Practice Review and Internal Audit Plan—2008-09

1.0 Executive Summary

The Practice Review and Internal Audit Team of the Strategic Planning and Professional Practices (SPPP) Group conducts practice reviews of audit products and internal audits of management and administration within the Office of the Auditor General (OAG). The objective of the program is to provide the Auditor General with timely information, advice, and assurance about whether Office management systems, both for audit and administrative activities, are suitably designed and effectively operated.

Practice reviews and internal audits are part of an external and internal review regime of Office products and management systems. The regime consists of peer reviews of audit products, reviews by provincial institutes, practice reviews, internal audits, management reviews, and external audits.

The focus of this document is on the Practice Review and Internal Audit Plan for the 2008–09 fiscal year. The Auditor General, with the advice of the Audit Committee, approves the scope, coverage, and resourcing of the practice review and internal audit plan.

In the context of a rapidly changing environment that is characterized by new standards, methodologies, and audit tools, the Practice Review and Internal Audit Plan takes into consideration the following factors:

• Our risk assessment indicates that the Office has good controls in place and has no high risk areas that practice review and internal audit must address.
• Because we follow Canadian Institute of Chartered Accountants (CICA) quality control standards, we must conduct a certain number of practice reviews every year. As well, our audit products represent areas of “higher” risk when compared with our management and administrative practices. As a result, we spend the majority of our resources on practice reviews of audit products and conduct one or two internal audits per year.
• The work of OAG principals is one of the key elements of audit quality. The practice review coverage of our legislative auditing practice is based on systematic monitoring of the work of all principals on a cyclical basis. We will continue to review at least one product of every principal who completes a legislative audit product every four years.
• For each practice review, we conduct a highly focused review on higher-risk areas.
• Internal audits are selected based on an annual risk assessment.
• We plan to commit about 80 percent of our practice review and internal audit resources to “core” reviews of compliance with CICA accounting and auditing standards, high-risk quality management system elements, and internal audits or other significant areas. The remaining 20 percent of our resources will be used for flexible responses to practice issues brought to us by senior management.

For the 2008–09 fiscal year, approaches to practice review and internal audit include

• helping the Office prepare for a peer review of all product lines, covering all regions over a four-year period;
• integrating practice review and internal audit work to the fullest extent possible; and
• focusing attention on practice advisories applicable to all product lines.

We also plan to monitor internal activities that relate to the upcoming peer review to assess the Office’s preparedness for this review. 

In the context of a rapidly changing environment that is characterized by new standards, methodology, and technology, the need for effective practice review and continuous improvement continues. The standards require us to review each principal at least once every four years. In order to meet these standards, we will need to carry out more reviews than we intended this year to catch up on last year’s plan. We had planned to carry out about 10 reviews in the 2007–08 fiscal year. However, we were not able to complete our work plan for several reasons, including

• the retirement of the Chief Audit Executive, in early 2008;
• staff vacancies; and
• the diversion of our resources to other Office priorities.

We will therefore conduct practice reviews that involve four performance audit principals, nine financial audit principals, three special examinations; however, we will not do any assessment of Agency Performance reports. We will also follow up on observations and recommendations for improvement for all products lines and internal audits that were made in previous years.

The Office implemented GX Financials, a new financial information system, on 1 April 2008. We plan to conduct an internal audit of financial controls over transactions.

Finally, we will be performing an assessment of the Office’s Internal Audit practice, as required by the Institute of Internal Auditors (IIA) Standards and by our own Internal Audit Charter.

We operate with a core complement of four full-time equivalents: a principal, two directors, and one audit project leader. We currently have three full-time staff. We will also have to borrow staff from other teams within the Office to complete our work. Our ability to deliver the current audit plan is dependant on our ability to continue borrowing staff to assist with practice reviews. In order to further enhance our independence, internal audits are performed with the assistance of consultants. Resource requirements for internal audits for the 2008–09 fiscal year are currently budgeted for $50,000. We will seek additional funding as required to complete the planned work.

This plan will be publicly disclosed on the Office’s website and summarized in the Office’s 2008–09 Report on Plans and Priorities, and the results of the plan will be presented in the Office’s 2008–09 Performance Report.

2.0 Introduction

The Office of the Auditor General of Canada (OAG) conducts independent audits and provides objective information, advice, and assurance to Parliament, territorial legislatures, government, and Canadians. The Office has several product lines, including performance audits, financial audits, and special examinations; and, its audit work is guided by a rigorous methodology and a quality management framework.

This document outlines the external and internal review regime of OAG audit products and management systems. It presents the Office’s Practice Review and Internal Audit Plan for the 2008–09 fiscal year. The Auditor General, with the advice of the Audit Committee, approves the scope, coverage, and resourcing of the practice review and internal audit plan.

The Introduction includes background information on OAG products and practices and outlines our approaches to planning and conducting practice reviews and internal audits. The remainder of the document describes individual plans for the

• Performance Audit Practice,
• Audits of Summary Financial Statements and Crown corporations,
• Special Examination Practice,
• Assessment of Agency Performance Reports, and
• Internal Audit.

2.1 The Practice Review and Internal Audit Team

At the Office of the Auditor General, the Strategic Planning and Professional Practices (SPPP) group includes a Practice Review and Internal Audit team. This team of auditors is in charge of conducting practice reviews of the Office’s audit products as well as internal audits of the Office’s management and administrative practices. The team’s goal is to provide the Auditor General with timely information and advice and to offer assurance that important OAG management systems for audit products and administrative activities are suitably designed and effectively operated, as described in the OAG Practice Review and Internal Audit Charter (Appendix 1). The team also provides administrative support to the Office’s Audit Committee and assists with the peer review process when required.

