The Changing Environment of Internal Audit

Notes for an address by Sheila Fraser, FCA, Auditor General of Canada, to the Institute of Internal Auditors, Ottawa, Ontario, 26 September 2006

---

Introduction

Good morning everyone. Thank you for your warm welcome.

The Institute of Internal Auditors plays an important role in leading, educating, and setting standards for internal auditors. We are fortunate to have a large and active chapter here in Ottawa that provides us with a forum to share ideas and information.

The environment of internal audit has changed substantially in recent years, in both the private and the public sectors. I'm pleased to have this opportunity to share my views on those changes, from my perspective as a legislative auditor. I would also like to talk about the relationship between my role as external auditor and the role that internal auditors play.

Before I discuss some recent changes in internal audit, let me briefly outline my role as the Auditor General of Canada. I will then speak in more detail about those changes and their implications for the internal audit community.

In particular, I'll talk about the federal government's new policy on internal audit. Also of interest to internal auditors in the public sector will be how the Federal Accountability Act could affect internal audit working papers and draft reports.

The role of the Auditor General

The Auditor General plays an important role in our democratic system of government. To me, this is not so much a job as a public trust.

Some people have called me a government watchdog, but that isn't really what I do. My role is to audit government operations and provide Parliament with the information it needs in its role of holding the government accountable for its stewardship of public funds.

As you know, there has been a sea change in public sector management. In an environment that has evolved toward managing for results, detailed spending information doesn't really tell managers—or parliamentarians and taxpayers, for that matter—what they need to know.

Today, managers are looking beyond activities and outputs to focus on actual results—the impacts and effects of their programs. Put another way, they focus on what has been actually accomplished with the public money spent.

As the federal government's auditor, we examine whether public programs are managed with due regard to economy, efficiency, and environmental impact, and whether there are measures in place to determine how effective the programs are.

With a staff of almost 600 people and an annual operating budget of more than 70 million dollars, we examine most areas of the federal government. This includes about 70 government departments and agencies, about 40 Crown corporations (such as CBC and VIA Rail), some 10 departmental corporations, and about 60 other entities. We also audit the Public Accounts of Canada, the government's summary financial statements—probably the largest audit in Canada.

Besides the federal government, we audit the governments of the three Canadian territories, about 30 territorial agencies, and two United Nations agencies.

Thanks to an expansion of my mandate in 2005, my Office now has access to federally created foundations in the course of our regular performance audit work. These foundations are non-government organizations, entrusted with large amounts of public money to fulfill significant public policy objectives of the government. Genome Canada and the Canadian Foundation for Innovation are two examples.

A foundation will be included in one of our reports for the first time later this week, when the Report of the Commissioner of the Environment and Sustainable Development is tabled in the House of Commons. The Commissioner, Johanne Gélinas, will report on the role that Sustainable Development Technology Canada plays in the federal government's approach to climate change.

As you know, the position of the Commissioner was created within the Office by Parliament in 1995 to assess the extent to which the federal government complies with environmental laws and meets its goals for sustainable development.

Our perspective on internal audit

My Office has spent a great deal of time and resources studying and assessing internal audit. We began with a study of best practices, which resulted in the 1992 publication, Internal Auditing in a Changing Management Culture.

Later, we recommended that departmental audit committees include external members to enhance their independence.

A few years ago, we examined the internal audit function in the federal government. We said it needed to be more independent from senior management in departments. We also said that the internal audit function needed to become more professional.

Today, in line with our emphasis on the value of leading by example, the chair of the audit committee who oversees our internal audit group comes from outside the Office and reports directly to me.

The changing environment of internal audit

Let me talk for a few minutes about the changing environment of internal audit.

In the private sector, two words speak volumes: Enron and WorldCom.

I don't need to tell you about the mismanagement, fraud, and abuse of trust associated with these two companies. They're legendary, even to people who aren't auditors. Small wonder that the downfall of Enron and WorldCom has fuelled the public's concern about the values and ethics of corporate officials.

But the private sector doesn't hold a monopoly on governance problems. There's no doubt that when governance falls short in the public sector, it can waste taxpayers' dollars. But there can be other consequences as well. Poor governance can put the health and safety of Canadians at risk, harm our natural environment, or even threaten national security.

Although they inhabit different worlds, internal auditors in both the private and the public sectors face many of the same challenges. They have a vital role to play in ensuring good governance.

Canadians—whether shareholders or taxpayers—want to be confident that their interests are protected. They want to see greater scrutiny and more vigilant oversight of institutions. They want to see values and ethics upheld more diligently by leaders.

Changing role of government

Let me talk about the changing role of the government and the implications for its internal auditors.

Over the past decade, the federal government has faced growing demands from taxpayers for better services. Increasingly, Canadians also call for government to improve its management. They expect government to focus more on results, responsible spending, and accountability.

In response to these challenges, government has been transforming itself. It has focussed more on managing risks and managing for results, improving financial management and control, and reporting more clearly on its performance.

In this context, federal departments need a strong internal audit function to manage resources more effectively, to make better decisions, and ultimately to help improve the effectiveness of the public service.

New Policy on Internal Audit

As part of its drive towards modern comptrollership, the government introduced a new Policy on Internal Audit in April this year that addresses many of the concerns we have raised in the past. The policy is designed to strengthen public sector accountability by providing for greater assurance from an independent internal audit committee.

This policy focuses on assurance, risk management, and the independence of internal audit from management. This is an important step in addressing some of the problems that arose in the federal government's sponsorship program.

As you may know, it was an internal audit that first sounded the alarm about the sponsorship program. Management, however, just wasn't listening and didn't take action.

