Please note that as of April 1 st 2006, a new Internal Audit Policy and related instruments is in effect.
This document contains the entire text of the Policy as revised on
April 1, 2001. This policy replaces Chapters 1 and 2 of the
"Review" volume of the Treasury Board Manual dated
July 31, 1994.
The tabling in March 2000 of "Results for Canadians: A Management
Framework for the Government of Canada" reinforced the Government's
commitment to continuous management improvement and accountability for results.
In this context, it identified the need for a better-positioned and strengthened
internal audit function. An effective internal audit function across government
will contribute significantly to the achievement of the government's management
framework and support key objectives such as the implementation of modern
comptrollership and results-based management.
Historically, the internal audit function in the federal government has
primarily focused on reporting on identified problems and providing
recommendations for remedial action. While these will continue to be important
elements of internal audit, this Policy affirms the repositioning of the
function as a provider of assurance services to departmental senior management.
Essentially, assurance services are objective examinations of evidence for the
purpose of providing an independent assessment of the soundness of risk
management strategies and practices, management control frameworks and
practices, and information used for decision-making and reporting. Internal
audit differs from evaluation, which focuses on helping managers track and
report on actual performance, and on helping decision-makers objectively assess
program or policy results.
Assurances provided by the internal auditor, through audit engagements,
provide management confidence on the soundness of management processes within
the organization. They will also guide management in determining where the
organization is most exposed to risk, and what remedial actions are available
and appropriate. As the relevance of assurances provided are dependant on their
timeliness, areas of higher risk and fundamental departmental financial and
management systems need careful consideration in the department's risk
assessment processes to ensure that assurances provided in these areas are still
relevant.
The provision of assurance services by internal audit can only be properly
implemented over time, as the capacity to meet the objectives and standards
contained in this policy is developed and as departmental management practices
and performance information improve. To be effective in this regard, the
internal audit function requires the active involvement and support of senior
management.
Within the context of "Results for Canadians", Treasury Board
Secretariat has a responsibility to actively monitor the soundness of the
government-wide management and control frameworks. In this regard, the
Secretariat will rely heavily on the assurance work performed by departmental
internal audit groups. This active monitoring process will also require the
Secretariat to work closely with departments to ensure that Treasury Board is
aware of significant issues of risk or other problems in a timely manner, and
that appropriate remedial action plans are developed and successfully
implemented.
To provide departmental management with objective assessments about the
design and operation of management practices, control systems, and information,
in keeping with modern comptrollership principles and thereby contributing to
the government's continuous management improvement program and accountability
for results.
It is government policy that departments:
- have an effective, independent and objective internal audit function that
is properly resourced to provide sufficient and timely assurance services
(as defined in Appendix A) on all important
aspects of its risk management strategy and practices, management control
frameworks and practices, and information used for decision-making and
reporting;
- incorporate internal audit results into their priority setting, planning
and decision-making processes; and
- issue completed reports in a timely manner and make them accessible to the
public with minimal formality in both official languages.
This policy applies to organizations considered to be departments within the
meaning of section 2 of the Financial Administration Act.
Deputy heads are accountable for establishing an appropriately resourced
internal audit function that operates in accordance with this policy, including
the standards contained in Appendix B. Deputy
heads must also:
- establish an active audit committee that is chaired by a senior
departmental executive and meets the intent of the guidelines in Appendix C;
- ensure that their head of internal audit has an unimpaired ability to
carry out his or her responsibilities, including reporting audit findings to
the deputy head and, as appropriate, to the Deputy Comptroller General;
- ensure that their internal audit function has unlimited access to all
departmental documents;
- ensure that their internal audit function in its operations respects the
spirit and intent of the Access to Information and Privacy Acts;
- ensure that management action plans that adequately address the
recommendations contained in internal audit reports are developed and
included as part of the completed internal audit report; and
- establish monitoring systems to ensure that management action plans
responding to internal audit observations are successfully implemented.
Deputy heads must also ensure that the Treasury Board Secretariat is:
- informed on a timely basis of significant issues of risk, control, or
other problems with management practices following their being reported to
senior management;
- provided in a timely manner with electronic copies in both official
languages of all completed internal audit reports;
- provided with copies of annual internal audit plans that describe internal
audit activities, as approved by the departmental audit committee; and
- provided with access to internal audit working papers upon request.
