PACP Committee Report

OBSERVATIONS AND RECOMMENDATIONS

The practical wisdom of having a robust internal audit regime can be demonstrated by examples that show what can happen when the function is weak or when senior managers fail to make full use of it.

In 2000, the Auditor General reported the results of an audit of grant and contribution programs managed by Human Resources Development Canada. The then-Auditor General, Denis Desautels, wrote that the audit by his office had found “breaches of authority, payments made improperly, very limited monitoring of finances and activities, and approvals not based on established processes.” ^[5]

A reduced emphasis on control measures in the name of improved client services and consequent reductions to the Department’s internal audit function were among the leading factors in the Department’s mismanagement of its grant and contribution programs. Senior management compounded this failure of judgement by paying scant attention to the concerns raised by the remaining internal auditors about the weak controls surrounding grant and contributions programs. As a result, the Department lost track of a significant portion of its grants and contributions, provoking a crisis that was costly to resolve and injurious to the Department, its employees, and many of its “clients.”

In a more recent example, the Committee learned through its review of the Sponsorship Program, that the findings of initial audits regarding the unit inside Public Works and Government Services Canada (PWGSC) responsible for the Program were not met with a rigorous response by the Department.

The Committee was concerned that PWGSC paid no particular attention to a 1996 internal audit review and that a final report of an external audit commissioned from Ernst and Young was altered in response to pressure from the Department to show that no particular problems had been found. Both internal audit and external audit professionals must stand by the results of their work and report what they have found.

In both of these examples, the fault lay not in the policy framework for internal audit, but in its application. And the source of the failure was also the same in both instances: lack of full management appreciation of and support for internal audit as a means of keeping their departments on track and accountable.

Sadly, the results of the Auditor General’s latest audit of the status of internal audit in the government have borne out the Committee’s concerns. Speaking four years after the revised Policy on Internal Audit came into force, Mrs. Fraser testified that internal audit remains a “function of government that is too often overlooked and undervalued” and that problems her office had reported on a decade ago — lack of support from senior management, difficulties in attracting and retaining qualified staff, a limited number of assurance audits conducted — remain unresolved. Indeed, the Auditor General’s 2005 findings are eerily similar to those expressed in a paragraph in the 1993 report that was cited during the Committee’s hearing:

Thirty years of effort to establish effective internal auditing have not resulted in a uniformly high standard of internal audit throughout the government. All the major stakeholders — central agencies, departmental management and departmental internal audit units — need to change their views on internal audit and to look for more innovative and effective ways of using the resources associated with it before the full benefits of internal auditing can be realized ^[6].

It being now 2005, the effort to establish effective internal auditing has lasted for approximately 42 years without producing the hoped for results. When all factors are considered — the time that has elapsed and money spent since commitments were first made to implement an effective internal audit function across government, the obvious benefits it offers to senior management, continual pressure from the Auditor General and this committee, and the many examples of what can go wrong when the function is weak or absent — it is both confounding and deeply frustrating that the government still does not have an internal audit function that operates with sufficient resources, whose practices are consistent, that meets all professional standards, and whose work is used to its fullest potential.

There are some signs, however, that after so many years of effort, the government may be moving in the right direction when it comes to internal audit.

On 18 November 2004 in advance of the tabling of the Auditor General’s Report, the President of Treasury Board announced a multi-year effort under the leadership of the Comptroller General to strengthen internal audit. Under this initiative, the Comptroller General will assume responsibility for reorganizing, supporting, and strengthening the internal audit function across government. As part of this effort, the Comptroller General will preside over a revision of the Internal Audit Policy that will address some of the recommendations made by the Auditor General including a requirement that departments name an independent, properly qualified, member to their internal audit committees.

The Comptroller General has been given a number of new tools to help achieve the goals of this initiative. He has been assigned an expanded role in staffing that includes certification of chief audit executives and their senior audit staff. The Comptroller General will also now have the responsibility (shared with deputy ministers) for appointing and removing the heads of departmental audit units. Heads of departmental internal audit units will still have a direct reporting relationship with deputy ministers (to be made obligatory in the revised Policy) but this accountability will be accompanied by a functional reporting relationship with the Comptroller General. This, along with a heightened role for the Comptroller General in training and certification, it is hoped, will help address the lack of consistency in the way that the Policy is applied and internal audit practiced across government.

