Internal Audit in Departments and Agencies

Main Points

1.1 We assessed the extent to which internal audit groups in six federal organizations had met professional standards and complied with the Treasury Board Policy on Internal Audit. We found that it varied considerably across these organizations.

• In two organizations (Public Works and Government Services Canada and the Royal Canadian Mounted Police), the internal audit group generally met the International Standards for the Professional Practice of Internal Auditing.
• Three departments partially met the standards (Foreign Affairs and International Trade, Human Resources Development Canada, and Natural Resources Canada).
• One agency did not meet many of the standards (Canadian International Development Agency).

1.2 Our work identified a number of important factors that, if implemented, could have a positive influence on the quality of internal audit across government:

• a consistent understanding on the part of senior management of the role that internal audit can and should play;
• a departmental audit committee with external members who are independent of management;
• a clear human resource strategy at the department, central agency, and government level that sets out the qualifications and appropriate number of staff for the internal audit community;
• a focus on assurance services; and
• a strategy to ensure appropriate internal audit coverage and capacity in small entities.

1.3 We found that the Treasury Board Secretariat has yet to establish and fund a strategy that will enable it to meet the requirements of the Policy on Internal Audit and the expectations of the internal audit community.

Background and other observations

1.4 Internal audit is an important element in enabling deputy heads to ensure that their departments have an effective internal control system. Internal auditors conduct risk-based audits and identify, where necessary, improvements in an organization's risk management strategy and practices, in its management control framework, and in the information systems it uses for decision making and reporting.

1.5 Effective 1 June 2004, the government re-established the Office of the Comptroller General to strengthen comptrollership and oversight across the federal government. The Comptroller General's key duties include setting or reviewing auditing standards and policies of the Government of Canada, providing leadership to ensure and enforce appropriate financial controls, and promoting sound resource stewardship at all levels across the federal government.

The Treasury Board Secretariat has responded. The Secretariat agrees that improvement is required. The government has directed the Secretariat to establish a more effective government internal audit function. As a result, the Comptroller General is currently developing proposals to ensure that the Canadian public service has a high performance internal audit regime. These proposals address many of our recommendations and are described following the conclusion.

Introduction

1.6 An effective internal audit function is a fundamental component of good governance. It can provide senior management and audit committees with assurance about the efficiency and effectiveness of key financial, administrative, and operational activities and the organization's management practices, along with suggestions for improvement.

1.7 Internal audit is one of several tools that an organization may use to assess and monitor management practices and the achievement of its objectives. Other tools include program evaluation, studies, and management's efforts to monitor how adequate and effective its own practices are.

1.8 What distinguishes internal audit from other activities that review departmental practices are its attributes of independence and objectivity.

1.9 In recent years, the professional practice of internal auditing has undergone tremendous change. In June 1999, the Institute of Internal Auditors adopted a new definition for internal auditing. This definition incorporated an assurance and consulting role for internal audit. In January 2002, the Institute also adopted a new professional practices framework.

1.10 While the federal government's internal audit community has had to respond to changes within the profession, it has also had to respond to issues within the federal government. Among these are initiatives such as the Independent Panel's Report on the Modernization of Comptrollership within the Government of Canada, which emphasized the role of internal audit in providing assurance services to senior management.

1.11 In responding to these issues and in trying to strengthen the government's internal audit capacity, the Treasury Board of Canada adopted a revised Policy on Internal Audit in April 2001.

1.12 The revised Policy was to be a first step toward fulfilling the government's commitment to have a stronger, better-positioned internal audit function. To this end, the Treasury Board Secretariat invested more than $33 million over the four-year period 2001–02 to 2004–05 to help implement the Policy in departments and agencies. It used another $11 million to fund the Centre of Excellence for Internal Audit. In 2002–03 the total budgeted expenditure for internal audit was $54 million, which included $15 million of supplementary funding provided by the Secretariat.

Roles and responsibilities of internal audit

1.13 The revised Policy on Internal Audit requires departments to

• have an effective, independent, and objective internal audit function that has the resources necessary to provide sufficient and timely assurance services on all important aspects of their risk management strategies and practices, their management control frameworks and practices, and the information used for decision making and reporting;
• incorporate internal audit results into their priority-setting, planning, and decision-making processes; and
• issue completed reports in a timely manner and make them accessible to the public with minimal formality in both official languages.

1.14 The Policy sets out specific requirements for internal audit groups, deputy heads, and the Treasury Board Secretariat's Centre of Excellence for Internal Audit. Internal audit groups are to conduct their work according to the Policy and the International Standards for the Professional Practice of Internal Auditing, established by the Institute of Internal Auditors. According to the Policy, the focus of the work of internal audit groups is to provide assurance services to departmental senior management on the effectiveness of risk management strategy and practices, management control frameworks and practices, and information used for decision making and reporting.

1.15 Under the Policy, deputy heads' responsibilities include

• establishing an active audit committee;
• ensuring independence in their organization and in the activities of their internal audit groups;
• ensuring that internal audit reports describe management action plans to address any weaknesses that internal audit has identified;
• following up to ensure that recommendations have been acted on;
• providing the Secretariat with copies of annual internal audit plans and completed internal audit reports; and
• informing the Secretariat, on a timely basis, of significant issues relating to risk, control, or problems with management practices.

1.16 The Secretariat, through its Centre of Excellence for Internal Audit, is to provide advice to deputy heads, heads of internal audit, and internal audit practitioners on the Policy and practices of internal audit. The Policy on Internal Audit also directs the Centre

• to establish an active monitoring process to provide the Secretariat with timely information on significant issues of risk,
• to develop a human resource strategy for the internal audit community, and
• to establish a framework for evaluating whether the objectives of the Policy on Internal Audit are being achieved.

