Policy on Internal Audit (Archived)

Table of Contents

1. Effective Date

2. Preface

3. Policy Objective and Results

4. Policy Statements

5. Application

6. Policy Requirements

7. Treasury Board Secretariat Centre of Excellence for Internal Audit

8. Monitoring

9. References

10. Enquiries

Appendix A - Definition of Assurance Services

Appendix B - Internal Auditing Standards for the Government of Canada

Appendix C - Guidelines for Departmental Internal Audit Committees

Appendix D - Guidelines for Departmental Internal Audit Management Practices

1. Effective Date

This document contains the entire text of the Policy as revised on April 1, 2001. This policy replaces Chapters 1 and 2 of the "Review" volume of the Treasury Board Manual dated July 31, 1994.

2. Preface

The tabling in March 2000 of "Results for Canadians: A Management Framework for the Government of Canada" reinforced the Government's commitment to continuous management improvement and accountability for results. In this context, it identified the need for a better-positioned and strengthened internal audit function. An effective internal audit function across government will contribute significantly to the achievement of the government's management framework and support key objectives such as the implementation of modern comptrollership and results-based management.

Historically, the internal audit function in the federal government has primarily focused on reporting on identified problems and providing recommendations for remedial action. While these will continue to be important elements of internal audit, this Policy affirms the repositioning of the function as a provider of assurance services to departmental senior management. Essentially, assurance services are objective examinations of evidence for the purpose of providing an independent assessment of the soundness of risk management strategies and practices, management control frameworks and practices, and information used for decision-making and reporting. Internal audit differs from evaluation, which focuses on helping managers track and report on actual performance, and on helping decision-makers objectively assess program or policy results.

Assurances provided by the internal auditor, through audit engagements, provide management confidence on the soundness of management processes within the organization. They will also guide management in determining where the organization is most exposed to risk, and what remedial actions are available and appropriate. As the relevance of assurances provided are dependant on their timeliness, areas of higher risk and fundamental departmental financial and management systems need careful consideration in the department's risk assessment processes to ensure that assurances provided in these areas are still relevant.

The provision of assurance services by internal audit can only be properly implemented over time, as the capacity to meet the objectives and standards contained in this policy is developed and as departmental management practices and performance information improve. To be effective in this regard, the internal audit function requires the active involvement and support of senior management.

Within the context of "Results for Canadians", Treasury Board Secretariat has a responsibility to actively monitor the soundness of the government-wide management and control frameworks. In this regard, the Secretariat will rely heavily on the assurance work performed by departmental internal audit groups. This active monitoring process will also require the Secretariat to work closely with departments to ensure that Treasury Board is aware of significant issues of risk or other problems in a timely manner, and that appropriate remedial action plans are developed and successfully implemented.

3. Policy Objective and Results

To provide departmental management with objective assessments about the design and operation of management practices, control systems, and information, in keeping with modern comptrollership principles and thereby contributing to the government's continuous management improvement program and accountability for results.

4. Policy Statements

It is government policy that departments:

• have an effective, independent and objective internal audit function that is properly resourced to provide sufficient and timely assurance services (as defined in Appendix A) on all important aspects of its risk management strategy and practices, management control frameworks and practices, and information used for decision-making and reporting;
• incorporate internal audit results into their priority setting, planning and decision-making processes; and
• issue completed reports in a timely manner and make them accessible to the public with minimal formality in both official languages.

5. Application

This policy applies to organizations considered to be departments within the meaning of section 2 of the Financial Administration Act.

6. Policy Requirements

Deputy heads are accountable for establishing an appropriately resourced internal audit function that operates in accordance with this policy, including the standards contained in Appendix B. Deputy heads must also:

• establish an active audit committee that is chaired by a senior departmental executive and meets the intent of the guidelines in Appendix C;
• ensure that their head of internal audit has an unimpaired ability to carry out his or her responsibilities, including reporting audit findings to the deputy head and, as appropriate, to the Deputy Comptroller General;
• ensure that their internal audit function has unlimited access to all departmental documents;
• ensure that their internal audit function in its operations respects the spirit and intent of the Access to Information and Privacy Acts;
• ensure that management action plans that adequately address the recommendations contained in internal audit reports are developed and included as part of the completed internal audit report; and
• establish monitoring systems to ensure that management action plans responding to internal audit observations are successfully implemented.

Deputy heads must also ensure that the Treasury Board Secretariat is:

• informed on a timely basis of significant issues of risk, control, or other problems with management practices following their being reported to senior management;
• provided in a timely manner with electronic copies in both official languages of all completed internal audit reports;
• provided with copies of annual internal audit plans that describe internal audit activities, as approved by the departmental audit committee; and
• provided with access to internal audit working papers upon request.

