May is International Internal Audit Awareness Month. Let’s Talk recently sat down with CSC’s Chief Audit Executive, Sylvie Soucy, to learn more about internal audit. After 26 years in the field, Sylvie wants you to know one thing: internal audit isn’t boring! Here’s what she had to say.
Let’s start with the basics. What is internal audit?
Internal audit is an independent and objective function which assesses how an organization achieves its objectives. It identifies areas where we are doing well and areas where we need to improve.
What is your role as the Chief Audit Executive?
My role is to provide assurance to the Commissioner and his management team that CSC is delivering its mandate with due regard to efficiency, the law, financial controls, and in compliance with policy. The Commissioner calls it the validation that work is being done as it should.
How often do you perform audits?
We do audits on an ongoing basis. We start with an annual risk-based audit plan. This plan identifies the areas we will audit over a three year period. These areas are chosen based on current strategic priorities and risks identified by management, but also as part of our past audits. Check out the latest one to see what we are working on now. We also do financial audits, including asset management.
What should people know about audits?
It’s important to know that internal audit is mandated by the Financial Administration Act. In many ways, though, it is the eyes and ears of the Commissioner. We believe it’s important to really understand our business and to provide the best information to the Commissioner on how well the organisation is working. To do this, audit staff travels to institutions, parole offices, and any other sites to speak to the people who are doing the work on the frontline. Good audits cannot be done if we stay in an office in Ottawa.
What sorts of things do you audit at CSC?
I mentioned the financial audits we do, like the one on asset management, but it’s much more than that. We audit all aspects of CSC’s operations. This has included processes related to entry and exit to our facilities, the management of contraband, the management of security incidents, as well as case management. This year we are looking at staff safety in the community, offender transfers, the detector dog program, and segregation.
What have been your favorite audits to perform at CSC and why?
We did one on IT security here at CSC and it was quite interesting. Another one was community accommodations and how we as an organization interact with our partners in the community. We also did one on employment and employability and how we could better prepare our offenders for employment upon release. Another was on medication management. There were other ones that were security driven, as mentioned, but not publicly communicated due to security issues. All I can say is that they were fascinating because we got a glimpse into how exactly our organization functions at the deepest level – not everyone can say that.
How long does it take to perform an audit and what is involved?
On average, 6-8 months. That includes planning (i.e. identifying key issues, developing tools for testing, testing those tools), conducting the audit work, analysing the results, preparing a report, and working with management to develop responses and solutions to problems identified. The conduct of the audit usually means that we visit all five regions to interview employees, observe how they do their work, look at files, and compile information. For auditors, this is usually the part that is the most fun and interesting. We often have a person from the operations side of things to help us with audits. We welcome their knowledge because it grounds us in reality as we do our work.
What happens with the information gathered during an audit?
Management is mandated, by policy, to develop action plans to address areas identified as requiring improvement in an audit. My role is to follow up with management to ensure that what they said they were going to do to improve a situation is being done. We are also required to post all audits on our public website except those that involve security matters that may put our facilities or staff at risk.
What makes a good auditor?
Auditors should be certified in internal audit according to international auditing standards. As we often look at financial issues, a strong understanding of financial matters is also important. I frequently say, however, that above and beyond the obvious skills and certifications needed, there are key character traits that make for good auditors: first, curiosity and a thirst for learning new things and second, respect. Good auditors should take a real interest in the subject matter they are examining; they have to be open-minded and objective, and they cannot have pre-conceived notions towards what they are auditing. Everything we do needs to be rooted in a genuine interest about the topic and a respect for the people who work in that field.
Do you participate in any audits or just oversee them?
I mostly oversee but I will go into the field from time to time to help with an audit. In those instances, I will not lead it – I go as a worker. This helps me to avoid the “ivory tower” view that you can often develop as a manager at NHQ. Doing the work keeps me connected to the reality of CSC so that I maintain a good understanding of how things are going in our institutions and sites.
You’ve been doing this for 26 years. Why?
Because I love learning and I love understanding how people do their work. Also, I find it gives me a voice with which to express ideas for where and how we can improve. I feel like I am actually contributing to making things better at CSC. People think auditing is just numbers and processes. It’s so much more than that.