Practice Review and Internal Audit—Multi-year Plan for Fiscal Years 2011–12 to 2013–14

Executive Summary

The Practice Review and Internal Audit (PRIA) team conducts practice reviews of audit products and conducts internal audits of management and administration within the Office of the Auditor General. This is part of the Office’s governance and internal control framework.

The PRIA team provides independent and objective information, advice, consulting, and assurance services to the Auditor General to improve and add value to audit practices and Office operations, through learning and continuous improvement.

This document sets out an updated three-year Practice Review and Internal Audit Plan. The following factors have been taken into account in this plan:

  • Overall, the Office has good controls in place. The Office has no high-risk areas related to the administrative systems and practices that the PRIA team should consider priorities. However, the implementation of new audit and financial reporting standards increases the risk to the success of the Office’s Quality Management System (QMS) for financial audits.
  • Because we follow The Canadian Institute of Chartered Accountants (CICA) quality control standards, we must conduct a certain number of practice reviews every year. As well, our audit products represent areas of higher risk than our administrative practices. As a result, we devote most of our resources to practice reviews.

Practice review work. During the 2011–12 fiscal year, we will

  • conduct practice reviews that will involve five performance audit principals and eight financial audit principals (but conduct no practice reviews of special examinations);
  • conduct a financial audit practice-wide review of the application of the new auditing standard, CAS 600, Special Considerations—Audits of Financial Statements (Including the Work of Component Auditors);
  • follow up on outstanding actions to be taken by management on previous Practice Review and Peer Review observations and recommendations;
  • follow up on actions taken by management to address previous practice review observations on agency performance reports (but not review any assessments of agency performance reports); and
  • update our practice review programs to reflect the new Canadian Assurance standards and financial reporting standards—Public Sector Accounting (PSA) and International Financial Reporting Standards (IFRS) requirements.

For the 2012–13 fiscal year, we are considering a review of implementation of the standards on quality controls for firms, which are more commonly referred to as CSQC-1 (Canadian Standard on Quality Control—Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements). For the 2013–14 fiscal year, we are considering a review of the role of the Information Technology and Controls Assurance teams in assisting financial audit teams.

We expect similar practice review coverage in the 2012–13 and 2013–14 fiscal years for performance and financial audits. A total of four special examinations practice reviews are expected to be performed from 2011–12 to 2013–14.

Internal audit work. Internal audit work is minimal due to the relatively low control risk and the emphasis given to practice reviews. In addition to following up on outstanding recommendations, our current plan for internal audit is as follows:

  • In the 2011–12 fiscal year, we will conduct an audit of financial budgeting and management. This internal audit will review the adequacy of budgetary planning, control, and reporting cycles. It will also assess whether financial planning and budgeting is supported by timely, complete, and accurate information.
  • In the 2012–13 fiscal year, we will consider examining the management of performance information.
  • In the 2013–14 fiscal year, we will consider examining contracting and procurement.

In the 2011–12 fiscal year, we plan to invest about 9,000 hours in practice reviews and internal audits. About two-thirds of this work will be performed by the core PRIA team; the remaining third will be assigned to others in the Office. Individual practice reviews will be carried out internally, by principals and directors.

As in the past, we count on senior management to provide us with staff at the principal and director levels, so we can carry out practice reviews. External resources are retained to assist in areas of special expertise as necessary.

This plan will be summarized in our Report on Plans and Priorities, and the results will be summarized in our Performance Report. Both documents will be posted on the Office’s website.

Introduction

1. The Office of the Auditor General of Canada (the Office) conducts independent audits and provides objective information, advice, and assurance to Parliament, territorial legislatures, and Canadians. It has several product lines, including financial audits, performance audits, and special examinations. Its audit work is guided by a Quality Management System (QMS).

2. The Auditor General is the client for practice review and internal audit reports. The Auditor General approves the scope and coverage of the practice review and internal audit plans, taking into account the advice of the Audit Committee.

3. While the primary purpose of practice reviews and internal audits is to provide assurance to the Auditor General, they are also a learning opportunity for the rest of the Office to improve the overall audit practice and quality of operations.

4. This document provides a rolling three-year plan for Practice Review and Internal Audit (PRIA) team activities for the 2011–12, 2012–13, and 2013–14 fiscal years. Specific audits for the 2012–13 and 2013–14 fiscal years will be reviewed and approved in each of those years.