Internal practice reviews of audit products. The Practice Review and Internal Audit team conducts practice reviews of selected performance audits, financial audits, special examinations, and assessments of agency performance reports. The team also reviews and assesses the overall quality control system to determine whether it has been appropriately designed and effectively implemented. These reviews are conducted according to the monitoring section of the quality control standards that are set by the Canadian Institute of Chartered Accountants (CICA); they are used to

• assess the quality of audit products and their compliance with the Office’s quality management frameworks, which are based on Office policies and professional standards;
• assure the Auditor General of the quality of our audits; and
• provide managers with suggestions for improvement.

Internal audits of management and administration. The Practice Review and Internal Audit team audits management and administration within the Office. This work is conducted according to the Office’s Practice Review and Internal Audit Charter, which is based on the standards of the Institute of Internal Auditors and Treasury Board Policy on Internal Audit and which takes into account the Office’s mandate and ability to maintain its independent status. These audits are conducted mainly by consultants to enhance their independence. They assure the Auditor General that the Office is complying with relevant government and Office policies. They also provide managers with assessments and recommendations.

2.2 External and internal reviews of Office audit products and management systems, and external audit of financial statements

External and internal reviews based on our quality management framework provide reasonable assurance that our audits are conducted according to established standards of professional practice. Management control systems guide the Office’s management and administration. The Office’s external and internal review regime consists of peer reviews of audit products, reviews by provincial institutes, practice reviews, internal audits, management reviews, external audit of financial statements, and lessons learned from international peers.

External review of audit products. In 1999, the Office hired an audit firm to assess the quality management system for annual financial audits. In 2003, an international team of legislative auditors carried out a peer review of the Office’s quality management framework (QMF) for performance auditing.

The reviews found that the system and framework were suitably designed and operating effectively. The review of the QMF for performance auditing highlighted some good practices and made suggestions for improvement. The action plan to make the improvements has been completed and is available on the OAG website. The Office has started planning for the next external peer review of the quality management framework for all audit product lines and related services, which it plans to conduct in the 2009–10 fiscal year.

In addition, about every four years, the provincial institutes of chartered accountants visit the OAG headquarters and regional offices to determine whether the Office is compliant with professional standards for financial audits and to determine whether the training of chartered accounting students meets their requirements. The most recent reviews concluded that the Office was following professional standards and met the provincial institutes’ requirements.

Management review of audit products and management systems. Management of the Office continually seeks to improve the way work is conducted by doing management reviews. There are two types of review: internal and external. An example of an internal management review is the recent exercise of re-visioning the performance audit practice. This review resulted in finding ways to improve the performance audit practice. An example of an external management review is the Independent Green Ribbon Panel Review of the Environment and Sustainable Development Practice of the Office of the Auditor General of Canada. The Green Ribbon Panel found that the OAG and the Commissioner of the Environment and Sustainable Development (CESD) have had a positive impact on the federal government’s management of environmental and sustainable development issues. It also found that the OAG and CESD have served an important educational role and have developed a strong domestic and international reputation. The Panel made some recommendations for improvement. In response, a list of options is being prepared for the Auditor General and Commissioner to consider.

External audit of financial statements. Each year, an external auditor appointed by the Treasury Board audits the Office’s financial statements. The most recent auditor’s opinion was that

the financial statements were presented fairly, in all material respects, the financial position of the Office as at 31 March 2007 and the results of its operations and its cash flows for the year then ended, in accordance with Canadian generally accepted accounting principles.

The auditor also stated that the Office was in compliance with its authorities. The 2007–08 financial audit is currently underway and will be reported to the Audit Committee at their July meeting. Results of the audit will be reported in the OAG Departmental Performance Report.

Participation in peer reviews of international audit offices. The Office also conducts peer reviews of international legislative audit offices and uses these reviews as an opportunity to learn and improve Office practices and procedures.

2.3 Developing the 2008–09 Practice Review and Internal Audit Plan

In preparing our 2008–09 Practice Review and Internal Audit Plan, we consulted with the product line leaders to determine whether they have any particular areas of concern that should be included in our reviews and audits. We also met with corporate service leaders, to better understand their activities and concerns.

Our plan for the 2008–09 fiscal year builds on the experience and lessons learned in previous years. It also builds on the key changes in each audit practice. For more information about the key changes in the various audit practices, see sections 3 to 6.

In the context of a rapidly changing environment that is characterized by new standards, methodology, and technology, the need for effective practice review continues. With practitioners using new methodology and new tools, our intention is to mitigate the risk associated with introducing such changes. We believe that we can add value to the practices by ensuring that Office practitioners have a culture of being actively conscious of quality.

Risk management. This plan was developed taking into consideration the Office’s Integrated Risk Management (IRM) Framework. The major elements of the Framework are outlined in Appendix 2.

To follow the spirit of the Treasury Board’s policy on Internal Audit, the OAG Charter requires us to prepare an Internal Audit Plan that is based on a systematic identification of business risks. This plan identifies the relevant key systems and practices in Appendix 3. (The Office’s Financial Management Capability Model is considered when this model of the Office’s Key Systems and Practices is prepared). Auditable components are identified in Appendix 4, along with a risk and control assessment. Low-risk activities and activities not scheduled for audit as well as the reasons they are not included for audit are identified in Appendix 5. This forms the basis for selecting internal audits annually.

