Practice Review and Internal Audit—Multi-year Plan for Fiscal Years 2010–11 to 2012–13

Executive Summary

The Practice Review and Internal Audit (PRIA) team conducts practice reviews of audit products and internal audits of management and administration within the Office of the Auditor General. This is part of the Office’s governance and internal control framework.

The PRIA team provides independent and objective information, advice, consulting, and assurance services to the Auditor General to improve and add value to audit practices and Office operations, through learning and continuous improvement.

In consultation with the Auditor General, the PRIA team develops an annual plan that is consistent with the Office’s objectives and is based on a risk assessment that considers the input of senior Office management and the Audit Committee. The proposed final plan is discussed with the Auditor General, the Executive Committee, and the Audit Committee, before the Auditor General approves the plan.

This document sets out an updated three-year Practice Review and Internal Audit Plan. It is based on an environmental scan and risk assessment. Interviews were conducted with senior management and product leaders. Key documents, such as strategic plans and the Office’s reports on plans and priorities and the Office’s Departmental Performance Report, were reviewed. The following factors have been taken into account in this plan:

• Overall, the Office has good controls in place. The Office has no high-risk areas that the PRIA team should consider priorities. However, the transition to new assurance and financial reporting standards, along with the observations of the peer reviewers and the practice reviews conducted in the 2008–09 and 2009–10 fiscal years, represent an increased risk to meeting audit standards and to the success of the Office’s Quality Management System (QMS) for the annual audit practice.
• Because we follow the Canadian Institute of Chartered Accountants (CICA) quality control standards, we must conduct a certain number of practice reviews every year. As well, our audit products represent areas of higher risk than our management and administrative practices. As a result, we devote most of our energies to practice reviews.

During the 2010–11 fiscal year, we will conduct practice reviews that will involve four performance audit principals, eleven financial audit principals, and two special examination principals. We will not be doing any Office-wide practice reviews and will not review any assessments of agency performance reports. We will

• review management’s actions in response to previous years’ practice review recommendations;
• monitor how previous years’ recommendations are considered, as part of the Renewal of Audit Methodology (RAM) strategic priority; and
• monitor how overall progress, on this project, is reported to the Executive Committee.

We expect similar practice review coverage in the 2011–12 and 2012–13 fiscal years.

We will continue monitoring the Office’s activities leading up to the adoption of the Canadian Auditing Standards (CAS), beginning in 2010, and the International Financial Reporting Standards (IFRS), beginning in 2011. We will adjust relevant practice review programs accordingly.

In the 2011–12 fiscal year, depending on the progress made on the RAM project and the status of the QMS being developed, we will consider reviewing the design of the new QMS. We will consider the nature, extent, and timing of such a review, as it relates to the Office’s adoption of the new assurance standards on quality controls for firms, which are more commonly referred to as CSQC‑1 (Canadian Standard on Quality Control—Quality control for firms that perform audits and reviews of financial statements, and other assurance engagements). A review of the role that the Information Technology (IT) team plays in helping annual audit teams conduct their audits will be considered in the 2012–13 fiscal year.

Internal audit work is minimal, due to the relatively low control risk and the emphasis given to practice reviews. In addition to following up on outstanding recommendations, our current plan for internal audit is as follows:

• In the 2010–11 fiscal year, complete the follow-up on hospitality.
• In the 2011–12 fiscal year, consider examining contracting and procurement, including IT purchases.
• In the 2012–13 fiscal year, consider examining the performance management information reporting system.

We have implemented the requirements of the Treasury Board’s Policy on Internal Audit, which follows the Standards for Professional Practice of Internal Auditing set by the Institute of Internal Auditors.

In the 2010–11 fiscal year, we plan to invest about 9,000 hours in practice reviews and internal audits. About two-thirds of this work will be performed by the core PRIA team; the remaining third will be assigned to others in the Office. Individual practice reviews will be carried out internally, by principals and directors.

As in the past, we count on senior management to provide staff at the principal and director levels, so we can carry out practice reviews. External resources are retained to assist in areas of special expertise as necessary.

This plan will be summarized in our Report on Plans and Priorities, and the results will be summarized in our Performance Report. Both documents will be posted on the Office’s website.