The Office of the Comptroller General will also now assume the responsibility for internal audit in approximately 63 small agencies and departments that lack internal audit capacity of their own — as recommended by both this committee and the Auditor General.

As part of the revised Policy, departments will be required to place an independent person from outside government — who knows what internal audit is and can accomplish — on their audit committees. It is hoped that this change will create more independent audit committees and lessen the possibility that senior managers might pressure audit committees to sidestep audit in sensitive areas or modify internal audit reports to avoid controversy.

All of these measures represent welcome improvement at the level of policy and open the door to better, more effective, internal audit. And it is noteworthy that Treasury Board Secretariat has said that it will act favourably in response to the Auditor General’s recommendation that it monitor progress toward meeting the objectives of the Policy and reporting the results to Parliament.

However, the Committee retains a major concern. It has witnessed a series of policy adjustments, each an improvement over its predecessor. And it has heard statements of good intent combined with optimistic forecasts of success. As noted above, good policy and good intentions have so far failed to deliver a satisfactory outcome. It is essential therefore that Parliament be able to subject the implementation of the revised Policy to close scrutiny and hold to account those responsible should the initiative begin to lose momentum. Accordingly, the Committee recommends:

RECOMMENDATION 1

That Treasury Board Secretariat submit a detailed plan, that includes timelines, to the Standing Committee on Public Accounts that shows how and when it will produce a revised Policy on Internal Audit. The revised Policy must contain a specific clause prohibiting revisions to final internal audit reports, or reports commissioned from outside auditors, that result in changes to audit opinions.

RECOMMENDATION 2

That Treasury Board Secretariat set benchmarks for the implementation of the revised Policy on Internal Audit, monitor departmental progress against these benchmarks, take corrective action in the event of slippage, and report the results to Parliament in its annual departmental performance report beginning with the report for the period ending 31 March of the year following the coming into force of the revised Policy on Internal Audit.

The Committee notes that the Auditor General intends to conduct a follow up audit within one to two years to assess how her recommendations — which this committee fully endorses and the Treasury Board Secretariat has accepted — have been implemented. While the Committee assumes this audit will have a broad focus, it recommends for the purpose of certainty:

RECOMMENDATION 3

That when the Office of the Auditor General conducts a follow-up audit focused on the implementation of recommendations contained in Chapter 1 of the Report of the Auditor General to the House of Commons, November 2004, implementation of the revised Policy on Internal Audit and the changes related to internal audit announced by the President of Treasury Board on 18 November 2004 must also be taken into account.

The failure of internal audit to live up to its potential can, in part, be explained by an absence of leadership. The government has attempted to rectify this shortcoming through the re-establishment of the position of Comptroller General and the endowment of that position with enhanced authorities with regard to internal audit throughout government. Yet prior to these developments, Treasury Board Secretariat with its Centre for Excellence in Internal Auditing had coordinating and leadership responsibilities specified under the Policy that were not fulfilled as desired, as demonstrated by this recent audit. Thus there is no guarantee that simply shifting responsibilities to the newly restored Comptroller General will result in an improvement.

In her report, the Auditor General noted that Treasury Board Secretariat had not established and funded a strategy that would “enable it to meet the requirements of the Policy on internal audit and the expectations of the internal audit community.” (1.3) In other words, the uneven implementation of the Policy was due not only to the absence of leadership, but as well to the lack of any plan setting forth how that leadership would be exercised. In the Committee’s view, policy revisions and good intentions will continue to deliver disappointing results without the appropriate strategy. The Committee therefore recommends:

RECOMMENDATION 4

That the Office of the Comptroller General develop a strategy that details how it will meet the requirements of the revised Policy on Internal Audit and how it will ensure that internal audits are conducted on a regular basis, and table that strategy with the Standing Committee on Public Accounts no later than 30 days following the coming into force of the revised Policy on Internal Audit.