Focus of the audit

1.17 Our audit focussed on assessing the extent to which a sample of departments and agencies were complying with the Treasury Board's Policy on Internal Audit, which requires departmental internal audit groups to meet professional standards. We also looked at the role of the Secretariat's Centre of Excellence for Internal Audit in providing leadership and direction to the internal audit function in departments and agencies.

1.18 The organizations in which we conducted a quality assessment review were

• the Canadian International Development Agency,
• Foreign Affairs and International Trade (on 12 December 2003, this Department was divided into two departments—Foreign Affairs Canada and International Trade Canada),
• Human Resources Development Canada (on 12 December 2003, this Department was divided into two departments—Human Resources and Skills Development Canada and Social Development Canada),
• Natural Resources Canada,
• Public Works and Government Services Canada, and
• the Royal Canadian Mounted Police.

For more information about our objectives, scope, approach, and criteria, please see About the Audit at the end of the chapter.

Observations and Recommendations

1.19 Our audit involved carrying out quality assessment reviews in six departments and agencies (Exhibit 1.1). These reviews allowed us to rate the extent to which the organizations in our sample were meeting the International Standards for the Professional Practice of Internal Auditing and complied with the Treasury Board's Policy on Internal Audit. We found that two departments generally met the professional standards, while three partially met them. One agency did not meet many of the standards. Exhibit 1.2 provides a definition of the rating scale used in our audit.

1.20 The primary reasons for the ratings given to the internal audit groups in each department or agency include, but are not limited to, those described below:

• Public Works and Government Services Canada generally conformed to professional standards. There was organizational independence and strong support from senior management. The internal audit group reports directly to the deputy head. The audit committee also includes one external independent member. A review of a sample of audit working papers revealed that the auditors exercised due professional care. The Department has also developed a management control framework that assists the internal auditors in evaluating the effectiveness of key areas of management, such as risk management, control, and governance processes. Its internal audit manual establishes quality assurance practices. The Department plans to strengthen its quality assurance and improvement program for the internal audit function.
• The Royal Canadian Mounted Police generally conformed to professional standards. We saw strong support from senior management. The head of internal audit reports administratively to the Deputy Commissioner, Corporate Management and Comptrollership and functionally to the Commissioner (deputy head). The internal audit function also has direct access to a well-functioning audit committee, which contributes to the independence of internal audit. The Commissioner is leading efforts to strengthen the internal audit function at the RCMP. A review of a sample of audit files revealed well-prepared audit working-papers and that the auditors had exercised due professional care. One of the strengths of the internal audit group is the operational experience and professional qualifications of the internal auditors. A strong internal quality assurance program has been established within the internal audit group. Further, a comprehensive internal audit professional training plan is being developed to ensure that audit staff develop the qualities and competencies of an effective "best in class" internal audit organization.
• Foreign Affairs and International Trade partially conformed to professional standards. In December 2003, the Department was reorganized and split into two departments: Foreign Affairs Canada and International Trade Canada. Our work relates to the previous organizational structure. Under the reorganized structure, the internal audit group will audit both entities. The internal audit function has a clearly established mandate and is independent with direct reporting to the deputy head. The Department's internal audit group also has a strong professional development program for its staff and a requirement for new junior staff to supplement their existing background and skills with a professional designation. However, the group lacks a formal quality assurance process, which, if implemented, could strengthen the effectiveness of the internal audit function. The Department develops its audit plan through a consultation process with senior management. It has started to develop a formal, risk-based audit plan to identify areas of risk.
• Human Resources Development Canada partially conformed to professional standards. In December 2003, the Department reorganized and split into two departments: Human Resources and Skills Development Canada, and Social Development Canada. Our work relates to the previous organizational structure. The previous department had a strong quality assurance process. The effectiveness of internal audit could be improved by strengthening its organizational independence and having the group report directly to the deputy head. Internal audit spends considerable time developing management standards documents which will serve as criteria for future audits and in assisting the Department to implement integrated risk management as part of the comptrollership initiative. As a result of these efforts, the amount of assurance audit work being carried out is limited.
• Natural Resources Canada partially conformed to professional standards. The internal audit group has gone through significant and continuous turnover during the last three years. The Department met many of the components of standards, such as organizational independence, proficiency and due care, and performance standards. However, the departmental policy for audit and evaluation is very broadly stated. The purpose, authority, and responsibility for internal audit should be defined and consistent with the Treasury Board's Policy on Internal Audit and the professional standards. Natural Resources Canada lacks a formal, internal, quality-assurance process, which could strengthen the effectiveness of internal audit. A review of a sample of audit files indicated that recently completed audits had appropriate supporting working-paper files, while older files did not.
• The Canadian International Development Agency did not meet many professional standards. Its internal audit group reports to a person who is responsible for other management activities. This does not in our opinion provide sufficient independence for the group. Also internal audit has not established internal quality assurance processes that cover all aspects of the internal audit activity as required by professional standards. We reviewed a sample of audit files. We found that, for two of the three files, the documentation for the audit work completed was not maintained in a way that clearly demonstrates the work conducted and that the evidence collected supported the internal audit report at the time the report was issued. The Agency has recently made changes that demonstrate its commitment to strengthen its internal audit function. For example, the audit committee, now chaired by the President, is demanding a shorter audit cycle and quicker management responses to concerns raised by internal audit. Since our audit, the Agency has taken steps to address our concerns. We will conduct another quality assessment review to follow up on progress made by the Agency.

1.21 Overall, the quality of the internal audit function varies widely in these organizations.

1.22 A number of factors have contributed to preventing internal audit groups from contributing as much as they could. These include a lack of support from senior management, difficulties in attracting and retaining qualified staff, and limited number of assurance audits being conducted. Our previous audits have highlighted these challenges, which continue to adversely affect the internal audit function.