Introduction

1. The Office of the Auditor General of Canada (the Office) conducts independent audits and provides objective information, advice, and assurance to Parliament, territorial legislatures, and Canadians. It has several product lines, including performance audits, financial audits, and special examinations. Its audit work is guided by established methodology and a Quality Management System (QMS) for each product line.

2. The Auditor General is the client for practice review and internal audit reports. The Auditor General approves the scope and coverage of the practice review and internal audit plans, taking into account the advice of the Audit Committee.

3. While the primary purpose of practice reviews and internal audits is to provide assurance to the Auditor General, they are also a learning opportunity for the rest of the Office to improve the overall audit practice and quality of operations.

4. This document provides a plan for Practice Review and Internal Audit (PRIA) team activities for the 2010–11, 2011–12, and 2012–13 fiscal years. The Office has a rolling three-year PRIA plan. Specific audits for the 2011–12 and 2012–13 fiscal years will be reviewed and approved each year.

5. The proposed PRIA plan was developed in compliance with the spirit of the Treasury Board’s Policy on Internal Audit, as captured in the Office’s Practice Review and Internal Audit Charter. The Charter requires preparing a plan based on an environmental scan and a systematic identification of business risks.

Background

6. The Office’s audit work is guided by a rigorous methodology and a Quality Management System (QMS). Internal and external reviews of audit practices and audit operations provide the Office with independent assurance that audits and operations are conducted according to established standards of professional practice. The Office’s internal and external review regime includes practice reviews, internal audits, peer reviews, professional inspections by provincial institutes, and external audit of the Office’s financial statements. The results of these reviews, combined with a risk assessment, serve to guide the work of the Practice Review and Internal Audit (PRIA) team.

7. The PRIA team conducts internal practice reviews of the Office’s audit products, as well as internal audits of the Office’s management and administrative systems and practices. The purpose of the PRIA function is to provide the Auditor General with objective and timely information, advice, consultations, and assurance—to improve and add value to the Office’s operations. This includes determining whether the Office’s management systems for audit products, administrative activities, and management processes are appropriately designed and effectively operated, and whether they comply with legislative requirements and professional standards, as well as the Office’s

• policies and guiding principles;
• Code of Values, Ethics, and Professional Conduct; and
• Quality Management System.

(See Appendix A for more information.)

8. Annual internal reviews are also used to draw conclusions on whether the opinions and conclusions presented in our audit reports are appropriate and supported.

9. Practice reviews. Any Office product can be subject to a practice review. However, the majority of practice reviews are of selected performance audits, financial audits, special examinations, and assessments of agency performance reports. These reviews are conducted according to the monitoring section of the General Standards of Quality Control for Firms Performing Assurance Engagements of The Canadian Institute of Chartered Accountants (CICA) Handbook (Section GSF-QC, December 2005). They are used to monitor compliance with quality control policies and procedures to evaluate whether

• professional standards and regulatory and legal requirements have been adhered to;
• the quality control system has been appropriately designed and effectively implemented; and
• the Office’s quality control policies and procedures have been appropriately applied, so that reports that are issued are appropriate in the circumstances.

10. Practice reviews can be used to examine selected elements of the Office’s QMS, as they apply to individual audits or to multiple product lines. At the end of the year, a summary report is prepared for each audit product line.

11. Internal Audits. Internal audits are conducted according to the Office’s Practice Review and Internal Audit Charter, which is based on the standards of the Institute of Internal Auditors and the Treasury Board Policy on Internal Audit and takes into account the Office’s mandate and ability to maintain its independent status.

12. The results of internal audits or practice reviews are shared with the responsible assistant auditor general, product leader, Assistant Auditor General of the Professional Practices Group and responsible manager when applicable. The appropriate managers and assistant auditors general prepare the management response and an action plan. The report then goes to the Audit Committee for review and recommendation for approval by the Auditor General, then to the Auditor General for her approval, and then to the Executive Committee.

13. Our PRIA plans are summarized in our reports on plans and priorities, and the results are summarized in our departmental performance reports. Both documents are posted on the Office’s website.

Key Success Factors

14. The Practice Review and Internal Audit (PRIA) team could not do its work without the collaboration of the Office’s management and staff. In order to ensure that internal reviews and audits are conducted efficiently and effectively and that they result in meaningful outcomes, a number of key requirements need to be in place, notably,

• sufficient and appropriate resources to carry out its core mandate;
• available and competent Office staff assigned to practice reviews and internal audits;
• timely access to all necessary information and documentation;
• timely feedback from management and practitioners on report drafts and recommendations for improvement; and
• a focus on learning and continuous improvement.

