2011 June Status Report of the Auditor General of Canada

Chapter 3—Internal Audit

Main Points

Introduction

What we found in 2004
Events since 2004
Focus of the audit

Observations and Recommendation

Departmental audit committees

Independent departmental audit committees have been established
Audit committee charters were created in keeping with the Policy on Internal Audit
Audit committee members received appropriate training
Audit committees are at varying stages of development
Independent departmental audit committees have had a positive effect

Internal audit

Reporting relationships support the independence of internal audit
Annual audit plans focus on key risks
The results of internal audit work need to be reported clearly
Few departments have had an external quality assessment review

Office of the Comptroller General of Canada

The Office of the Comptroller General provides leadership and guidance to the internal audit community

Conclusion

About the Audit

Appendix—List of recommendations

Exhibits:

3.1—Roles and responsibilities for implementing the Policy on Internal Audit

3.2—Purpose of a quality assessment review

3.3—Progress in addressing our recommendations on departmental audit committees

3.4—Canadian Heritage uses a rating system to identify whether controls are adequate

3.5—Quality assessment reviews use three categories to assess conformity to the IIA Standards

3.6—Most of the departments we selected met the requirements of the Policy on Internal Audit and the IIA Standards

3.7—Progress in addressing our recommendation on external quality assessments

3.8—Departments did not use all of the funds they received for continuing professional development of internal audit staff

3.9—Progress in addressing our recommendations on staffing internal audit and audit coverage

Main Points

What we examined

In November 2004, we reported considerable variation among six federal organizations in the extent to which their internal audit activity met the international standards for the professional practice of internal auditing issued by the Institute of Internal Auditors. We also reported the extent to which they complied with the Treasury Board Policy on Internal Audit. We found that the Treasury Board of Canada Secretariat had yet to establish and fund a strategy that would enable it to meet the requirements of the Policy and the expectations of the internal audit community. We made a number of recommendations aimed at improving the quality of internal audit across government.

Our 2004 report noted that, effective 1 June 2004, the government had re-established the Office of the Comptroller General to strengthen comptrollership and oversight across the federal government. The Comptroller General’s key duties included setting or reviewing internal auditing standards and policies of the Government of Canada, providing leadership to ensure and enforce appropriate internal controls, and promoting sound resource stewardship at all levels across the federal government.

For this status report, we examined the extent of progress made by the government in acting upon the commitments it made in response to the observations and recommendations of our 2004 report. We looked at whether independent audit committees had been established in the 24 largest departments and agencies that represent about 95 percent of the government’s total assets, liabilities, revenues, and expenses. We assessed the practices and procedures used by a sample of internal audit activities. We also looked at whether the Office of the Comptroller General provided appropriate oversight and guidance to the internal audit activity in departments.

Audit work for this chapter was substantially completed on 28 November 2010.

Why it’s important

Internal audit is an important element of good governance. An effective internal audit activity can provide senior management with objective, independent assurance that the organization’s financial, administrative, and operational controls and management practices are effective. It can also suggest improvements that may be needed.

What we found

  • The government has made satisfactory progress in acting upon the commitments it made in response to the observations and recommendations of our 2004 audit.
  • Independent departmental audit committees have been established in the 24 large departments; the majority of their members are from outside the federal public administration and have the collective skills and experience required to provide deputy heads of departments with objective advice and recommendations. Departmental audit committees are at varying stages in developing their practices and procedures. Some committees have been in effect for three years and others less than one year. We noted that the Canada Revenue Agency established its audit committee in 1999. We have also noted the positive impact that established departmental audit committees are having in contributing to stronger internal audit in government.
  • The government has strengthened its internal audit capacity since our last audit in 2004. While few internal audit activities in departments have undergone an external quality assessment review, our own review of a sample of internal audit activities found that they generally or partially conformed to policy requirements and to the standards of the Institute of Internal Auditors. Internal audit reports we reviewed met those standards and requirements. We noted that the strong senior management support for internal audit, coupled with the impact of departmental audit committees has been accompanied by a strengthened internal audit capacity. Senior management has indicated that it has a greater appreciation of the role that internal audit can and should play within an organization.
  • The Office of the Comptroller General has provided direction and guidance to the internal audit and departmental audit committee communities through the establishment of a sound policy framework and related guidance. We noted, for example, orientation material that included roles, responsibilities, and expectations of audit committee members. The Office of the Comptroller General has also developed tools and guidance for the internal audit community, such as risk-based audit plans and guidance on core controls.

The entities have responded. The entities agree with our recommendation. Their detailed responses follow the recommendation in the chapter.

Introduction

3.1 An effective internal audit activity is a fundamental component of strong governance. It can provide senior management and audit committees with assurances that key financial, administrative, and operational activities, and the organization’s management practices, are efficient and effective. An internal audit can also suggest ways to improve these activities and practices.

3.2 Internal audit is one of several ways that an organization may assess and oversee management practices and find out whether the organization is achieving its objectives. Other ways include program evaluation, studies, and monitoring whether the organization’s practices are adequate and effective.

3.3 The attributes of independence and objectivity distinguish internal auditing from other activities within an organization that review internal practices.

3.4 The Treasury Board Policy on Internal Audit (the Policy) gives the guidelines for internal audit activities that departments are to follow. Roles and responsibilities for implementing the Policy are summarized in Exhibit 3.1.