Sustained support from senior management

1.23 Strong, sustained support from senior management is the single most important element in building an effective, independent internal audit function. Ideally, the head of internal audit should report directly to the deputy head. This positions internal audit to play a more independent and strategic role, which extends beyond performing audits. It also reflects the attitude and expectations of senior management with respect to internal audit, and promotes independence and objectivity by placing an appropriate distance between the auditor and operational managers.

1.24 Having a properly staffed and positioned internal audit allows the auditors to review activities with an independent and objective perspective because they are not responsible for those activities. Internal audit should provide an organization with assessments and opinions on the accuracy, completeness, and effectiveness of processes and information. If internal auditors are too heavily involved in developing a process or overseeing operational effectiveness (for which management is responsible), then their independence and objectivity are compromised.

1.25 The Treasury Board's Policy on Internal Audit recognizes the value of strong support from senior management. It requires deputy heads to institute an effective audit function that plays a strategic role, including providing assurance on the quality of

• a department's risk management and control frameworks, and
• the information that managers use to make decisions and report on the organization's performance.

1.26 The Policy also expects senior management to use the results of internal audits in planning and setting priorities. Meeting these requirements would require the deputy head to create an appropriate reporting relationship and to understand and value what internal audit does. Best practices for internal audit support direct reporting to the most senior level of management.

Senior management support is strong in some departments

1.27 We found that three (Foreign Affairs and International Trade, Natural Resources Canada, and Public Works and Government Services Canada) of the six organizations had internal audit groups that reported to their deputy head.

1.28 The senior management of some government organizations strongly and visibly support their internal audit group. This was particularly evident for the Royal Canadian Mounted Police (RCMP) and Public Works and Government Services Canada (PWGSC). For both organizations, senior management clearly understood and supported the role of internal audit in the management process.

1.29 For example, the RCMP's senior management decided that it wanted to create a stronger, more effective, and highly professional internal audit group. To achieve this goal, senior management purposely recruited a number of audit staff with strong credentials and appropriate professional designations. This enabled the internal audit staff to assume a more strategic role in supporting senior management and demonstrated the value they added to the organization.

1.30 Internal audit in PWGSC and the RCMP generally conformed to the International Standards for the Professional Practice of Internal Auditing. An effective internal audit function correlates strongly with clear support from senior management and direct reporting to the deputy head.

Strategic orientation of internal audit

1.31 If internal audit in the government is to operate effectively and contribute to improving the management of departments, it must have a strategic orientation. Whether it achieves this orientation will depend on two important factors: internal audit's positioning and reporting relationship within the department and viewing its role as strategic.

1.32 The proper positioning (or organizational alignment) can give an internal audit group the organizational independence and the mandate to deal with significant, strategic business risks.

1.33 Internal audit contributes to better governance when it assumes a strategic orientation by working closely with the audit committee and senior management to address organization-wide risk, governance, and control issues. To be effective, internal audit groups need to move from a tactical level to a strategic level. They need to align their resources and provide assurance on risk, governance, and control of business processes that support the organization's objectives and that demonstrate the value that internal audit adds.

1.34 A close working relationship with senior management, along with their visible support, signals that they value the expertise that internal audit brings to their organization. Such a relationship can strengthen the perception of the independence and objectivity of an internal audit function. Equally, its absence can diminish the perception of a strong, independent internal audit.

Audit committees and internal audit

1.35 Another key factor that influences the quality and effectiveness of the internal audit function is the departmental audit committee. According to the Treasury Board's Policy on Internal Audit, a departmental audit committee has an important oversight role to play in internal audit. This includes oversight of the internal audit group, strengthening its independence, and monitoring its performance.

1.36 Audit committees in private firms and various public organizations are commonly responsible for overseeing other areas in which the internal audit group is involved. These areas include the oversight of the organization's risk management, governance, and management control frameworks, and ensuring the integrity of financial and performance information used for decision making and external reporting. Given these responsibilities, audit committees play a key role in corporate governance.

Departmental audit committees lack independence

1.37 The degree of independence of internal audit in an organization reflects the independence of the audit committee that oversees it. In the private sector and Crown corporations, audit committees consist of members who are independent and are separate from management (Exhibit 1.3). Given that private sector audit committees are responsible for overseeing internal audit, their independence, in turn, helps ensure that internal audit remains independent. In the private sector, the expectations placed on audit committees has increased after recent financial collapses in several high-profile corporations.

1.38 Under the Treasury Board's Policy on Internal Audit, the deputy head either chairs the audit committee or chooses a senior executive (usually the associate deputy minister) to chair the committee. The committee is to consist of three to five other members at the assistant deputy minister level. Accordingly, committee members may sometimes be audited, which places them in a position of conflict of interest and may diminish their objectivity. In our view, this independence would be less at risk if departmental audit committees were required to include members from outside the organization. Exhibit 1.4 shows the membership in the audit committees of the six organizations we audited. In other jurisdictions such as the United Kingdom and the United States, steps are being taken to strengthen the independence of departmental audit committees by establishing requirements for independent members and measuring the performance of the audit committee.

1.39 In past audits we have recommended that departmental audit committees include outside members to add to their independence. However, only Public Works and Government Services Canada has acted on the recommendation. The Policy on Internal Audit is silent on this matter, although a Treasury Board Secretariat reference document does recommend that deputy heads consider appointing suitably qualified external members to audit committees.

1.40 Recommendation. The Treasury Board Secretariat should establish in the Treasury Board's Policy on Internal Audit a requirement for external membership on departmental audit committees.

The Secretariat's response. The Secretariat agrees that external members could make a significant contribution to supporting the independence of departmental internal audit functions and providing deputy heads with objective advice and guidance. This recommendation will be addressed through revision of the Policy on Internal Audit.

Not all audit committee members understand their role

1.41 The Policy on Internal Audit sets out the roles and responsibilities of audit committees. We found that senior management and members of audit committees do not always fully understand their roles and responsibilities. Exhibit 1.5 lists the roles and responsibilities of departmental audit committees for internal audit, as set out in the Policy.