Developing the Multi-year Plan

15. In developing the Multi-year Plan for Practice Review and Internal Audit (PRIA), we consulted with the audit product leaders, corporate service leaders, and selected individuals, including those in charge of audit methodology and strategic planning. We requested their input so that we could better understand their upcoming plans and priorities, the operational risk, and identify areas of audit. We also considered the findings from internal and external reviews, notably,

• preliminary peer review results,
• past provincial institutes of chartered accountants inspections and external audit results,
• upcoming changes to professional standards and Office policies and methodology, and
• any special requests from the Auditor General.

16. We considered the Office’s integrated risk management system, in which management had assessed that most areas were well managed but that some areas, related to ensuring compliance with audit standards and controlling audit costs, still required attention. Various management plans have been initiated to address these areas. Most notable is the Renewal of Audit Methodology (RAM) project. Over the next two years, four audit manuals will be developed that contain up-to-date methodology and will be completely integrated into audit practice by December 2011.

17. We recognize that the Office is in a period of change. Our risk assessment and review of controls indicates that the Office has good controls in place and that there are no high-risk areas related to the administrative systems and practices.

18. However, in the 2008–09 fiscal year, practice reviews identified a number of instances where the Quality Management System (QMS) was not consistently and rigorously applied or where its design needed improvement. As a result, the Office made updating and strengthening the design and implementation of the QMS a strategic priority. Moreover, changes are being made to the reporting standards for assurance and financial statements, such as the adoption of Canadian Auditing Standards (CAS) and the transition to International Financial Reporting Standards (IFRS). These changes, along with the observations raised by the peer reviewers and the practice reviews conducted in the 2008–09 and 2009–10 fiscal years, represent an increased risk for annual audits.

19. Our proposed three-year plan will help ensure effective coverage, on a cyclical basis, of all QMS elements.

Upcoming practice reviews

Principles and criteria for selection of engagements to be reviewed

20. Audit practices for performance audits, special examinations, and annual audits are well established. For each product line, there is a methodology that guides auditors and ensures the quality of the practice. The guidance includes

• a quality management system (QMS),
• audit manuals,
• practice advisories, and
• numerous templates and guidelines.

21. All engagements are subject to practice review, including

• performance audits of departments and agencies;
• financial audits of the Government of Canada, Crown corporations, territorial governments and corporations, and other entities—including departmental financial statements;
• special examinations of Crown corporations;
• sustainable development monitoring activities;
• studies;
• assessments of agency performance reports; and
• forensic audits.

22. The Auditor General’s Report on Matters of Special Importance and the Commissioner’s Perspective are not subject to practice reviews. The practice review coverage of the legislative auditing practice is based on a risk assessment of audit products and on systematic monitoring of the work of all principals. Practice reviews are conducted over a monitoring cycle that spans three years for annual audits and five years for performance audits. Special examinations and other office products will be reviewed, as required. The following criteria are used to select engagements to be reviewed:

• The type of engagement (special examination, forensic, or other)
• Whether the audit principal has had an engagement reviewed in the monitoring cycle
• Public sensitivity of the engagement
• Risk associated with the engagement
• Results of previous review procedures
• Audit cost
• Whether or not there is a quality reviewer assigned to the audit
• Experience of the audit principal
• Complexity of the engagement
• Whether the product is the result of a special request from the Executive Committee, the Auditor General, or the Audit Committee
• Any other criteria determined and documented by PRIA

23. To be consistent with Canadian Auditing Standards, each principal (the senior audit professional of an audit team) will usually have at least one engagement reviewed in a monitoring cycle. If deficiencies are noted in a practice review of a principal or if there are specific risks to the Office, the next practice review of that principal could be accelerated. If a principal is responsible for more than one type of engagement (for example, financial audit and performance audit), there may be a review of more than one type of engagement in a single monitoring cycle.

