PACP Committee Report

INTRODUCTION

Internal audit is a professional appraisal function that looks at management systems, processes and practices. An effective internal audit activity can provide senior management with objective, independent assurance that an organization’s key financial and administrative activities, operational controls and management practices are working properly. Internal audits can suggest improvements to these activities, controls and practices. They can help senior managers exercise oversight and control, manage risk in an informed manner and give attention to areas that need improvement.

In 2004, the Office of the Auditor General of Canada (OAG) conducted a government-wide assessment of the federal government’s internal audit activities and found wide variations in the extent to which the internal audit activity in six departments met relevant standards and policies. In its 2011 Status Report, the OAG released a performance audit that examined the progress made by the government in acting on the observations and recommendations in the OAG’s 2004 report.^[1]

The House of Commons Standing Committee on Public Accounts (the Committee) has long recognized the contribution of internal audit to effective management practices. The Committee heard from a number of witnesses on October 26, 2011: from the OAG, John Wiersema, Interim Auditor General; Nancy Cheng, Assistant Auditor General; and Bruce Sloan, Principal; from the Treasury Board of Canada Secretariat Jim Ralston, Comptroller General of Canada, and Brian Aiken, Assistant Comptroller General, Internal Audit; from the Department of Foreign Affairs and International Trade, Yves Vaillancourt, Chief Audit Executive; from the Canadian International Development Agency, Jorge da Silva, Chief Audit Executive; from the Royal Canadian Mounted Police, Dennis Watters, Chief Audit Executive; and from the Department of Veterans Affairs, Don Love, Director General, Audit and Evaluation Division. A second hearing with these witnesses was held on November 16, 2011, with the exception that the Department of Foreign Affairs and International Trade was represented by Barbara Sliter, Director, Assurance.

POLICY ON INTERNAL AUDIT

To strengthen the government’s internal audit activity, the Treasury Board adopted a revised Policy on Internal Audit (the policy) in April 2006. This policy and its related guidance were updated in July 2009. The policy requires the creation of independent departmental audit committees for the 24 largest federal departments and agencies, and sets out specific responsibilities for internal audit activities, deputy heads, departmental audit committees and the Office of the Comptroller General of Canada (OCG).

The Comptroller General, Jim Ralston, told the Committee that the policy has made a significant contribution to internal audit in the government:

Thanks in large part to this policy, significant strides have been made in improving internal audit in the government. ... Five years after bringing in the policy, we did an evaluation of the implementation—and the results have been extremely positive. They demonstrate that the policy has helped to improve risk management, governance, internal control and the stewardship of resources in departments and agencies.^[2]

He noted that the success of the policy was due, in part, to a couple of key structural changes. He said, “Perhaps the most important structural feature that we put in place was ensuring that chief audit executives reported directly to deputy ministers.”^[3] He later commented that “Another important structural element was requiring that departmental audit committees be put in place and that the committees have a majority of members who come from outside the public service.”^[4]

AUDIT FINDINGS

Overall, the OAG concluded that the government had made satisfactory progress in addressing the recommendations from its previous audit on internal audit. In fact, the Interim Auditor General, John Wiersema, said that the audit was a success story, stating that “I'm very pleased to say that the government has significantly strengthened its internal audit capacity since we last reported on this issue in 2004.”^[5] He also said:

The government ... has made a significant investment in strengthening its internal audit capacity. In my opinion, it's important that the government maintain that investment. We would encourage government not to repeat past decisions to reduce funding for internal audit in an attempt to save money. Internal audit is an important management tool, particularly in times of fiscal restraint.^[6]

The OAG had specific findings on departmental audit committees, internal audit activities and the role of the OCG.

A.           DEPARTMENTAL AUDIT COMMITTEES

The policy requires the 24 largest federal departments, representing 95% of the Government of Canada’s total assets, liabilities, revenues and expenses, to establish independent audit committees. These committees offer objective advice and recommendations to the deputy head on whether the department’s risk management, control and governance frameworks and processes are working well. Prior to the adoption of revisions to the policy, audit committees tended to be members of senior management, and thus were not independent.

The OAG’s follow-up audit found that the 24 largest departments had established departmental audit committees. In each case, the appointed members were independent of the federal public administration, at least one member had financial expertise, and the committees had created and adopted charters that set out their responsibilities. The majority of committee members had taken part in training provided by the OCG.

