
THE STANDING COMMITTEE ON AUDIT AND OVERSIGHT

EVIDENCE


OTTAWA, Tuesday, March 8, 2022

The Standing Committee on Audit and Oversight met by videoconference this day at 1 p.m. [ET] to supervise and report on the Senate’s internal and external audits and related matters; and, in camera, to supervise and report on the Senate’s internal and external audits and related matters.

Senator Marty Klyne (Chair) in the chair.

[English]

The Chair: Honourable senators, we’re starting our meeting in public, and I welcome our viewers who are watching on the parliamentary network.

I am Marty Klyne, a senator from Saskatchewan and chair of the Standing Senate Committee on Audit and Oversight. I’m speaking to you from Regina, situated on Treaty 4 territory and homeland of the Métis.

I’m joined today by the other committee members: Senator Renée Dupuis, deputy chair, from Quebec; Senator Percy Downe from Prince Edward Island; Ms. Hélène Fortin, external member from Quebec; and Mr. Robert Plamondon, external member from Ontario. Senator David Wells, deputy chair from Newfoundland and Labrador, sends his regrets and is unable to join us today.

For the first portion of the meeting, we’ll hear from the following witnesses: First, from the Chartered Professional Accountants of Canada, we’re welcoming Charles‑Antoine St‑Jean, President and Chief Executive Officer. From the Treasury Board of Canada Secretariat, we welcome Mike Milito, Assistant Comptroller General, Internal Audit; Jennifer Robinson, Executive Director, Policy and Communities; and Raffaella Bertorelli, Executive Director, Audit Operations. Thank you for accepting the committee’s invitation and being with us here today.

We have invited you to share your experiences and expertise which will assist committee members on the choice of an internal audit model and to hear your perspective on the responsibilities, competencies and attributes of a chief audit executive position.

We will start with opening remarks and then move on to questions from the members of the committee. Mr. St‑Jean, the floor is yours.

[Translation]

Charles-Antoine St-Jean, President and Chief Executive Officer, CPA Canada: Good afternoon, Mr. Chair and members of the committee.

Thank you for inviting me to join you today. It is a pleasure to be part of this meeting in my role as President and CEO of Chartered Professional Accountants of Canada, also known as CPA Canada.

[English]

CPA Canada represents the Canadian accounting profession both nationally and internationally. It supports the country’s provincial and territorial accounting bodies which have statutory authority to regulate a profession of more than 220,000 members. Among its many activities, CPA Canada’s mission is to act in the public interest and contribute to economic and social development.

Before joining CPA Canada, I spent many years advancing the cause of sound financial management in the public sector. Some of my previous roles include that of former Comptroller General of Canada and chair of the Public Sector Accounting Board.

During my time as chair of the Ontario Government Internal Audit Committee, I supported the Ontario Public Service in its mission to strengthen trust and accountability in the province’s financial performance.

I also had the opportunity to participate in discussions around the role of an audit of the Senate when this notion first came to light during my time at EY where I was the national managing partner for the public sector.

[Translation]

I would like to take this opportunity to applaud the establishment of the Senate Standing Committee on Audit and Oversight. The value of your work in providing a clear line of sight into Senate expenditures cannot be overstated.

It is exciting to see the groundbreaking appointment of two external committee members — both CPAs and esteemed colleagues.

Having become well-acquainted with Mr. Plamondon and Ms. Fortin over the course of my career, I have no doubt that their expertise and arm's-length accountability will only add to the confidence Canadians have in the Senate.

[English]

CPA Canada has always maintained that improving fiscal transparency and oversight is key to building greater trust in public institutions and the stewardship of public funds.

Over the years, our organization has developed guidance for Canadian CPAs and board directors on how best to promote the overall effectiveness and efficiency of operations and the transparency of decision making. More specifically, these resources explore the evolving role and value of internal audit, which is the topic of today’s meeting.

While CPA Canada’s guidance is generally oriented towards corporations, there are distinct parallels with internal audit in the public sector. For that reason, I will share some recent best practices we have cited.

Across all sectors, audit committees have had to become increasingly alert and responsive to help their organization navigate today’s ever-changing landscape of risk and disruptions.

What makes internal audit unique is its strength in managing uncertainty. An internal audit function plays a critical role in helping an audit committee and the board seeking to discharge its oversight responsibilities by providing independent, objective assurance over the quality of an organizational internal control system to manage risk.

Among the typical responsibilities of an audit committee with respect to internal audit is the approval of the internal audit function’s charter. This formal document clearly outlines what is expected of the internal audit function, including its mandate, budget, the scope of work and nature of the reporting criteria.

The audit committee should define the process to be adopted for the annual review of the effectiveness of internal controls and risk management systems. This annual review normally takes into consideration the issues dealt with during the year.

The audit committee also has an important role to play in the appointment of the chief audit executive, frequently referred to as the CAE in audit parlance. This individual is responsible for shaping the strategy and culture of the internal audit function, namely, designing it to be agile, informed, collaborative and with the risk focus centred around integrity and ethics.

[Translation]

A strong relationship between the chair of the audit committee and the chief audit executive will enable healthy and honest discussions that maximize internal audit’s value to the audit committee.

[English]

When filling the chief audit executive role, the qualities of high integrity, a strong understanding of the operating environment and the ability to manage expectations should be non-negotiable.

These are important as this individual is often relied upon to be an independent, objective leader who reports to the committee to help guide and support fraud and other misconduct investigations. In such cases, it is imperative that the committee establish a protocol that protects the chief audit executive and internal audit when sensitive issues or key findings are brought to its attention.

[Translation]

Emerging risks should dictate what capabilities an internal audit group invests in to ensure it is adapting its procedures to keep pace with changes in its operating environment. Today, this could mean upskilling in areas of data, social sustainability, supply chain disruption, or cybersecurity knowledge, for example.

