History of Internal Audit in the Federal Government

Ancient Roots of Auditing

The presence of auditing has been inferred from records of a Mesopotamian civilization going back as early as 3500 BC. These records, involving financial transactions displayed various markings, which may be construed as a system of verification. Internal controls and separation of duties probably arose at the same time. Records of other early civilizations, including early Egyptian, Greek, Chinese, Persian and Hebrew, display similar systems.

Ancient Rome employed the "hearing of accounts", where one official would compare his records with those of another, an application of both separation of duties and verification. It is this practice, of hearing of accounts, which probably gave rise to the term "audit", from the Latin "auditus".

With the fall of the Roman Empire many of the financial systems, including verification, disappeared. However, they reappeared as the volume of financial activity recovered towards the end of the dark ages.

It was not until the Industrial Revolution in Europe that auditing with characteristics similar to current auditing, i.e. that went beyond the hearing of accounts to include verification of accounting records and associated supporting documentation, came into being. The Europeans then brought over these practices to the north-American colonies.

More Recent Antecedents of the Practice of Modern Internal Auditing

The proliferation of large, dispersed, complex corporations, starting early in the twentieth century, spurred the accelerated development of the internal audit function. The Institute of Internal Auditors (IIA) was founded, in 1941, largely in response to this development and modern internal auditing owes much of its early progress to the IIA. This includes the gradual expansion of the scope of internal audit activities and of the professionalization of the practice of internal auditing.

The development of professional underpinnings for the profession, however, did not come all at once. It was not until 1947 that the IIA issued its first Statement of Responsibilities. The Code of Ethics was issued in 1968 and the Standards in 1979. The first Certified Internal Auditor (CIA) exams were written in 1974, indicating that there was, that time, deemed to be a recognized body of knowledge available for internal audit professionals.

The Beginnings of the Practice of Internal Auditing in the Federal Government

Recognition of the potential value of the internal audit function came later to the public sector than to the private sector, but with similar motivation. The US Congress first recognized the potential contribution of internal audit in 1950 in requiring, by statute, that each executive agency include internal audit in the agency's system of internal controls.

In Canada, the Report of the Royal Commission on Government Organizations (the GLASSCO Report), in 1962, recommended that departmental management be responsible for the establishment of proper systems of internal audit, rather than relying exclusively on the Auditor General to identify inadequate financial control.

The Treasury Board's Guide on Financial Management, issued in 1966, stated that "as the process of decentralizing control to departments proceeds, the need emerges for - - - audits specifically designed to inform both the department and the executive branch of government whether resources are being used legally and effectively". It went on to say that the audit function "has an important place in all departments to review and appraise the soundness, adequacy and application of all accounting, financial and operating controls".

In 1973, the Treasury Board made it mandatory for all departments and agencies to have internal audits performed on their systems of financial administration. Directive 9.1 of the policy stated:

Departments shall have financial audits performed, which include:

• Reviewing and appraising the effectiveness and efficiency of departmental systems of financial administration, including the safeguarding of assets, and
• Ascertaining the extent of compliance of departmental systems and procedures with financial policies, regulations and other instructions of Parliament, Treasury Board and the department or agency.

The practice of internal audit in federal government departments and agencies in the 60s and 70s was not by any means restricted to financial audit, Treasury Board pronouncements notwithstanding. During this period the scope of the practice varied from narrowly based, financial auditing to Operational Auditing, with virtually unlimited scope. As would be expected, the rigour of internal audit practice varied considerably as well, remembering that when you moved any distance from the financial auditing domain, methodology and standards were sparse.

Not surprisingly, reports of Treasury Board and Auditor General reviews, in 1975 and 1976, indicated that internal audit, where established, was largely ineffective. In response to these and many other challenges, in 1976 Treasury Board approved the creation of a Financial Administration Branch, within the Secretariat, to strengthen financial administration, including internal audit.

For internal audit, this culminated, initially, in a 1976 Treasury Board Circular, reasserting the role of internal audit. In 1978, partly in response to the Royal Commission on Financial Management and Accountability (Lambert Commission; 1976 to 1979), the federal government created the Office of the Comptroller General, within Treasury Board, and issued the "Standards for Internal Financial Audit". This latter document was meant to both standardize the scope and provide standards of performance for the practice of internal auditing in the federal government.

The Standards did, however, recognize the existence of other forms of internal auditing and review (e.g. Operational Auditing, Management Review) and coexisted with the practice of Program Evaluation, launched through Treasury Board Circular 1977-47, aimed at the provision of services, which evaluated the effectiveness of programs. At that time the frequency of audits advocated was such that each major financial component in a department or agency was to be examined within a three-year period.