Modernizing management practices. The Treasury Board of Canada Secretariat led an initiative to modernize government management practices. To support this initiative, the Office conducted a Comptrollership Capacity Assessment in the 2003–04 fiscal year. The Office also developed an action plan to address opportunities for improvements that were identified during the assessment.

We considered the results of the Office’s Comptrollership Capacity Assessment and recent developments, such as the impact of the implementation of the new financial system, when we prepared the 2008–09 Internal Audit Plan.

Our 2008–09 Practice Review and Internal Audit Plan also takes into consideration the following factors:

• Our risk assessment and review of controls indicates that the Office has good controls in place and has no high-risk areas that practice review and internal audit should address. Because we follow Canadian Institute of Chartered Accountants (CICA) quality control standards, we must conduct a certain number of practice reviews every year. As well, our audit products represent areas of higher risk as compared with our management and administrative practices. As a result, we spend the majority of our resources on practice review of audit products and conduct one or two internal audits a year.
• The work done by principals (the position title of the senior audit professionals of our audit teams) is one of the key elements of audit quality. The practice review coverage of the legislative auditing practice is based on systematic monitoring of the work of all principals on a cyclical basis. Our selection also considers higher-risk audit products, as well as principals that are newly appointed.
• Currently, the Office employs 58 principals, 46 of whom produce one or more audit products each year (Appendix 6). We plan to do about 11 practice reviews each year, so we can cover all principals in a four-year cycle. By adhering to a four-year timeframe, we will comply with the new CICA General Standards of Quality Control for Firms Performing Assurance Engagements (December 2005).
• There is a plan for cyclical regional office coverage. All regions are to be covered over a four-year cycle for practice review and internal audit work.

We will integrate the focus of practice review and internal audit work where possible. Integration of practice review and internal audit work helps to ensure effective coverage, on a cyclical basis, of all Quality Management Framework elements (Appendix 7).

We also consider new professional standards, Office practice advisories, and new methodology when we update our review methodology for all product lines, which we do annually. When they conduct their audits, teams must adhere to new methodology, which often includes professional or Office guidance or practice advisories. 

2.4 2008–09 Practice Review and Internal Audit Plan

Our 2008–09 Practice Review and Internal Audit Plan includes the following:

• We will continue to review at least one product of every principal who completes a legislative audit product every four years. We will review performance audits, annual audits, special examinations, and agency performance reports. In the last few years, our reviews of Office products has been thorough. However, due to the reassignment of our staff to other Office priorities in the 2007–08 fiscal year and to staff vacancies, we need to catch up to meet our obligation to review every principal at least once every four years.
  With the current number of principals (46 in all) responsible for such products, we now are conducting about 11 practice reviews a year. For more detail on the plan for each product line, see sections 3 to 5.
• For each practice review conducted, we will strive to conduct a review that focuses on high-risk areas, and we will only do more in-depth work when circumstances warrant. We will also strive to identify potential efficiencies in the audits that are being carried out.
• Internal audits are selected based on an annual risk assessment. Following the implementation of a new financial system on 1 April 2008, we will conduct an internal audit of financial controls over transactions. For more details on the internal audit plan, see section 7.
• We will continue to follow-up on the implementation of previous years recommendations.
• We will cover some regional offices this year.
• We plan to commit about 80 percent of our practice review and internal audit resources to our core reviews of compliance with CICA accounting and auditing standards, higher-risk Quality Management Framework elements, internal audits, and other significant matters. The remaining 20 percent of our resources will be used for flexible response to practice issues brought to us by senior management.
• We will incorporate all practice advisories and any new CICA standards and methodology requirements into our review methodology for the upcoming year, and we will place a special emphasis on reviewing compliance with them.

Practice reviews are not done on activities of the Forensic Audit Team (other than performance audits), discussion papers, and the Auditor General’s Matters of Special Importance and the Commissioner’s Perspective.

In the 2006–07 fiscal year, our practice review of the special examination practice was more extensive than usual. In addition to practice reviews of individual special examinations, we interviewed OAG senior management that were involved in the practice. We also reviewed the methodology used and professional development offered for the practice.

During the 2008–09 fiscal year, we will follow up on the progress made on recommendations to management with respect to the special examination practice. We will also perform our planned practice reviews in this area.  

The assessment of Agency Performance reports is relatively new for the Office. To ensure consistency and to optimize lessons learned, a practice review of all three assessments of Agency Performance reports was conducted in the 2005–06 fiscal year. This was a major practice review that included the development of methodology to review the assessment of Agency Performance reports. In the 2008–09 fiscal year, we intend to follow-up on the progress made in addressing the observations and the opportunities for improvement in our April 2006 practice review report. We will not be conducting any practice reviews of the assessment of Agency Performance reports For more details on the plan for the assessments, see section 6.

Part of the role of the Practice Review and Internal Audit team is to help ensure that the Office is ready for external peer reviews of the legislative auditing practice. This peer review will take place before the end of the current Auditor General’s mandate. The planning phase will occur in 2009, followed by the examination and reporting phases planned for mid-2010. When we prepare for this peer review, our focus will be on the implementation of practice advisories that are applicable to all product lines. We will also regularly monitor internal activities that relate to the upcoming peer review to assess the Office’s preparedness for the review.