Because internal audit must balance the needs and expectations of many stakeholders and communities, strong relationship management and communication skills carry equal weight to technical auditing capabilities.

[English]

CPA Canada’s research has determined that internal audit independence and objectivity are optimized when it reports administratively to a CEO or an equivalent leader, and functionally to the audit committee. Meetings between the chair of the audit committee and the CAE should be periodic, multiple times during the year.

It is also essential that the CAE should have unfettered access to the chair of the audit committee. Significant audit findings such as risk exposure and control issues should be reported to the audit committee. The internal audit function then develops programs to monitor and report on the status of action plans resulting from these key audit findings.

[Translation]

Internal controls should be used to maintain the risk facing the organization within the risk tolerance levels set by the audit committee. The audit committee needs to be satisfied that proper controls, procedures and so forth are in place and are operating.

As you can see, there is a great deal of information to delve into on the topic of internal audit. I commend the important work your committee is embarking on to achieve its mandate.

I welcome your questions during this meeting. Thank you, Mr. Chair.

[English]

The Chair: Thank you, Mr. St‑Jean. I will now turn to Mr. Milito.

Mike Milito, Assistant Comptroller General, Internal Audit, Treasury Board of Canada Secretariat: Good afternoon, Mr. Chair and committee members. Thank you very much for the opportunity to speak with you all today about how internal audit is organized and conducted in the core federal public service.

My name is Mike Milito, Assistant Comptroller General for Internal Audit at the Office of the Comptroller General. I’m here with my two colleagues, Jennifer Robinson and Raffaella Bertorelli. I’m also pleased to be appearing today alongside Charles‑Antoine St‑Jean, who laid the foundation for strong, independent and professional internal audit in the federal context when he was Comptroller General a number of years ago.

There is so much that I could cover on the subject of internal audit, but I thought it would be helpful to start with a little context and to highlight a few aspects of the functions that might be of interest to this committee prior to the question-and-answer session.

First, I would say that internal audit is a mature discipline that is practiced globally and is governed by international professional standards. By the same token, it has been continuously evolving, especially in recent years, in order to keep pace with the complexity of risks and challenges that organizations face.

Internal audit’s mandate is to provide independent and objective assurance and advice in the three areas of risk management, control and governance, but there is a real focus there in providing real value to organizations and improving an organization’s operations. In practice, this means that internal audit must be very attuned to the context, needs, business and risks of the organization, and then develop nimble plans that are updated frequently to address the more significant areas. Then, of course, since the hallmark of audit is its independence and objectivity, auditors are to report their findings directly to the audit committee. In the case of the federal context, the chief audit executives do report directly to the head of the organization as well.

Given the mandate that I have just described for internal audit, you would expect to see a number of areas being covered on a regular basis, and they are. None of these should be a surprise, but corporate services processes and controls around corporate governance, financial management and reporting, procurement, privacy, travel and hospitality, HR management, information management and, of course, the growing risks around information technology, including cybersecurity, are increasingly covered by auditors, and internal auditors in particular.

At the same time, in addition to these corporate functions, there is a growing demand to expand the scope and suite of services of internal audit globally to cover a broader range of risks that organizations are facing and to do so in more agile and innovative ways. For example, internal auditors are increasingly being called upon to sit at key governance tables to better understand the context and the needs of the organization and to provide input and advice, and challenge, as appropriate.

They are also increasingly expanding the coverage of what they look at in terms of newer topics, such as assessing organizational culture, or in supporting departments or organizations in managing very complex transformation initiatives.

Internal auditors are also increasingly using data analytics, as Charles-Antoine mentioned, and other service offerings to provide more timely insight and foresight to inform decision making. In other words, chief audit executives are increasingly becoming key contributors to organizational success and providing a real balance of advice and assurance across all significant areas of the organization.

With that overview of audit in mind, I want to spend a minute outlining the role of our own sector at the Office of the Comptroller General and my sector in particular, the Internal Audit Branch.

First, what we do is set out the rules of internal audit conducted across federal departments, of course, based upon international standards. We do this through the issuance of policies and guidance.

Second, we provide leadership and support to the broad functional community of internal auditors across the large departments and all departments that have their own functions, including efforts to recruit and develop talent and support the professionalization of the function. We also recruit and support the appointment of external individuals to departmental audit committees, and we conduct some audit work to top up what some of the large departments do. We do some horizontal audit work that touches on multiple departments, and we also conduct audits for smaller organizations that do not have their own functions.

The central direction and support that we provide the Office of the Comptroller General is particularly important because internal audit in the core federal administration is largely decentralized. For example, each large department with a budget of over $300 million must have their own internal audit function that’s appropriate to the needs of the organization. So we do spend a fair amount of time helping organizations assess their developing needs so that we can provide them with advice on how best to structure, resource and staff their functions.

On that front, I would say that it’s definitely not a one-size-fits-all approach. Certainly, the type of internal audit function that would best meet the needs of one organization versus another would depend upon a couple of factors, especially the risk profile of that organization. For example, in terms of their size, budget, number of employees, the complexity of their business lines, the volatility of their operating environment, their public profile and so on.

Also relevant is what the vision would be that the organization has for the use of internal audit. As I mentioned, it is evolving. It is becoming more nimble and proactive. An internal audit function that would be more traditional and maybe based more on a compliance type of scope would look a bit different than one that might be looking at a broader set of risks and using different sets of tools.

When we advise individual departments that are examining their needs, we typically begin by describing the renewed vision that we’ve been implementing across federal departments in collaboration with us of how internal audit could be in terms of being more nimble, innovative, data driven and multidisciplinary in approach. We’ve been implementing this in collaboration with our various departments for a number of years, and we monitor the progress against that vision as well as compliance standards through our ongoing activities with these departments.