1.42 One of the responsibilities of an audit committee is to monitor the performance of internal audit. We noted that the RCMP regularly provided the audit committee with information on the performance of internal audit with a balanced scorecard.

1.43 Another responsibility of audit committees is to approve the annual audit plan and the overall risks associated with the plan. We found that organizations are preparing risk-based plans for audit committee approval. In approving these audit plans, committee members need to be aware of the relationship between the plans and the risks that could affect departmental operations. We found that members did not consistently have a good understanding of this relationship.

1.44 From time to time it is expected that audit committee members will need to act in a challenge role. In five of the six organizations that we audited, the membership of the audit committee was substantially the same as the executive committee. This does not allow the audit committee to effectively fulfill its challenge role. If management and the audit committee are substantially the same, the committee may lack the necessary objectivity.

1.45 A number of audit committee members that we interviewed expressed a need to better understand their role. Only the RCMP offers formal training to help its members understand their roles and responsibilities. The Director General, Audit and Evaluation, provides training to committee members on internal audit's mandate and organizational structure, the services it provides, the concept of a risk-based audit plan, and the performance measures for internal audit. Also, audit committee members are given a "walk-through" of the Internal Audit Charter and their terms of reference.

1.46 We reviewed the guidelines for audit committees in the Treasury Board Policy on Internal Audit and found that the Treasury Board has adopted a narrower role for audit committees than the private sector and other jurisdictions. Also, the expectations of audit committees in the private sector and in other jurisdictions has evolved in recent years. For example, departments will, within the next five years, be required to prepare annual financial statements that can withstand the test of an audit. In addition, the Treasury Board Accounting Standard 1.2—Departmental and Agency Financial Statements requires the deputy head and the senior financial officer to sign off on the financial statements—this acknowledges management's responsibility for the financial statements and the processes that produce the information in the statements. In other jurisdictions and in the private sector, the audit committee plays a key role in supporting management in discharging this responsibility and in ensuring the accuracy, integrity, and completeness of the financial reporting. Fulfilling this role will require audit committee members to have a certain degree of financial expertise and knowledge of generally accepted accounting principles.

1.47 A summary of some key expectations in other jurisdictions and not covered by the Policy on Internal Audit is provided in Exhibit 1.6.

1.48 Recommendation. The Treasury Board Secretariat should, as necessary, provide guidance on better practices for audit committee performance and provide guidance on appropriate training for departmental audit committee members.

The Secretariat's response. The current Policy on Internal Audit envisages a wide role for departmental audit committees in providing oversight and advising deputy heads on departmental control and accountability systems. The Secretariat agrees that further guidance and training for committee members are required and will provide support to departments in this area.

1.49 Recommendation. The Treasury Board Secretariat should update the roles and responsibilities of the audit committee and its members.

The Secretariat's response. Agreed. The Secretariat is currently developing proposals that will redefine the roles and responsibilities of the audit committee and its members, and will accommodate the involvement of external members.

Staffing internal audit

1.50 For most internal audit groups, human resources management poses the greatest challenge. Internal audit groups require an appropriate number of staff who have a broad range of skills, knowledge, and experience. The number of staff depends on the risk and on the activities to be audited.

1.51 The Policy on Internal Audit requires deputy heads to establish an internal audit group that has appropriate resources and meets professional standards. Under the Policy, deputy heads are accountable for ensuring that the internal audit group has the capacity to fulfill its responsibilities—sufficient resources and appropriately qualified staff—and that staff work to professional standards.

1.52 The internal audit community faces significant challenges with human resources. Departments have generally had difficulty attracting and retaining enough qualified people to fill positions in internal audit and to meet the requirements of the Policy on Internal Audit. In February 2003, the Secretariat released a report on the Interim Evaluation of the Implementation of the Revised Policy on Internal Audit. The report noted many of the same concerns that we raise in this chapter.

1.53 From 1992–93 to 1999–2000, the number of internal audit staff working in departments and agencies decreased sharply—from 700 to 400 (Exhibit 1.7). Since the Treasury Board issued its revised Policy in 2001, the number of audit staff has recovered to about 464 in 2002–03. For consistent presentation these figures include resources at Canada Customs and Revenue Agency, which became a separate agency in 1999. Of the 400 staff in 1999–2000, 285 were from departments and agencies subject to the Policy and 115 were from the Agency. Of the 464 staff in 2002–03, 350 were from departments and agencies subject to the Policy and 114 were from the Agency.

1.54 The increase in internal audit staff from 1999–2000 to 2002–03 was a result of interim supplementary funding from the Secretariat. Over the last three years, audit groups have used some of these funds to hire and train new people.

1.55 To date, the Secretariat, in conjunction with departments, has not established what the appropriate number of internal auditors should be within the federal government. However, in signed memoranda of understanding between the Secretariat and most departments, there has been a commitment to "fill a persistent gap that remains between the current level of permanent resources devoted to the function and the level required to support a mature or sustainable function." This "sustainable function" is to be achieved by 2005–06.

1.56 We recognize that establishing the appropriate number of auditors is difficult and can never be precise; it is nevertheless critical that clear targets be set. One impact of the shortfall in the number of auditors is that departments may not be carrying out all planned audits of high-risk areas. As a result, departments may be operating with levels of risk that exceed their risk-tolerance levels.

1.57 Recommendation. The Treasury Board Secretariat, in collaboration with departments, should establish benchmarks to determine the number of internal auditors that the federal government and each department needs to provide a reasonable level of audit coverage and a sustainable audit function.

The Secretariat's response. Benchmarking across departments and agencies that have widely different risk profiles is extremely difficult. There is no easy formula that will meet everyone's needs. Nonetheless, the Secretariat will work with departments to assist them in determining adequate levels of resources for their internal audit functions.

