Treasury Board of Canada Secretariat - Government of Canada

TBS Perspective - Assurance Services

Presentation by the Centre of Excellence for Internal Audit, Treasury Board Secretariat of Canada on February 12, 2002.

Standards

  • Level of quality.
  • Example against which one is judged or measured.
  • Accepted as correct.
  • Of recognized authority.
  • Degree of excellence, etc., required for particular purpose.

(Some dictionary definitions from Collins and Oxford)

Internal auditors in the Canadian Government are to utilise the IIA Standards for the Professional Practice of Internal Auditing in carrying out their internal auditing responsibilities.

(TB Policy on Internal Audit, Appendix B)

"Assurance services are objective examinations of evidence for the purpose of providing an independent assessment of...

  • risk management strategies and practices
  • management control frameworks and practices
  • information used for decision-making and reporting."

(TB Policy, Section 2 and Appendix A)

"Assurance services - An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements."

(IIA Standards for the Professional Practice of Internal Auditing)

Key principles of the definition

  • objective examination.
  • evidence based.
  • independent assessment.

Internal Audit services for Assurance and Advisory

The "WHAT"

Assurance provided by the internal auditor, through audit engagements, provide management confidence on the soundness of management processes within the organization. They will also guide management in determining where the organization is most exposed to risk,...

(TB Policy, Section 2)

2100 - Nature of Work - The IA activity evaluates and contributes to the improvement of risk management, control and governance systems.

2110 - Risk Management - The IA activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2120.A1 - Based on the results of the risk assessment, the IA activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:

  • reliability and integrity of financial and operational information;
  • effectiveness and efficiency of operations;
  • safeguarding of assets; and
  • compliance with laws, regulations, and contracts.

(IIA Performance Standards)

A Caution

1220.A2 - The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

(IIA Attribute Standards)

The "HOW"

The IA function

  • conducts individual audits in an effective and efficient manner with risk-based plans that address the scope of the engagement, work programs that meet the objectives of the engagement, and sufficient appropriate evidence that supports the findings and conclusions.

(TB Policy, Appendix B)

2200 - Engagement Planning - Internal auditors should develop and record a plan for each engagement.

2201 - Planning Consideration - In planning the engagement, internal auditors should consider:

  • the objectives of the activity being reviewed and the means by which the activity controls its performance;
  • the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
  • the adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model; and
  • the opportunities for making significant improvements to the activity's risk management and control systems.

2210 - Engagement Objectives - The engagement's objectives should address the risks, controls, and governance processes associated with the activities under review.

2220 - Engagement Scope - The established scope should be sufficient to satisfy the objectives of the engagement.

2240 - Engagement Work Program - Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved accordingly.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

(IIA Performance Standards)

Criteria

"In an audit engagement, in order for meaningful conclusions to be reached, they need to be made in relation to a set of suitable criteria."

"Criteria are benchmarks against which the subject matter can be assessed."

"The internal auditor should always attempt to identify criteria that yield useful information to departmental or agency management."

"Preference is to be given to the use of generally accepted criteria when they are consistent with the objective of the audit engagement."

"In the federal government environment, generally accepted criteria could be those established by:

  • acts and regulations;
  • government policy, guidelines or standards; risk management, management control framework, performance information, and other guidance provided by the Government of Canada; and
  • recognized bodies of experts."

"When there are no generally accepted criteria consistent with the objective of the audit engagement, and criteria from other sources are identified, then the internal auditor should obtain from departmental or agency management an acknowledgement that the criteria are suitable for the engagement."

(TB Policy, Appendix A)

2300 - Performing the Engagement - Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

2310 - Identifying Information - Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

2320 - Analysis and Evaluation - Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330 - Recording Information - Internal auditors should record relevant information to support the conclusions and engagement results.

(IIA Performance Standards)

Seven steps of an internal audit

The "WHY"

"...assurance is provided by designing procedures so that in the internal auditor's professional judgement, the risk of an inappropriate conclusion is...low...through procedures such as inspection, observation, enquiry, confirmation, computation, analysis and discussion."

(adaptation from TB Policy on Internal Audit, Appendix B)

Assurance

  • = not absolute.
  • = low risk of inappropriate conclusion.
  • = judgement.

Key Principle = Replicability

i.e., consistency such that others would arrive at the same conclusion(s) based on the criteria, testing methods and evidence.

The "CAPACITY"

The IA function has the capacity to accomplish its responsibilities, by having sufficient resources and being staffed with competent people, effectively deployed, who work to professional standards, utilize good communication practices, and adhere to public service and professional ethics, values and codes of conduct.

The IA function has the breadth of knowledge to accomplish its responsibilities, by utilizing work teams that collectively possess or have access to sufficient expertise in the subject matter being audited.

(TB Policy, Appendix B)

1200 - Proficiency and Due Professional Care - Engagements should be performed with proficiency and due professional care.

1210 - Proficiency - Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. The IA activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 - Due Professional Care - Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 - The internal auditor should exercise due professional care by considering the:

  • extent of work needed to achieve the engagement's objectives;
  • relative complexity, materiality, or significance of matters to which assurance services are applied;
  • adequacy and effectiveness of risk management, control, and governance processes;
  • probability of significant errors; and
  • cost of assurance in relation to potential benefits.

(IIA Attribute Standards)

The "PRODUCT"

Reporting Standards:

  • are written so that the important issues are easily understood; and only include information needed to properly understand the conclusion and any significant problems identified;
  • identify to whom the recommendations are directed;
  • describe what was examined, how it fits into overall operations of the organization, and its importance;
  • describe the objective(s), scope and timing of the engagement;
  • identify criteria used in the engagement;
  • describe compliance with relevant laws, regulations, policies and standards;
  • provide relevant analysis and explanation of the exposure to risks;
  • state a conclusion that conveys a clear understanding of what is being assessed, the criteria assessed, the level of assurance provided, and any reservations (see Appendix A); and
  • integrate an action plan that identifies the actions to be taken and their timing.

(TB Policy, Appendix B)

2400 - Communicating Results - Internal auditors should communicate the engagement results promptly.

2410 - Criteria for Communicating - Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 - The final communication of results should, where appropriate, contain the internal auditor's overall opinion.

2500 - Monitoring Progress - The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2600 - Management's Acceptance of Risks - When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

(IIA Performance Standards)