The departmental audit committees were in varying stages of development, but all had created work schedules that would allow them to address all areas of their mandate each year. Internal auditors and senior management told the OAG that the creation of independent audit committees had strengthened the independence of departments’ internal audit activities.

The Interim Auditor General told the Committee that he supported the creation of independent audit committees, indicating that “I believe that this initiative is a good one. It's taken hold in the Government of Canada, and I think that this committee and government can expect to see the benefits of time. I agree it's too early to declare a victory, but I think the initiative is well under way.”^[7]

B.           INTERNAL AUDIT ACTIVITIES

The OAG examined the internal audit activity of 12 of the 24 largest departments. The follow-up audit found that, in each case, the head of the internal audit activity reported directly to the departmental deputy head and had developed a risk-based audit plan. The OAG noted that some internal audit activities had developed good practices to report on their findings, while others had a reporting style that made it difficult to understand the level of seriousness of audit observations.

The audit found that only 3 of the 12 departments had completed a quality assessment review of their internal audit activity. The OAG concluded that quality assurance and improvement programs for the internal audit activities needed to be improved. It recommended that departments that have not had an external quality assessment should have one conducted, as required under the policy.

The Comptroller General described the importance of these reviews, stating:

We do ask, in the policy, that internal audit shops subject themselves to a review by the Institute of Internal Auditors to verify their compliance with standards. It's a way of assuring me, or assuring the audit committees, that what the internal auditors are saying about their own performance and conformity to standards is in fact a reliable statement on their part.^[8]

He also outlined the progress that has been made in conducting these reviews:

Basically by the end of next year, we would expect to have the bulk of the large departments covered, if not all of them, and would be into the second tier. I just want to point out that the reason for the delay was that the expectation was that there would be an inspection about once every five years, and it just so happened that the policy came into force in 2006, so some people were ahead of the curve and were already having inspections. Many were not late, but the inspections were just coming in due course and we're now seeing them fall into place.^[9]

The Interim Auditor General suggested that “One area of interest for the committee might well be whether those departments are on track to meet those timelines for getting the external reviews done.”^[10] The Committee agrees, and notes that the departmental responses to the OAG’s recommendation provided a range of dates for the completion of their reviews, from fall 2011 to the 2013-2014 fiscal year. The Committee recommends:

RECOMMENDATION 1

That, upon completion, the Treasury Board of Canada Secretariat, the Canada Border Services Agency, Canadian Heritage, Correctional Services Canada, the Department of Finance Canada, Human Resources and Skills Development Canada, Industry Canada and the Department of Justice Canada provide the Public Accounts Committee with the results of the external quality assessment of their internal audit activity.

The OAG also carried out a detailed quality assessment of six departmental internal audit activities. The audit found that five of the six departments generally conformed to the policy and the Institute of Internal Auditor’s International Standards for the Professional Practice of Internal Auditing. One organization, the Royal Canadian Mounted Police (RCMP), partially conformed to the policy and standards. The Chief Audit Executive for the RCMP, Dennis Watters, described the actions being taken to bring the RCMP’s internal audit activity to a rating of “generally conforms”:

We have now completed a comprehensive review of our quality assurance and improvement program, which includes all internal audit policies, procedures, and practices. We have initiated a process whereby all ongoing audits will be subject to an internal quality assurance review at the end of each phase of the audit, whether it's planning, conducting, or reporting. We are planning for another external quality assurance assessment within the next 18 to 24 months. I am committed to returning the RCMP internal audit function to a “generally conforms” rating. We have the full support of our departmental audit committee and the senior management of the RCMP.^[11]

The Committee notes that the RCMP is working to address this issue. As the Committee would like to monitor the RCMP’s progress, it recommends:

RECOMMENDATION 2

That the Royal Canadian Mounted Police inform the Public Accounts Committee when it achieves a rating of “generally conforms” to the Policy on Internal Audit and the Institute of Internal Auditor’s International Standards for the Professional Practice of Internal Auditing.

C.         THE ROLE OF THE OFFICE OF THE COMPTROLLER GENERAL OF CANADA

Under the policy, the OCG is required to provide strategic direction, leadership, advice and assistance on issues related to internal audit. It also monitors how relevant policies are being implemented, and conducts horizontal and sectoral audits in large and small departments.