Impediments to recruiting and retaining internal audit staff

1.58 In the interim evaluation report, the Secretariat noted that departments have offered various reasons for their problems in staffing auditors. They include

• The classification category does not appropriately reflect the skills and competencies required of a professional in the internal audit group. The salary structure is not competitive enough to attract and retain staff with professional designations, appropriate business knowledge, and other specialized skills appropriate to the department.
• The Secretariat's interim funding has created many term positions in departments. The temporary nature of these positions may not be attractive to some employees with professional designations.

1.59 The Secretariat has yet to resolve these issues. The Secretariat's interim evaluation report cited the lack of sufficient staff with appropriate skills in internal audit groups as one of the primary barriers to implementing its Policy on Internal Audit. We concur with this assessment.

A broad mix of skills is needed

1.60 A broad range of skills is needed for an effective internal audit group. The necessary skills include staff with a professional designation and staff with specialized knowledge and expertise and whose skills correspond to the business side of a department.

1.61 The proportion of internal audit staff with a professional designation in the Canadian federal government is comparable to those in government organizations that participate in the Institute of Internal Auditors' Global Audit Information Network, a benchmarking service of the Institute. Participants in the network reported that 40 percent of staff had a professional designation; in the Canadian federal government, 37 percent of staff had a professional designation.

1.62 What is important is to determine the appropriate number of internal auditors and the mix of skills and experience needed to provide the optimal internal audit coverage on a department and government-wide basis, and the training that would be needed to maintain these skills at an appropriate level. Both the Interim Evaluation of the Implementation of the Revised Policy on Internal Audit and the heads of internal audit that we interviewed noted difficulties in attracting and retaining staff.

1.63 Recommendation. The Treasury Board Secretariat, in collaboration with departments, should determine the appropriate mix of qualifications, experience, and skills required for internal audit on a department and government-wide basis.

The Secretariat's response. The appropriate mix of qualifications, experience, and skills will vary from department to department. However, as with recommendation 1.57, the Secretariat will work with departments to ensure that internal audit groups have the qualifications, experience, and skills to provide internal audit services at a professional level.

1.64 Recommendation. The Treasury Board, in collaboration with departments, should ensure that internal auditors receive the necessary training to maintain their skills at an appropriate level.

The Secretariat's response. The Secretariat currently provides a series of professional internal audit courses for departmental internal auditors, some in conjunction with the Institute of Internal Auditors. These complement the many training opportunities provided by departments. The Secretariat fully recognizes the necessity of training to maintain and enhance the professionalism of internal audit and plans to augment its professional development initiatives.

Audit coverage

1.65 The term "audit coverage" refers to the areas that internal auditors are responsible for examining in their audits. The Policy on Internal Audit identifies the primary role and responsibility of internal audit in the government as the provider of professional assurance services to senior management.

Limited assurance work is being done

1.66 In the private sector, an internal audit group would spend most of its time doing assurance work. Other activities, such as "directed audits" (audits requested by management) and assignments that include consulting work, account for a relatively small percentage of its work. However, in the federal government, in general only a limited amount of time is spent providing assurance services to inform senior management on how well its risk management strategies and practices, management control frameworks and practices, and information for decision making and reporting systems are working.

1.67 Work other than assurance services may provide some useful information for senior management. However, according to the Treasury Board's Policy on Internal Audit, providing assurance through audits is the core expectation of internal audit. If internal audit is not focussing on assurance, it is not doing what it is supposed to. Departments are not benefiting from systematic assessments of their management systems, and senior management is not getting independent assurance that those systems, critical to program delivery, are operating effectively and as intended.

Internal audit coverage in small entities

1.68 Our audit also considered the extent of audit work being carried out in small entities. The federal government has numerous small agencies, boards, and commissions. The activities of these organizations are diverse—from environmental assessment to transportation safety. They perform investigatory, regulatory, and quasi-judicial roles. Although they have relatively few staff and small budgets, these organizations affect the health, safety, and quality of life of Canadians. For example, some agencies provide Canadians with recourse to perceived unfairness and inequity; others strive to make Canadian industry more competitive.

1.69 A key characteristic of these small agencies is that their staff, because they are few in number, may be responsible for more than one area. This differs from larger organizations where roles and responsibilities are generally discrete or segregated. Another characteristic is their informal structures and governance mechanisms.

1.70 Our Office, in developing a new strategy for auditing small entities, looked at the nature and extent of these entities' internal audit capacity. We found that, given their small size, none had a permanent full-time internal audit function. We did note that some small agencies had contracted out audits to meet the specific needs of their management. In general, however, internal audit coverage was very limited.

1.71 In our view, small entities do require some internal audit coverage to provide assurances to management that they are effectively managing the key risks that they face. The Standing Committee on Public Accounts expressed a similar view in its report on our audit of the Office of the Privacy Commissioner of Canada, presented to Parliament in April 2004. It recommended "that the Treasury Board Secretariat create a pool of resources to make central internal audit services available to small departments and agencies, including the Office of the Privacy Commissioner of Canada."

1.72 We reviewed the activities of the Secretariat to determine what it had done to respond to the Public Accounts Committee's recommendation. While the Secretariat has provided some tools and support to small entities, it has to yet develop a capacity for providing internal audit services to small entities.

1.73 Recommendation. The Treasury Board Secretariat, in consultation with small entities, should develop a risk-based strategy and establish, within government, a capacity for providing internal audit services to small entities.

The Secretariat's response. Agreed. The Secretariat is currently developing proposals to establish a capacity to provide internal audit services to small entities.

Audit reports

1.74 An audit report is the end product of an internal audit and has two important purposes:

• First, it informs senior management of the findings or results of an audit.
• Second, it provides a basis for program managers to deal with problems identified by the internal auditor.

