Treasury Board of Canada Secretariat - Government of Canada
Skip to Side MenuSkip to Content Area
Français Contact Us Help Search Canada Site
What's New About Us Policies Site Map Home

Internal Audit
Policies & Guidance
Links
Learning Events
Groups
Career Opportunities
 
Alternate Format(s)
InstructionsPDF (133 Kb)RTF (118 Kb)
Printable Version

Internal Audit Plans

A Summary of the Requirements of the Policy on Internal Audit, the Internal Auditing Standards of the Government of Canada and the IIA Standards

Introduction

This document brings together the basic requirements concerning internal audit plans from the Policy on Internal Audit, the Internal Auditing Standards of the Government of Canada and the IIA Standards. Its purpose is to provide an easy and accessible means for deputy heads, audit committees and heads of audit to ensure that audit plans meet these minimum requirements.

There are two broad components required for an audit plan:

  • an assessment of risk and materiality related to departmental risk management strategy and practices, management control framework and practices, and financial and performance information
  • identification, justification and scheduling of the work to be undertaken by the internal audit function within the plan period

A plan should clearly explain the relationship of the planned work to the organization's goals and to the areas of identified highest risk and significance.

A plan should also demonstrate that audit resources are used efficiently and effectively, and are adequate to provide sufficient and timely assurance services.

Appendic A: Requirements for Audit Plans

The requirements of the Policy and the Standards relating to audit plans are summarized below (Note PDF and RTF versions are in tabular form).

This summary condenses the requirements and reconciles any overlap between the Government of Canada and IIA standards. It also provides brief commentary on TBS expectations about audit plan content arising from each requirement.

The references are to the Appendix below, which sets out the full text of all requirements of the Policy and internal auditing standards relating to audit plans.

1. Timing

1.1 An audit plan should be prepared at least annually. (References: 2,4)

Comment - While an annual plan is a requirement, a multi-year plan may be necessary to ensure sufficient internal audit coverage.

2. Contents

2.1 An audit plan should summarize an assessment of overall materiality and risk related to departmental

  • risk management strategy and practices
  • management control framework and practices
  • financial and performance information. (References: 6,7)

Comment - In preparing their assessment, heads of audit may draw on the results of audit work completed by internal audit or others, on departmental risk assessment activities, on analysis of strategic and operational plans, on senior management input or on other sources of relevant information.

The assessment should be a major driver in the selection of engagements to be undertaken and should show the relationship between planned engagements and risk and materiality.

The assessment should be structured to reflect the three broad areas on which the policy requires internal audit to provide assurance services - risk management, control frameworks and information for decision making and reporting.

2.2 An audit plan should

  • identify and schedule planned assurance or other engagements to be provided during the period of the plan
  • explain the nature of each proposed engagement (assurance, consulting) and the rationale for selection (e.g. risk, materiality, management direction or request). (Reference: 6)

Comment - The audit plan should describe all engagements planned for the period covered by the plan. The description of each should include

  • the nature of the engagement (assurance, consulting, other)
  • the general objectives of the engagement

2.3 An audit plan should demonstrate that the planned work is consistent with departmental and governmental goals. (Reference: 7)

Comment - This requirement aims at ensuring that audit planning is consistent with and supportive of both the department's and the government's goals and strategic objectives. It emphasises the need for an audit planning process that is informed by a broad knowledge of the department, significant consultation with senior management and awareness of government priorities 2003-04-11.

The audit plan should describe this process.

2.4 An audit plan should demonstrate that areas of highest risk and significance are addressed. (References: 3,5)

Comment - The plan should discuss and demonstrate the manner in which the selection of engagements addresses the areas of highest risk and significance.

2.5 An audit plan should demonstrate that sufficient and timely assurance services are to be provided on all important aspects of

  • risk management strategy and practices
  • management control framework and practices
  • information for reporting and decision-making. (Reference: 1)

Comment - While the plan may contain a balance of assurance services, consulting services and other work, it must discuss how the basic requirement of the Policy on Internal Audit is to be met: i.e. that there will be sufficient and timely assurance services provided on risk management, management control frameworks and information to support decision-making and reporting.

2.6 An audit plan should provide for follow-up of management commitments arising from earlier internal and external audit work. (Reference: 12)

Comment - The audit plan should allocate resources to ensure that there is a systematic monitoring and effective implementation of management action plans arising from earlier audit and consulting activities.

2.7 An audit plan should

  • provide estimates of resources to meet the plan
  • communicate the impact of resource limitations. (References: 6,8,9)

Comment - The audit plan should demonstrate to the audit committee that the internal audit function has sufficient and adequate resources to carry out the planned engagements. Secondly, the audit plan should clearly show how the resources made available to the internal audit function are to be utilized. The plan should identify reasonable allowance for unplanned work that normally arises.