Before concluding my introductory remarks, I thought it would be helpful to touch on a couple of factors that we have identified as being especially critical to internal audit providing maximum value to organizations.

The first is having senior management being aware of and buying into internal audit’s role and its full value proposition. In other words, not seeing internal audit as fulfilling a policing role but one that’s more enabling.

The second is having a chief audit executive in place that not only understands internal audit, but just as importantly — as Charles-Antoine mentioned — having a seasoned leader with strong, strategic people management, interpersonal and communication skills.

Finally, I would say that establishing formal and well-understood mechanisms to ensure independence and support to the function is critical. That would include, of course, a strong audit committee with a clear mandate, providing internal audit with direct and unfettered access to the committee and the organizational head and also ensuring that the audit functions have all of the resources that they need to do their work, whether they be financial, information or the individuals that they need to speak to.

Mr. Chair and members, I hope that these brief remarks were helpful in terms of providing some context. My team and I would be happy to elaborate and share best practices tools with you going forward. Thank you.

The Chair: Thank you, gentlemen, for the opening remarks. They were very informative and a great way to start off. You have built us a nice platform to lift off from.

We will now go to questions from the committee.

Hélène F. Fortin, external committee member: We are glad to have you with us today. I personally know most of the witnesses, having worked all these years in federal Crown corporations and also being a chartered professional accountant myself. I know Mr. St-Jean, having also been a member of DACs, the Department Audit Committees, for close to 15 years. I also say hello to Jennifer, who takes good care of us.

So all that to say that everything that both Mr. St-Jean and Mr. Milito have just said is totally accurate. It is a great description of the role, requirements, what we should look for and the mandate that should be awarded to this function.

We need to remember it is one of the most important lines of defence within an organization. Therefore, it deserves the proper attention, which has been completely given by both CPA Canada, in recognizing the importance of this function, and definitely by the Treasury Board.

Thank you all. I just wanted to reinforce everything that has been said. Thank you.

The Chair: Thank you, Madame Fortin. Senator Downe?

Senator Downe: Thank you for the presentations. I found them very informative and very thought-provoking on the issues before us.

This question isn’t directed to anyone, but anybody can comment on it.

I’m concerned about the cost — really, the cost-benefits. As you know — it was in the media over the last number of years about all of the troubles in the Senate and so on — we had the Auditor General come in. Many of us were shocked at the size of the bill versus how much was actually identified owing at the end of the day. The bill from the Auditor General for the cost incurred was well over $20 million, and that doesn’t include the costs incurred by the Senate for staff time, senators’ offices, the Senate administration and getting the information required.

At the end of the day, they identified $600,000, which is not an insignificant amount, and anyone who did anything wrong obviously had to pay it back. But I’m concerned about explaining that to the good citizens of P.E.I. — $20 million recovering $600,000.

So I’m concerned about how we control the cost as we meet the standards required.

Mr. Milito: I could certainly start with an answer.

I can’t speak to what was done in the audit you mentioned, but from an internal audit perspective, the costs are quite transparent. In the federal context at least, when a risk is identified to be reviewed by the internal audit function, that risk then translates into the scope of a particular engagement.

For example, if contracting was an issue and an area of concern, the audit function would prepare a plan to say, “We will spend this much, this many resources and this many audit hours over the next two or three months to address that area, and look at the design and effectiveness of the controls in that area.”

So the cost-benefit should be pretty transparent and evident on an engagement-by-engagement basis. Auditors track their time; that is a standard in the government and is pretty well established in other jurisdictions. Time reporting allows auditors to be — even if it is a relatively new area they are auditing, they can certainly come in with decent estimates in terms of how much it would cost and how long it would take to do a certain engagement.

That can be weighted against the risks. Not all risks can be measured. Avoiding future problems in contracts cannot be measured, but one can get a sense from that. For example, if the findings come out that there isn’t sufficient oversight or maybe there is a committee in place that is not operating as intended to review large dollar value contracts, the samples brought forward could give a picture of the types of risks that could be better managed going forward, and you can get a sense of the cost-benefit.

More broadly in terms of an audit function, there are enough benchmarks out there to allow heads of organizations to establish a function that meets their needs within a reasonable cost. The benefits can be assessed and adjusted over time, as well.

I’m not sure if that fully answers your question, but I thought I would begin.

Senator Downe: Yes. That’s very helpful, actually.

If I understand you correctly, because this is not my area, but in essence, there would be a basic summary of the costs before the audit would start, subject, of course, to something unexpected popping up in the audit — there would be additional costs to pursue that — but there would be a sense of what the exercise would cost prior to committing to it. Did I understand that correctly?

Mr. Milito: In terms of the internal audit context in the federal government, that is pretty much a standard practice in the organizations that I’m familiar with. It would be a planned set of hours, and that might include internal time — internal auditors, for example, who work for the department — and then external advisers who might be needed, or consultants. Sometimes those are plans, but, of course, things change. In addition to the example you gave, it’s possible to have some additional scope that creeps in and requires more testing.

There could also be some uncertainties. For example, if it is a new area that is being reviewed and it is just more complex than the auditors imagined, then it might take more time and that variance could range, of course. But I think it would be rare to see — not impossible — large order of magnitude deviations.

As I mentioned earlier — the role of the department of audit committees — the audit committees provide oversight around such things, so they would see the plans typically upfront prior to an engagement being started. They would also get updates during the year as well, which might allow for some of the discussions around going too far or expanding explanations for various elements.

A fair amount of oversight and transparency are involved.