1.75 The Institute of Internal Auditors has published detailed standards for communicating the results of internal audits. Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." The Treasury Board Policy on Internal Audit also contains standards for internal audit reports. It is important that audit reports communicate the results of an audit and contain a statement of assurance. This statement informs the reader of the quality and rigour of the auditors' work and the sufficiency and quality of the evidence supporting the findings and conclusions.

Access to information needs to be addressed

1.76 Nearly all the internal audit managers and entity senior officials that we met indicated that internal auditing is affected by access to information laws and policies. The requirement to make the results of an audit available to the public affects the timing of the audit, the issues addressed, and how the results are reported. While the managers we interviewed supported the current practice of posting completed internal audit reports on departmental Web sites, they did express concern over providing draft reports and supporting working papers. Similar concerns were raised at the time of our 1996 government-wide assessment of internal audit.

1.77 In 2000 the government established the Task Force on Access to Information to review access to information legislation. The task force recommended that Section 22 of the Access to Information Act be amended so that the head of a government institution would not have to disclose draft internal audit reports and supporting working papers until the earliest of the following:

• the date the report is completed,
• six months after the audit is completed, or
• two years after the internal audit began.

1.78 To date, the government has not acted upon the recommendations of its task force. While posting completed internal audit reports on departmental Web sites is appropriate, we are concerned that access to audit working papers may impair the ability of audit groups to discharge their duties.

1.79 Recommendation. The Treasury Board Secretariat should take action to deal with the impact of access to information on internal audit groups.

The Secretariat's response. The Secretariat fully supports the principle of full access to all completed internal audit reports. However, the Secretariat also agrees with the Auditor General's concern about the unintended impact of access to information on the ability of internal auditors to discharge their duties. The Public Accounts Committee also considered the impact of access on internal audit to be an important issue (Seventh Report 2001–02).

The Secretariat agrees that action is necessary to deal with the matter and will pursue opportunities to seek the same protection for internal audit as is available to the Office of the Auditor General.

Audit reports are not timely

1.80 To be useful, audit reports should be completed without delay and be easily accessible to the public in a timely manner. To make the reports easily accessible, most departments are posting internal audit reports on their Web sites. In our view, the reporting process takes too long.

1.81 The total time it takes from the planning phase of an audit to the release of the final report and its posting on the Web site ranges from 11 to 24 months (Exhibit 1.8). The delays occur in the reporting phase of the audit, as this stage involves a departmental review of the report before it is released.

The Secretariat and its Centre of Excellence for Internal Audit

1.82 The expectations for the Secretariat's Centre of Excellence for Internal Audit are set out in the Treasury Board Policy on Internal Audit. It requires the Centre of Excellence for Internal Audit to do a number of things:

• provide advice to deputy heads, heads of internal audit, and internal audit practitioners on the implementation of the Policy, the development of departmental internal audit policies, annual audit plans, and the application of professional standards;
• establish an active monitoring process that provides timely information to the Treasury Board on significant issues of risk, control, or other problems with management practices in departments;
• develop a human resource strategy for the internal audit community to support departments in implementing the Policy;
• establish a framework to guide a formal evaluation, within five years, of the effectiveness of the Policy; and
• provide assistance to departments in evaluating the performance of their internal audit functions.

1.83 We assessed the progress that the Centre of Excellence for Internal Audit had made in each of these areas.

1.84 The Centre has expended considerable effort to work with the internal audit community to develop tools and guidance and to sponsor workshops and courses to improve internal audit practice. However, the internal audit community expects more leadership from the Centre. It wants the Centre to assume an advocacy role for internal audit, to provide more guidance and direction on government priorities and community-wide issues, to educate senior management on the role and value of internal audit, and to provide more timely tools and advice to the community. In our interviews, many did not believe that the Centre met their needs in providing guidance to the community and timely information on government-wide issues.

1.85 The Centre of Excellence for Internal Audit carries out its monitoring role by holding discussions with heads of internal audit, reviewing and analyzing internal audit plans and reports, and by visiting departmental internal audit groups. In assessing the nature and extent of monitoring by the Secretariat, we found that the Centre had reviewed the audit plans and reports that departments had submitted, as required by the Policy on Internal Audit. However, the Centre does not compare the number of audits planned with the number of reports submitted. This step is essential to ensuring that departments have carried out their audit plans and provided all reports to the Centre.

1.86 Under the Policy on Internal Audit, the Centre is responsible for providing advice to the internal audit community and establishing an active monitoring process that provides timely information to Treasury Board. An important aspect of these responsibilities is the review and analysis of all internal audit reports. This allows the Centre to detect emerging weaknesses in departments that the documents might bring to light. However, because departments do not consistently submit their reports to the Centre and the Centre does not compare planned audits with the number of reports it receives, it does not know the extent of the weaknesses. If departments do not submit their reports for review and analysis, the Centre cannot detect the emerging weaknesses identified in the audit reports and alert departments and their auditors to these problems. Accordingly, the government may be deprived of valuable information that could help in reducing risk and improving management practices in departments and agencies. For those reports that the Centre analyzed, the analysis was complete and the results were shared with the internal audit community and with the Secretariat.

1.87 Recommendation. The Treasury Board Secretariat should ensure that it receives all departmental internal audit reports so that they can be analyzed for emerging weaknesses and that it shares the analysis with the internal audit community.

The Secretariat's response. The Secretariat will work closely with departments to ensure they provide copies of all completed audit reports to the Secretariat in a timely manner, as required by the Policy on Internal Audit.

1.88 The Policy on Internal Audit states that an internal audit advisory committee consisting of government and private-sector senior executives will be established. The committee will advise the Secretariat on internal audit policy, standards, community development strategies, and benchmarks to be used in examining government-wide performance in meeting the objectives of the Policy. At the time of our audit, an advisory committee had not been established.