Activities planned

24. Activities planned for the 2010–11 fiscal year include the following:

• Given current and upcoming changes to the Office methodology and professional standards, practice review programs for all product lines will be updated.
• All regional offices are subject to the same monitoring cycle.
• The following number of practice reviews are planned for the 2010–11 fiscal year:
  • 4 performance audits
  • 11 annual audits
  • 2 special examinations
• Although no reviews of assessment of agency performance reports are planned, recommendations stemming from reviews in prior years will be followed up on.
• Given the higher risk identified in the annual audit practice, the coverage of principals and entities reviewed will be increased.
• For each practice review, a review that focuses on key elements of the QMS will be conducted; more in-depth work will be done only when circumstances warrant it. For the 2010–11 fiscal year, special attention will be given to the following elements of the QMS:
  • The Role of the quality reviewer and of internal specialists
  • New practice advisories issued, standards, and methodology requirements
  • Risk analysis and development of the strategic audit approach
  • Senior management involvement

25. We will also continue striving to identify potential opportunities to improve efficiencies in the audits that are being carried out.

26. Performance reports tabled after November 2009 and before December 2010 will be included in the period under review. Annual audits with a year-end between September 2009 and August 2010 will be subject to practice reviews. Any special examination finalized between December 2009 and December 2010 will also be included in our period under review.

Office or product-wide practice reviews

27. In October 2008, we assessed the design of the Office’s Quality Management System for audits. We examined whether the Office’s QMS design met the General Standards of Quality Control for Firms Performing Assurance Engagements in TheCanadian Institute of Chartered Accountants (CICA) Handbook. We found areas that need to be improved to fully comply with professional standards and to ensure that the QMS is applied consistently across the Office. In April 2009, a management action plan was established to address all recommendations.

28. As mentioned earlier, in light of the 2008–09 practice review findings and upcoming changes in the assurance and financial reporting standards, the Office made updating and implementing its renewed methodology a strategic priority. Therefore, we do not plan any Office-wide practice reviews in the 2010–11 fiscal year. However, given the size and complexity of the Renewal of Audit Methodology (RAM) and related projects, the PRIA team will continue to monitor how recommendations in previous years are taken into consideration during the project and how overall progress on the project is reported to the Executive Committee.

29. In the 2011–12 fiscal year, depending on the progress made on the RAM project and the status of the QMS being developed, we will consider reviewing the design of the new QMS. We will consider the nature, extent, and timing of such a review, as it relates to the Office’s adoption of the new assurance standards on quality controls for firms. These standards are more commonly referred to as CSQC-1 (Canadian Standard on Quality Control—Quality control for firms that perform audits and reviews of financial statements, and other assurance engagements). A review of the role that the Information Technology (IT) team plays in helping annual audit teams conduct their audits will be considered in the 2012–13 fiscal year.

30. In addition, we will

• continue to follow up on management’s actions in response to the observations and recommendations made in practice review summary reports in previous years;
• consider the recommendations in the peer review report;
• continue monitoring the progress made on the RAM project;
• review the Office’s activities leading up to the adoption of the Canadian Auditing Standards, beginning in 2010, and International Financial Reporting Standards, beginning in 2011, and adjust our review programs accordingly; and
• place further emphasis on being on time and on budget in conducting PRIA activities.

Upcoming internal audits

31. Over the last several years, internal audit has covered areas considered low- and medium-risk, such as

• professional service contracts,
• security at headquarters and in the regions,
• travel,
• compensation and classification,
• hospitality expenses,
• human resource management and staffing, and
• controls over the GX financial transactions and reporting system.

Appendix C lists past internal audits.

32. In planning upcoming internal audits, we consider the areas of highest risk. The Overview of the Office’s Key Systems and Practices (Appendix D) identifies our key systems and practices. It is broadly based on the Office’s Financial Management Capability Model. It provides an overview of the Office’s activities as they relate to its systems and practices. While this is a high-level overview, it highlights the major systems and can be linked to the Office’s organizational structure.

33. As mentioned before, we have not identified any high-risk areas. We estimate that it would take about nine years to cover all of the low- and medium-risk areas. This means that within a 10-year mandate of an Auditor General, we could perform an internal audit of most low- and medium-risk areas.

34. The table entitled Systems and Practices Not Scheduled for Audit (Appendix E) identifies the systems and practices that were deemed to be low-risk and are not scheduled for internal audit at this time. Also identified are areas that are reviewed by another audit or review organization. For example, the audit of our financial statements is covered by external audit.

