Archived - Policy on Internal Audit
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
1. Effective Date
1.1 This policy takes effect on July 1, 2009. It replaces the Treasury Board Policy on Internal Audit, dated April 1, 2006.
1.2 An evaluation of the policy is to occur and a report provided to the Treasury Board, by April 1, 2011.
2. Application
2.1 Subject to subsection 2.3, this policy applies to departments and agencies defined as departments within the meaning of section 2 of the Financial Administration Act. Throughout this policy, the terms "government-wide" and "across government" refer to these departments.
2.2 For the purposes of this policy, Treasury Board has established criteria for designating departments as small departments and agencies (SDAs). These criteria are provided in section 5.5.1 below. All other departments are referred to as large departments and agencies (LDAs).
2.3 The principles of this policy, as it applies to LDAs, will apply to the offices of agents of Parliament (the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages and the Office of the Public Sector Integrity Officer) and to the Public Service Commission. In this respect, deputy heads of these organizations may authorize any departures from specific policy requirements as they may deem appropriate in light of the governance arrangements, statutory mandate and risk profile of the organization.
2.4 Notwithstanding the above, the agents of Parliament and the President of the Public Service Commission are responsible for establishing an audit committee with a majority of external members recruited from outside of the federal public administration.
2.5 Agents of Parliament and the Public Service Commission are also responsible for compliance with section 16.1 of the Financial Administration Act regarding the requirement to ensure an appropriate internal audit capacity.
3. Context
3.1 This policy is issued pursuant to section 7.(1) (a) and (e.2) of the Financial Administration Act. Also pertinent are sections 16.1 and 16.2 of the Act that respectively refer to requirements regarding departmental internal audit capacity and the establishment of an audit committee.
3.2 This policy is designed to ensure that, at both departmental and government-wide levels, internal audit and audit committees provide deputy heads and the Comptroller General, respectively, with added assurance and advice, independent from line management, on risk management, control and governance processes. The terms "risk management", "control" and "governance" are defined in The International Professional Practices Framework published by the Institute of Internal Auditors (IIA), January 2009.
3.3 Internal audit in the Government of Canada is a professional, independent appraisal function that provides objective, substantiated conclusions as to how well the organization's risk management, control and governance processes are designed and working.
3.4 The focus of internal audit is on all management systems, processes and practices, including the integrity of financial and non-financial information.
3.5 Internal audit adds value by assessing and making recommendations on the effectiveness of mechanisms in place to ensure that the organization achieves its objectives and in a way that demonstrates informed, accountable decision-making with regard to ethics, compliance, risk, economy and efficiency.
3.6 For the internal audit profession, the above-described role is referred to as providing assurance. It is intended to contribute to the basis by which decision-makers achieve oversight and control of their organizations, apply sound risk management, target their attention to areas in need of improvement and demonstrate accountability. Accordingly, internal audit takes a disciplined, evidence-based approach to determining whether or not assurance can be provided that key systems and processes are appropriately designed and are functioning as intended.
3.7 Principally as an adjunct to the assurance role, and within their sphere of expertise, internal auditors will also provide advisory services to their organizations. In this respect, internal auditors are also expected to offer solution-oriented recommendations.
3.8 This policy directly supports and recognizes the role and responsibilities of deputy heads as accounting officers, as laid out in Part I.1 of the Financial Administration Act.
3.9 While deputy heads are responsible for the management systems in their departments, this policy provides a clear and integrated assignment of responsibilities for internal auditing between deputy heads and the Comptroller General that supports strong internal auditing across government.
3.10 The President of the Treasury Board is delegated the authority to amend, issue and rescind directives pursuant to this policy.
3.11 The Comptroller General will provide guidance and standards necessary to ensure the effective implementation of this policy.
4. Policy Statement
4.1 The objective of the policy is to support strong and accountable public sector management by ensuring effective internal auditing within departments and across government.
4.2 In that context, Treasury Board has decided that:
4.2.1 The Government of Canada sustain a strong, credible internal audit regime that has the confidence of the government, contributes directly to sound risk management, control and governance and is positioned as a key underpinning of governance within departments and across government.
4.2.2 The government ensure the independence, real and perceived, of internal audit from line management, principally through:
- Independent audit committees that will include competent and experienced members drawn from outside the federal public administration; and
- The organizational independence of chief audit executives who lead audit functions.
4.2.3 Departments and agencies, and the government as a whole, be supported by professional and risk-targeted internal audit coverage through a delivery model in which:
- Deputy heads remain fully responsible for the adequacy of internal audit coverage in their departments; and
- The Comptroller General is responsible for ensuring horizontal and sectoral audits.