5. The proposed PRIA plan was developed in compliance with the spirit of the Treasury Board’s Policy on Internal Audit, as captured in the Office’s Practice Review and Internal Audit Charter. The Charter requires preparing a plan based on an environmental scan and a systematic identification of business risks.

6. The plan is discussed with the Executive Committee and the Audit Committee before being approved by the Auditor General.

Background

7. The Office’s audit work is guided by a rigorous methodology and a Quality Management System (QMS). Internal and external reviews of audit practices and audit operations provide the Office with independent assurance that audits and operations are conducted according to established standards of professional practice. The Office’s internal and external review regime includes practice reviews, internal audits, peer reviews, professional inspections by provincial institutes, and external audit of the Office’s financial statements. The results of these reviews, combined with a risk assessment, serve to guide the work of the Practice Review and Internal Audit (PRIA) team.

8. The PRIA team conducts internal practice reviews of the Office’s audit products, as well as internal audits of the Office’s management and administrative systems and practices. The purpose of the PRIA function is to provide the Auditor General with objective and timely information, advice, consultations, and assurance to improve and add value to the Office’s operations. This includes determining whether the Office’s management systems for audit products, administrative activities, and management processes are appropriately designed and effectively operated. It also involves determining whether these systems comply with legislative requirements and professional standards, as well as the Office’s

  • policies and guiding principles;
  • Code of Values, Ethics, and Professional Conduct; and
  • Quality Management System.

(See Appendix A for more information.)

9. Internal practice reviews also assess whether the opinions and conclusions presented in our audit reports are appropriate and supported.

10. Practice reviews. Any Office product can be subject to a practice review. However, the majority of practice reviews are of selected financial audits, performance audits, special examinations, and assessments of agency performance reports. These reviews are conducted according to the monitoring section of the Canadian Standard on Quality Control—Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and other assurance engagements, a standard of The Canadian Institute of Chartered Accountants (CICA) Handbook (Section CSQC–1, December 2009). The reviews are used to monitor compliance with quality control policies and procedures to evaluate whether

  • professional standards and regulatory and legal requirements have been adhered to;
  • the quality control system has been appropriately designed and effectively implemented; and
  • the Office’s quality control policies and procedures have been appropriately applied, so that reports that are issued are appropriate in the circumstances.

11. Practice reviews can be used to examine selected elements of the Office’s QMS, as they apply to individual audits or to multiple product lines. At the end of the year, a summary report is prepared for each audit product line.

12. Internal Audits. Internal audits are conducted according to the Office’s Practice Review and Internal Audit Charter, which is based on the standards of the Institute of Internal Auditors and the Treasury Board Policy on Internal Audit and takes into account the Office’s mandate and ability to maintain its independent status.

13. The results of internal audits or practice reviews are shared with the responsible assistant auditor general, product leader, Assistant Auditor General of the Professional Practices Group, and responsible manager, when applicable. The appropriate managers and assistant auditors general prepare the management response and an action plan. The report then goes to the Audit Committee for review and recommendation for approval by the Auditor General, then to the Auditor General for her approval, and then to the Executive Committee.

14. Our PRIA plans are summarized in our reports on plans and priorities, and the results are summarized in our departmental performance reports. Both documents are posted on the Office’s website.

Key Success Factors

15. The Practice Review and Internal Audit (PRIA) team could not do its work without the collaboration of the Office’s management and staff. In order to ensure that internal reviews and audits are conducted efficiently and effectively and that they result in meaningful outcomes, a number of key requirements need to be in place, notably,

  • sufficient and appropriate resources to carry out PRIA’s core mandate,
  • available and competent Office staff assigned to practice reviews and internal audits,
  • timely access to all necessary information and documentation,
  • timely feedback from management and practitioners on report drafts and recommendations for improvement, and
  • a focus on learning and continuous improvement.

Developing the Multi-year Plan

16. In developing the Multi-year Plan for Practice Review and Internal Audit (PRIA), we consulted with the audit product leaders, corporate service leaders, and selected individuals, including those in charge of audit methodology and strategic planning. We requested their input so that we could better understand their upcoming plans and priorities, and the operational risk, as well as identify areas of audit. Our plan builds on the experience and lessons learned from previous years. In developing the plan, we have also considered the Office’s Integrated Risk Management Framework. We also considered the findings from internal and external reviews, notably,

  • the 2010 international peer review results,
  • past provincial institutes of chartered accountants inspections and external audit results,
  • upcoming changes to professional standards and Office policies and methodology, and
  • any special requests from the Auditor General.