2.5 Control framework of the Office of the Auditor General

Management controls. The Office has a strong internal control system. For example, leadership is provided from the top by the Auditor General. The Executive Committee sets policy and provides overall professional and administrative direction for the Office. An Audit Committee has been established; the majority of its voting members are external. The Auditor General and the Commissioner of the Environment and Sustainable Development receive advice from a number of committees with external members on the objectives, approach, and reports of many audit products.

The Office has a clearly defined vision, focus areas, and values that align with its mandate. It also has operational plans in place that align with its objectives. The Office monitors external and internal environments through surveys of parliamentarians, audited organizations, and employees. The Office has a Code of Values, Ethics, and Professional Conduct that sets out in detail the values and the ethical, professional, and other standards that guide staff, on a daily basis, in their work for the Office. Employees formally acknowledge compliance with the Code annually. The Office also has a documented approach to risk management that includes both a risk management policy and profile, and an integrated risk management framework.

Controls over audit products. An Assistant Auditor General is appointed product leader for each product line. The Office establishes policies and procedures to guide its work in accordance with the standards of the Canadian Institute of Chartered Accountants (CICA). This includes a manual and a Quality Management Framework (QMF) for each product line, which ensures that quality is built into the examination process. It guides auditors through a set of required steps to ensure that audits are conducted according to professional standards and Office policies. The manual and the QMF are complemented by templates and checklists for each product line. Process controls, such as quality reviewer and committees that review key documents and decisions, help to build quality into the process.

2.6 Recommended resources

A key question for any audit institution committed to excellence and professionalism is “How many resources should be devoted to the Practice Review and Internal Audit function?” In July 2005, the Office did a benchmarking study that compared OAG corporate services with public sector audit offices and the Canadian public sector. It found that the OAG spends less than its counterparts on internal audit, but spends more time on practice reviews than its counterparts.

In the past, we have operated with a core complement of four full-time equivalents, supported by two temporary employees. We currently have three full-time staff—a principal and two directors. Our ability to deliver the 2008–09 plan and to catch up on last year’s plan depends on the Practice Review and Internal Audit team having a full staff complement throughout the year. We have experienced some difficulty maintaining that complement, because staff members are sometimes diverted to other Office priorities.     

As we indicated earlier, we are still catching up from a number of delays in the last year, including the retirement of the Chief Audit Executive in early 2008, staff vacancies, and some of our staff being diverted to other Office priorities. We will therefore seek external resources to carry out practice review work for annual audits and will continue to borrow staff from other groups, as we have done in the past. We will count on senior management’s support to help us get the resources we need. 

In order to further enhance our independence, internal audits are performed with the assistance of contractors who are supervised by the Principal of the Practice Review and Internal Audit team. Resource requirements for internal audits during the 2008–09 fiscal year are currently budgeted for at $50,000. We will seek additional funding as required to complete the planned work. Funding requirements for the practice review work for annual audits have not yet been finalized.

2.7 Reporting of results

Our 2008–09 Practice Review and Internal Audit Plan will be publicly disclosed on the Office’s website and summarized in the Office’s 2008–09 Report on Plans and Priorities. Our results will be presented in the Office’s 2008–09 Performance Report. The Auditor General is the client for the reports of the Practice Review and Internal Audit team.

Practice reviews. For individual practice reviews, comments are shared with the Auditor General, the appropriate Assistant Auditor General and Principal. For practice reviews of each product line, a summary report is prepared that focuses attention on the matters we believe are significant from a practice-wide perspective. These summary reports are reviewed and responded to by the appropriate product leader. The product leader and relevant principal in charge of methodology approve management’s response to the report findings. The report then goes to the Audit Committee for review before being sent to the Auditor General for her approval and, following approval, to the Executive Committee. Finally, the summary reports are posted on the Office’s website and INTRAnet.

Internal audits. The results of internal audits are shared with the responsible Assistant Auditor General and Principal. The appropriate principal prepares the management response. The report then goes to the Audit Committee for review and recommendation before being sent to the Auditor General for her approval and, following approval, to the Executive Committee. Finally, the internal audit report is posted on the Office’s website and INTRAnet.

3.0 Performance Audit Practice

3.1 Background and overview of key changes

Performance audits examine, against established criteria, whether government programs are being managed with due regard for economy, efficiency, and environmental impact, and whether measures are in place to determine their effectiveness.

This practice is well established and has a robust methodology that guides auditors and ensures the quality of this practice. The guidance includes the Quality Management Framework for performance audits, the Performance Audit Manual and practice advisories, and numerous templates and guidelines. As well, for each performance audit, the Performance Audit Management Committee and quality reviewer perform key process controls.

Territorial performance audits are reported to the legislative assemblies of the territorial governments. They follow the Quality Management Framework for performance audits and are considered part of the Performance Audit Practice.

The Performance Audit Practice is in the final phase of a four-phase rollout of TeamMate (an electronic file management system that is being piloted in the Office to organize and document audit products). The evaluation of this pilot project will be completed in September 2008. The Executive Committee is expected to make a decision about the mandatory usage of TeamMate for performance audits in the fall.

It is now mandatory to use the audit logic matrix for performance audits. The audit logic matrix is a tool that enables the Office to better plan audits and resource requirements. We will modify our practice review methodology to reflect the use of TeamMate and of the audit logic matrix in our performance audits.

