What to do when the Auditor General knocks at your door

Notes for an address by Sheila Fraser, FCA, Auditor General of Canada, to the Public Policy Forum, 7 March 2006

---

Good morning everyone,

I'm very pleased to be here today. Thank you for inviting me.

Introduction

The topic of this session poses a question: "What do you do when the Auditor General comes knocking at your door?"

Well, as I see it, you have a few options. You could run and hide, or you could welcome us with open arms and embrace the opportunity to go through a valuable learning process. Human nature being what it is, chances are you'll probably do something in between...

I realize that nobody really looks forward to being audited, even my own Office. But it really doesn't have to be something that keeps you awake at nights...

I was delighted to learn that the Public Policy Forum was organizing this session as part of its workshop series on accountability and risk management in the federal system.

Why? Because the whole point of having an independent and non-partisan body conduct audits that follow professional standards and provide the results to Parliament is to promote better managed and more accountable government.

That's why the Office of Auditor General exists in this country. Independent auditing has an important role to play in every system of democratic and responsible government.

The fact is that governance is a risky business. Audits can help identify the areas of greatest risk, assess how well they are being managed, and provide suggestions for improvement. By doing so, we help promote open, transparent, and constantly improving government.

I recognize that there have been some high-profile audits in recent years that may have contributed to some degree of wariness among public servants about being involved in an audit.

There are, no doubt, a lot of questions out there about what happens during an audit and probably some misconceptions as well. I welcome the chance to demystify the process we follow in our performance audits and to try to allay any fears and misgivings you may have about being involved in them.

I hope to leave you today with the idea that by working together well and communicating effectively, those of you in departments and agencies can have a successful experience going through a performance audit and should emerge feeling that the process has been fair, constructive and useful.

I will try to be very practical and concrete in my remarks. I will try to be as brief as possible in order to allow as much time as possible at the end for your questions. I also look forward to hearing the views of the panel on their experiences.

First, I'll talk about what we audit and how we decide what to audit. The bulk of my remarks will focus on how we conduct a performance audit, what federal organizations can expect from us during the process, and what we expect from the organizations we audit.

I'll end with a brief word about what you can do in your everyday work to prepare for a successful audit experience.

What do we do?

To provide you with a bit of context, about half of our audit work involves performance audits and the rest is financial and other types of audits. Our financial audits include the government's summary financial statements and annual financial audits of Crown corporations.

Today, I will focus on performance audits. These are the audits that we report to Parliament several times a year to assist it in its decision-making and oversight role. Every year, my Office conducts some 30 performance audits a year in federal departments and agencies.

So let me define what I mean by a performance audit. The purpose of a performance audit is to assess how well government initiatives are being managed. Following professional standards, we examine government activities against established criteria, such as its own laws, policies, targets and best-practice benchmarks.

The Auditor General Act gives us the mandate to look at whether government programs and operations are being carried out with due regard for economy, efficiency, and environmental impact, and whether measures are in place to determine how effective they are.

The Act gives my Office considerable discretion to determine what areas of government to examine in our performance audits. We may decide to audit a single government program or activity (such as pesticide regulation), an area of responsibility that involves several departments or agencies (such as the protection of cultural heritage), or an issue that affects many departments (such as the security of information technology).

How do we decide what to audit?

Given the vast number of government activities, deciding what to audit is a complex and challenging exercise that requires sound knowledge of government and its functions.

The key point I want to stress here is that we take a strategic and risk-based approach to selecting topics for our performance audits, and we plan our program of audits several years in advance.

Contrary to what some members of the public think, we don't go through government departments with a fine-toothed comb, looking for signs of squandered money. Nor do we begin audits with an eye to confirming suspected flaws or weaknesses.

We go through a rigorous process called "one-pass planning" to determine the areas in which federal government organizations face the highest risk of not achieving their objectives.

We then determine if these can be audited. Some may be areas of policy, which we do not audit. We also don't audit areas under the exclusive jurisdiction of provincial or municipal governments.

We must also take into account such practical issues such as whether financial and human resources are available to conduct audits. Now you may wonder how we handle requests from parliamentarians to audit specific areas of interest.