17. In compliance with the spirit of the Treasury Board Policy on Internal Audit, the OAG’s Practice Review and Internal Audit Charter requires us to prepare an internal audit plan that is based on a systematic identification of business risks. This plan identifies relevant key systems and practices (Appendix E). Auditable components are identified, along with a risk and control assessment. Appendix F identifies low-risk activities and activities not scheduled for audit, as well as the reasons they are not included for audit. This forms the basis for selecting internal audits annually.

18. We considered the Office’s integrated risk management system, in which management had assessed that most areas were well managed but that some areas, related to ensuring compliance with audit standards and controlling audit costs, still required attention. The most notable plan to address these areas is the Renewal of Audit Methodology (RAM) project launched in 2009.

19. The purpose of the RAM project is to revise and update the audit methodology for all products and the OAG’s system of quality control. The project also includes revising and updating related audit tools and checklists, as well as delivering specific training. In addition, it has a change management component to ensure that the methodology is put into practice. Management has established a target completion date of December 2011 for the following audit product streams: System of Quality Control, Performance Audits, and Special Examinations. The Renewal of Audit Methodology for the Annual Audit Practice is being done in two phases. The first phase has been completed. Methodology compliant with Canadian Auditing Standards (CAS) was prepared and training provided. Planning for the second phase was under way at the end of November 2010 and is expected to be completed by December 2012.

20. We recognize that the Office is in a period of change. Our risk assessment and review of controls indicate that the Office has good controls in place and that there are no high-risk areas related to administrative systems and practices.

21. However, we recognize that significant changes in Canadian auditing standards and the introduction of International Financial Reporting Standards (IFRS) affect our activities and constitute the biggest change to standards in recent times. A large number of the entities we audit are changing the basis of accounting used to prepare their financial statements—some to IFRS and others to Public Sector Accounting (PSA) Standards. As a result, the financial statements that we are responsible for auditing are changing, as well as the manner in which we conduct and report our audits. These changes, along with the observations raised by the peer reviewers and the practice reviews conducted this year and in previous fiscal years, pose an increased risk for financial audits.

22. Our proposed three-year plan will help ensure effective coverage, on a cyclical basis, of all QMS elements.

Upcoming practice reviews

Principles and criteria for selection of engagements to be reviewed

23. Audit practices for financial audits, performance audits, and special examinations are well established. For each product line, there is a methodology that guides auditors and ensures the quality of the practice. The guidance includes

  • a quality management system (QMS),
  • audit manuals,
  • practice advisories, and
  • numerous templates and guidelines.

24. All engagements are subject to practice review, including

  • performance audits of departments and agencies;
  • financial audits of the Government of Canada, Crown corporations, territorial governments and corporations, and other entities—including departmental financial statements;
  • special examinations of Crown corporations;
  • sustainable development monitoring activities;
  • studies;
  • assessments of agency performance reports; and
  • any other assurance products.

25. The Auditor General’s Report on Matters of Special Importance and the Commissioner’s Perspective are not subject to practice reviews. The practice review coverage of the legislative auditing practice is based on a risk assessment of audit products and on systematic monitoring of the work of all principals (the senior audit professional of an audit team). Practice reviews are normally conducted over a monitoring cycle that spans three years for financial audits and five years for performance audits. Special examinations and other office products are reviewed as required. The selection of engagements to be reviewed is based on a set of criteria (see Appendix B).

26. To be consistent with Canadian Auditing Standards, each principal will usually have at least one engagement reviewed in a monitoring cycle. If deficiencies are noted in a practice review of a principal or if there are specific risks to the Office, the next practice review of that principal could be accelerated. If a principal is responsible for more than one type of engagement (for example, financial audit and performance audit), the principal is subject to a review of engagements in each monitoring cycle. Regional offices are subject to the same monitoring cycle.