1.89 A key requirement established for the Centre was to develop a human resource strategy for the community. We noted that a strategy had been developed in 2002. However, in our interviews, many heads of audit and members of the internal audit community noted that the Centre has not resolved a number of critical, strategic human resource management issues. These include determining the classification category for internal auditors, and most importantly, determining the appropriate number of internal audit staff.

1.90 In 2001, the Secretariat published an evaluation framework for assessing whether the Policy on Internal Audit had achieved its stated policy objectives. The framework recommended a two-phase evaluation. The first phase was completed in 2002. We saw some evidence of an action plan to address some of the issues identified in this evaluation; however, the action plan developed was not comprehensive. The second phase requires a comprehensive evaluation within five years of the implementation of the revised Policy on Internal Audit. Secretariat officials have indicated that the comprehensive evaluation will not be carried out until the new Comptroller General has reviewed the state of internal audit in the federal government.

1.91 A key requirement of the revised International Standards for the Professional Practice of Internal Auditing is for internal audit groups to conduct an external quality assessment to see if they conform to the standards, at least once every five years. The revised standards require that this assessment be conducted no later than 1 January 2007. We are concerned that the Secretariat has not yet developed a plan for enabling departments and agencies to meet this requirement.

1.92 Recommendation. Departments should ensure that their internal audit groups conduct an external quality assessment by 1 January 2007.

The Secretariat's response. The Secretariat has already alerted departments to the requirement of the International Standards for the Professional Practice of Internal Auditing for external quality assessments. The Secretariat will work with departments to ensure that they meet this requirement.

1.93 Recommendation. The Treasury Board Secretariat should, in its performance report, report progress made in meeting the objectives of the Policy on Internal Audit. This should include reporting the results of departmental quality assessments.

The Secretariat's response. The Secretariat proposes to monitor the performance of internal audit in departments by assessing a number of departmental internal audit functions each year and by conducting a government-wide evaluation of the implementation of Treasury Board's Policy on Internal Audit periodically. The results of these activities will be incorporated in the Treasury Board Secretariat's reporting.

1.94 The Centre of Excellence for Internal Audit has developed a tool for reviewing the content and assessing the extent to which internal audit plans and reports meet the requirements of the Policy on Internal Audit. But, it has not yet developed tools for assessing other components of the Policy. The Centre has shared the results of its analysis of internal audit plans and reports with the internal audit community. However, as noted earlier, not all internal audit reports are provided to the Secretariat.

1.95 While the Centre has a number of initiatives in progress to assist the internal audit community, it generally does not have the community's confidence. The community has developed its own approaches to developing methodologies and sharing practices among its members. Many heads of internal audit commented on the absence of strategic leadership from the Centre. In particular, a number of departmental internal audit groups have developed strategies for working collaboratively among themselves to resolve issues. This exercise involves dedicating resources and contract funds to address such issues as quality assurance reviews, benchmarks for internal audit, and developing methodologies. Such activity reflects, in our opinion, a lack of confidence in the Centre to resolve key issues facing the internal audit community.

1.96 Overall, the Centre is not adequately discharging its obligation under the Policy on Internal Audit. Why has it not provided leadership? The Centre's staff suggested a number of reasons. They told us that funding for the Centre was uncertain. This has led the Centre to cut back or eliminate key activities such as the Heads of Internal Audit Conference and makes it difficult for the Centre to attract and retain staff and develop any long-range plans.

1.97 To assess this, we reviewed the budget for the Centre. In 2001–02, the Centre spent $1,488,203 of its $1,563,255 operating and maintenance budget; in 2002–03, it spent $1,291,661 of its $1,342,000 budget. For 2003–04, the Centre's approved operating and maintenance budget was $627,347—it only received $136,100. The remaining $491,247 was shifted to other areas of the Secretariat. At the time of our audit, the 2004–05 budget for the Centre had not been approved.

1.98 The effectiveness of the Centre has been affected by frequent changes in leadership. Since 2000, it has had five executive directors and five deputy comptrollers general, until the appointment of the new Comptroller General in 2004. The Centre's Executive Director reports to this position. This turnover has meant that sustained, committed leadership at the Centre has been lacking.

1.99 Recommendation. The Treasury Board Secretariat should evaluate the Centre of Excellence for Internal Audit's capacity to meet the responsibilities established for it by the Policy on Internal Audit and take actions to address any gaps in their capacity.

The Secretariat's response. Agreed. The Secretariat recognizes that it has to take on a stronger role. There is now underway a thorough analysis of the role that the Secretariat should play in the overall government internal audit regime and of the capacity that will be required to deliver.

1.100 Effective 1 June 2004 the government re-established the Office of the Comptroller General to strengthen comptrollership and oversight across the federal government. The Comptroller General's key duties include setting or reviewing the auditing standards and policies of the Government of Canada, providing leadership to ensure and enforce appropriate financial controls, and promoting sound resource stewardship at all levels across the federal government. This will necessitate taking clear steps to strengthen internal audit within the Canadian federal government.

Conclusion

1.101 While investments have been made and steps taken to strengthen the internal audit community within the federal government, considerable work remains to be done if the government is to achieve the objectives established in the Policy on Internal Audit. The effectiveness of internal audit varies considerably within the federal government. It is dependent upon the nature and extent of departmental senior management's understanding of the role that internal audit can and should play within an organization and the level of support that senior management provides. The success of internal audit depends upon the professionalism of the internal audit activity and the value that it adds to the department. Both are fundamental prerequisites.

1.102 On a government-wide basis the Treasury Board Secretariat's Centre of Excellence for Internal Audit must establish a clear strategic direction for government departments and the internal audit community. As well, the Centre must develop the necessary capacity if it is to effectively meet its responsibilities as established by the Policy on Internal Audit. Achieving these objectives will require consistent execution of the Centre's mandate, and consistent, stable funding and support for the mandate from the Secretariat's senior management.