The Independent Green Ribbon Panel Review of the Environment and Sustainable Development Practice of the Office of the Auditor General of Canada was released in December 2007. The Green Ribbon Panel found that the Office of the Auditor General (OAG) and the Commissioner of the Environment and Sustainable Development (CESD) have had a positive impact on the federal government’s management of environmental and sustainable development issues. It also found that the OAG and CESD have served an important educational role and have developed a strong domestic and international reputation. The Panel made several recommendations, including a recommendation that the next Commissioner make it a priority, early in his mandate, to explain how sustainable development will be factored into his work plan. In response to these recommendations, a list of options is being devised for the Auditor General and Commissioner to consider.

As noted in the introduction section, the Office undergoes periodic external reviews. The most recent external peer review of the Performance Audit Practice was completed in the 2003–04 fiscal year. The external peer review had and will continue to have a significant impact, as the practice is updated in response to suggestions for improvement. The major suggestions and our proposed follow-up are summarized in Appendix 8, and the outcome of our follow-up is included in our annual Report on a Review of the Performance Audit Practice of the Office of the Auditor General of Canada—Audits Reported in 2007, which is posted on our website.

3.2 Practitioners

There are 32 principals who are responsible for performance audits; 22 will be tabling performance audits during the 2008–09 fiscal year (Appendix 6, section 2). Some of these principals will be tabling

• territorial performance audits reports,
• long-form reports for international organizations,
• environmental petitions, or
• reports on sustainable development monitoring of activities.

3.3 2008–09 plan

We plan to check compliance with selected elements of the Quality Management Framework for performance audits and with key process controls performed by the Performance Audit Management Committee and the quality reviewer.

We will conduct focused practice reviews of performance audits reported in the 2008–09 fiscal year. We intend to do practice reviews of performance audits conducted by four principals.

We will pay particular attention to the following:

• compliance with practice advisories,
• the role of the quality reviewer,
• adequacy of documentation,
• the role of internal specialists in providing comments to the audit team and the way the comments are addressed, and
• senior management involvement in the planning phase.

4.0 Annual Audit Practice

4.1 Background and overview of key changes

Annual audits of financial statements comply with Canadian generally accepted auditing standards and provide an opinion on whether

• financial statements are presented fairly in accordance with Canadian generally accepted accounting principles that are applied on a basis consistent with the preceding year; and
• the transactions examined conform to laws and regulations.

This practice is well established and has a robust methodology that guides auditors and ensures the quality of this practice. The guidance includes the following:

• the Quality Management System for annual audits,
• the Annual Audit Manual,
• practice advisories,
• pre-established audit programs, and
• numerous templates and guidelines.

The Annual Audit Practice and Information Technology Financial teams, along with the product leaders responsible for annual audits and public accounts, guide auditors on the application of CICA standards and reporting requirements. A quality reviewer conducts key process controls for those annual audits that are considered higher risk.

During the 2005–06 fiscal year, the Office revised audit policies and procedures to fully incorporate the new CICA quality assurance standards for individual engagements. During 2006–07, the CICA standards respecting assessment of risk and documentation requirements were fully implemented by the Office. Also, in January 2006, the Annual Audit and Special Examination Management Committee approved practice guidance for the work of Quality Reviewers on Annual Attest Audits as well as revised guidance on applying a control-reliant approach. We anticipate fewer changes in the 2008–09 fiscal year. We will adapt our practice review methodology to reflect any changes made by the practice.   

As noted in the Introduction, the Office’s annual audit practice undergoes periodic external reviews by the provincial institutes of chartered accountants. Currently, institutes in British Columbia, Alberta, Ontario, Quebec, and Nova Scotia perform reviews on our annual audit files about every four years, depending on the requirements of each provincial institute. The most recent reviews were completed in early 2008, and the review reports indicated compliance with practice requirements.

4.2 Practitioners

There are 26 principals responsible for annual audits of Crown corporations, territorial, international, and other entities. Twenty principals are responsible for the annual audits of the large entities that form part of the Section 6 of the Auditor General Act—Audit of the Summary Financial Statements of the Government of Canada. Thirteen of these principals audit more than one product. For more information, see Appendix 6, section 3.

4.3 2008–09 plan

In 2008–09, we plan to carry out detailed practice reviews of nine annual audit engagements. Our reviews will focus on the following:

• ensuring compliance with selected elements of the Quality Management System for annual audits;
• checking compliance with key process controls performed by the quality reviewer;
• reviewing the quality reviewer function to ensure that it is working as intended;
• reviewing the function of internal specialists in the areas of attest audit information technology and financial instruments;
• reviewing audits that are contracted out to private firms to ensure that they meet the quality assurance standards of the Office;
• assessing compliance with practice advisories and new CICA standards; and
• following up on previous years recommendations

As indicated earlier in this document, we will seek external assistance to carry out this work.

5.0 Special Examination Practice

5.1 Background and overview of key changes

The Financial Administration Act (FAA) requires each parent Crown corporation (with certain exceptions) to have a special examination of its organization conducted by the Office every five years (a round).

The Office is required by the FAA to determine whether the financial and management control and information systems and management practices of the organization were maintained in a manner that provides reasonable assurance that

• the assets of the organization are safeguarded and controlled; and
• the financial, human, and physical resources of the organization are managed economically and efficiently, and that the operations of the organization are carried out effectively.

The Office has a lengthy history of special examination experience that dates back to the mid-1980s. Round 5 is starting and is expected to run from 2007–08 to 2011–12. The Office expects to conduct about 43 special examinations during Round 5. Due to recent changes to the legislation, the number of special examinations that the Office is required to conduct has increased since Round 4.

