A Summary of the Requirements of the Policy on Internal Audit, the Internal
Auditing Standards of the Government of Canada and the IIA Standards
Introduction
This document brings together the basic requirements concerning internal
audit plans from the Policy on Internal Audit, the Internal Auditing Standards
of the Government of Canada and the IIA Standards. Its purpose is to provide an
easy and accessible means for deputy heads, audit committees and heads of audit
to ensure that audit plans meet these minimum requirements.
There are two broad components required for an audit plan:
- an assessment of risk and materiality related to departmental risk
management strategy and practices, management control framework and
practices, and financial and performance information
- identification, justification and scheduling of the work to be undertaken
by the internal audit function within the plan period
A plan should clearly explain the relationship of the planned work to the
organization's goals and to the areas of identified highest risk and
significance.
A plan should also demonstrate that audit resources are used efficiently and
effectively, and are adequate to provide sufficient and timely assurance
services.
Appendix A: Requirements for Audit Plans
The requirements of the Policy and the Standards
relating to audit plans are summarized below (Note: PDF and RTF versions are in
tabular form).
This summary condenses the requirements and reconciles any overlap between the
Government of Canada and IIA standards. It also provides brief
commentary on TBS expectations about audit plan content arising from each
requirement.
The references are to the Appendix below, which sets out the full text of all
requirements of the Policy and internal auditing standards relating to audit
plans.
1. Timing
1.1 An audit plan should be prepared at least annually. (References: 2,4)
Comment - While an annual plan is a requirement, a multi-year plan
may be necessary to ensure sufficient internal audit coverage.
2. Contents
2.1 An audit plan should summarize an assessment of overall materiality
and risk related to departmental
- risk management strategy and practices
- management control framework and practices
- financial and performance information. (References: 6,7)
Comment - In preparing their assessment, heads of audit may draw on
the results of audit work completed by internal audit or others, on
departmental risk assessment activities, on analysis of strategic and
operational plans, on senior management input or on other sources of relevant
information.
The assessment should be a major driver in the selection of engagements to
be undertaken and should show the relationship between planned engagements and
risk and materiality.
The assessment should be structured to reflect the three broad areas on
which the policy requires internal audit to provide assurance services - risk
management, control frameworks and information for decision making and
reporting.
2.2 An audit plan should
- identify and schedule planned assurance or other engagements to be
provided during the period of the plan
- explain the nature of each proposed engagement (assurance, consulting)
and the rationale for selection (e.g. risk, materiality, management
direction or request). (Reference: 6)
Comment - The audit plan should describe all engagements planned for
the period covered by the plan. The description of each should include
- the nature of the engagement (assurance, consulting, other)
- the general objectives of the engagement
2.3 An audit plan should demonstrate that the planned work is
consistent with departmental and governmental goals. (Reference: 7)
Comment - This requirement aims at ensuring that audit planning is
consistent with and supportive of both the department's and the government's
goals and strategic objectives. It emphasises the need for an audit planning
process that is informed by a broad knowledge of the department, significant
consultation with senior management and awareness of government priorities.
2003-04-11
The audit plan should describe this process.
2.4 An audit plan should demonstrate that areas of highest risk and
significance are addressed. (References: 3,5)
Comment - The plan should discuss and demonstrate the manner in
which the selection of engagements addresses the areas of highest risk and
significance.
2.5 An audit plan should demonstrate that sufficient and timely
assurance services are to be provided on all important aspects of
- risk management strategy and practices
- management control framework and practices
- information for reporting and decision-making. (Reference: 1)
Comment - While the plan may contain a balance of assurance
services, consulting services and other work, it must discuss how the basic
requirement of the Policy on Internal Audit is to be met: i.e. that there will
be sufficient and timely assurance services provided on risk management,
management control frameworks and information to support decision-making and
reporting.
2.6 An audit plan should provide for follow-up of management
commitments arising from earlier internal and external audit work. (Reference: 12)
Comment - The audit plan should allocate resources to ensure that
there is systematic monitoring and effective implementation of management
action plans arising from earlier audit and consulting activities.
2.7 An audit plan should
- provide estimates of resources to meet the plan
- communicate the impact of resource limitations. (References: 6,8,9)
Comment - The audit plan should demonstrate to the audit committee
that the internal audit function has sufficient and adequate resources to
carry out the planned engagements. Secondly, the audit plan should clearly
show how the resources made available to the internal audit function are to be
utilized. The plan should identify reasonable allowance for unplanned work
that normally arises.
2.8 An audit plan should show that planned work is coordinated with the
activities of other internal and external providers of relevant assurance and
consulting services to avoid duplication. (Reference: 10)
Comment - Recent or planned assurance or consulting services carried
out or to be carried out by other professionals should be taken into account
in considering the adequacy and cost effectiveness of planned internal audit
coverage. Such services might include work carried out by the Auditor General
or by auditors or consultants retained by management.
Heads of internal audit must exercise professional judgement in assessing
the reliance to be placed on the work of others.
The audit plan should identify any such work and place it in the context of
the overall internal audit effort.
3. Approval
3.1 An audit plan must be approved by the audit committee. (References:
6,8)
Comment - The audit plan must be approved by the audit committee.
Any significant changes to the plan should also be approved by the audit
committee and communicated to TBS and senior management.