Treasury Board Secretariat Centre of Excellence for Internal Audit

The Treasury Board Secretariat, through its Centre of Excellence for Internal Audit and following a horizontal management process with departments will:

• seek and provide advice to deputy heads, heads of internal audit, and internal audit practitioners on the implementation of this policy, the development of departmental internal audit policies, annual audit plans and the application of professional standards;
• establish an active monitoring process that provides timely information to Treasury Board on significant issues of risk, control, or other problems with management practices in departments;
• develop a human resource strategy for the internal audit community to support departments in implementing this policy;
• establish a framework to guide a formal evaluation, within five years, of the effectiveness of this policy; and
• provide assistance to departments in evaluating the performance of their internal audit functions.

8. Monitoring

Deputy heads are responsible for monitoring the performance of their department in respect to this policy.

In monitoring the effectiveness of this policy, the Treasury Board Secretariat will be guided by the requirements of the Internal Auditing Standards for the Government of Canada (Appendix B) and guidelines for departmental internal audit committees and departmental internal audit management practices (Appendices C and D respectively).

An internal audit advisory committee comprised of government and private-sector senior executives will be established to provide advice to the Treasury Board Secretariat on internal audit policy, standards, community development strategies and benchmarks to be used in examining government-wide performance in meeting the objectives of this policy.

This policy will be evaluated and reviewed within 5 years. The Treasury Board Secretariat Centre of Excellence for Internal Audit is to establish the framework that will guide the evaluation of the policy.

9. References

9.1 Authority

This policy is issued pursuant to paragraph 7(1)(a) of the Financial Administration Act.

9.2 Relevant Legislation

Official Languages Act

Access to Information Act

Privacy Act

9.3 Other Publications

Institute of Internal Auditors (IIA). Standards for the Professional Practice of Internal Auditing

Canadian Institute of Chartered Accountants (CICA) Handbook

Results for Canadians: A Management Framework for the Government of Canada

Study of Internal Audit in the Federal Government, January 2000

Report of the Independent Panel on Modernization of Comptrollership in the Government of Canada

10. Enquiries

Enquiries about this policy should be directed to:

Centre of Excellence for Internal Audit
Comptrollership Branch
Treasury Board of Canada Secretariat
L'Esplanade Laurier
140 O'Connor Street
Ottawa, Ontario
K1A OR5

e-mail: ias-svi@tbs-sct.gc.ca

facsimile: (613) 952-3247

Appendix A - Definition of Assurance Services

This policy identifies the prime role and responsibility of the internal audit function in the Government of Canada, as the provider of professional assurance services to departmental senior management. Assurance services are objective examinations of evidence for the purpose of providing an independent assessment of risk management strategies and practices, management control frameworks and practices, and information used for decision-making and reporting.

Assurance services are provided through audit engagements, where the internal auditor is mandated to issue a report that contains an overall conclusion in relation to specific and suitable criteria. Generally, there are two types of audit engagement:

• One that provides a conclusion on a subject (organization, system, function, etc.) for which departmental management is responsible; or,
• It can provide a conclusion on the appropriateness or accuracy of a written assertion prepared by departmental management.

Audit engagements performed by departmental internal audit functions have in the past been mostly to identify problems and recommend corrective action. In providing assurance services, the provision of specific findings and recommendations continue to be an important part of the overall internal audit report.

Audit engagements should be structured to the specific needs of the organization, as determined through risk assessment analysis and consultation with senior management. The deputy head of the organization should be recognized as the principal user of the audit engagement, although central agencies, Parliament, and the general public should also be recognized as potential users.

A number of prerequisites must be met before an audit engagement can be properly provided by the internal auditor, including:

• the availability of appropriate criteria to be used in the assessment;
• the level of assurance that the auditor is being requested to provide, higher or more moderate, makes sense in relation to the amount of risk associated with the subject being assessed, the needs of management, and the budget for the audit; and
• the internal audit organization has or can contract the expertise and capacity necessary to properly conduct the particular assurance engagement.

It would not be cost-effective to undertake an audit engagement to provide assurance where it is clear at the outset that it is highly unlikely that the expected conclusion, in relation to appropriate criteria for the engagement, can be provided. In such cases a consulting engagement focused specifically on identifying problems and deficiencies that need to be corrected, and making appropriate recommendations to raise the capacity of operations to the appropriate level, would be a better use of internal audit resources.

Over time, as the capacity of departmental and agency operations and the capacity of the internal audit function increases, it is expected that most audit engagements would include a statement of assurance by the internal auditor.