The special examination practice has changed in another way: Although there is no legislative requirement for Crown corporations to make their special examination reports public, many Crown corporations are voluntarily posting special examination reports on their website and, thus, making them public documents.

Additional resources were recently allotted to the special examination methodology team; this includes the appointment of a product leader at the Assistant Auditor General level. We expect that more methodology and internal courses on special examinations will be developed to guide practitioners in their work.

5.2 Practitioners

There are 17 principals responsible for special examinations, and there are 43 special examinations in Round 5 (Appendix 6, section 4).

5.3 2008–09 plan

As we do with practice reviews for all product lines, during Round 5 of special examinations, we plan to check compliance with selected elements of the Office’s Quality Management System (QMS) for special examinations. We will closely monitor the results of the external review that was initiated by management to determine whether the design of the quality management framework meets CICA standards. We will also check compliance with the key process controls performed by the quality reviewer, if one was appointed to the special examination undergoing a practice review.

In the 2006–07 fiscal year, our practice review of the special examination practice was more extensive than usual. In addition to practice reviews of individual special examinations, we interviewed OAG senior management that were involved in the practice and reviewed the methodology used and professional development offered. The practice review report identified several opportunities for improvement. During the 2008–09 fiscal year, the Practice Review and Internal Audit Team will follow-up on progress made on recommendations.

In our 2007–08 plan, we stated our intention to perform three practice reviews of special examinations: one in the 2007–08 fiscal year and two in 2008–09. Since we were not able to complete the one planned for 2007–08, we intend to perform all three practice reviews, as part of Round 5, in 2008–09. We will pay particular attention to

• compliance with practice advisories,  
• progress made on recommendations in our previous reports,
• the role of internal specialists, and
• the involvement of senior management in planning and conducting the audits.

6.0 Assessment of Agency Performance Reports

6.1 Background and overview of key changes

Assessments of Agency Performance Reports are a relatively new activity for the Office. This work enables the Office to determine whether the Canadian Food Inspection Agency, the Parks Canada Agency, and the Canada Revenue Agency present their performance information (published in their statutory reports) in a fair and reliable way.

Since the 2006–07 fiscal year, the Office has conducted a review level of assurance engagement for the three agencies. These assessments are now part of the performance audit practice.

All three assessments of Agency Performance reports were subject to a practice review in the 2005–06 fiscal year to ensure consistency and value to the Office and to optimize lessons learned. The practice review report raised several observations and opportunities for improvement. We will follow follow-up on progress made to date.  

6.2 Practitioners

There are currently three principals responsible for three assessments of Agency Performance reports subject to a review level of assurance by the Office. The reviews of two agencies are conducted annually, and reviews of the third are conducted periodically.

6.3 2008–09 plan

We will conduct a follow-up of the observations raised in our previous practice review reports and will not conduct any practice reviews of assessment of Agency Performance reports.

7.0 Internal Audit

7.1 Background

Over the last several years, internal audit has had good coverage of low- and medium-risk areas, which include

• professional service contracts;
• security at headquarters and in the regions;
• travel, compensation, and classification;
• hospitality expenses;
• management of the human resources; and
• professional development function and staffing.

There are no high-risk areas. We plan to do one or two internal audits per year.

7.2 Internal audit, risk assessment, and alignment of risks with key systems and practices

To follow Treasury Board’s Policy on Internal Audit, the Practice Review and Internal Audit team has prepared an Internal Audit Plan that addresses areas of higher risk:

• First, we defined the key systems and practices.
• Second, we identified, classified, and analyzed business risks.
• Third, we aligned the risks with key business systems.

Appendix 2. The OAG Integrated Risk Management Framework Identification and Risk Assessment Worksheet is used to assess risks and controls. All of the risks described in the OAG Risk Framework were deemed to be significant. Also identified in the OAG Risk Framework is which risk is most amenable to internal audit or practice review. As a general rule, we consider that the highest potential impact of the risks relevant to practice review is higher than highest potential impact of risks relevant to internal audit. Therefore, we focus most of our efforts on practice review.

Appendix 3. The Overview of OAG Key Systems and Practices identifies key administrative systems and practices in the Office. It is broadly based on the OAG Financial Management Capability Model, and it provides an overview of most of Office activities as they relate to Office systems and practices. While this is a high-level overview, it illustrates most of the major systems and can be linked to the Office’s organizational structure.

Appendix 4. The Alignment of OAG Risk Profile with Office Systems and Practices table shows the alignment of risks relevant to internal audit with the control and risk assessment and the relevant internal office systems and practices (Appendix 3). The potential impact, the likelihood of the risk event occurring, and risk management effectiveness are listed according to the risk category and statement There are two categories of relevant systems and practices listed: low and medium risk.

In our analysis of risk assessment, we found that there are no high-risk areas. For the Auditor General’s information, we have charted the low- and medium-risk areas over a cycle, taking into account our internal audit resources. We estimate that it would take about nine years to cover all of the low- and medium-risk areas. This means that within the mandate of an Auditor General, which is 10 years, we could do an internal audit on all low- and medium-risk activities if we chose to do so. The potential coverage is suitable to the Auditor General.

Our intention is to do an annual risk assessment and to conduct internal audits on areas of higher risk. However, we will keep the charted cycle in mind, to provide the Auditor General with the assurance she needs.