The Treasury Board Secretariat, through its Centre of Excellence for Internal
Audit and following a horizontal management process with departments will:
- seek and provide advice to deputy heads, heads of internal audit, and
internal audit practitioners on the implementation of this policy, the
development of departmental internal audit policies, annual audit plans and
the application of professional standards;
- establish an active monitoring process that provides timely information to
Treasury Board on significant issues of risk, control, or other problems
with management practices in departments;
- develop a human resource strategy for the internal audit community to
support departments in implementing this policy;
- establish a framework to guide a formal evaluation, within five years, of
the effectiveness of this policy; and
- provide assistance to departments in evaluating the performance of their
internal audit functions.
Deputy heads are responsible for monitoring the performance of their
department in respect to this policy.
In monitoring the effectiveness of this policy, the Treasury Board
Secretariat will be guided by the requirements of the Internal Auditing
Standards for the Government of Canada (Appendix B)
and guidelines for departmental internal audit committees and departmental
internal audit management practices (Appendices C
and D respectively).
An internal audit advisory committee comprised of government and
private-sector senior executives will be established to provide advice to the
Treasury Board Secretariat on internal audit policy, standards, community
development strategies and benchmarks to be used in examining government-wide
performance in meeting the objectives of this policy.
This policy will be evaluated and reviewed within 5 years. The Treasury Board
Secretariat Centre of Excellence for Internal Audit is to establish the
framework that will guide the evaluation of the policy.
This policy is issued pursuant to paragraph 7(1)(a) of the Financial
Administration Act.
Official Languages Act
Access to Information Act
Privacy Act
Institute of Internal Auditors (IIA). Standards for the Professional
Practice of Internal Auditing
Canadian Institute of Chartered Accountants (CICA) Handbook
Results for Canadians: A Management Framework for the Government of
Canada
Study of Internal Audit in the Federal Government, January 2000
Report of the Independent Panel on Modernization of Comptrollership in
the Government of Canada
Enquiries about this policy should be directed to:
Centre of Excellence for Internal Audit
Comptrollership Branch
Treasury Board of Canada Secretariat
L'Esplanade Laurier
140 O'Connor Street
Ottawa, Ontario
K1A OR5
e-mail: ias-svi@tbs-sct.gc.ca
facsimile: (613) 952-3247
This policy identifies the prime role and responsibility of the internal
audit function in the Government of Canada, as the provider of professional
assurance services to departmental senior management. Assurance services are
objective examinations of evidence for the purpose of providing an independent
assessment of risk management strategies and practices, management control
frameworks and practices, and information used for decision-making and
reporting.
Assurance services are provided through audit engagements, where the internal
auditor is mandated to issue a report that contains an overall conclusion in
relation to specific and suitable criteria. Generally, there are two types of
audit engagement:
- One that provides a conclusion on a subject (organization, system,
function, etc.) for which departmental management is responsible; or,
- It can provide a conclusion on the appropriateness or accuracy of a
written assertion prepared by departmental management.
Audit engagements performed by departmental internal audit functions have in
the past been mostly to identify problems and recommend corrective action. In
providing assurance services, the provision of specific findings and
recommendations continue to be an important part of the overall internal audit
report.
Audit engagements should be structured to the specific needs of the
organization, as determined through risk assessment analysis and consultation
with senior management. The deputy head of the organization should be recognized
as the principal user of the audit engagement, although central agencies,
Parliament, and the general public should also be recognized as potential users.
A number of prerequisites must be met before an audit engagement can be
properly provided by the internal auditor, including:
- the availability of appropriate criteria to be used in the assessment;
- the level of assurance that the auditor is being requested to provide,
higher or more moderate, makes sense in relation to the amount of risk
associated with the subject being assessed, the needs of management, and the
budget for the audit; and
- the internal audit organization has or can contract the expertise and
capacity necessary to properly conduct the particular assurance engagement.
It would not be cost-effective to undertake an audit engagement to provide
assurance where it is clear at the outset that it is highly unlikely that the
expected conclusion, in relation to appropriate criteria for the engagement, can
be provided. In such cases a consulting engagement focused specifically on
identifying problems and deficiencies that need to be corrected, and making
appropriate recommendations to raise the capacity of operations to the
appropriate level, would be a better use of internal audit resources.
Over time, as the capacity of departmental and agency operations and the
capacity of the internal audit function increases, it is expected that most
audit engagements would include a statement of assurance by the internal
auditor.
Assurances To Be Provided
In theory, the internal audit practitioner is able to vary infinitely the
level of assurance being provided in an audit. Absolute assurance is not
attainable as a result of factors such as the use of judgement, the use of
testing, the inherent limitations of control and the fact that much of the
evidence available to the internal auditor may be persuasive rather than
conclusive in nature. Assurance will also be influenced by the degree of
precision associated with the subject matter itself.
In order to help the users better understand the level of assurance being
provided, it is suggested that assurance be provided at one of two levels of
assurance, a higher level and a more moderate level.