4.2.3.1 As part of this mandate, the Comptroller General undertakes focused horizontal or sectoral auditing in SDAs and facilitates access to professional internal audit resources for SDAs that need additional internal audit work.
4.2.4 The Comptroller General is responsible for focused, sustained functional leadership of internal audit across government in order to: build and develop capacity; ensure adequate levels of professionally qualified resources; and ensure adherence to professional standards and rigour in the delivery of internal audits.
4.2.5 Chief audit executives establish plans and perform risk-based internal audits necessary to provide an independent annual assurance report to the deputy head on the adequacy and effectiveness of risk management, control and governance processes within the department. This overview assurance reporting will progress over time in terms of comprehensiveness and rigour and will be in addition to the reporting on individual risk-based audits. Based on this, as well as completed horizontal or sector audits, the Comptroller General will report periodically to the Treasury Board on the state of risk management, control and governance processes across government. This will be done in conjunction with similar reporting on financial management.
5. Policy Requirements
5.1 The term "deputy head" is used in this policy in the broad sense assigned to it by section 11 of the Financial Administration Act. It includes deputy ministers, heads of agencies, chief executive officers and statutory or designated deputy heads.
5.2 This policy recognizes that departments are diverse in size and risk.
5.3 The requirements below distinguish among those applicable to deputy heads of LDAs, deputy heads of SDAs and those that apply to all deputy heads.
5.4 Deputy heads of large departments (all departments other than those designated as SDAs) are responsible for:
5.4.1 Ensuring an internal audit capacity appropriate to the needs of the department and that operates in accordance with this policy and professional internal auditing standards.
5.4.2 Establishing an independent departmental audit committee that includes a majority of external members who have been recruited from outside the federal public administration. (Requirements relating to the role, responsibilities and membership of the departmental audit committee are described in the Directive on Departmental Audit Committees.)
5.4.3 Appointing a qualified chief audit executive at a senior executive level, reporting directly to the deputy head, to lead and direct the internal audit function. The Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General sets out additional requirements for chief audit executives. The Comptroller General's Guidelines on the Responsibilities of Chief Audit Executives and Guidelines on Expected Qualifications of Chief Audit Executives provide advice on the responsibilities and expected qualifications of chief audit executives.
5.4.4 Approving a departmental internal audit plan that appropriately addresses areas of higher risk and significance. This internal audit plan will also address risks and incorporate audits that may be identified by the Comptroller General as part of government-wide or sectoral coverage. The plan will include individual internal audit engagements as well as being designed to support separate annual assurance overview reporting by the chief audit executive on departmental risk management, control and governance processes. The Directive on Chief Audit Executives, Internal Audit Plans and Support to the Comptroller General sets out additional requirements for departmental internal audit plans.
5.4.5 Ensuring appropriate internal audit coverage for special operating agencies and other entities within their departments and under their control.
5.5 Small departments and agencies
5.5.1 For the purpose of designating departments as SDAs under this policy, the two criteria of fewer than 500 full-time equivalents and a reference level of less than $300 million per year will apply for all departments except the offices of the agents of Parliament and the Public Service Commission.
(see 5.5.2 re other exclusions)
5.5.2 Additional parameters on the application of the criteria distinguishing LDAs from SDAs will be defined by the Comptroller General. These parameters will address circumstances whereby departments or agencies may be on the margin in terms of the defined criteria of fewer than 500 full-time equivalents and less than a reference level of $300 million. Otherwise, any exclusions to the application of these criteria will require the approval of the Treasury Board, providing the SDA has the demonstrated capacity to fully meet the expectations set out in this policy for LDAs, on an ongoing basis, either on its own or via the provisions of such capacity by the leadership of the portfolio of the departments/agencies to which the SDA is accountable. Similarly, any exceptional additions to the list of SDAs will require the approval of Treasury Board and will be treated on a case-by-case basis. For both exclusions and additions, the Comptroller General will provide an independent assessment.
5.5.3 The Comptroller General will conduct horizontal and other audits on SDAs each year and will provide deputy heads with copies of all relevant audit reports. Recognizing that SDAs vary in terms of size and risk, in many cases deputy heads may decide that the work performed by the Comptroller General fully meets their internal auditing requirements. However, considering the risk profile and control environment of their departments, deputy heads must decide whether further internal audits are necessary. If further work is needed, the deputy head shall approve an internal audit plan.