Mr. St-Jean: Mr. Chair, maybe I could complement the answer?

Are you agreeable for me to complement his answer?

Senator Downe: I think that the chair may be muted.

Mr. St-Jean: Okay. If the chair gives me permission, then I would be glad to help.

Senator Downe: I think the chair may be gone; he is not on the screen. I asked the question, so go ahead.

Mr. St-Jean: Okay, thank you.

Just to build on the perspective shared by my former colleague, Mike Milito, knowing the costs of internal audits should be an exercise that should be done annually. There should be a multi-year plan on a no-surprise basis. You have some benchmarking data also that would be helpful to guide you in terms of the type of operation, complexity, the risk and so on. Those would not be unreasonable amounts in terms of resources that should be devoted to the internal audit.

All of this data is available within the Treasury Board. That gives you a sense of what to expect.

I also remember that when I was in that role and when I have been chairing audit committees over the years, I was also asking the internal auditors to say make sure they come back cost-neutral at the end of the year; make sure that you find enough opportunity for improvements or savings that will cover your costs. Generally speaking, a good internal auditor will find a multiple — the culture of internal audit, the culture of risk management and so on that will bring additional benefits. But I was always saying that they make sure they are cost-neutral in the budgeting to see that they do that for your operation.

Size does matter in an internal audit. The bigger you are, the bigger the economy of scale you can get. The smaller you are, it will be a bit more expensive. But there is a good benchmark there to give you good data points in terms of what you should normally expect on a year-in, year-out basis.

Senator Downe: I have just one final comment, and then I know others want to ask their questions.

Thank you, both of you, for those answers. It is very important.

One thing that struck me, first, was that we didn’t know how much the Auditor General would cost, and second, didn’t want any sense of any cover-up. We wanted the audit to go where the audit went, so whatever was found had to be pursued. For the vast majority of senators, there was absolutely no problem, but I was surprised that the audit kept going on and on.

For example, Senator Marshall, one of our colleagues from Newfoundland and Labrador, is not only a chartered accountant and former Auditor General, there was absolutely no problem in her operation. Senator Callbeck — a whole host of us had no problems. But the audit didn’t seem to do a surface analysis and then say that we’d better drill down on this person. Everybody was drilled down on, and hence the cost was what it was.

I don’t want the Senate spending taxpayers’ money. We’re not interested in any type of cover-up or prevention of any problem being identified and addressed, but we have to be much more conscious of the cost, and the answers today were very reassuring as we go forward.

Robert Plamondon, external committee member: Thank you, Mr. Chair.

Similar to Ms. Fortin, I am acquainted with the witnesses professionally, both directly and indirectly, over many years of work that I’ve done with the Treasury Board, particularly on leadership development in the Office of the Comptroller General in connection with my role at the University of Ottawa. I’ve also done some work with CPA Canada, so I know the value and experience that the witnesses bring to this table in the committee today. I’m very grateful for their appearances.

In the opening remarks, you’ve set out a framework for internal audit, the scope of the work, the qualities of the chief audit executives and the importance of independence. In that context, if I could ask a question about the governance that we would have, or at least the model that we would use, to fulfill the internal audit function, specifically related to the chief audit executive being either a full-time or part-time member of the Senate staff as opposed to someone who would be an external contractor. I note in particular that Mr. Antoine talked about the importance of understanding the environment, so I can see some clear benefits to having someone who is, in effect, in the building. Mr. Milito referred to the importance of not just doing compliance work, but actually improving the organizations in fulfilling their mandate and goal.

In that regard, the question is about having the chief audit executive being part of the Senate’s staff. Then maybe you could also talk about, if that’s the case, the reporting relationship to this committee versus to the senior leadership team in the Senate. This would be a question for both of our witnesses.

Mr. St-Jean: On that front, you see that there are different models that exist. You can outsource the audit, or you can build it inside. You have to take into account the peculiarities of the organization, and I know a bit about the Senate from having worked with the Senate in the past and also having worked within the public sector in multiple environments over the years.

Given the complexity of the role, the complexity of the organization and the sensitivity of the organization, having someone who is recruited to the staff who understands the business, the players, the dynamics and the risks, in my mind, would probably be the best approach to guide the committee. I think I made reference to this in my opening remarks, but that person needs to be a seasoned, experienced person who is also credible, can have some difficult discussions and will not shy away from them. That person will do so diplomatically, respectfully and so on, but that person will have those discussions.

In terms of reporting, I would see the chief audit executive reporting directly to the chair of the committee, functionally. We were talking about unfettered access. It is important that the chief audit executive has this unfettered access. It means, though, that the chief audit executive must perform. I remember having that discussion with Mr. Milito to say that we are putting you in direct contact with the senior leadership of the organization, but there’s no place to hide. You have to perform. You need to be good at what you do.

I would really encourage seeing that kind of relationship with the chair of the audit committee and, administratively, with the leader of the Senate and the administration of the Senate. But in terms of function itself, the chair of the audit committee would be my first recommendation.

Mr. Milito: Just to build on what Mr. St-Jean mentioned, the models exist. There are three broad models. You have completely outsourced, all internal auditors and staff members and then you could have a mix, which is a very common model across many of the departments. You would have a permanent chief audit executive and a good complement of staff. For a smaller organization, which could be as few as perhaps three or four people, and then have contracts in place with different providers of audit services. Experts in the field, for example, of IT security or what have you, depending on the risks. That’s a very common model to have professional services supporting an audit function of staff.

I would agree, too, that so much depends on the context and the needs of the organization at play to inform that model. If one has a high public profile in all that they do and there are high public expectations, and it also depends on the risk appetite of those running the organization. If the risk appetite is not very high, then I would say that might point to a model where one might have people, or at least some of the audit team, be part of the organization. It certainly has some advantages.