Appendix 5. The Systems and Practices with Low Risk—Not Scheduled for Audit or Covered by Practice Review table identifies systems and practices that were deemed to be of low risk and are not scheduled for internal audit. Also identified are areas that are reviewed by another audit or review organization. For example, the audit of our financial statements is covered by external audit and is excluded from our plan.

Risk management is reviewed by the Audit Committee once a year, and the Practice Review and Internal Audit team also reviews risk management every year when it prepares this plan. The practice review function is audited as part of the External Peer Review. In addition, as required by the Institute of Internal Auditors Standards, the Internal Audit function is assessed every four years; the next assessment is planned for the 2008–09 fiscal year.

7.3 Where we spend our dollars

Appendix 9 includes a summary of Office expenses by major classification. Of particular interest are the discretionary expenditures, which exclude salaries, employee benefits, and Office accommodations. For the purpose of planning internal audits, we included professional services, travel, communication, information technology, and printing and publication services. This information helps us to decide which categories of discretionary expenditures to audit over time.

7.4 Office’s strategic challenges

In planning our internal audits, we are mindful of the Office’s strategic challenges:

• integrating changes to professional standards into our policies, methodology, training, and practices;
• sustaining our capacity as an office; and
• enhancing entity relations.

7.5 Types of audit we will do

Most of our internal audits will be a mix of compliance and performance audits. We will start out reviewing compliance with relevant Office policies and or central agency policies, and then move into performance auditing issues that are of relevance to the Office.

Internal audit generally does not review best practices in other jurisdictions. We rely on corporate service leaders to do this benchmarking work.

7.6 2008–09 plan

During the 2008–09 fiscal year, since a new financial system (GX financials) was implemented, we will conduct an internal audit of the internal controls over transactions.  

We will also

• follow up on previous internal audits.
• request that the responsible principals provide an update on progress made in addressing the observations and recommendations in these internal audit reports
• review the responses to determine whether they are adequate and whether more in-depth internal audit work needs to be done
• plan any necessary future follow up the internal audit, including timelines and recommendations on the type and depth of follow-up work.

Appendix 1—Office of the Auditor General Practice Review and Internal Audit Charter

Mission and scope of work

• The purpose of the Practice Review and Internal Audit (PR&IA) function is to provide information, advice, and assurance to the Auditor General as to whether important OAG management systems for audit practices, administrative services, and management processes are appropriately designed and effectively operated to comply with the OAG’s policies, guiding principles, Mission, and Vision.
• PR&IA helps the Office accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of the risk management, control, and governance processes.
• The spirit of the Treasury Board Policy on Internal Audit (1 April 2006) is followed taking into consideration the special circumstances of the OAG mandate and the need to maintain the Office’s independent status.
• PR&IA follows the CICA general assurance standards of quality control for firms performing assurance engagements (December 2005).

Accountability

• The Auditor General is the client for practice review and internal audit reports. The Auditor General approves the scope and coverage of the practice review and internal audit plans, taking into account the advice of the Audit Committee. The plans focus primarily on the provision of assurance services. Other services are provided only as an exception.

Independence and Professional Qualifications

• The Principal, Practice Review and Internal Audit, is responsible for the practice review and internal audit function and acts as the Chief Audit Executive (CAE) for the Office. The CAE is appointed by the Executive Committee. This position is independent from the Office’s management and operations. The CAE reports administratively to the Assistant Auditor General, Strategic Planning and Professional Practices (SPPP) and functionally to the Auditor General.  
• The CAE is required to hold an accounting designation (CA/CMA/CGA) or to be a Certified Internal Auditor.
• The CAE has unfettered access to the Audit Committee.
• SPPP will ensure that individuals involved in internal audits and practice reviews are sufficiently qualified and independent of the activities under examination.
• Generally the Office’s practices will meet the intent and spirit of the Treasury Board’s Internal Audit Policy. However, the Office will not provide the Comptroller General with access to internal audit staff and working papers as required by the Policy. Because this access would put the Comptroller General in a management role in the implementation of the Policy, it would compromise the independence of the Office if it were followed. The Office will not normally participate in government-wide audits initiated by the Comptroller General. Practice review and internal audit reports will be made available to the public.
• PR&IA plans and results will be shared, on request, with the Advisory Panel on the Funding of Officers of Parliament and with the appropriate standing committees of the House of Commons.