A higher, though not absolute, level of assurance is provided by designing
procedures so that in the internal auditor's professional judgement, the risk of
an inappropriate conclusion is reduced to a lower level through procedures such
as inspection, observation, enquiry, confirmation, computation, analysis and
discussion.
A more moderate level of assurance is provided by designing procedures so
that, in the internal auditor's professional judgement, the risk of an
inappropriate conclusion is reduced to a more moderate level through procedures
which are normally limited to enquiry, analysis and discussion.
Both types of audit engagements can be completed with either a higher or a
more moderate level of assurance. The level of assurance appropriate for a
particular engagement will depend on the needs of departmental or agency
management, and the nature of the subject matter.
Criteria
In an audit engagement, in order for meaningful conclusions to be reached,
they need to be made in relation to a set of suitable criteria. Criteria are
benchmarks against which the subject matter can be assessed.
The internal auditor should always attempt to identify criteria that yield
useful information to departmental or agency management. The lack of suitable
criteria may result in inappropriate conclusions being drawn by the internal
auditor. When examining possible criteria for an audit engagement, the internal
auditor is to assess the reliability, neutrality, understandability, and
completeness of the criteria. Preference is to be given to the use of generally
accepted criteria when they are consistent with the objective of the audit
engagement. In the federal government environment, generally accepted criteria
could be those established by:
- acts and regulations;
- government policy, guidelines or standards;
- risk management, management control framework, performance information,
and other guidance provided by the Government of Canada; and
- recognized bodies of experts.
When there are no generally accepted criteria consistent with the objective
of the audit engagement, and criteria from other sources are identified, then
the internal auditor should obtain from departmental or agency management an
acknowledgement that the criteria are suitable for the engagement.
When Assurance Cannot be Provided Without Reservation
In some circumstances, the internal auditor may not be able to provide the
desired level of assurance, without reservation, in an audit engagement. When in
the professional judgement of the internal auditor there is insufficient
appropriate evidence to provide assurance or there is evidence that one or more
of the audit criteria are not met, then a reservation is to be included in the
audit report. In all other regards the report should respect the reporting
standard as described in Appendix B of this policy.
When the Planned Level of Assurance Will Not be Provided
If, in the professional judgement of the internal auditor, the level of
assurance originally planned in an audit engagement cannot be provided or it is
not cost-effective to do so, then the internal auditor should advise the
departmental or agency audit committee. The internal auditor should provide the
internal audit committee with and explanation of why the planned level of
assurance cannot be provided and indicate if another level of assurance or
another type of engagement is more appropriate.
Internal Audit Consulting Engagements that are NOT designed to Provide
Assurance
There will continue to be engagements undertaken by internal audit, that are
planned and conducted for reasons other than providing assurance. Examples
are control self-assessment activities, forensic auditing, and other management
assistance engagements.
Internal audit consulting engagements that do not provide an overall
conclusion, should clearly state that fact in the report that is issued.
The following are the internal auditing standards to be met by each
department. Deputy heads are accountable for ensuring that their department's
internal audit function accomplishes its responsibilities and:
- is organizationally independent, by reporting at an appropriate level in
the organization;
- is objective by being staffed with individuals who have an impartial,
unbiased attitude and avoid conflicts of interest;
- has the capacity to accomplish its responsibilities, by having sufficient
resources and being staffed with competent people, effectively deployed, who
work to professional standards, utilize good communication practices, and
adhere to public service and professional ethics, values and codes of
conduct;
- has the breadth of knowledge to accomplish its responsibilities, by
utilizing work teams that collectively possess or have access to sufficient
expertise of the subject matter being audited;
- is managed effectively with approved plans that address areas of highest
risk and significance (see Appendix D),
and provides periodic summary reports to management on the activities and
performance of the function and on any significant risks and control issues;
- conducts individual audits in an effective and efficient manner with
risk-based plans that address the scope of the engagement, work programs
that meet the objectives of the engagement, and sufficient appropriate
evidence that supports the findings and conclusions.
The following are the reporting standards to be met by each department.
Deputy heads are accountable for ensuring that departmental internal
audit reports:
- are written so that management can readily focus on and understand the
important issues being reported;
- are clear and concise by including only information that is needed for a
proper understanding of the conclusion and any significant problems
identified;
- identify to whom the recommendations are directed;
- provide context by describing the area that has been examined, how it fits
into the overall operations of the organization, and its importance;
- describe the objective(s), scope and timing of the engagement;
- identify the criteria used in the engagement;
- describe compliance with relevant laws, regulations, policies and
standards;
- provide relevant analysis and explanation of the exposure to risks for any
significant problems and key recommendations;
- state for an audit engagement a conclusion that conveys to management a
clear understanding of what is being assessed, the criteria assessed, the
level of assurance that the auditor is providing, and any reservations (see Appendix A);
- integrate a management action plan that clearly identifies, for each
recommendation, the actions to be taken and their timing.