In 1997, the Independent Review Panel on Modernization of Comptrollership in the Government of Canada reported that:

The two fundamental ingredients for effective internal audit are having the right standards and the right people who have the capacity to meet the standards ^[7].

Yet, in the years that preceded the Review Panel’s work, the government was reducing funding and there was no formal linkage between internal audit policies and existing professional standards. Now, some of this funding has been restored, positions for internal auditors are being opened up and a search has begun for qualified individuals to fill them, and the goal of greater consistency in the management of internal audit’s human resources has been advanced by giving the Comptroller General an enhanced role in this area. Also, the Policy on Internal Audit now incorporates specific references to existing professional standards for internal audits and auditors.

A number of gaps, however, remain. Principal among them is the lack of a classification system tailored to the needs of internal audit and capable of acknowledging and rewarding talent and performance. As Mr. St-Jean admitted, government is “having difficulty creating an environment in which our people see that they are valued and can really develop,” and problems with classification have “made the internal audit profession less desirable to join.” Given the private sector demand for internal auditors, the Committee believes that this issue needs to be resolved if government is to attract and retain qualified internal auditors. The Committee therefore recommends:

RECOMMENDATION 5

That Treasury Board Secretariat create, on a priority basis, a new classification system for internal auditors that recognizes and rewards the unique skills they offer and make that system operational to coincide with the implementation of the revised Policy on Internal Audit.

The Committee also maintains a concern regarding the adequacy of funding devoted to internal audit at both the central agency (Office of the Comptroller General) and departmental levels.

At the central level, the Committee notes that in the Main Estimates for 2005 06, the Comptrollership activity at Treasury Board Secretariat is authorized to spend up to $27.9 million, a considerable increase over the $12.4 million that was allocated in the previous fiscal year. At the departmental level, the funding specifically allocated for internal audit in departmental estimates is not separated from operating expenditures and is not available as a distinct sum.

Because it is crucial that internal audit be supported by adequate funding, the Committee recommends:

RECOMMENDATION 6

That either in its Main Estimates or in its annual report on plans and priorities, Treasury Board Secretariat include information on the funding to be allocated to the Office of Comptroller General for the specific purposes of meeting its obligations under the Policy on Internal Audit. This reporting should commence in fiscal year 2006-07.

RECOMMENDATION 7

That each department and agency of government with an internal audit function include information on the funding to be devoted to function in either its Main Estimates or in its annual report on plans and priorities. This reporting should commence in fiscal year 2006-07.

One of the changes that was made to the Policy on Internal Audit in 2001 involved the inclusion of a requirement obliging departments and agencies to post completed internal audit reports on their websites. Seen by many as a positive development, this disclosure provoked concerns about potential access to internal audit working papers, draft reports, and other documents, principally in relation to access to information laws and policies.

In its final report, dated 12 June 2002, the Access to Information Review Task Force appointed by the government took into account the concerns of the internal audit community and recommended in its recommendation number 4.24:

that Section 22 of the [Access to Information] Act be amended to give the head of government institution discretion to refuse to disclose draft internal audit reports and related audit working papers until the earliest of:

• the date the report is completed;
• six months after work on the audit has ceased; or
• two years following commencement of the internal audit. ^[8]

The government has not yet responded to the recommendations of the Task Force. In the interim, the Committee firmly believes that it is vital that the working papers, draft reports, and other documents used by internal audit be protected against premature release and therefore recommends:

RECOMMENDATION 8

That the Government of Canada table an amendment to the Access to Information Act as called for by the Access to Information Review Task Force in its recommendation 4.24, at the earliest possible opportunity.

An important goal sought by both the Auditor General and the Committee involves enhancing the independence of internal audit units. Indeed, most definitions of internal audit include a reference to its independence from management as a key defining characteristic. It is for that reason that the Auditor General has called for the mandatory inclusion of at least one member on departmental internal audit committees who is outside government.