2.8 An audit plan should show that planned work is coordinated with the activities of other internal and external providers of relevant assurance and consulting services to avoid duplication. (Reference: 10)

Comment - Recent or planned assurance or consulting services carried out or to be carried out by other professionals should be taken into account in considering the adequacy and cost effectiveness of planned internal audit coverage. Such services might include work carried out by the Auditor General or by auditors or consultants retained by management.

Heads of internal audit must exercise professional judgement in assessing the reliance to be placed on the work of others.

The audit plan should identify any such work and place it in the context of the overall internal audit effort.

3. Approval

3.1 An audit plan must be approved by the audit committee. (References: 6,8)

Comment - The audit plan must be approved by the audit committee. Any significant changes to the plan should also be approved by the audit committee and communicated to TBS and senior management.

4. Communications

4.1 An audit plan should be communicated to senior management. (Reference: 8)

Comment - While senior management will have been consulted in the drafting of the audit plan, it is good practice to ensure that it is also fully aware of the audit committee's approved plan.

4.2 An audit plan should be copied to TBS. (Reference: 2)

Comment - The Policy on Internal Audit requires that TBS be sent copies of all audit plans. This includes any changes to the plan subsequently approved by the audit committee.

5. Reporting

5.1 An audit plan should be reported upon regularly. (References: 3,11)

Comment - Periodic reports on internal audit activities and performance relative to the plan are required by internal audit standards.

Appendix B: Abstracts from the Policy on Internal Audit and Internal Audit Standards Relating to Audit Plans Referenced Below

Reference 1: Policy on Internal Audit - 4. Policy Statements

Requirement:

It is government policy that departments have an effective, independent and objective internal audit function that is properly resourced to provide sufficient and timely assurance services on all important aspects of its risk management strategy and practices, management control frameworks and practices, and information used for decision making and reporting.

Reference 2: Policy on Internal Audit - 6. Policy Requirements

Requirement:

Deputy heads must also ensure that the Treasury Board Secretariat is provided with copies of annual internal audit plans that describe internal audit activities, as approved by the departmental audit committee.

Reference 3: Policy on Internal Audit - Appendix B - Internal Auditing Standards for the Government of Canada

Requirement:

Deputy heads are accountable for ensuring that their departments' internal audit functions accomplish departmental responsibilities, are managed effectively with approved plans that address areas of highest risk and significance, and provide periodic summary reports to management on the activities and performance of the function and on any significant risks and control issues.

Reference 4: Policy on Internal Audit - Appendix C - Guidelines for Departmental Internal Audit Committees

Requirements:

The responsibilities of each internal audit committee need to be determined by each department. Within the department these responsibilities could include

  • approving the annual internal audit plan and budget
  • approving the annual assessment of overall materiality and risks associated with the annual internal audit plan

Reference 5: Policy on Internal Audit - Appendix D - Guidelines for Departmental Internal Audit Management Practices

Requirement:

In addition to meeting the requirements of this policy, including the standards contained in Appendix B, departments should consider developing their own departmental internal audit policies. The departmental internal audit policy should set out the mandate of the internal audit function, and identify the internal audit planning processes and the priority to be given to the coverage of areas of higher materiality and risk, fundamental departmental financial, administrative or control systems, and external performance reporting processes.

Reference 6: Policy on Internal Audit - Appendix D - Guidelines for Departmental Internal Audit Management Practices

Requirements:

The departmental internal audit annual plans that outline the planned activities for the year should

  • summarize an annual assessment of the overall materiality and risks associated with the departmental risk management strategy and practices, management control frameworks and practices, and financial and performance information
  • identify and schedule planned audit engagements or other services to be provided by the internal audit function during the period of the plan
  • identify for audit engagements the expected level of assurance to be provided and where possible the criteria to be assessed
  • provide estimates of resources to meet the plan
  • be approved by the internal audit committee.

Reference 7: IIA Performance Standards

Requirements:

2010 - Planning - The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization's goals.

2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the Board should be considered in this process.

2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan.

Reference 8: IIA Performance Standards

Requirement:

2020 - Communication and Approval - The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

Reference 9: IIA Performance Standards

Requirement:

2030 - Resource Management - The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Reference 10: IIA Performance Standards

Requirement:

2050 - Coordination - The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Reference 11: IIA Performance Standards

Requirement:

2060 - Reporting to the Board and Senior Management - The chief audit executive should report periodically to the Board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the Board and senior management.

Reference 12: IIA Performance Standards

Requirements:

2500 - Monitoring Progress - The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 - The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

 
Date Modified:  2003-04-11 Top of Page Important Notices