The OAG noted, in its follow-up audit, that the OCG had developed a number of tools and guidance for internal audit activities, given strategic direction to the audit community, developed a human resource strategy to enhance the professionalism of internal audit activities, sponsored regular conferences and internal audit forums, and designed a maturity model to identify current internal audit capacity and to serve as a roadmap for further development.

The OCG primarily used the Management Accountability Framework to monitor the implementation of the policy. It also developed a government-wide, risk-based audit plan to conduct horizontal audits of large departments and identify areas of risk in small departments.

The Comptroller General described his office’s activities, stating, “I'd point out that we've produced a lot of guidance tools for auditors in the form of guides and directives and things of that nature. We are also active in supporting the community through training events to keep them up to date. We try to make sure there's a strong network among the auditors so they can exchange ideas and best practices.”^[12]

The Committee trusts that the OCG will continue to provide strong direction and leadership to the internal audit community, as well as monitor the progress made by departments in developing their internal audit activity.

CONCLUSION

The Committee notes that the government has made a number of improvements to its internal audit activity since the Policy on Internal Audit was revised in 2006. The Comptroller General summarized the progress that has been made over the past five years:

With regard to the most significant changes in internal audit, first of all I would say that the chief audit executives are now members of the executive committee. They're directly reporting to deputy heads. It gives them access and status that causes their work to command greater respect. We've made steps to enhance their independence in the same way by relieving them of any connection to the activities they might be called upon to audit. That independence is reinforced by the audit committees that are now present, the external members of the audit committees. In the emphasis that we now place on adherence to audit standards the Government of Canada’s audit standards are based on the standards of the Institute of Internal Auditors. Finally, we are actively promoting training and certification, basically the professionalization of the function. Frankly, with better people we yield better products.^[13]

The Interim Auditor General described the value provided by an improved internal activity, indicating that “The improvements in internal audit have absolutely contributed to better accountability in government. I believe that deputy ministers are now well served, for the most part, where there are internal audit functions, and they are also well served by their departmental audit committees.”^[14]

In its follow-up audit, the OAG concluded that the government had made satisfactory progress in response to recommendations it made in 2004. The Interim Auditor General called the audit a “good news story.” The Committee recognizes the work done by the OCG to provide leadership and direction to departments on internal audit, and the improvements that departments have made in their internal audit activities. These improvements should contribute to stronger governance as well as management oversight of financial and administrative practices within the federal government.

The Committee also recognizes that the government will face challenges in maintaining its progress and that there are areas for improvement. The Comptroller General told the Committee:

First of all, it's a professional function, so just the maintenance of a population of auditors who are qualified and up to date and certified is an ongoing challenge. Recruitment, development, and encouraging the certification of new auditors will be an ongoing activity. Similarly, the ongoing verification that standards are being followed will always be required. Some of the areas we see for improvements are things that would improve the actual efficiency of the audit. We've been exploring things like better use of electronic tools for documenting audits, keeping records of the evidence we use, and better use of computerized analytic tools to make auditors more efficient. We're looking at ways we might gain efficiencies through the reporting process.^[15]

The Interim Auditor General added, “So I believe that one of the challenges will be maintaining the momentum that has been established in internal audit, that we do not repeat decisions of the past to look for easy opportunities for short-term savings but weaken what I consider to be an important management tool.”^[16]

The Committee encourages the government to continue to strengthen internal audit and to maintain the improvements that have been made to this important function.

^[1] Auditor General of Canada, 2011 Status Report, Chapter 3, “Internal Audit” (Ottawa, 2011).

^[2] House of Commons, Standing Committee on Public Accounts, Evidence, 1^st Session, 41^st Parliament, October 26, 2011,  Meeting 10, 1540.

^[3] Meeting 10, 1605.

^[4] Meeting 10, 1610.

^[5] Meeting 10, 1535.

^[6] Ibid.

^[7] House of Commons, Standing Committee on Public Accounts, Evidence, 1^st Session, 41^st Parliament, November 16, 2011, Meeting 14, 1550.

^[8] Meeting 10, 1600.

^[9] Meeting 14, 1545.

^[10] Ibid.

^[11] Meeting 10, 1545.

^[12] Meeting 14, 1555.

^[13] Meeting 14, 1540.

^[14] Meeting 10, 1555.

^[15] Meeting 10, 1600.

^[16] Meeting 10, 1550.