For several years now, the Committee has contended that full and meaningful independence of internal auditors cannot be achieved until internal audit units in departments are brought under the full authority of an outside entity located in Treasury Board Secretariat.

Both the Auditor General and the Comptroller General argued against making such a change. They asserted that deputy ministers need to be directly involved in setting the internal audit agenda and in obtaining its results. This, in their view, will ensure that internal audit is directed to where it is most needed, that its efforts are linked to the achievement of departmental strategic objectives, and that its recommendations will be implemented. For its part, the Committee has seen no empirical evidence to suggest that these objectives are currently being satisfied. Indeed, evidence from the Committee’s review of the Sponsorship Program clearly shows that the current arrangement leaves internal audit vulnerable to undesirable direction from senior management in departments and agencies.

Creating greater independence on internal audit committees that oversee the work of internal audit units is a good step. But, the Committee fears that it is not sufficient.

In an interview reproduced by the Canadian Comprehensive Auditing Foundation (now known as CCAF-FCVI), Mr. Nick Shandro, Chief Internal Auditor of Alberta, observed that the independence of the internal audit function could be adversely influenced when those who control the budget and the audit plan are also senior managers of areas subject to internal audit ^[9]. Mr. Shandro’s concerns mirror those held by this committee.

Mr. Shandro suggested that one option available to strengthen the independence of internal auditors in government would be for chief internal auditors to report to a higher level than a deputy minister or senior departmental auditor. He indicated that most chief internal auditors in provincial and territorial governments now report to the provincial or territorial Comptroller and that their units reside within the Comptroller’s organization.

From the Committee’s perspective, a direct reporting relationship between the heads of internal audit units in departments and the Comptroller General would in no way impair the ability of deputy ministers to have input in setting audit agendas, receiving the results, and acting on recommendations.

Furthermore, it is noteworthy that under the current arrangement deputy ministers have the discretion to establish the levels of funding allocated to internal audit units yet, as the Auditor General has repeatedly pointed out, one of the seemingly intractable problems surrounding internal audit is the lack of appreciation or support given it by deputy ministers. Under such circumstances, the Committee finds it difficult to accept assurances that the function is properly funded.

Accordingly the Committee adheres to the view that the internal audit function must be centralized in order that it may achieve its full potential. It therefore recommends:

RECOMMENDATION 9

That in conjunction with the revision of the Policy on Internal Audit, all internal audit units in departments and agencies be placed under the authority of the Comptroller General of Canada.

As noted above, the Policy on Internal Audit has incorporated professional internal auditing standards as of 2001. The International Standards for the Professional Practice of Internal Auditing requires that internal audit groups conduct an external quality assessment to determine if they conform to the standards, at least every five years. The standards require that such an assessment be carried out no later than 1 January 2007. The discovery, by the Auditor General, that the Policy has been unevenly applied in six federal organizations places in doubt the ability of internal audit units in all departments and agencies to fully satisfy an external assessment.

In response to a recommendation by the Auditor General, Treasury Board Secretariat has indicated that it will work with departments to make sure that they meet the requirement for an external quality assessment. While the Committee welcomes this commitment, reservations remain given that there are less than two years left before departments must meet this requirement - especially in light of the lack of funding and the disappointing progress made so far. Because the Committee believes that Treasury Board Secretariat needs a detailed plan showing how internal audit units will be brought to the level of quality needed to meet the requirements of the external assessment, it recommends:

RECOMMENDATION 10

That Treasury Board Secretariat develop a detailed action plan showing the steps that will be taken to ensure that internal audit units are fully prepared, prior to 1 January 2007, for an external quality assessment as called for by the International Standards for the Professional Practice of Internal Auditing. This action plan must include the date(s) set for the external assessment, specific reference to the actions that will be taken, and target implementation and completion dates for each phase of the plan, and be submitted to the Standing Committee on Public Accounts no later than 31 December 2005.

RECOMMENDATION 11

That Treasury Board Secretariat monitor the progress made by internal audit units leading up to the external assessment, and report the results to the Standing Committee on Public Accounts on a semi-annual basis beginning 30 June 2006.