Evolution of the Internal Audit Function Since 1978

By the seventies, internal audit practice had been expanding in scope in many parts of the world for some time, in many guises. In the U.S., financial auditing was being stretched to the review of all areas where money was being spent, which led the auditors, inevitably, into the examination of operations; in the U.K., the thrust was value-for-money auditing; in Canada and elsewhere, the practice of Operational Auditing was gaining a following, while the Auditor General coined the term "Comprehensive Auditing", with characteristics similar to Operational Auditing.

The Comptroller General of Canada came to the conclusion, in the early 1980s, that it was time for the federal government to follow suit, for two reasons. First, it seemed to make sense to provide the same, independent review service to all managers that was being provided to financial managers. Second, there seemed to be a need to provide more rigour, in the form of standards, for such an expanded internal audit practice.

The result was the "Standards for Internal Audit in the Government of Canada", published in 1982. This Policy and Standards, however, coexisted with the "Principles for the Evaluation of Programs" and its companion "Guide for the Program Evaluation Function", which effectively limited the scope of internal audit to the examination of all things within the boundaries of the host organization, while the evaluation function took on the role of evaluation program effects, beyond the borders of the host organization. There was some overlap, in that evaluation was also to examine the efficacy of the program delivery platform. At this time, the frequency of audits of all major components was lengthened form within three years to every three to five years.

The impetus for the next change in the review regime in the federal government came, at least in part, from the 1993 Auditor General's audits of the internal audit and evaluation functions in departments and agencies. The Auditor General's Report concluded the internal audit and evaluation functions were, generally, not meeting expectations and that the information for decision-making and for reporting results, provided by the internal audit and evaluation functions, could be better integrated with that provided by management.

Parenthetically, the downsizing years resulted in a reduction of, between two-thirds and three-quarters of the federal government audit and evaluation population, a development which, no doubt, contributed considerably to its deteriorating performance during this time period.

The Treasury Board's response was the Review Policy, issued in 1994. This policy brought together various, Treasury Board performance and review requirements. It was intended to support the principles of managing for results through:

• Emphasizing the responsibility line managers have for demonstrating performance and acting on performance information, and
• Creating a productive alliance between managers and review professionals that will link review more visibly to management decision-making and innovation, as well as accountability practices.

The new policy promoted the use of review to help introduce and credibly assess innovative uses of management reforms and incentives, such as single-window service delivery; strategic use of new information technologies; Special Operating Agencies; quality management; delayering, decentralization and empowerment; forming service delivery alliances with third parties; new approaches to manage risks better; and flexible operating budgets.

The Internal Audit Policy component of the Review Policy made no substantive changes to the scope of internal audit but bolstered the professional underpinnings of the practice by integrating Treasury Board and IIA Standards and Ethics provisions. Also, in this policy, frequency requirements were dropped and the concept of risk-based audit planning was introduced.

The most recent phase of the evolution of the internal audit practice in the federal government was launched as part of the "Results for Canadians" and "Comptrollership Modernization" initiatives.

The main thrusts of the new approach to internal auditing (aside from, once again, separating the Internal Audit and Evaluation functions, includes:

• A new Policy on Internal audit, which repositions the function as a provider of "assurance" services to senior management, which focuses on:
  • Risk management strategy and practices;
  • Management control framework and practices; and
  • Information for decision-making and reporting.

  (This policy aims to changes the mix of services to encourage greater use of assurance services, as compared to advise and assist engagements (e.g. consulting services); it also recognizes that internal auditors will be called upon to provide other, related services, such as investigations, control self-assessment facilitation, special reviews, as well. This policy not only shares the review universe with the evaluation function, but with management as well.)

• The establishment of a Centre of Excellence for Internal Audit, at Treasury Board, which will provide the following support to the internal audit community:
  • Policy advice, as well as advice on standards, methodology, practices tools and techniques;
  • Foster the development of audit guidance in key areas;
  • Seek funding for rebuilding departmental internal audit capability;
  • Initiate an omnibus recruitment initiative, to help departments to acquire new staff in an expeditious manner;
  • Develop internal audit training courses, and
  • Provide a liaison service, which deals with internal audit ad-hoc issues in a timely manner and provides a convenient means for feeding important issues from departments to policy authorities and vice-versa.

In many respects, the evolution of internal audit practice over the last forty to fifty years is a case of "back to the future", in that "assurance" auditing draws heavily on the methodology and standards of private sector, external auditing, which is the genesis of the early practice of internal auditing. The differences, however, are significant. The early internal audit practice was established, in no small way, as much for the support of external audit activities (in order to minimize growing external audit costs) as for the benefit of management. On the other hand, the current version of assurance retains the broad scope of previous versions, while adding the rigour typically associated with the private sector external audit practice.