5.5.4 When deputy heads of SDAs determine a need for internal auditing work beyond that conducted by the Comptroller General, but do not have enough work or resources to sustain a credible, professional internal audit function, the Comptroller General will facilitate access to independent, qualified internal auditing resources.
5.5.5 When an SDA conducts an internal audit, the deputy head is responsible for ensuring that the internal auditing work meets the Internal Auditing Standards of the Government of Canada as prescribed by the Comptroller General.
5.5.6 When an SDA conducts an internal audit, the deputy head is to ensure that the audit work is subject to review by an independent audit committee prior to the audit being finalized. The deputy head may establish a departmental audit committee in accordance with the Directive on Departmental Audit Committees, or a joint independent audit committee with other portfolio-related departments. Alternatively, specific arrangements can be made with the Chair of the SDA Audit Committee for access to that committee.
5.6 Deputy heads of all departments are responsible for:
5.6.1 Putting in place effective procedures to ensure systematic monitoring and assurance regarding the soundness of risk management, control and accountability processes within their departments. The Treasury Board Policy on Internal Control defines additional requirements with respect to the pertinent responsibilities of deputy heads.
5.6.2 Taking into account the results of internal audits directed, led and/or performed by the Office of the Comptroller General. This includes a requirement to ensure that departmental internal audit plans appropriately address horizontal risks identified by the Office of the Comptroller General.
5.6.3 Ensuring that the audit committee receives all of the information and documentation necessary to fulfill its responsibilities, subject to applicable legislation.
5.6.4 Ensuring that management action plans are prepared that adequately address the recommendations and findings arising from audits and that the action plans have been effectively implemented.
5.6.5 Ensuring that completed internal audit reports are:
- Issued in a timely manner and made accessible to the public with minimal formality; and
- Posted on departmental web sites in a timely manner, in both official languages. Reports posted on the departmental web site must respect the Access to Information Act and the Privacy Act.
5.6.6 Ensuring that the respective Minister is briefed periodically on significant matters arising from the work of internal audit and the audit committee. It is expected that audit committees will routinely provide the deputy head with advice and recommendations on the sufficiency, quality and results of assurances respecting departmental risk management, control and governance (including accountability and auditing systems) frameworks and processes. Further, it is expected that the Minister will be offered the opportunity to meet with the audit committee, along with the deputy head, at least annually, to discuss the annual report of the audit committee and any significant concerns that may be raised therein or that may otherwise arise.
5.6.7 Ensuring that the Office of the Comptroller General and its agents, for the purpose of carrying out assigned responsibilities, are given:
- Full access to departmental records, databases, workplaces and employees, and have the right to obtain information and explanations from departmental employees and contractors; and
- Management representations pertinent to supporting the planning, conduct and reporting of audits by the Comptroller General.
5.7 Responsibilities of the Comptroller General
5.7.1 Treasury Board has assigned specific responsibilities to the Comptroller General for the functional leadership and monitoring of internal auditing across government, for directing or performing horizontal auditing in LDAs and SDAs, and for the support to auditing information management and technology and to auditing that is performed in a fact-finding or forensic mode. The responsibilities of the Comptroller General are further described in the Appendix.
5.7.2 Treasury Board also requires that it be briefed periodically by the Comptroller General on:
- Significant issues of risk, control or management arising from internal auditing across government;
- Horizontal and SDA auditing; and
- The overall state of risk management, control and governance, including accountability and internal auditing processes, across government.
5.7.2.1 The timing of such reporting by the Comptroller General will be determined by the significance of identified risks and concerns. However, a fulsome report will occur at least every three years.
5.7.3 The Comptroller General will issue such operational guidance and standards as are necessary to support this policy.
5.8 Monitoring and Reporting
5.8.1 Deputy heads are responsible for monitoring adherence to this policy in their departments. Departments should have measures in place, as appropriate, to ensure:
- The independence, professionalism and performance of the internal audit function;
- That internal audit activities address areas of higher risk and significance;
- The timeliness of the internal audit process and reporting on internal auditing engagements;
- The effectiveness of follow-up action;
- The independence, competence and performance of the audit committee; and
- The adequacy of support to the Comptroller General in carrying out horizontal or directed audits.
5.8.2 Departmental audit committees will prepare annual reports to their deputies on their activities, including assessments of the internal audit function. These reports will be made available to the Comptroller General.
5.8.3 With respect to the offices of agents of Parliament and the Public Service Commission, the deputy heads of these organizations are solely responsible for monitoring within their organizations to ensure appropriate adherence to the general principles and applicable requirements of this policy.