35. The following table identifies the proposed three-year plan for internal audits.

36. Our audit activities will also include following up on recommendations made in previous internal audits. Below is a description of the recommended internal audits over the next three fiscal years. They will be reassessed on a yearly basis and are based on our risk assessment, discussions with management, and resources available.

37. Contracting and procurement. The Office must maintain a high level of compliance in contracting and procurement. The Office spends more than $10.5 million on service contracts and capital acquisitions (for example, furniture and equipment, IT software and hardware). We will review the compliance with contracting and procurement requirements. Our work will also examine processes for acquiring or replacing new technology and equipment.

38. Management performance information. The Office reports on its operations using a set of external performance indicators and measures. Internal indicators for management are also used as part of its control framework. The internal audit will review the completeness, accuracy, and timeliness of performance information and indicators, which are used to support the Office’s business planning, risk management, resource decisions, and cost control.

Resources

39. The Office’s Practice Review and Internal Audit (PRIA) team operates with a core complement of three full-time equivalents—one principal, one director, and one audit project leader. To deliver our plan, we require temporary resources to help us conduct practice reviews. As in the past, we will continue counting on senior management to provide people at the principal and director levels. All practice reviews will be carried out internally.

40. External resources will be retained to assist in areas of special expertise and for internal audits, when necessary. Financial resources will be made available to the PRIA team, when necessary.

41. The following table summarizes PRIA team activity and the total level of effort planned for the 2010–11 fiscal year. A similar level of activity and effort is expected for the 2011–12 and 2012–13 fiscal years.

42. The PRIA team has 5,500 hours available. We will need additional resources (equivalent to 3,500 hours) to be provided by other internal groups to complete our planned activities for the year.

43. Individual practice reviews are expected to be mainly carried out during the following periods:

• Annual audits. From mid-September to end of October 2010. All reviews are expected to be completed by the end of October 2010.
• Performance audits. From mid-June to end of July 2010 for the spring 2010 tabling, and from early January to mid-February 2011 for the fall 2010 tabling. All reviews will be completed by the end of February 2011.
• Special examinations. Practice reviews will be conducted throughout the year because tabling of these reports is infrequent. All reviews are expected to be completed by December 2010.

Appendix A—Practice Review and Internal Audit Charter

Mission and scope of work

The purpose of the Practice Review and Internal Audit (PRIA) function is to provide independent and objective information, advice, consulting, and assurance services to the Auditor General to add value and improve the Office’s operations. This includes determining whether important OAG management systems for audit practices, administrative services, and management processes are appropriately designed and effectively operated to comply with legislative requirements, professional standards, the OAG’s policies, guiding principles, and Code of Values, Ethics and Professional Conduct and Quality Management System.

PRIA helps the Office accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of the risk management, control, and governance processes.

The spirit of the Treasury Board Policy on Internal Audit (April 1, 2006) is followed taking into consideration the special circumstances of the OAG mandate and the need to maintain the Office’s independent status.

PRIA follows The Canadian Institute of Chartered Accountants (CICA’s) General Standards of Quality Control for Firms Performing Assurance Engagements and other related CICA standards.

Accountability

The Auditor General is the client for practice review and internal audit reports. The Auditor General approves the scope and coverage of the practice review and internal audit plans, taking into account the advice of the Audit Committee. The plan focuses primarily on the provision of assurance services for the conduct of internal audits and practice reviews. Other services are provided by Practice Review and Internal Audit only as an exception.

Independence and Professional Qualifications

The Principal, Practice Review and Internal Audit, is responsible for the practice review and internal audit function and acts as the Chief Audit Executive (CAE) for the Office. The CAE is appointed by the Executive Committee. This position is independent from the Office’s management and operations. The CAE reports to the Deputy Auditor General and functionally to the Audit Committee, and has direct access to the Auditor General.

The CAE is required to hold an accounting designation (CA/CMA/CGA) or to be a Certified Internal Auditor.

The CAE has unfettered access to the Audit Committee.

PRIA will ensure that individuals involved in internal audits and practice reviews are sufficiently qualified and independent of the activities under examination.

Generally, the Office’s practices will meet the intent and spirit of the Treasury Board’s Internal Audit Policy. However, the Office will not provide the Comptroller General with access to internal audit staff and working papers as required by the Policy. By doing so, this access would put the Comptroller General in a management role in the implementation of the Policy and would compromise the independence of the Office if it were followed. The Office will not normally participate in government-wide audits initiated by the Comptroller General.