As I mentioned earlier, one of the biggest advantages would be, for example, if the chief audit executive could sit on key governance tables, not just to provide advice when they hear or see things or pose some good questions, but also to learn about the strategy, priorities, context and needs of the organization. And the more that they know — we often say to our departmental deputy ministers, you get what you pay for. If you invest in the function and they have a strategic lens, then they are better able to help you address the risks once they understand what they are. That is all I would add at this point. Thank you.

[Translation]

Senator Dupuis: Thank you both for being with us today, and thank you to the people accompanying Mr. Milito. I’m trying to see how, as a committee, we can create a mentality among our colleagues. In this case, we’re talking about colleagues who are our equals, the senators. Each of us is a senator among a group of senators. How can we overcome the trauma of the Auditor General’s operation in a situation of not only financial but political crisis? How can we get our colleagues thinking and understanding exactly what internal audit is intended to do?

I would like to know what recommendations you can make. Senator Downe said it — and he’s not the only one to have done so — and I also understand very well that we are dealing with people who have been traumatized. That isn’t what we want to do in the internal audit function and as the Standing Committee on Audit and Oversight. There are a number of things that need to be addressed, and I think the Senate has made that clear by creating our committee. Surely there are things we should know or things we should do.

I’d like to know what each of you suggests. My second question has to do with Mr. Milito’s statement about risk appetite. Could you be more specific about what you mean by “risk appetite?” Thank you.

[English]

Mr. St-Jean: I was going to pass the baton to Mr. Milito, but I can start.

In terms of the culture, I do appreciate the event of many years ago and that it was traumatic for the Senate. Those were difficult times, but that is not what internal audit is about. Internal audit is very much a tool for management to help ensure that the policy you put in place for good governance and good management of resources is executed. It is an insurance policy for you, members of the Senate, so you can keep doing your important work at the Senate and not be distracted by something as traumatic as what came your way a number of years ago.

When you look at it, it’s a tool to enable you to do your job — to have the peace of mind of ensuring that you can do your work. It goes a long way. Sure, they will be asking some questions from time to time, but they have to ask those questions because they have to give you the assurance that the policy for good governance or good management of resources is being put in place.

It’s a tool for you to enable you to do your job; it will go a long way.

It also means that the chief audit executive needs to be very sensitive to the environment. When we are talking about somebody that understands the dynamic, the culture, the issues and the history, there is some diplomacy that is needed and there are some real people skills that need to be brought to the table. But if the chief audit executive is doing their work, they can also bring some new opportunity to do things differently, and people will realize that they didn’t think about it that way. You can free up more resources or time to do the important work that you do.

On the subject of risk appetite, I know you asked the question for Mr. Milito but that is always a question that we ask. We don’t live in a zero-risk environment. If you’re talking about cybersecurity, for example, and you were a nuclear reactor organization or a hospital with very sensitive personal data, your tolerance for risk in terms of privacy and so on will probably be extremely low.

Depending on the nature of your operation, you will accept that there is some risk that you will be taking on, but you need to have an adult discussion on this. It’s not because there will be a deviation or some deviations so that the system is not functioning as intended. There are not enough resources to get to a zero-risk environment.

These are adult discussions that need to be had up front when conducting the internal audit and when you design the control process.

I will turn to my colleague Mr. Milito to see if he wants to complement that.

Mr. Milito: Sure. Thank you. I definitely agree with what was just mentioned.

I will just build on that to say that the value proposition of internal audit has been discussed already. It’s easy to say that, but it’s another thing for people in the organization to truly understand it and believe it, because they may have had other experiences that maybe weren’t positive, whether it was done through internal audit or others. “Audit” can be a broad term. So internal audit could be painted with a brush right from the get-go without even having delivered anything.

Based on some of the context shared today, my advice would be that if an audit function is being brought in and if the value proposition can be explained, not just in a presentation or in a static way — I would think that, given that the word “trauma” was used, that there would have to be some discussion, some engagement and not necessarily a promotional campaign but real discussions on what the audit function is there to do and why it would be of benefit to the organization. A broad discussion or discussions like that at the outset would at least hopefully provide the function a chance to prove their value.

There may be some sceptics in a scenario such as this, but I think if people understand what the value is supposed to be and then, through a good change management process, really continually share what that value is and share the results as you go along, then I would say that’s probably going to increase one’s odds of success.

From a risk appetite or a risk-tolerance perspective — and what Charles-Antoine St-Jean explained was a perfect example. There are going to be some organizations where the tolerance for a certain thing occurring would be very low. We talked about a nuclear-related issue, but privacy is a really good example where one privacy breach, depending on the nature of that particular organization, could be devastating for its reputation and maybe have legal consequences.

I can use IT security as another example, because it is talked about so much. Even those who run IT security and prevention programs, they are looking at risk appetite all the time. Increasingly, the literature is showing that you can’t prevent a breach, necessarily; you can invest and invest, but at the end of the day, the risk appetite might be allowing certain types of breaches but then putting resources into quick detection and responses to those breaches.

That is an example of a risk appetite being a little bit more in one area but then it allows you to shift your resources to something else.

Hopefully that’s helpful.

Risk appetite is considered by internal auditors as they set up their engagements because if you have a disconnect and the auditors have zero tolerance for risk in their minds and management has a bigger appetite to take risks, then that would be a recipe for an audit not meeting the needs of the organization. Thank you.

[Translation]

Senator Dupuis: Thank you; this clarifies the questions I asked earlier. I have a follow-up question on this notion of “risk appetite.”