Completed internal audit reports are ones that have been approved by the
internal audit committee, and have the required management action plans if such
are required. In any situation where a management action plan is not
forthcoming, the reports are to be presented without further delay to the audit
committee for timely approval as a completed report, and to the deputy head to
ensure that necessary actions are taken. All completed reports are to be made
easily accessible to the public in a timely manner and in both official
languages.
The Institute of Internal Auditors maintains and continually updates Standards
for the Professional Practice of Internal Auditing. These standards are
recognised internationally as containing sound guidance for internal auditors.
Internal auditors in the Canadian Government are to utilise these standards in
carrying out their internal auditing responsibilities, wherever these standards
are not in conflict with this policy and any related guidelines or other
guidance provided by TBS.
Policy Requirements
The internal audit policy requirements call for an active audit committee
that is chaired by a senior departmental executive.
Role
The role of the departmental internal audit committee includes:
- providing advice and counsel to assist the deputy head in discharging his
or her responsibilities for risk management, the design and operation of
management control frameworks, and the quality of financial and other
performance information used for decision-making and reporting;
- ensuring that the results of internal audit are incorporated into the
departmental priority setting, planning and decision-making processes;
- strengthening the independence and effectiveness of the internal audit
function;
- emphasizing the accountability of managers;
- providing the deputy head advice on the impacts of government-wide
initiatives aimed at improving management practices; and
- facilitating communication between senior management, the internal audit
function, central agencies and the Office of the Auditor General (OAG).
Responsibilities
The responsibilities of each internal audit committee need to be determined
by each department. Within the department these responsibilities could include:
- approving the internal audit policy;
- approving the annual internal audit plan and budget;
- approving the annual assessment of overall materiality and risks
associated with the annual internal audit plan;
- approving internal audit reports, and the management action plans
developed to address the recommendations made in these reports;
- approving management action plans developed to address recommendations
contained in reports of the Office of the Auditor General;
- monitoring the adequacy and timeliness of actions taken in relation to
management action plans;
- identifying the implications of audit related issues and priorities raised
by central agencies and other government organizations; and
- monitoring the performance of the department's internal audit function.
Membership
The deputy head has the responsibility for deciding who will be the chair of
the audit committee. In most departments, the deputy head or associate deputy
head chairs the committee. It is important that the chair bring as much
independence and objectivity to the committee as possible, and not be an
individual whose direct responsibilities include department-wide functional
activities subject to frequent audit.
Committee members should generally be at the assistant deputy head level or
equivalent, and are selected, on the basis of their individual abilities,
experiences and interest, as being most able to effectively contribute to the
activities of the committee. An audit committee composed of members below these
levels risks the perception that there is little support for internal audit by
senior management and the likelihood that internal audit will be focused on
matters of little interest to the deputy head.
The size of an effective internal audit committee varies, from three to five
members plus the chair, depending on the size of the department.
As required, the Treasury Board Secretariat and the Office of the Auditor
General are to be provided with access to the audit committee to address matters
of mutual interest or concern.
In addition to meeting the requirements of this policy, including the
standards contained in Appendix B, departments
should consider developping their own departmental internal audit policy. The
departmental internal audit policy should set out the mandate of the internal
audit function and identify the:
- scope of their internal audit function and how it meets the requirements
of this policy;
- roles and responsibilities of the internal audit committee, departmental
management and the internal audit function;
- internal audit planning processes and the priority to be given to the
coverage of areas of higher materiality and risk, fundamental departmental
financial, administrative or control systems, and external performance
reporting processes;
- internal audit reporting processes, particularly the process for
integrating management action plans into completed audit reports and the
subsequent monitoring of the follow-up to these plans; and
- types of internal audit assurance and consulting services that will be
provided and when applicable, standards that will be followed for services
not described in this policy.
The departmental internal audit annual plans that outline the planned
activities for the year should:
- summarize an annual assessment of the overall materiality and risks
associated with the departmental risk management strategy and practices,
management control frameworks and practices, and financial and performance
information;
- identify and schedule planned audit engagements or other services to be
provided by the internal audit function during the period of the plan;
- identify for audit engagements the expected level of assurance to be
provided and where possible the criteria to be assessed;
- provide estimates of resources to meet the plan; and
- be approved by the internal audit committee.
|