Practice review and internal audit reports will be made available to the public.

PRIA plans and results will be shared, on request, with the Advisory Panel on the Funding of Officers of Parliament and with the appropriate standing committees of the House of Commons.

Responsibilities and Operating Principles

Specifically, the Principal, Practice Review and Internal Audit, is responsible for

• developing and periodically reviewing PRIA’s charter, and obtaining Audit Committee approval;
• developing a practice review and internal audit plan that is consistent with the Office’s objectives, based on a risk assessment, done at least annually, and that considers the input of senior Office management and the Audit Committee;
• developing the guidance and tools to be used in carrying out reviews and audits;
• conducting practice reviews and internal audits;
• coordinating internal audit activities and plans with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of effort;
• meeting quarterly with the Auditor General;
• attending all meetings of the Audit Committee;
• reporting the results of practice reviews and internal audits to the Auditor General after review by the Audit Committee; and
• developing and maintaining a quality assurance and improvement process/practices that covers all aspects of PRIA and that continuously monitors its effectiveness.

All audit and other derived practices are subject to practice review, including

• performance audits of departments and agencies;
• financial audits of the Government of Canada, Crown corporations, territorial governments and corporations, and other entities;
• special examinations of Crown corporations;
• sustainable development monitoring activities;
• studies; and
• assessments of agency performance reports.

Practice reviews of a selection of completed audits will be performed on a cyclical basis and will include at least one engagement for each principal over three years (previously four).

Engagements are selected without prior notification to management.

Results of the practice reviews should be communicated at least annually to the Auditor General. The reports follow the CICA’s monitoring section of the general standards of quality control of the CICA’s General Standards of Quality Control for Firms Performing Assurance Engagements and include

• a description of the review procedures performed;
• the conclusions drawn from the review procedures;
• where relevant, a description of systemic, repetitive or other significant deficiencies and of actions taken to resolve or amend those deficiencies; and
• recommendations for appropriate remedial action.

Practice Review and Internal Audit will be periodically subject to independent reviews and findings will be presented to the Audit Committee.

In selecting areas for internal audit and practice review, PRIA uses a risk-based methodology and the criteria of significance, relevance, and auditability. As well, the scope includes all important aspects of the OAG’s risk management strategy and practices, management control frameworks and practices, and information used for decision-making and reporting.

PRIA has access to all OAG information needed to carry out its practice reviews and internal audits. All OAG employees are expected to cooperate fully with PRIA staff and staff assigned to conduct the work under the direction of PRIA.

Practice review and internal audit are elements of continuous improvement. They identify areas where improvements in systems, practices, or professional development can be made.

Openness and communication with management and staff characterize all practice reviews and internal audits. The views of key players are sought before a PRIA report is finalized.

Practice reviews and internal audit reports together with management responses are presented to the Executive Committee for information.

PRIA will follow up and report semi-annually to the Audit Committee and the Auditor General on management’s action plans resulting from practice review and internal audit recommendations, to ensure that necessary corrective actions are implemented.

The Office will ensure that the necessary financial and human resources, including staff at an appropriate level and with appropriate experience, are made available to the principal, Practice Review and Internal Audit to conduct the reviews and audits based on approved plans.

PRIA follows the OAG’s Code of Values, Ethics, and Professional Conduct, which is intended to be consistent with that of professional associations, and in some cases may be more specific or demanding.

Secretarial Support

The Office will provide a secretary to the Audit Committee. The Chief Audit Executive will assist the secretary in facilitating the work of the Audit Committee.

Appendix B—Coverage of Quality Management System Elements

Appendix C—Past Internal Audits

Over the last several years, internal audit has covered areas considered low- and medium‑risk. No high risk areas were identified.

1. Professional services contracting—December 2001
2. Security at Headquarters—August 2003
3. Security at Regional offices—January 2004
4. Travel—January 2004
5. Classification and Compensation—December 2004
6. Hospitality expenses—December 2005
7. Management of Human resources and Professional Development Function—April 2006
8. Staffing—May 2008
9. Assessment of the design of the OAG’s Quality Management System—October 2008
10. Controls over financial transactions and GX financial reporting system—November 2009

Appendix D—Overview of OAG Key Systems and Practices

Lead Organizational Unit

[text version]

Appendix E—Systems and Practices Not Scheduled for Audit