Activities planned

27. Activities planned for the 2011–12 fiscal year include the following:

  • An update of the practice review programs for all product lines to reflect changes in the methodology and professional standards.
  • Practice reviews of
    • five performance audits, and
    • eight financial audits.
  • No special examination practice reviews. In March 2009, the Financial Administration Act was amended to change the five-year reporting cycle to ten years. More than forty special examinations are expected to be carried out between 2011–12 and 2017–18, for an average of about five per year. Twelve special examinations are expected to be finalized between 2011–12 and 2013–14. Due to their infrequency, special examinations will be the subject of only four practice reviews, which will be conducted in the latter period.
  • A financial audit practice-wide review focused on the application of the new auditing standard, CAS 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditor). More specifically, this review will focus on the application of the specific requirements regarding the nature, timing, and extent of procedures to be performed in the context of group audits (i.e. audit strategy, plan, component auditors, materiality, communications with component auditor, group management and those charged with governance) in conducting the audits.
  • Follow up on recommendations stemming from reviews in prior years (although no reviews of assessment of agency performance reports are planned).
  • Follow up on outstanding actions to be taken by management on previous Practice Review and Peer Review observations and recommendations.

28. For each practice review, a review that focuses on key or risky elements of the QMS and professional standards will be conducted. For the 2011–12 fiscal year, special attention will be given to

  • observations raised in previous practice review reports and peer review observations,
  • new practice advisories issued, standards, and methodology requirements,
  • implementation of the CASs for financial audits,
  • the role of the quality reviewer and of internal specialists,
  • risk analysis and development of the strategic audit approach, and
  • senior management involvement.

29. We will also continue striving to identify potential opportunities to improve efficiencies in the audits that are being carried out.

30. Performance reports tabled between December 2010 and December 2011 will be included in the period under review. Financial audits with a year-end between July 2010 and July 2011 will be subject to practice reviews.

Overview of the Office’s Legislative Auditing Practice

Total legislative auditing principals (leading one product or more): 44

Performance Audit Practice
  • Number of principals responsible: 29
  • Number of performance audits to be reported in 2011–12: 33
  • Number of principals reporting a performance audit in 2011–12: 24
  • Number of principals to undergo a practice review during the 2011–12 fiscal year: 5

Financial Audit Practice

Crown corporations and other entities, territorial entities, and international entities for which the Office performs an audit each year
  • Number of annual audits: 124
  • Number of principals responsible: 28

Audit of the summary financial statements of the Government of Canada
  • Number of large entities: 26
  • Number of principals responsible: 16
  • Number of principals to undergo a practice review during the 2010–11 fiscal year: 8

Special Examinations Audit Practice for Round 5 (between the 2007–08 and 2017–18 fiscal years)

Crown corporations for which a special examination is currently conducted every 10 years
  • Number of Round 5 special examinations: 42
  • Number of principals responsible: 15
  • Number of special examinations to be completed in the 2011–12 fiscal year: 2
  • Number of principals to undergo a practice review during the 2011–12 fiscal year: 0

Office or product-wide practice reviews

31. In our 2010–11 PRIA plan, we indicated our intention, depending on the progress made on RAM and the status of the product-wide QMS project, to review the design of the new QMS as it relates to the CSQC–1 (Canadian Standard on Quality Control—Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and other Assurance Engagements). We are of the view that it is too soon to conduct such a review, since the Office does not anticipate completing this project before the end of December 2011. We therefore recommend delaying this project to 2012–13.

32. A review of the role that the Information Technology (IT) and Controls Assurance teams play in helping financial audit teams conduct their audits will be considered in the 2013–14 fiscal year given the recent approval of the strategic plan on control assurance in financial audits.

Upcoming internal audits

33. Over the last several years, internal audit has covered areas considered low- and medium-risk, such as

  • professional service contracts,
  • security at headquarters and in the regions,
  • travel,
  • compensation and classification,
  • hospitality expenses,
  • human resource management and staffing, and
  • controls over financial transactions and the reporting system.

Appendix D lists past internal audits.

34. In planning upcoming internal audits, we consider the areas of highest risk. The Overview of OAG Key Systems and Practices (Appendix E) identifies our key systems and practices. It is broadly based on the Office’s Financial Management Capability Model. It provides an overview of the Office’s activities as they relate to its systems and practices. While this is a high-level overview, it highlights the major systems and can be linked to the Office’s organizational structure.

35. As mentioned before, we have not identified any high-risk areas. We estimate that it would take about nine years to cover all of the low- and medium-risk areas. This means that within the 10-year mandate of an Auditor General, we could perform an internal audit of most low- and medium-risk areas.

36. The table entitled Systems and Practices Not Scheduled for Audit (Appendix F) identifies the systems and practices that were deemed to be low-risk and are not scheduled for internal audit at this time. Also identified are areas that are reviewed by another audit or review organization. For example, the audit of our financial statements is covered by external audit.