4. Communications
4.1 An audit plan should be communicated to senior management. (Reference:
8)
Comment - While senior management will have been consulted in the
drafting of the audit plan, it is good practice to ensure that it is also
fully aware of the audit committee's approved plan.
4.2 An audit plan should be copied to TBS. (Reference: 2)
Comment - The Policy on Internal Audit requires that TBS be sent
copies of all audit plans. This includes any changes to the plan subsequently
approved by the audit committee.
5. Reporting
5.1 An audit plan should be reported upon regularly. (References: 3,11)
Comment - Periodic reports on internal audit activities and
performance relative to the plan are required by internal audit standards.
Appendix B: Abstracts from the Policy on Internal Audit and Internal Audit Standards Relating to Audit Plans
Referenced Below
Reference 1: Policy on Internal Audit - 4. Policy Statements
Requirement:
It is government policy that departments have an effective, independent and
objective internal audit function that is properly resourced to provide
sufficient and timely assurance services on all important aspects of its risk
management strategy and practices, management control frameworks and
practices, and information used for decision making and reporting.
Reference 2: Policy on Internal Audit - 6. Policy Requirements
Requirement:
Deputy heads must also ensure that the Treasury Board Secretariat is
provided with copies of annual internal audit plans that describe internal
audit activities, as approved by the departmental audit committee.
Reference 3: Policy on Internal Audit - Appendix B - Internal Auditing Standards for the Government of Canada
Requirement:
Deputy heads are accountable for ensuring that their departments' internal
audit functions accomplish departmental responsibilities, are managed
effectively with approved plans that address areas of highest risk and
significance, and provide periodic summary reports to management on the
activities and performance of the function and on any significant risks and
control issues.
Reference 4: Policy on Internal Audit - Appendix C - Guidelines for Departmental Internal Audit Committees
Requirements:
The responsibilities of each internal audit committee need to be determined
by each department. Within the department these responsibilities could include
- approving the annual internal audit plan and budget
- approving the annual assessment of overall materiality and risks
associated with the annual internal audit plan
Reference 5: Policy on Internal Audit - Appendix D - Guidelines for Departmental Internal Audit Management Practices
Requirement:
In addition to meeting the requirements of this policy, including the
standards contained in Appendix B, departments should consider developing
their own departmental internal audit policies. The departmental internal
audit policy should set out the mandate of the internal audit function, and
identify the internal audit planning processes and the priority to be given to
the coverage of areas of higher materiality and risk, fundamental departmental
financial, administrative or control systems, and external performance
reporting processes.
Reference 6: Policy on Internal Audit - Appendix D - Guidelines for Departmental Internal Audit Management Practices
Requirements:
The departmental internal audit annual plans that outline the planned
activities for the year should
- summarize an annual assessment of the overall materiality and risks
associated with the departmental risk management strategy and practices,
management control frameworks and practices, and financial and performance
information
- identify and schedule planned audit engagements or other services to be
provided by the internal audit function during the period of the plan
- identify for audit engagements the expected level of assurance to be
provided and where possible the criteria to be assessed
- provide estimates of resources to meet the plan
- be approved by the internal audit committee.
Reference 7: IIA Performance Standards
Requirements:
2010 - Planning - The chief audit executive should establish
risk-based plans to determine the priorities of the internal audit activity
consistent with the organization's goals.
2010.A1 - The internal audit activity's plan of engagements should
be based on a risk assessment, undertaken at least annually. The input of
senior management and the Board should be considered in this process.
2010.C1 - The chief audit executive should consider accepting
proposed consulting engagements based on the engagement's potential to improve
management of risks, add value, and improve the organization's operations.
Those engagements that have been accepted should be included in the plan.
Reference 8: IIA Performance Standards
Requirement:
2020 - Communication and Approval - The chief audit executive should
communicate the internal audit activity's plans and resource requirements,
including significant interim changes, to senior management and to the board
for review and approval. The chief audit executive should also communicate the
impact of resource limitations.
Reference 9: IIA Performance Standards
Requirement:
2030 - Resource Management - The chief audit executive should ensure
that internal audit resources are appropriate, sufficient, and effectively
deployed to achieve the approved plan.
Reference 10: IIA Performance Standards
Requirement:
2050 - Coordination - The chief audit executive should share
information and coordinate activities with other internal and external
providers of relevant assurance and consulting services to ensure proper
coverage and minimize duplication of efforts.
Reference 11: IIA Performance Standards
Requirement:
2060 - Reporting to the Board and Senior Management - The chief
audit executive should report periodically to the Board and senior management
on the internal audit activity's purpose, authority, responsibility, and
performance relative to its plan. Reporting should also include significant
risk exposures and control issues, corporate governance issues, and other
matters needed or requested by the Board and senior management.
Reference 12: IIA Performance Standards
Requirements:
2500 - Monitoring Progress - The chief audit executive should
establish and maintain a system to monitor the disposition of results
communicated to management.
2500.A1 - The chief audit executive should establish a follow-up
process to monitor and ensure that management actions have been effectively
implemented or that senior management has accepted the risk of not taking
action.
2500.C1 - The internal audit activity should monitor the disposition
of results of consulting engagements to the extent agreed upon with the
client.