Voices from the Field


February 13, 2020
DARE TO BE DIFFERENT: TIPS FOR CONDUCTING AGILE AUDITS

Introduction

In 2011, Shared Services Canada was created to modernize the delivery of information technology (IT) infrastructure services in the federal government. The scope of the transformation being led by Shared Services Canada was massive. There were initially five major transformation programs:

  • Email Transformation
  • Workplace Technology Devices
  • Data Centre Consolidation
  • Telecom Transformation
  • Cyber and IT Security Transformation.

Each program involved millions of dollars in expenditures, had an aggressive schedule and multiple project interdependencies, and was being delivered across 43 departments and agencies. This was not only a new way of doing business for Shared Services Canada, but also for the federal government at large.

Amidst all these transformations, the Shared Services Canada internal audit shop was also being established. Employees were being recruited, processes were being developed, and audits were being delivered. We conducted an initial audit of the Email Transformation program using traditional audit methods. Audit managers quickly realized that traditional audits taking 12 to 18 months to report to management were not going to deliver value and address the risks presented by large, complex transformations. Because information technology changes rapidly, to provide value-added assurance, we would need to be just as rapid and agile as the programs themselves.

In this article, we explain how the Shared Services Canada internal audit team successfully streamlined and transformed its traditional processes to deliver assurance on large transformation programs in a timely and valuable manner.

What was our new approach to assurance audits?

In 2015, Shared Services Canada’s Office of Audit and Evaluation launched a new series of assurance audits. These audits were meant to be quick, agile, and timely assessments of the five transformation programs.

This new approach to assurance audits focused on three main characteristics:

  • Quarterly audits of systems under development in the five programs would be done using a top-down, agile, risk-based approach.
  • Quarterly reporting would be delivered to senior management and the Audit Committee.
  • Audit results would be publicly reported once a year.

The objective of the new audit approach was to provide management with a timely assessment of:

  • the progress and attainment of each transformation program’s objectives (at defined milestones within each program and across the transformation agenda as a whole); and
  • key internal controls, governance processes, and the transformation risk management framework (at a point in the development cycle when enhancements could be implemented and processes adapted).

About the Author

Chantal Hewston

Chantal Hewston is Internal Audit Principal at Shared Services Canada. She has been working in public sector internal audit for the last 10 years and has been fortunate to play a leading role in a line of agile audits launched by Shared Services Canada in 2016 to provide assurance on major IT programs and projects. Chantal also has experience conducting IT, governance and security audits in a variety of federal departments.

Chantal is an active supporter of the Institute of Internal Auditors and ISACA (formerly known as the Information Systems Audit and Control Association). She was formerly Director, Government and Regulatory Advocacy, for ISACA Ottawa.

Her article reflects her experience and the opinions expressed in it are her own.

Contact the author at:

chantal.hewston@canada.ca

The scope of the new audits would be refined on an ongoing basis as the five transformation programs evolved. These programs effectively became our mini audit universe, which included the enabling governance structure, as well as financial, project, and risk management, and the oversight, monitoring, and reporting processes.

A traditional audit was taking 18 months from initial planning to reporting to the Departmental Audit Committee. With this new assurance methodology in place, we would essentially cut our audit time in half; audits would now take between eight and nine months to complete (see Figure 1). It had never been done before in the department and we were committing to use this new methodology to audit our largest, riskiest, and most complex topics.

Figure 1 – Shared Services Canada’s Internal Audit Process Before and After the Transformation


How did we do things differently?

Everyone wants to complete audits faster, but is everyone willing to make the changes necessary to streamline their processes? We decided that we were willing to make these changes and so we used a principles-based approach to redesign the audit process around our new timeline.

At any given time during the year, we were planning the next quarterly audit, conducting the examination of another, and reporting on a third, so that there were always three audits in progress simultaneously.

Working with our quality assurance colleagues, we streamlined the documents that would be shared with our audit clients (such as the terms of reference for the audit and the audit report) to contain only the critical components required by the Institute of Internal Auditors’ standards. For example, our main audit report was a one-page dashboard document, which was accompanied by a more detailed plain-language findings assessment document. Internal documents and structures such as audit folder structures, templates, and risk assessment tools were also streamlined.

We continually assessed risks against project management principles (including A Guide to the Project Management Body of Knowledge [PMBOK® Guide] and The Open Group Architecture Framework) and government best practices (such as the Government of Canada’s Management Accountability Framework). This included discussions with senior management and dialogue and documentation from governance committee meetings. This continual risk assessment process was used to drive audit priorities and select future risk-based audits in real time from within our defined universe of transformation programs. We also completed an in-depth risk assessment on the topic selected for audit during the planning phase of each new audit, as per our standard process.

We selected audit topics based on this rolling risk assessment and on consultations with audit management and senior management at Shared Services Canada. Considerations were given to risk, timing within the programs, interdependencies, and management priorities. We prepared a list of topics each quarter and shared it with audit management, and sent the final selected topic to the President of Shared Services Canada for approval. This methodology gave us the freedom to focus our audits on the areas of highest risk at any given time as the transformation programs and projects went through different stages.

We executed the planning and examination phases of these audits in the same way as any other assurance audit. Compared with the more traditional audits also underway, the only change was in using streamlined tools for risk assessment and communication of audit results. The biggest factor affecting the progress of these new audits was enforcing strict compliance with due dates along the critical path to deliver the audit. Those key milestones were the completion of planning documents, findings sheets, audit reports, quality assurance reviews, and lessons learned. Particularly in the first few quarters of using our new methodology, meeting those deadlines meant overtime for the audit team. However, we delivered these audits for two years straight without missing a deadline.

The audit team and audit management were committed to reviewing documents within a standard time of three days. The shortened key planning and reporting documents also contributed to greater efficiency. This three-day turnaround also extended to auditee deadlines. We followed up with auditees by email, phone, and in person to ensure our timelines were met.

Preparing reports for publication (including validation and administration) used to take the most time in the process, so a decision was made to separate publication from the audit process. The audit team now focused on delivering audits and providing management with the real-time findings, recommendations, and details needed to improve the delivery of transformation programs. A summary of the four audits completed in the year, their recommendations, and the context for the audit findings was prepared annually for publication by a separate audit team.