5.8.4 The Comptroller General is responsible for government-wide leadership of the internal audit function, and for informing departmental internal audit plans to ensure appropriate audit attention to horizontal risks affecting LDAs as well as performing focused horizontal and other audits in SDAs. At a minimum, the Comptroller General will have measures in place to support and monitor:
- The capacity, expertise and sustainability of the internal audit community across government;
- The extent of risk-based audit coverage across government;
- The effectiveness of internal audit methodology;
- The performance of departmental and Comptroller General internal audit functions;
- The effectiveness of liaison with departments and in addressing and resolving issues; and
- The level of satisfaction of deputy heads with internal auditing services conducted by the Office of the Comptroller General.
5.8.5 The Comptroller General's periodic reporting to the Treasury Board will provide an assessment of the implementation of this policy and the effectiveness of the internal audit function across government. This will be based on analysis of internal audit plans and reports, practice inspections that may be performed on departmental internal audit functions, audit committee reports and work undertaken directly by the Comptroller General.
5.8.6 The Comptroller General will establish a framework to guide the evaluation of the policy; Treasury Board Secretariat will make sure an evaluation is conducted and reported by April 1, 2011.
6. Consequences
6.1 If, as a result of this monitoring, it is apparent that a department has not complied with this policy, consequences that are applicable to all Treasury Board policies, and as set out in the Financial Administration Act, will apply.
7. References
7.1 Other Relevant Legislation
7.2 Related Publications
- Institute of Internal Auditors (IIA): The International Professional Practices Framework
- Canadian Institute of Chartered Accountants (CICA) Handbook
- Results for Canadians: A Management Framework for the Government of Canada
- Treasury Board of Canada Secretariat Management Accountability Framework
- Treasury Board of Canada Secretariat Integrated Risk Management Framework
- Policy on Internal Control
8. Enquiries
Please send any questions about this policy to:
Office of the Assistant Comptroller General, Internal Audit
Treasury Board of Canada Secretariat
L'Esplanade Laurier
300 Laurier Avenue West
Ottawa, Ontario
K1A 0R5
Email: ias-svi@tbs-sct.gc.ca
Fax: (613) 952-3698
Appendix - Responsibilities of the Comptroller General for Internal Audit
As directed by the Treasury Board, the Comptroller General is responsible for:
- Providing effective functional leadership of internal auditing across government;
- Developing and supporting effective human resources strategies and plans to ensure the necessary capacity, proficiency and sustainability of the internal audit community across government;
- Determining the professional standards to be used for internal auditing in the federal government;
- Developing and supporting the implementation of effective internal auditing methodologies and procedures across government;
- Supporting the implementation of appropriately qualified audit committees, as well as providing guidance on expected committee practices across government;
- Ensuring ongoing practice inspections and assessments of the entire spectrum of departmental internal audit activities as set out in the Policy on Internal Audit. These inspections are to be carried out by independent and qualified professionals who will communicate the results to respective deputy heads, departmental audit committees, chief audit executives and the Office of the Comptroller General;
- Identifying, and indicating to deputy heads, horizontal risks as well as audits to be included in departmental internal audit plans as part of government-wide coverage;
- Conducting horizontal and other internal audits focused on SDAs, and communicating the results to the appropriate deputy heads and the SDA Audit Committee;
- Establishing an independent SDA Audit Committee to provide the Comptroller General with guidance and advice on internal auditing in SDAs. (Requirements relating to the role, responsibilities and membership of the SDA Audit Committee are set out in the Directive on Small Departments and Agencies Audit Committee);
- Undertaking or leading horizontal audits that address government-wide, sectoral or thematic risks or issues in accordance with government-wide audit plans, as recommended by the Treasury Board/Government of Canada Audit Committee, and approved by the Secretary of the Treasury Board;
- Supporting departments in undertaking internal audits of information management and technology as well as audits that are conducted in a fact-finding or forensic mode;
- Conferring with, and providing advice to, deputy heads, audit committees, chief audit executives and internal auditors on the application of the Policy on Internal Audit and professional internal auditing standards;
- Maintaining active liaison with chief audit executives and deputy heads on significant issues of risk, control or management practices in departments, particularly in determining that effective and timely action is taken where there are serious issues to be resolved;
- Maintaining effective liaison with agents of Parliament, the Public Service Commission and other central agencies on audit issues; and
- Making available to the offices of the agents of Parliament, and to the Public Service Commission, training and development programs that are offered generally to the internal auditors and external audit committee members for other departments.