogue.
Successful governance requires a culture where key stakeholders can have open discussions around risks and even failures. Embedding internal audit into various governance activities as an advisor can help ensure these open discussions are taking place.
Internal Audit’s Role in Enterprise Risk Management (ERM) as a Function of Good Governance
It is important to note that management owns risks as part of the first line of defence and that, as part of the second line of defence, risk management supports the first line in achieving its objectives by facilitating and monitoring an effective risk management system.
Internal audit can have a role in periodically assessing or monitoring an enterprise risk management function to provide assurance that risks are being managed effectively, that there is awareness of risk policies and procedures, and, as noted above, that there is a strong culture for reporting on risks and issues (third line of defence). Regardless of the role of internal audit, there need to be clear divisions of responsibility/safeguards between the ERM function and internal audit to avoid issues related to independence, or even confusion between audit risk and enterprise risk management.
There, of course, have to be links between the two functions. For example, internal audit should be risk-based; therefore, an understanding of enterprise risks an organization faces allows internal audit to assess how it can support an organization in meeting its objectives.
Internal audit can also consider how responsibilities for risk management are delegated to departments and divisions within an organization. The key here is ensuring that staff members throughout the organization are aware of how to monitor, assess and report/escalate risks, and ensure appropriate actions are taken, where necessary, at their level of the organization. Internal audit may wish to consider any training around risk management that staff members receive during induction or on a refresher basis.
Internal Audit’s Role in Governance over Major Projects/Initiatives
Public sector organizations seem to be undertaking more organizational change, including major capital and IT projects, than ever before. The speed of technological change and aging public infrastructure have placed unprecedented demands on resources. With this comes increased risk in relation to cost overruns or delays, often both.
One important, frequently asked question is: “Why do major projects have such significant challenges?” One way to answer that question is to consider it from a governance and risk perspective (i.e., risks not being adequately identified or effectively managed). Various articles and papers have been published on this topic, such as KPMG’s 2016 paper “Building on success; learning from failure,” which explores good practices to help board members and executive management deliver and oversee large projects [1]. In addition, a number of articles from Australia reference governance as a key reason why major projects fail. These include the Auditor General of New South Wales in the article “Why large public sector projects sometimes fail,” which highlights governance, project management and leadership as key pillars for any project [2].
This provides an exciting opportunity for internal audit to provide assurance that there is effective governance around how risks are being managed and overseen, and even to play a role in ensuring that the right risks are being effectively managed. While internal auditors may not be subject matter experts in the particular capital project or IT implementation, there could be an opportunity to be involved in facilitating risk assessment or assisting in documenting the risks. While internal audit, of course, needs to consider independence from management, the risk lens that internal audit can bring could be invaluable in helping ensure effective management of risks and truly adding value to the organization. Some of the considerations posed under how internal audit can support governance committees are equally relevant to the role internal audit can play in assessing governance over major projects. For example, are the right people involved from a governance perspective, and is relevant and timely information being reported on the progress of the project?
This presents a continued opportunity for internal audit to be at the forefront of an organization, providing assurance that risks are being managed effectively and major projects are on track for completion.
Internal auditors have many resources available to help them assess governance. These include a growing skill base around governance and support on which they can draw throughout GIACC and the IIA.
1. Building on success; learning from failure. kpmg.ca, 2016. Web.
2. Achterstraat, Peter. Why large public sector projects sometimes fail. Audit Office of New South Wales, 2013. Web.