The Secretariat's response. The Treasury Board of Canada introduced a new Policy on Internal Audit in April 2001 aimed at repositioning internal audit in the public service as a provider of assurance services to departmental management. Good progress has been made, but it was always anticipated that full implementation would take several years. The report on internal audit in departments and agencies highlights a number of opportunities for improvement. The Secretariat agrees that improvement is required.

Early this year the government announced a number of initiatives to strengthen comptrollership in the public service, including the re-establishment of the Comptroller General within the Treasury Board Secretariat. In this context, the government signaled its commitment to strengthening internal audit across the public service and has directed Treasury Board Secretariat to establish a more effective government internal audit function. As a result, the Comptroller General is currently developing proposals that are aimed at ensuring that the Canadian public service has a high performance internal audit regime. These proposals include

• strengthening internal audit capacity across the public service in terms of both resources and skills;
• a more structured role for departmental audit committees, and measures to enhance the independence and qualifications of audit committee members;
• defining the role of the departmental head of audit and emphasizing the need for independence and professionalism in that role;
• new roles for the Comptroller General in carrying out cross-departmental internal audits and supporting internal audits in small departments and agencies; and
• strengthened roles for the Comptroller General in monitoring and supporting internal audit performance in departments, including the introduction of uniform, proven operating processes for internal auditing in all departments.

These proposals address many recommendations directly. The Policy on Internal Audit will be amended to the extent necessary to implement them. Implementation will be a multi-year initiative, requiring a carefully planned transition and monitoring of results.

About the Audit

Objectives

The objective of the audit was to assess whether departmental internal audit groups and the Treasury Board Secretariat's Centre of Excellence for Internal Audit met the objectives set out for them in the Policy on Internal Audit.

The audit also considered the nature and extent of the Secretariat's active monitoring and the completeness of its human resource strategy for the internal audit community.

Scope and approach

To assess the compliance of departmental internal audit groups, we conducted quality assessments in a sample of departments and agencies to determine whether the objectives of the Policy, which incorporate the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, were being met. We assessed the work of the internal audit groups that was completed after the introduction of the revised Policy.

The organizations selected for a detailed quality assessment were

• the Canadian International Development Agency,
• Foreign Affairs and International Trade (on 12 December 2003, this Department was divided into two departments—Foreign Affairs Canada and International Trade Canada),
• Human Resources Development Canada (on 12 December 2003, this Department was divided into two departments—Human Resources and Skills Development Canada and Social Development Canada),
• Natural Resources Canada,
• Public Works and Government Services Canada, and
• the Royal Canadian Mounted Police.

Criteria

The criteria for the audit are based on the Policy on Internal Audit issued by the Treasury Board. The Policy requires that internal audit groups:

• be organizationally independent and staffed with individuals who have an impartial, unbiased attitude and avoid conflicts of interest;
• have the capacity to accomplish its responsibilities, by having sufficient resources and being staffed with competent people, effectively deployed, who work to professional standards; use good communication practices; and adhere to public service and professional ethics, values, and codes of conduct;
• have the breadth of knowledge to accomplish its responsibilities, by using work teams that collectively possess or have access to sufficient expertise of the subject matter being audited;
• be managed effectively with approved plans that address areas of highest risk and significance and provide periodic summary reports to management on the activities and performance of the internal audit function and on any significant risks and control issues;
• conduct individual audits in an effective and efficient manner with risk-based plans that address the scope of the engagement, with work programs that meet the objectives of the engagement, and sufficient appropriate evidence that supports the findings and conclusions;
• prepare clear concise reports on a timely basis so that management can readily focus on and understand the important issues being reported. Reports should provide context for the observations and identify to whom the recommendations are directed;
• ensure that the Treasury Board Secretariat is provided with annual internal audit plans and completed reports; and
• ensure reports are made accessible to the public in an efficient and effective manner.

The Treasury Board's Policy on Internal Audit has adopted the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors as its standard. Accordingly, we used the Institute's standards to elaborate and provide detail for the criteria statements.

The criteria for assessing departmental audit committees are similarly based on the requirements of the Policy on Internal Audit. Departmental audit committees should

• strengthen the independence and effectiveness of the internal audit function;
• provide complete, accurate, and timely advice and counsel to the deputy head on the adequacy, design, and operation of management control frameworks, and the quality of financial and other performance information used for decision making and reporting;
• provide the deputy head with adequate information that allows him/her to inform the Treasury Board Secretariat, as necessary, on significant issues of risk, control, or weaknesses in management practices;
• ensure that management action plans incorporate the results of internal audit into the departmental priority setting, planning, and decision-making processes;
• ensure that management action plans, if implemented, are sufficient to address the weaknesses identified in the internal audit report; and
• monitor the performance of the internal audit group to ensure the objectives of the Policy on Internal Audit are met.

The Secretariat, through its Centre of Excellence for Internal Audit should

• monitor progress in departments and agencies on a government-wide basis. Strategic intervention should be exercised as appropriate to support the implementation of the Policy on Internal Audit;
• provide sound professional advice to deputy heads, heads of internal audit, and internal audit practitioners, which will support efforts to implement the Policy on Internal Audit; and
• keep Parliament informed about matters of significance and the progress made in achieving the objectives of the Policy on Internal Audit.

Audit team

Assistant Auditor General: Doug Timmins
Principal: Bruce C. Sloan
Directors: Frank Cotroneo and Gaëtan Poitras

Brian Brisson
Heather Miller

For information, please contact Communications at (613) 995-3708 or
1-888-761-5953 (toll-free).

Definitions:

Independence—The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. (Back)

Objectivity—An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgement on audit matters to that of others. (Back)

Internal auditing—Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Source: The Institute of Internal Auditors, The Professional Practices Framework (Back)

Assurance services—An objective examination of evidence for the purpose of providing an independent assessment on risk management strategies and practices, control frameworks and practices, and information used for decision making and reporting.
Source: Treasury Board Policy on Internal Audit (Back)