Assurances To Be Provided

In theory, the internal audit practitioner is able to vary infinitely the level of assurance being provided in an audit. Absolute assurance is not attainable as a result of factors such as the use of judgement, the use of testing, the inherent limitations of control and the fact that much of the evidence available to the internal auditor may be persuasive rather than conclusive in nature. Assurance will also be influenced by the degree of precision associated with the subject matter itself.

In order to help the users better understand the level of assurance being provided, it is suggested that assurance be provided at one of two levels of assurance, a higher level and a more moderate level.

A higher, though not absolute, level of assurance is provided by designing procedures so that in the internal auditor's professional judgement, the risk of an inappropriate conclusion is reduced to a lower level through procedures such as inspection, observation, enquiry, confirmation, computation, analysis and discussion.

A more moderate level of assurance is provided by designing procedures so that, in the internal auditor's professional judgement, the risk of an inappropriate conclusion is reduced to a more moderate level through procedures which are normally limited to enquiry, analysis and discussion.

Both types of audit engagements can be completed with either a higher or a more moderate level of assurance. The level of assurance appropriate for a particular engagement will depend on the needs of departmental or agency management, and the nature of the subject matter.

Criteria

In an audit engagement, in order for meaningful conclusions to be reached, they need to be made in relation to a set of suitable criteria. Criteria are benchmarks against which the subject matter can be assessed.

The internal auditor should always attempt to identify criteria that yield useful information to departmental or agency management. The lack of suitable criteria may result in inappropriate conclusions being drawn by the internal auditor. When examining possible criteria for an audit engagement, the internal auditor is to assess the reliability, neutrality, understandability, and completeness of the criteria. Preference is to be given to the use of generally accepted criteria when they are consistent with the objective of the audit engagement. In the federal government environment, generally accepted criteria could be those established by:

• acts and regulations;
• government policy, guidelines or standards;
• risk management, management control framework, performance information, and other guidance provided by the Government of Canada; and
• recognized bodies of experts.

When there are no generally accepted criteria consistent with the objective of the audit engagement, and criteria from other sources are identified, then the internal auditor should obtain from departmental or agency management an acknowledgement that the criteria are suitable for the engagement.

When Assurance Cannot be Provided Without Reservation

In some circumstances, the internal auditor may not be able to provide the desired level of assurance, without reservation, in an audit engagement. When in the professional judgement of the internal auditor there is insufficient appropriate evidence to provide assurance or there is evidence that one or more of the audit criteria are not met, then a reservation is to be included in the audit report. In all other regards the report should respect the reporting standard as described in Appendix B of this policy.

When the Planned Level of Assurance Will Not be Provided

If, in the professional judgement of the internal auditor, the level of assurance originally planned in an audit engagement cannot be provided or it is not cost-effective to do so, then the internal auditor should advise the departmental or agency audit committee. The internal auditor should provide the internal audit committee with and explanation of why the planned level of assurance cannot be provided and indicate if another level of assurance or another type of engagement is more appropriate.

Internal Audit Consulting Engagements that are NOT designed to Provide Assurance

There will continue to be engagements undertaken by internal audit, that are planned and conducted for reasons other than providing assurance. Examples are control self-assessment activities, forensic auditing, and other management assistance engagements.

Internal audit consulting engagements that do not provide an overall conclusion, should clearly state that fact in the report that is issued.

Appendix B - Internal Auditing Standards for the Government of Canada

The following are the internal auditing standards to be met by each department. Deputy heads are accountable for ensuring that their department's internal audit function accomplishes its responsibilities and:

• is organizationally independent, by reporting at an appropriate level in the organization;
• is objective by being staffed with individuals who have an impartial, unbiased attitude and avoid conflicts of interest;
• has the capacity to accomplish its responsibilities, by having sufficient resources and being staffed with competent people, effectively deployed, who work to professional standards, utilize good communication practices, and adhere to public service and professional ethics, values and codes of conduct;
• has the breadth of knowledge to accomplish its responsibilities, by utilizing work teams that collectively possess or have access to sufficient expertise of the subject matter being audited;
• is managed effectively with approved plans that address areas of highest risk and significance (see Appendix D), and provides periodic summary reports to management on the activities and performance of the function and on any significant risks and control issues;
• conducts individual audits in an effective and efficient manner with risk-based plans that address the scope of the engagement, work programs that meet the objectives of the engagement, and sufficient appropriate evidence that supports the findings and conclusions.

The following are the reporting standards to be met by each department. Deputy heads are accountable for ensuring that departmental internal audit reports:

• are written so that management can readily focus on and understand the important issues being reported;
• are clear and concise by including only information that is needed for a proper understanding of the conclusion and any significant problems identified;
• identify to whom the recommendations are directed;
• provide context by describing the area that has been examined, how it fits into the overall operations of the organization, and its importance;
• describe the objective(s), scope and timing of the engagement;
• identify the criteria used in the engagement;
• describe compliance with relevant laws, regulations, policies and standards;
• provide relevant analysis and explanation of the exposure to risks for any significant problems and key recommendations;
• state for an audit engagement a conclusion that conveys to management a clear understanding of what is being assessed, the criteria assessed, the level of assurance that the auditor is providing, and any reservations (see Appendix A);
• integrate a management action plan that clearly identifies, for each recommendation, the actions to be taken and their timing.