As an Agent of Parliament, I do feel it is my role to pay particular attention to requests for audits from parliamentary committees, and we have agreed to conduct such audits in the past, such as the one of the Office of the Privacy Commissioner.

We do try to accommodate requests from committees, but the ultimate decision about what to audit rests with our Office. This is essential to preserving our independence and credibility.

How do we conduct an audit?

Let me give you a brief overview of the three main phases of a performance audit—they are planning, examination, and reporting. The whole process takes about 18 months, on average. Those of you who would like more detailed information on our methodology should visit our Web site, where you can find all our audit manuals.

The process begins with planning. In this phase, the audit team sets out to understand the organization being audited—to get "the big picture." We need to be fully versed in the applicable legislative authorities, the way the organization is structured to achieve its mandate, and the challenges it faces.

The audit team then identifies the areas to be audited. These are generally those that are most important to the proper functioning of the program. The team develops the criteria against which the audited activities can be assessed. Audit criteria are reasonable and attainable standards of performance against which compliance, adequacy of systems and practices, and the economy, efficiency and cost-effectiveness of operations can be assessed.

Sources for the criteria include laws and regulations, standards developed by the organization being audited, standards developed by recognized professional organizations, targets set in DPRs and RPPs, and prior work of the Office.

We make sure these criteria are clear and explicit to the organizations we audit. In fact, we take management's views into account about whether the criteria we are using are reasonable.

The second phase is the examination phase. Here, the audit team gathers evidence to allow it to determine if the program is operating according to the criteria established.

Evidence gathering can include holding interviews with program staff and stakeholders; reviewing documents such as legislation, studies and evaluations, and program files; testing key transactions, systems, and controls; and benchmarking.

The audit team then compares the evidence with its criteria. We make our conclusions against the criteria. The team ensures that any resulting observations and conclusions are fair and well founded and that recommendations could lead to improvements.

In the reporting phase, the audit team drafts the document that will eventually be included in my Report to the House of Commons. When we prepare reports to Parliament on performance audits, we aim to make the reports as clear and easy to understand as possible and answer key questions:

• What did the audit examine?
• Why is this important to Parliament and to Canadians?
• What would the audit team expect to find if everything were working properly?
• What did the audit find: What is working well? What needs improvement?
• What did the audit recommend to improve operations or performance?

Expectations of both sides during an audit

We strive to cultivate respectful and effective relationships with the organizations we audit. Good communication is absolutely vital to this and so is a clear understanding of each other's roles and how we will work together.

So let me move on now to discuss what organizations can expect from us throughout the audit process and what we expect as well.

We are committed to maintaining open, professional and ongoing communication with all federal organizations about current and future audits. This can take the form of periodic meetings, briefing sessions or written communication.

What is really important is that deputy heads are sufficiently briefed concerning planned and existing audit work. We've learned from experience that it's best for all concerned if deputy heads have early involvement in the audit process rather than come in at the end.

That's what happens before we begin an audit. Once we decide to conduct an audit, we will notify you formally by letter of our plan. This is critical for both those auditing and those being audited. Among other things, the notification letter will outline the audit subject, the purpose of the audit and our contact person.

The first thing you should do is identify an official as the first point of contact. We will try to arrange a meeting within a few weeks to discuss the audit.

From this point on, all arrangements for assistance and future communications are handled by the relevant liaison people on both sides. Sometimes our audit work cuts across a number of federal departments and agencies.

A recent example was our audit of horizontal initiatives, such as the Vancouver Agreement that Ardath Paxton Mann of Western Economic Diversification was involved in. In such cases, we will send letters of notification to both the central agencies affected and individual organizations included in the scope of the audit.

Before conducting detailed audit work, we will acquire an essential understanding of the audit subject and give management an opportunity to discuss the proposed audit plan. It is vital that organizations being audited ensure that all officials affected by the audit are sufficiently briefed before audit work begins.

To reinforce ongoing communication, contact persons on both sides should have the authority and responsibility to set up regular meetings throughout the audit, ensure that appropriate representatives attend, help resolve any problems or barriers, and co-ordinate entity comments regarding draft audit reports as they occur.