The issue you both raised is very important, namely the work we will have to do as a committee to clearly explain the function of an internal audit. You explained that, with multi-year management, people will have a better idea of what is coming. This isn’t the same context that the Senate has already experienced, when for years, problems were allowed to drag on, until suddenly a sort of fire brigade was sent to do all kinds of things.

I guess there’s the issue of “risk appetite” and the issue of priorities. To give a specific example, there’s a joint review of the House of Commons and Senate cybersecurity system. However, we were told that this review is strictly technical, to determine whether the right wires are connected in the right place. Cybersecurity, of course, is broader than that. As for setting priorities, I imagine that a committee such as ours will have to take an interest, for example, in... When we know that certain foreign states have a stated policy of identifying public parliamentary figures to influence them, that implies that operations are being carried out. Beyond the strictly technical issues, there are also content issues that will lead us to make decisions and prioritize certain issues other than their strictly... My comments aren’t very clear. I’m trying to understand what you explained to us.

I’m also trying to see how a discussion within our committee on the conduct, attitudes and tools that must be put in place in the Senate would prevent foreign states from interfering in the work of senators.

Mr. St-Jean: I can answer the question. Cybersecurity isn’t just about wires. It’s about the management framework in general; we’re also talking about social engineering.

We have put in place cybersecurity programs. These are multi-year programs with social engineering components that test our people with phishing in order to develop their reflexes. Will they respond to it?

Penetration strategies are now very well developed by those who want to do bad things. We really need to increase our threshold for resilience. This is about training our people and good technology. When we talk about good technology, for many years people were keen to buy new applications and so on. It opens the door to all kinds of things. There really has to be a good technology strategy in general through policies, training, and so on.

Generally, audit committees — we are seeing this now — spend about 20% to 25% of their time on cybersecurity. It’s the number one topic studied by all audit committees for financial organizations and large institutions. They spend all this time on cybersecurity because it’s an important hot topic. We’re not just talking about technology, but about how you organize yourself. So this committee will have to look at that seriously.

Senator Dupuis: Thank you.

[English]

Mr. Milito: If I may add to that, there are multiple layers of defence in any organization that has things to protect from a cybersecurity perspective, and yes, a lot of it is technical. But as Mr. St-Jean mentioned, the management framework would be looked at as well: Is there broader risk management happening? Are those risks monitored? Are issues also monitored? Are there logs that are kept, for example, of risks and issues, and are those resolved? What governance committees do they go to, et cetera? How much is spent on defence or on that type of defence?

Also, to elaborate on the phishing example and social engineering, there are non-technical pieces. A lot of the weaknesses have to do with human behaviour, so then you’re getting into auditing people’s awareness. It’s a very non-technical thing to survey people to find out what they would do if they got certain types of emails or actually put emails into the system to see if people click on certain things.

There is also monitoring detection controls, which are more on the technical side, and if there is an intruder, would there be a quick response, is there encryption, et cetera.

I would say a blend of technical and non-technical aspects is part of any good defence. Risk appetite plays into all of that, and that just depends on the value of what’s being protected versus the cost. Because I think, as Mr. St-Jean mentioned earlier, it’s almost impossible to bring something to zero. It’s usually more costly to reduce that risk lower and lower, so there is a trade-off at some point and I think that’s what we’re trying to get across using this example.

Mr. St-Jean: If I may, maybe just one comment, in terms of the role of the audit committee to come up with some control features — we’re talking about social engineering — there are some business practices that will need to be put in place, for example, double authentications and the like, and people say, “This is again the technology folks that are dumping all their controls on us.” They are not doing it because it’s fun, and this is where the leadership of the audit committee will be very important in saying: “We have assessed the risk and so on, and these are the levels of controls that we need to put in place.”

So having your support for some of those recommendations and those practices will also be very important. The leadership role of the audit committee should not be underestimated.

The Chair: Very good points, thank you.

[Translation]

Ms. F. Fortin: Given that the work will focus largely on controls identified as important to mitigate risks that have been identified — this is what is meant by “risk-based audit plan” — we should also not overlook the fact that if the internal auditor arrives with a very positive report and there are not many observations or elements to be corrected, this will give us the assurance that our controls are working well and that they are serving a purpose, which is quite important.

So there’s a lot of education that goes on through this whole process, and it provides a better understanding of the ecosystem, which is essentially the identification of risks and internal controls, followed by the audit, to ensure it’s all properly addressed. So it’s a positive aspect, and cost-neutral, as Mr. St-Jean was saying.

There are also a lot of savings to be made, even if you don’t necessarily find criticism or observations. Of course, the main advantage of all this is to make corrections.

I have a question for our witnesses. We know that the success of this function depends largely on the empowerment that is granted to the internal auditor and their team. There are many challenges in recognizing this empowerment, such as communication, for example. What are the most effective ways to do this from the start? Let’s not forget that we’re dealing with an institution that has never evolved with an internal audit function. So there will be a lot of challenges not in terms of acceptance, but in terms of recognition of all the benefits that come with it. How could this transfer of authority be improved more easily?

[English]

Mr. Milito: I would say that in my experience, of course, assuming that you’re able to bring in a chief audit executive who has those qualities we mentioned earlier, it is just as important to have somebody who is a very seasoned, strong leader, somebody who is an excellent briefer, can speak truth to power, has high integrity. You want the whole package, and that’s probably even more important in an organization where there may not be a history, where someone can speak the language of the senior executives, can be compelling in what they say so that the value that they want to provide is crystal clear. They are strategic. They are very compelling in what they say.

I can’t overemphasize that. When you have somebody like that in place, I think as Mr. St-Jean mentioned earlier, the audit committee can play a big role, as can senior management and most senior people in the organization, giving the signals about what the value proposition really is.

What is the full scope of the internal audit function? Why is it being brought in? What are the expected benefits here that everyone can actually see?