Activities planned

37. The following table identifies the proposed three-year plan for internal audits.

Proposed internal audits for the next three years
| Fiscal year | Internal audit project | Estimated hours |
|---|---|---|
| 2011–12 | Financial budgeting and management | 1,000 |
| 2012–13 | Management of performance information | 1,000 |
| 2013–14 | Contracting and procurement, including IT purchases | 1,000 |

38. Our audit activities will also include following up on recommendations made in previous internal audits. Following is a description of the recommended internal audits over the next three fiscal years. They will be reassessed on a yearly basis and are based on our risk assessment, discussions with management, and resources available.

39. Due to other pressing priorities, the PRIA self-assessment against the Internal Audit Capability Model developed by the Institute of Internal Auditors will be postponed to 2012–13.

40. Financial budgeting and management. This internal audit will review the adequacy of budgetary planning, control, and reporting cycles. It will also assess whether financial planning and budgeting is supported by timely, complete, and accurate information.

41. Management of performance information. The Office reports on its operations using a set of external performance indicators and measures. Internal indicators for management are also used as part of its control framework. The internal audit will review the completeness, accuracy, and timeliness of performance information and indicators, which are used to support the Office’s business planning, risk management, resource decisions, and cost control.

42. Contracting and procurement. The Office must maintain a high level of compliance with contracting and procurement policies and guidelines. The Office spends about $10 million on service contracts and capital acquisitions (for example, furniture and equipment, IT software and hardware). We will review compliance with contracting and procurement requirements, along with Office service standards. Our work will also examine processes for acquiring or replacing new technology and equipment.

Resources

43. The Office’s Practice Review and Internal Audit (PRIA) team operates with a core complement of three full-time equivalents—one principal, one director, and one audit project leader. To deliver our plan, we require temporary resources to help us conduct practice reviews. As in the past, we will continue counting on senior management to provide people at the principal and director levels. All practice reviews will be carried out internally.

44. External resources will be retained to assist in areas of special expertise and for internal audits, when necessary. Financial resources will be made available to the PRIA team, when necessary.

45. The following table summarizes PRIA team activities and the total level of effort planned for the 2011–12 fiscal year. A similar level of activity and effort is expected for the 2012–13 and 2013–14 fiscal years.

PRIA team activities and effort planned for the 2011–12 fiscal year
| Activity | PRIA team hours | Others | Total hours |
|---|---|---|---|
| Practice Review | 4,000 | 3,500 | 7,500 |
| Internal Audit | 1,000 | 0 | 1,000 |
| PRIA subtotal | 5,000 | 3,500 | 8,500 |
| Management and administration, including planning, meetings, and stakeholder relationships | 500 | 0 | 500 |
| Total hours for the 2011–12 fiscal year | 5,500 | 3,500 | 9,000 |

46. The PRIA team has 5,500 hours available. We will need additional resources (equivalent to 3,500 hours) to be provided by other internal groups to complete our planned activities for the year.

47. Individual practice reviews are expected to be carried out mainly during the following periods:

  • Financial audits. From mid-September to mid-November 2011. All reviews are expected to be completed by the end of November 2011.
  • Performance audits. From September 2011 to October 2011 for the spring 2011 tablings, and from early January to mid-February 2012 for the fall 2011 tabling. All reviews will be completed by the end of February 2012.
  • Special examinations. No reviews are expected to be conducted in 2011–12.

Appendix A—Practice Review and Internal Audit Charter

Mission and scope of work

The purpose of the Practice Review and Internal Audit (PRIA) function is to provide independent and objective information, advice, consulting, and assurance services to the Auditor General to add value and improve the Office’s operations. This includes determining whether important OAG management systems for audit practices, administrative services, and management processes are appropriately designed and effectively operated to comply with legislative requirements, professional standards, and the OAG’s policies, guiding principles, Code of Values, Ethics and Professional Conduct, and Quality Management System.

PRIA helps the Office accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of the risk management, control, and governance processes.

The spirit of the Treasury Board Policy on Internal Audit (1 July 2009) is followed taking into consideration the special circumstances of the OAG mandate and the need to maintain the Office’s independent status.

PRIA follows the Canadian Institute of Chartered Accountants’ (CICA) General Standards of Quality Control for Firms Performing Assurance Engagements and other related standards.