In fact, many of the problems that have been the subject of our audit reports were first raised by internal auditors. Independent internal audit committees can put more pressure on management to take action on problems reported by internal auditors.

The new policy is an opportunity for a renewal of the internal audit function. It redefines the internal auditor's role in the stewardship of public funds. It calls for independent audit committees composed of members from outside the federal public service to oversee the internal audit function.

In turn, the audit committees will provide the deputy heads of departments with added independent assurance on risk management, control, and governance.

The independent audit committee will play an important role in strengthening accountability in government. It will assess the performance of internal and external auditors as well as the effectiveness of internal controls. It will also provide oversight of the risk management framework and control environment.

An internal audit committee independent of management will help restore public confidence in the government's financial management practices. It will be important to measure its effectiveness. Mr. Bruce Sloan, our Office's internal audit expert, will be speaking about this later.

Challenges for internal audit

I would now like to discuss some of the challenges associated with the new policy on internal audit.

One challenge will be to ensure that the policy is implemented effectively, and that departments have enough resources to meet the policy's requirements.

The independent audit committee will only be as effective as its members, who must deal with all the complexities of financial and program management. Committee members will have to be financially literate. As well as bringing a broad perspective to the work, they will need to acquire knowledge of the business lines of departments and agencies they are reviewing.

They must be independent and impartial and be seen as such by the organization. The challenge will be to attract and retain enough qualified people to meet the requirements of the policy.

If the independent audit committee is to play its role effectively, senior management will have to support it. This sends a message to the entire organization that the audit committee is important. Internal auditors will also play an important part in the success of the audit committee.

Furthermore, it will take persistence, ingenuity, and—above all—a strong commitment from management to meet the new demands placed on internal auditors. Whether it's improving financial management, strengthening internal controls, or meeting high standards of accountability, I'm confident that internal auditors will rise to the challenges ahead.

Success of the new policy

A number of factors will contribute to the success of the policy's objective, which is to strengthen the internal audit function.

An effective internal audit group needs people with a professional designation and a broad range of skills. It needs people with specialized knowledge of the business side of a department.

Departments need to identify the appropriate number of internal auditors and the mix of skills and experience needed to provide optimal audit coverage. They also need to know what training is needed to maintain these skills.

In the private sector, an internal audit group would spend most of its time doing assurance work. In the federal government, however, only a limited amount of time is spent on assurance to inform senior management about how well its risk management strategies and practices are working.

While other work may provide some useful information for senior management, providing assurance through audits is the core expectation of internal audit.

If it is not focussing on assurance, internal audit is not doing what it is supposed to do. Departments are not benefiting from systematic assessments of the management systems that are critical to program delivery.

And senior management is not receiving independent assurance that those systems are operating effectively and as they should.

How effective will the new Policy on Internal Audit be in strengthening governance? In future audits, we will look at how well this policy is being implemented.

Exemption of internal audit papers

As you may know, I reported in November 2004 that having internal audit papers accessible through the Access to Information Act compromises the ability of internal auditors to do their job.

It's important that the nature and content of internal audit reports are not affected by concerns about public disclosure.

As the government's external auditor, my audit papers have never been subject to requests under the Access to Information Act. This ensures that my ability to audit is not compromised.

Under the Federal Accountability Act, access to information requests will apply to the Office of the Auditor General for the first time. However, our audit working papers will still be exempt from disclosure.

What may interest you more is that the Act provides for a new, time-limited exemption of draft internal audit reports and related working papers.

While not as broad as the exemption for my Office, the internal audit exemptions will allow most draft internal audit reports to be protected, along with internal audit working papers.

A draft internal audit report and any related working papers will be exempt for 15 years. However, if a final audit report is not produced within two years after the start of an internal audit, the most recent draft report will be accessible.

I am pleased that the government has taken steps to protect internal audit working papers and draft reports. These changes will aid the work of internal auditors, as the entity being audited will be less reluctant to provide information that is critical to the audit.

This morning I've outlined some major changes on the internal audit landscape. Before closing, I would like to put these changes in a post-Enron and post-Gomery context.

Effective financial controls

In the private sector, the reaction to Enron and WorldCom was to create more rules. But more rules don't guarantee better governance. And the multiplication of rules doesn't add up to more effective financial controls.

In the federal public sector, the sponsorship program was not a matter of too few rules. It was an example of a profound lack of respect for existing rules and for sound management principles. When rules are broken, the solution is not more rules. It's making sure that the rules supporting good stewardship of public funds are applied consistently.

Internal controls need to be appropriate to the level of risk they are set up to manage. An appropriate balance between risk and control is key to efficiency.

Effective financial controls put federal departments and agencies in a better position to manage risks and exercise good stewardship over the resources entrusted to them.

In today's environment, it's crucial that financial information systems have effective controls in place and that decisions be based on information the government knows is accurate and complete.

Controls that are reliable are more likely than ineffective rules to contribute to efficient stewardship of public funds.

Conclusion

Ladies and gentlemen, the work of internal auditors has always been important. But today, with the dramatic changes around governance in both the private and public sectors, your work has a much higher profile. It's moved out of the back room to centre stage.

In the public sector, too, internal audits have received a lot of media attention. With this higher profile come higher expectations. In the private and public sectors alike, your stakeholders count on your professionalism and integrity to protect their interests. They want you to rise to the occasion. I know that you will.

Though the roles of internal auditors and external auditors are different, we all have the same interests at heart—achieving and maintaining good governance. Collaboration between internal and external auditors contributes to the quality and credibility of financial information.

We are all partners in serving the interests of Canadians. Without strong internal audit, accountability and transparency would be greatly compromised.

Thank you. I would be pleased to answer your questions.