Those signals can then be very tangible as well, not just an audit charter. An audit charter is important and should be there. It is the formal, written acknowledgement of what the powers are, but then bringing that to life in terms of the kinds of questions that an audit committee asks, the kinds of access and profile given to the audit function, the transparency and what the auditors are doing and really having that communicated and having people consulted in the process of developing a risk-based audit plan before it comes up for approval.

Those are just some of the things that I think would be important. If people, from afar, believe that something is being done to them and they don’t see what the benefit is to the organization, I think that is where there can be issues. That is why I referred earlier to more of a change-management plan that goes beyond simple awareness, and it would be multi-faceted. That is something that I would be more than happy also to discuss offline if there is an interest in learning more of what we might do. Thank you.

[Translation]

Mr. St-Jean: Just to add to Mr. Milito’s comments, there’s a whole educational component to the role of the chief audit executive. It is all very well to explain the role, to have good judgment and to set things straight. We’re not looking for perfection, but we are looking for something reasonable that will protect the institution and protect senators, because the work done by the Senate is essential, and we do not want it to be distracted by minor things. You have to have someone who can sort things out and guide the organization in accepting the internal audit tool.

As for what was mentioned a little earlier, if there is no deviation, if there are good notes to receive, the internal audit is really very important, and sometimes, when we create programs for three, four or five years, we will focus on a few processes where we think everything is working well to reassure senior management. It also creates a certain amount of pride among employees, who see their work recognized.

So we have to balance things out and balance the work to encourage people to welcome internal audit. I’ve had this same discussion with my internal colleagues. The internal audit is there to help you. If there are things that need to be highlighted, we need to use internal audit to do that. Let’s face it, managers all have great ideas that they would like to see adopted, but for various reasons, they’re not successful. If internal audit confirms that certain things can be improved, it can be an excellent lever to move things in the right direction. It’s a matter of diplomacy and balance. Internal audit is people who work with people. You have to have finesse to do it well.

[English]

The Chair: Thank you. Mr. Plamondon, do you have a question?

Mr. Plamondon: Just mindful of the time and the incredible expertise that we have here at the table among our witnesses, if we could quickly cover some practical matters because ultimately we’re going to be looking to have in front of us, as a committee, a risk-based, multi-year, committee-approved audit plan. So we need to address what we’re going to audit, the level of investment that will make an audit and getting the right people in place, which you have both talked about as being critical.

On the first issue of what we’re going to audit, Mr. St-Jean just spoke about the value-add component, which is going beyond the compliance work of internal audit and going into areas of strategic or advisory services.

What is the balance there between compliance versus strategic advisory service while ensuring that we maintain the independence of the internal audit function so that we’re not ultimately auditing areas on which we’ve given recommendations? There is that question of balance.

Our level of investment, Mr. Milito earlier referred to a chief audit executive with some support. Given what you know about the size of the Senate and our profile, if you can give us any benchmarks or suggestions on what we might follow in terms of establishing our level of investment.

On the recruitment side, as with any board, their most important decision is the engagement and the hiring of the CEO. You’ve spoken of the qualities of the person that we would need in the chief audit executive, but that whole area of recruitment and where we might find that person — Jennifer Robinson is here with us, and she has that ongoing responsibility at the Office of the Comptroller General — if you could give us some advice and help us on those three questions. Thank you.

Mr. Milito: Thank you for the question. In terms of balance of compliance and other work, I would say that depends on the organization and what they do. I would also ask what else is going on? How strong are the other controls or checks and balances in the organization? How mature are they? Do they exist?

To give an example in the federal context, internal audit, yes, there are a lot of assessments that are done, but there are also internal control units, for example, in many of the chief financial officer branches. In some cases, they are quite mature. They do a lot of compliance-type work. They test controls around financial management reporting, but they also get into other things as well, including some IT-related controls.

In an organization where they might have some of those checks and balances and risk-based compliance work already happening, audit would look at that and say, “We know that is happening. We have a general sense of how it is working. We will then shift our focus to some other things.” Maybe that is other areas of compliance, or maybe to back away and spend some of those resources on other types of assessments.

For example, maybe there is a new head of the organization and they feel that they want to look at how decisions are made or how robust the governance structure throughout the organization is. That might be something that’s done rather than a compliance piece, if there are some resources that are available to do that.

The bottom line is that is a major factor there. There is no set answer. You go where the risks are, but you also go where there may already be other providers at play providing some assurance.

In terms of benchmarks, I’m not fully familiar with all of what happens in the organization that you are in, but I would say that based upon a budget, which is not insignificant — a $100 to $115 million budget, if I’m correct — I believe that you have some arrangements. If you have a shared services arrangement or partial services arrangement with another organization to provide some corporate supports, that could be simpler but it could also be more complicated in terms of assessing risks.

There are things in there that would impact the size of a function, but I would say that for the budget and the full-time equivalent employees that you have, probably a function under five employees if you were to have some staff members. It could be as few as having a chief audit executive, maybe a project or an audit lead or manager, possibly an analyst underneath that and then, kind of like an accordion, having a budget that may increase or decrease for external resources depending on what’s in the actual risk-based audit plan for a given year.

That could involve, for example, if you were concerned about a risk such as IT security — which tends to involve more expensive resources because they are in high demand — in a particular year when there is more of a focus on something like that, the professional services budget might be a little bit higher than in other years. Then, of course, that is complemented by whatever internal folks that you would have. So there is no set number. It really would depend upon the arrangements that you have with other partners, if they are providing services and also the size and complexity of your department and your risk appetite, as mentioned earlier.