Accountability

The Auditor General is the client for practice review and internal audit reports. The Auditor General approves the scope and coverage of the practice review and internal audit plans, taking into account the advice of the Audit Committee. The plan focuses primarily on the provision of assurance services for the conduct of internal audits and practice reviews. Other services are provided by Practice Review and Internal Audit only as an exception.

Independence and Professional Qualifications

The Principal, Practice Review and Internal Audit, is responsible for the practice review and internal audit function and acts as the Chief Audit Executive (CAE) for the Office. The CAE is appointed by the Executive Committee. This position is independent from the Office’s management and operations. The CAE reports to the Deputy Auditor General and functionally to the Audit Committee, and has direct access to the Auditor General.

The CAE is required to hold an accounting designation (CA/CMA/CGA) or to be a Certified Internal Auditor.

The CAE has unfettered access to the Audit Committee.

PRIA will ensure that individuals involved in internal audits and practice reviews are sufficiently qualified and independent of the activities under examination.

Generally, the Office’s practices will meet the intent and spirit of the Treasury Board’s Internal Audit Policy. However, the Office will not provide the Comptroller General with access to internal audit staff and working papers as required by the Policy. Providing this access would put the Comptroller General in a management role in the implementation of the Policy and would compromise the independence of the Office. The Office will not normally participate in government-wide audits initiated by the Comptroller General.

Practice review and internal audit reports will be made available to the public.

PRIA plans and results will be shared, on request, with the Advisory Panel on the Funding of Officers of Parliament and with the appropriate standing committees of the House of Commons.

Responsibilities and Operating Principles

Specifically, the Principal, Practice Review and Internal Audit, is responsible for:

  • developing and periodically reviewing PRIA’s charter, and obtaining Audit Committee approval;
  • developing a practice review and internal audit plan that is consistent with the Office’s objectives, based on a risk assessment, done at least annually, and that considers the input of senior Office management and the Audit Committee;
  • developing the guidance and tools to be used in carrying out reviews and audits;
  • conducting practice reviews and internal audits;
  • coordinating internal audit activities and plans with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of effort;
  • meeting quarterly with the Auditor General;
  • attending all meetings of the Audit Committee;
  • reporting the results of practice reviews and internal audits to the Auditor General after review by the Audit Committee and where applicable providing the Audit Committee and the Auditor General with an annual assurance report; and
  • developing and maintaining a quality assurance and improvement process/practices that covers all aspects of PRIA and that continuously monitors its effectiveness.

All engagements are subject to practice review including:

  • performance audits of departments and agencies;
  • financial audits of the Government of Canada, Crown corporations, territorial governments and corporations and other entities;
  • special examinations of Crown corporations;
  • sustainable development monitoring activities;
  • studies;
  • assessments of agency performance reports; and
  • forensic audits.

Practice reviews of a selection of completed audits will be performed on a cyclical basis and will include at least one engagement by product line for each Principal over the monitoring cycles approved by the Auditor General.

Engagements are selected without prior notification to management.

Results of the practice reviews are communicated to the audit teams and others as appropriate and should be communicated at least annually to the Auditor General. The reports follow the monitoring section of the CICA’s General Standards of Quality Control for Firms Performing Assurance Engagements and include:

  • a description of the review procedures performed;
  • the conclusions drawn from the review procedures;
  • where relevant, a description of systemic, repetitive or other significant deficiencies and of actions taken to resolve or amend those deficiencies; and
  • recommendations for appropriate remedial action.

Practice Review and Internal Audit will be periodically subject to independent reviews and findings will be presented to the Audit Committee.

In selecting areas for internal audit and practice review, PRIA uses a risk-based methodology and the criteria of significance, relevance, and auditability. As well, the scope includes all important aspects of the OAG’s risk management strategy and practices, management control frameworks and practices, and information used for decision-making and reporting.

PRIA has access to all OAG information needed to carry out its practice reviews and internal audits. All OAG employees are expected to cooperate fully with PRIA staff and staff assigned to conduct the work under the direction of PRIA.

Practice review and internal audit are elements of learning and continuous improvement. They identify areas where improvements in systems, practices, or professional development can be made.

Openness and communication with management and staff characterize all practice reviews and internal audits. The views of key players are sought before a PRIA report is finalized.

Practice reviews and internal audit reports together with management responses are presented to the Executive Committee for information.