Completed internal audit reports are ones that have been approved by the internal audit committee, and have the required management action plans if such are required. In any situation where a management action plan is not forthcoming, the reports are to be presented without further delay to the audit committee for timely approval as a completed report, and to the deputy head to ensure that necessary actions are taken. All completed reports are to be made easily accessible to the public in a timely manner and in both official languages.

The Institute of Internal Auditors maintains and continually updates Standards for the Professional Practice of Internal Auditing. These standards are recognised internationally as containing sound guidance for internal auditors. Internal auditors in the Canadian Government are to utilise these standards in carrying out their internal auditing responsibilities, wherever these standards are not in conflict with this policy and any related guidelines or other guidance provided by TBS.

Appendix C - Guidelines for Departmental Internal Audit Committees

Policy Requirements

The internal audit policy requirements call for an active audit committee that is chaired by a senior departmental executive.

Role

The role of the departmental internal audit committee includes:

• providing advice and counsel to assist the deputy head in discharging his or her responsibilities for risk management, the design and operation of management control frameworks, and the quality of financial and other performance information used for decision-making and reporting;
• ensuring that the results of internal audit are incorporated into the departmental priority setting, planning and decision-making processes;
• strengthening the independence and effectiveness of the internal audit function;
• emphasizing the accountability of managers;
• providing the deputy head advice on the impacts of government-wide initiatives aimed at improving management practices; and
• facilitating communication between senior management, the internal audit function, central agencies and the Office of the Auditor General (OAG).

Responsibilities

The responsibilities of each internal audit committee need to be determined by each department. Within the department these responsibilities could include:

• approving the internal audit policy;
• approving the annual internal audit plan and budget;
• approving the annual assessment of overall materiality and risks associated with the annual internal audit plan;
• approving internal audit reports, and the management action plans developed to address the recommendations made in these reports;
• approving management action plans developed to address recommendations contained in reports of the Office of the Auditor General;
• monitoring the adequacy and timeliness of actions taken in relation to management action plans;
• identifying the implications of audit related issues and priorities raised by central agencies and other government organizations; and
• monitoring the performance of the department's internal audit function.

Membership

The deputy head has the responsibility for deciding who will be the chair of the audit committee. In most departments, the deputy head or associate deputy head chairs the committee. It is important that the chair bring as much independence and objectivity to the committee as possible, and not be an individual whose direct responsibilities include department-wide functional activities subject to frequent audit.

Committee members should generally be at the assistant deputy head level or equivalent, and are selected, on the basis of their individual abilities, experiences and interest, as being most able to effectively contribute to the activities of the committee. An audit committee composed of members below these levels risks the perception that there is little support for internal audit by senior management and the likelihood that internal audit will be focused on matters of little interest to the deputy head.

The size of an effective internal audit committee varies, from three to five members plus the chair, depending on the size of the department.

As required, the Treasury Board Secretariat and the Office of the Auditor General are to be provided with access to the audit committee to address matters of mutual interest or concern.

Appendix D - Guidelines for Departmental Internal Audit Management Practices

In addition to meeting the requirements of this policy, including the standards contained in Appendix B, departments should consider developping their own departmental internal audit policy. The departmental internal audit policy should set out the mandate of the internal audit function and identify the:

• scope of their internal audit function and how it meets the requirements of this policy;
• roles and responsibilities of the internal audit committee, departmental management and the internal audit function;
• internal audit planning processes and the priority to be given to the coverage of areas of higher materiality and risk, fundamental departmental financial, administrative or control systems, and external performance reporting processes;
• internal audit reporting processes, particularly the process for integrating management action plans into completed audit reports and the subsequent monitoring of the follow-up to these plans; and
• types of internal audit assurance and consulting services that will be provided and when applicable, standards that will be followed for services not described in this policy.

The departmental internal audit annual plans that outline the planned activities for the year should:

• summarize an annual assessment of the overall materiality and risks associated with the departmental risk management strategy and practices, management control frameworks and practices, and financial and performance information;
• identify and schedule planned audit engagements or other services to be provided by the internal audit function during the period of the plan;
• identify for audit engagements the expected level of assurance to be provided and where possible the criteria to be assessed;
• provide estimates of resources to meet the plan; and
• be approved by the internal audit committee.
  
  

Date Modified: 2001-04-01