We will communicate regularly about the progress of the audit, changes to the audit plan, emerging findings, and any obstacles impeding our audit work. We will try to give you a realistic idea of how much time you will need to devote to the process.

As we complete our examination phase, we try to employ a 'clear as you go' policy about the accuracy, relevance and completeness of the audit evidence and facts we've acquired. This may require a series of meetings with your officials.

After the audit work has been completed and the facts have been checked for accuracy and completeness, the process of drafting the audit report begins.

Let me be clear here. We report on significant matters and we report what we find. That means if we find that organizations are doing well, we say that.

Our auditing standards require that we provide audit entities with an opportunity to review and comment on draft audit reports before they are issued.

Two audit draft reports are the key points in the review process: the initial draft—at about 20 weeks before tabling—and the final draft at about 9 weeks before tabling.

Before finalizing the first draft, we will seek management's views on the validity and completeness of audit evidence, audit observations, conclusions, and recommendations. We can't accept oral comments or unsigned e-mails as responses, and it may be necessary to meet to discuss your comments.

What we try to do during these meetings is gain a full understanding of your comments and any additional information.

After this, we consider the substance of the comments and revise the initial draft report as appropriate. When the final changes to this draft are complete, we submit a final draft to the Deputy Head to obtain final comments, planned corrective actions in response to our recommendations and a formal statement on any final areas of disagreement. The Deputy Head is expected to confirm in writing whether he or she agrees with the facts.

The Main Points set out at the beginning of the report are selected highlights designed to provide parliamentarians with a useful summary of the audit. They reflect what we say in the chapter. Your management does not approve them, but is welcome to provide comments about them.

On the day the Auditor General's report is tabled in Parliament, we distribute a news release about each chapter, which explains our main findings in easily understandable language.

As a courtesy, audited organizations are given an opportunity to view any news release that mentions them by name a few days before the report is tabled in the House of Commons. Audited organizations are also invited to send up to two observers to the Auditor General's news conference, which is held the day the report is tabled.

Keys to a successful audit

People sometimes ask how to prepare for an audit. Since audits assess government management, I guess the simple answer is to manage your programs and operations as well as you can.

Obviously, this means ensuring that you are in compliance with applicable laws, policies and regulations, since we can look at all those things.

It also means paying a great deal of attention to managing your risks effectively. Make sure your systems and controls are working properly and that your records are in good shape.

Management needs to have information to give to Parliament about its performance. So you need to know what you're trying to achieve and collect the right information in an accessible fashion to help judge whether you're achieving it.

There have been many cases in recent years where we have been surprised to find that departments do not collect the basic performance information that you would expect them to have.

There have been a few extreme cases in recent years where the documentation in files and on decisions made was so poor that we had to draw attention to it in our reports. We encourage you to be open with information and not defensive. We are committed to being fair and open to reason.

I hope you will not try to withhold information from us. That creates a climate of distrust. When we come up against instances where departments try to withhold information and we find "nasty" surprises, we have to wonder what else is being concealed.

On the positive side, we often see departments and agencies that are committed to improvement and demonstrate that commitment by taking action even while the audit is ongoing.

In such cases, we will reflect this as much as we can in our report.

Conclusion

In closing, I want to emphasize that we are committed to building and maintaining good working relationships with the organizations we audit at all stages of the audit process. And let me reiterate how important it is that your senior-most people are involved and thoroughly briefed on the audit as it goes along.

And tone at the top is vital here. Senior management needs to clearly communicate its commitment to cooperating fully with the auditors. Just as with any successful relationship, there needs to be openness, honesty, trust, and a willingness to understand the other's viewpoint.

We need to understand your context, but you need to understand that we have to report things as we see them, and that we are committed to doing so in a way that people will understand.

A successful audit experience requires a climate of mutual respect. Achieving that is quite realistic and we have seen many positive examples of it in the years we have been conducting performance audits.

I hope these remarks have helped clarify what to expect when the Auditor General comes knocking at your door, and has laid the groundwork for many more successful audit experiences.

Thank you. I would be happy to take your questions now.