You spoke about recruitment. I would say that skill shortages are there. To have somebody who understands auditing, but going beyond a career auditor and actually having somebody who is really good in the boardroom and understands strategy and communication, they are out there. The key there is that, in my experience, the person who is hiring is also selling what kind of — I think that the people in this business really want to make a difference. They are trained to sift through complexity and provide value-added recommendations. So if someone knows that they are coming into an organization, even if it is an organization that is starting from a less mature state from an audit perspective, but they are being given those tools and support that they need and that the value proposition is clear and they feel supported, I think that is actually the biggest key. Certainly, an organization with the types of risks the Senate manages would be of interest because it would be a challenge. It would be of interest. But it is something that people would look for, they would be looking for the signals of support. Thank you.

Mr. St-Jean: Maybe I could also provide a certain perspective. About 15 years ago, when internal audit was being rejuvenated both in the private and public sector, I think that there was a focus that was, at least for the first four or five years, 100% in compliance. Don’t forget that we’re talking about the Sarbanes-Oxley kind of leftover, and do not forget that we were also talking about the sponsorship issues. That brought up some bad memories of control weaknesses. The compliance was very much the focus of both the public and private sectors.

Now we’re talking about a more balanced approach between the compliance and the advisory function. Could it be 70 compliance, 30 advisory, or 60-40? This is in the realm of what is now expected with a good internal audit function. It could be a good component to say that it will be of an advisory nature. So it is no longer the 100% compliance, it is more 70-30 or 60-40. That would not be a bad number.

I would also like to caution you, you are coming in during a time when talent is becoming scarce. I’m having those discussions with many clients who are hiring chartered professional accountants, but with all of the firms, shortage of talent is — we’re talking about compensation increases of 10% to 15% just to attract and retain in this coming year. That is just to get the talent. I have talked with many of the firms and they are declining work like they have never declined work for over 20 years. You are really coming into an environment where talent is short. So whatever talent that you get, make sure that it is focused on where the most value is provided for.

Just to give you an idea, CPA Canada is a $125 million organization. We do spend about $300,000 on internal audits per year. Sometimes it is a bit less, sometimes it is a bit more if we have some special project. This is the order of magnitude that we are talking about for the function. But I must say that you are in the high-profile environment. The Senate is high profile, so I think that is an element. Do not discount that. It may cost you a bit more because of the high profile. If you are in the media and something goes bad, people don’t have a lot of mercy on the public institutions. That might mean that you might have to spend a bit more.

The Chair: Thank you for that.

[Translation]

Senator Dupuis: I was wondering if you had noticed anything about the impact of the pandemic that we have been going through for the past two years. Do you think that the pandemic has had any influence on the type of function we’re talking about here, internal audit, in your respective areas?

[English]

Mr. Milito: I would say that it is interesting. I mentioned that we’ve been implementing a vision for internal audit, a modern one, since 2018. When the pandemic hit, we just brought our chief audit executives together virtually. We already had something to build on. We were already talking about applying a suite of services. Balance this, as Mr. St-Jean mentioned, in terms of not just compliance but looking more proactively at what could be done. What happened was interesting. They were very well positioned to fulfill the immediate needs of the deputy ministers. At first, it was how do we get connections and business continuity planning? Are they robust? How do they need to be adapted? And then it was very quickly getting into, you know, employees. How are they handling this? Are they supported? Mental health issues — are there supports in place? And some audit work was being done there. Not traditional audit work. Sometimes it was advisory. Sometimes it was a lighter review, something that was not as deep as an audit but it gave enough assurance to proceed.

There was a lot of work, for example, up front. If there was a new program for Canadians who needed the funds to pay their bills, auditors may have been called — and they were — early, in some cases. While the program management was developing, the program audit was there to ask, “Have you thought about this? Have you thought about that?” Instead of taking months or more to develop a program, they were sometimes done in a matter of weeks. So audit maybe wasn’t providing deep assurances, but they were doing what they could up front.

I would say it almost supercharged our efforts. We were already talking about a vision for internal audit, and when this hit, many of the deputy ministers asked us to come in and help them. What that did was raise the profile of audit, but that was the by-product. The important thing was that audit came in and provided risk assessment support and data analytics support. Where were some of the issues or the risks at play with the new programs being implemented or with people working remotely? It really allowed many functions to shine and gave traction to some of the functions that maybe did not quite have that traction because they had immediately jumped in.

I’m sounding very positive because I think that it was, from an audit perspective, providing value. But it has been challenging as well, I have to say. Having people working remotely and the stresses from my own staff perspective, but that is true for everybody during this pandemic.

Mr. St-Jean: If I may just say a couple of additional comments on this, the pandemic has provided a unique opportunity to accelerate our ability to audit remotely. Before that, nobody talked about how we could do an internal audit or traditional audit remotely. Two and a half years ago you would not have said that you could provide an internal audit for the Royal Bank or TD or the CPPIB. All of that was done remotely, overnight. So it really accelerated the ability to provide the internal audit service immediately.

What it also did — we’re talking about the Senate. The Senate is Canada. So it also enables access to talent across the country — to participate. With many of the audit controls or external audits, before that, there used to be a team in Toronto or Montréal. Now you will get to see where the talent is and we can get people to participate. You have access to talent we didn’t have before because they were not in the right city or the right place. Now they can participate in this.

So it really helps in many ways. No doubt it caused a lot of stress, but there are some good aspects to it as well.

The Chair: Okay. I certainly appreciate your attendance here today. Thanks to our witnesses for their value-added advice. There was a lot of key information to consider, and I’m sure the committee will benefit from the witness testimony given here. Thank you so much.

Colleagues, we’ll now suspend while we make a transition to in camera. Thank you so much to our witnesses.

Mr. Milito: Thank you.

Mr. St-Jean: Thank you.

(The committee continued in camera.)