Responsibilities and Operating Principles

• Specifically, the Principal, Practice Review and Internal Audit, is responsible for:
  • developing and obtaining approval for the practice review and internal audit charter;
  • ensuring that professional (Institute of Internal Auditors) internal auditing standards are followed by 2009;
  • developing a practice review and internal audit plan that is consistent with the Office’s objectives, based on a risk assessment, done at least annually, and that considers the input of senior Office management and the Audit Committee;
  • developing the guidance and tools to be used in carrying out reviews and audits;
  • conducting the reviews and audits;
  • coordinating internal audit activities and plans with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of effort;
  • arranging for Audit Committee briefings on values and ethics, risk management, and internal controls that meet the Audit Committee’s needs;
  • meeting quarterly with the Auditor General;
  • attending all meetings of the Audit Committee;
  • reporting the results of practice reviews and internal audits to the Auditor General after review by the Audit Committee; and
  • developing and maintaining a quality assurance and improvement program that covers all aspects of internal audit and that continuously monitors its effectiveness by 2009.
• All audit practices are subject to practice review including
  • performance audits of departments and agencies,
  • financial audits of the Financial Statements of the Government of Canada,
  • financial audits of Crown corporations, territories and other entities,
  • special examinations of Crown corporations,
  • sustainable development monitoring activities, and
  • assessments of agency performance reports.
• Practice reviews of a selection of completed assurance engagements will be performed on a cyclical basis and will include at least one engagement for each Principal over four years.
• Engagements are selected without prior notification.
• Results of the practice reviews should be communicated at least annually to the Auditor General. The reports should follow the monitoring section of the general standards of quality control of the Canadian Institute of Chartered Accountants and  include
  • a description of the review procedures performed;
  • the conclusions drawn from the review procedures;
  • where relevant, a description of systemic, repetitive or other significant deficiencies and of actions taken to resolve or amend those deficiencies; and
  • recommendations for appropriate remedial action.
• The internal audit function is periodically subject to review by an external organization. The external review reports are subject to review and approval by the Executive Committee.
• The practice review function is periodically subject to review by an external organization as part of a peer review of audit practices. The peer review reports are subject to review and approval by the Executive Committee.
• In selecting areas for internal audit and practice review, PR&IA uses the criteria of significance, relevance, and auditability. As well, the scope includes all important aspects of the OAG’s risk management strategy and practices, management control frameworks and practices, and information used for decision-making and reporting.
• PR&IA has access to all OAG information needed to carry out its practice reviews and internal audits. All OAG employees are expected to cooperate fully with PR&IA staff and staff assigned to conduct the work under the direction of PR&IA.
• Practice review and internal audit are elements of continuous improvement. They identify areas where improvements in systems, practices, or professional development can be made. Particular instances will be discussed with the responsible managers.
• Openness and communication with management and staff characterize all practice reviews and internal audits. The views of key players are sought before a PR&IA report is finalized.
• Practice review and internal audit reports are presented to the Executive Committee for information.
• PR&IA will follow up and report on practice review and internal audit recommendations, to ensure that necessary corrective actions are implemented.
• The Office will ensure that the necessary financial and human resources, including staff at an appropriate level and with appropriate experience, are made available to the Principal, Practice Review and Internal Audit to conduct the reviews and audits based on its plans.

Appendix 2—Integrated Risk Management Framework Identification and Risk Assessment Worksheet

Appendix 3—Overview of the Office’s Key Systems and Practices

Lead Organizational Unit

[text version]

Appendix 4—Alignment of the Office Risk Profile with the Office’s Systems and Practices

Appendix 5—Systems and Practices with Low Risk—Not Scheduled for Audit or Covered by Practice Review

Appendix 6—Overview of the Office’s Legislative Auditing Practice

1. Total Legislative Auditing Practitioners

• Total number of practitioners: 46 leading one or more products
• Annual practice reviews (4-year cycle): about 11 per year

2. Performance Audit Practice

• Total number of principals responsible: 32
• Total number of performance audits to be reported in 2008–09: 41
• Total number of principals reporting a performance audit in 2008–09: 22
• Total number of principals to be practiced reviewed: 4

3. Annual Audit Practice

Crown corporations and other entities, territorial entities, and international entities for which an audit is performed annually by the Office

• Number of annual audits: 132
• Number of principals responsible: 26
• Number of annual audits with an audit budget of (used as a guide for selection)
  • 2,000 to 3,000 hrs: 12
  • over 3,000 hrs: 13
• Number of annual audits to be subject to a practice review: 7

Section 6, Audit of the Summary Financial Statements of the Government of Canada performed every year

• Number of large entities: 23
• Number of principals responsible: 20
• Number of large entities to be subject to a practice review: 2
• Number of audits contracted out in the 2007–08 and 2008–09 fiscal years: 2 and 6, respectively

4. Special Examinations Audit Practice for Round 5¹ (2007–08 to 2011–12)

Crown corporations for which a special exam is currently conducted every five years

• Number of special examinations in the fifth round: 43
• Number of Principals responsible: 17
• Number of fifth-round special examinations already completed and to be completed in 2008–09: 23
• Number of special examinations to be practice reviewed during 2008–09: 3

5. Assessments of Agency Performance Reports

• Assessments of agency performance reports conducted in 2008–09: 2
• Number of principals responsible: 3
• Number of assessments to be subject to a practice review in 2008–09: 0

Exclusions:

Activities of the Forensic Audit Team other than performance audits
Discussion Papers
Auditor General’s Report on Matters of Special Importance
Report on the Commissioner’s Perspective

¹ The Financial Administration Act (FAA) requires each parent Crown corporation (with certain exceptions) to have a special examination of its organization conducted by the Office every five years. Each five-year period is referred to as a “Round.”

Appendix 7—Coverage of Quality Management Framework Elements

Quality Management Framework Element	Coverage
	Practice Review	Internal Audit
Leadership and Planning
1. Strategic direction		N/A
2. Selecting the audit
3. Operational planning
4. Methodology
Audit Management
5. Conducting the audit
6. Managing the project
7. Planning the audit
8. Obtaining accessible, sufficient, and appropriate evidence
9. Reporting the audit
10. Consultation
11. Independence, objectivity, and integrity
12. Security, access, and file retention
Client Focus
13. Communicating audit message
14. Feedback from clients and stakeholders
15. Effective reporting
People Management
16. Resourcing
17. Leadership
18. Respectful workplace
19. Performance management
20. Professional development
Continuous Improvement
21. Practice review	N/A	N/A
22. Lessons learned

Appendix 8—External Peer Review of Performance Audit Practice

Appendix 9—Expenses at the Office of the Auditor General