PRIA will follow up and report semi-annually to the Audit Committee and the Auditor General on management’s action plans resulting from practice review and internal audit recommendations, to ensure that necessary corrective actions are implemented.

The Office will ensure that the necessary financial and human resources, including staff at an appropriate level and with appropriate experience, are made available to the Principal, Practice Review and Internal Audit to conduct the reviews and audits based on approved plans.

PRIA follows the OAG’s Code of Values, Ethics, and Professional Conduct, which is intended to be consistent with that of professional associations, and in some cases may be more specific or demanding.

Secretarial Support

The Office will provide a secretary to the Audit Committee. The Chief Audit Executive will assist the secretary in facilitating the work of the Audit Committee.

Appendix B—Criteria for Selection of Engagements for Review

The selection of engagements to be reviewed is determined based on the following criteria:

  • type of engagement (financial audit, performance audit, special examination, forensic audit, or other);
  • whether the practitioner has had an engagement reviewed in the monitoring cycle;
  • public sensitivity of the engagement;
  • risk associated with the engagement;
  • results of previous review procedures;
  • audit cost;
  • whether or not there is a quality reviewer assigned to the audit;
  • experience of the practitioner;
  • complexity of the engagement;
  • special request from the Executive Committee, the Auditor General, or the Audit Committee; and
  • any other criteria determined and documented by Practice Review.

Engagements will usually be selected without prior notification to the assurance team. Engagements selected for review are confidential.

Appendix C—Coverage of Quality Management System Elements

| Quality Management System Element | Coverage: Practice Review | Coverage: Internal Audit |
|---|---|---|
| Leadership and Planning | | |
| Strategic direction | | N/A |
| Selecting the audit | X | |
| Operational planning | | X |
| Methodology | X | |
| Audit Management | | |
| Conducting the audit | X | |
| Managing the project | X | X |
| Planning the audit | X | |
| Obtaining accessible, sufficient, and appropriate evidence | X | |
| Reporting the audit | X | |
| Consultation | X | |
| Independence, objectivity, and integrity | X | |
| Security, access, and file retention | X | X |
| Client Focus | | |
| Communicating audit message | X | |
| Feedback from clients and stakeholders | | X |
| Effective reporting | X | |
| People Management | | |
| Resourcing | X | X |
| Leadership and supervision | X | |
| Respectful workplace | X | |
| Performance management | | X |
| Professional development | | X |
| Continuous Improvement | | |
| Practice review | N/A | N/A |
| Lessons learned | X | X |

Appendix D—Past Internal Audits

Over the last several years, internal audit has covered areas considered low- and medium-risk. No high-risk areas were identified.

  1. Professional services contracting—December 2001
  2. Security at Headquarters—August 2003
  3. Security at Regional offices—January 2004
  4. Travel—January 2004
  5. Classification and Compensation—December 2004
  6. Hospitality expenses—December 2005
  7. Management of Human resources and Professional Development Function—April 2006
  8. Staffing—May 2008
  9. Assessment of the design of the OAG’s Quality Management System—October 2008
  10. Controls over financial transactions and GX financial reporting system—November 2009
  11. Hospitality Spending—December 2010

Appendix E—Overview of OAG Key Systems and Practices

[Diagram: Lead Organizational Unit]

Appendix F—Systems and Practices Not Scheduled for Audit

| Excluded System/Practice | Exclusion Code¹ |
|---|---|
| Corporate Office | |
| Internal Audit (subject to external review) | E2 |
| Practice Review (subject to peer review) | E2 |
| International Relations | E1 |
| Human Resources Group | |
| Employee Relations | E1 |
| Official Languages | E2 |
| Employment Equity | E2 |
| Mentoring, Awards, and Recognition | E1 |
| Access to Information | E2 |
| Comptroller’s Group | |
| Facilities Management | E1 |
| Public Accounts and Financial Statements (audited by external auditors) | E2 |
| Knowledge Management Group | |
| Library/Records Management | E1 |
| Information Technology | |
| Hardware/Software | E1 |
| Communications | |
| Internal | E1 |
| Media Relations | E1 |
| Public Enquiries | E1 |
| Parliamentary Liaison | |
| Liaison | E1 |
| Parliamentary Appearances | E1 |

¹ The exclusion code gives the reason for exclusion from audit, as follows:

E1: low risk
E2: audit or review by another organization

 