Exhibit 3.1—Roles and responsibilities for implementing the Policy on Internal Audit

Who Roles and responsibilities

Deputy heads

  • Establish an internal audit activity that is appropriately resourced and that operates in keeping with the Policy and with the Institute of Internal Auditors (IIA) Standards.
  • Form an independent departmental audit committee, where a majority of members are from outside the federal public administration.
  • Appoint a qualified chief audit executive at a senior executive level to lead and direct the internal audit activity. The chief audit executive reports directly to the deputy head.
  • Approve a departmental internal audit plan that addresses all areas of higher risk and significance, including audits the Comptroller General has identified as part of government-wide or sectoral coverage. This plan is to be designed to support an annual opinion from the chief audit executive on departmental risk management, control, and governance processes.
  • Ensure appropriate internal audit coverage for special operating agencies and other entities within their departments and under their control.

Departmental audit committees

As part of their mandate, committees review and report on those areas of responsibility that the deputy head has chosen in that year’s risk-guided focus. The overall areas of responsibility are

  • to review management’s arrangements to promote public service values and ethics and to ensure that the department complies with laws, regulations, policies, and standards of conduct;
  • to review the corporate risk profile and the department’s risk management arrangements;
  • to assess the internal audit activity;
  • to review the work of the Office of the Auditor General and other agents of Parliament and central agencies;
  • to review follow-up on management action plans;
  • to review financial statements and Public Accounts of Canada reporting; and
  • to review risk and accountability reporting.

Chief audit executives

  • Provide annual opinions to deputy heads and departmental audit committees on the effectiveness and adequacy of risk management, control, and governance processes in their departments, and report on individual risk-based audits.
  • Create appropriate policies and procedures to guide the internal audit activity.
  • Create a risk-based audit plan.
  • Ensure that the internal audit activity has the number of qualified staff it needs to carry out the risk-based audit plan, in keeping with the IIA Standards.
  • Ensure that the work of the internal audit activity is carried out in keeping with the IIA Standards.
  • Ensure that the departmental audit committee receives the information it needs to carry out its responsibilities.

Office of the Comptroller General

  • Is responsible for horizontal and sectoral audits in large and small departments and agencies;
  • Is responsible for focused, sustained functional leadership of internal audit across government to build and develop capacity; to ensure adequate levels of professionally qualified staff; and to ensure that departments maintain professional standards and rigorous methodology in delivering internal audits;
  • Reports periodically to Treasury Board on the state of risk management, control, and governance processes across government; these reports address fundamental controls, including basic reporting controls for financial statements, thematic or sectoral controls, and the results of risk-based internal audit work done within departments;
  • Provides strategic direction, leadership, advice, and assistance on issues related to internal audit;
  • Develops and updates relevant policies, directives, guidelines, and standards for internal audit;
  • Provides policy guidance and interpretation to departments and agencies on how to implement relevant policies, directives, guidelines, and standards; and
  • Monitors how relevant policies are implemented and whether policy objectives are being achieved.
Sources: Treasury Board Policy on Internal Audit; Treasury Board Directive on Departmental Audit Committees; Treasury Board Guidelines on the Expected Qualifications for Chief Audit Executives; Treasury Board Guidelines on the Responsibilities of Chief Audit Executives; and the Institute of Internal Auditors International Professional Practices Framework

3.5 The Canada Revenue Agency, which was included in this audit, is structured differently than the other entities. The Agency was established as a separate agency on 1 November 1999. Enabling legislation provided for the establishment of a Board of Management to oversee the organization and administration of the Agency. The Board comprises external members who are independent of the Agency. The Board’s structure includes an audit committee whose mandate is to provide oversight of the internal audit activity. The Canada Revenue Agency Act provides the legislative authority for the Internal Audit Policy of the Agency, which is approved by the Board of Management. While not subject to the requirements of Treasury Board policies, the Agency aims to respect their intent.

What we found in 2004

3.6 We last carried out a government-wide assessment of internal audit in 2004. We found wide variations in how well the internal audit activity in six federal organizations had met the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (the IIA Standards). We also found variations in how well they complied with the Treasury Board Policy on Internal Audit that was in effect at that time:

  • In two organizations (Public Works and Government Services Canada and the Royal Canadian Mounted Police), the internal audit activity generally met the IIA Standards.
  • Three departments (Foreign Affairs and International Trade Canada, Human Resources and Skills Development Canada, and Natural Resources Canada) partially met the IIA Standards.
  • One agency (Canadian International Development Agency) did not meet many of the IIA Standards.

3.7 Our report identified a number of important factors that, if implemented, could have a positive influence on the quality of internal audit across government:

  • a consistent understanding by senior management of the role that internal audit can and should play;
  • a departmental audit committee with external members who are independent of management;
  • a clear human resource strategy for departments and central agencies that sets out the qualifications and appropriate number of staff for the internal audit community;
  • a focus on assurance services; and
  • a strategy to ensure appropriate internal audit coverage and capacity in small entities.

3.8 We also found that the Treasury Board of Canada Secretariat (the Secretariat) had yet to create and fund a strategy that would enable it to meet both the requirements of the Policy on Internal Audit that was in effect and the internal audit community’s expectations. The Secretariat agreed with these observations and agreed to take action to correct the weaknesses we noted.

Events since 2004

3.9 To respond to these issues and to strengthen the government’s internal audit capacity, the Treasury Board adopted a revised Policy on Internal Audit (the Policy) in April 2006. The revised Policy included related directives, guidelines, and standards. The Policy and its related guidance were revised again in July 2009.

3.10 The revised Policy and related guidance were designed to sustain a strong, credible internal audit activity that

  • has the confidence of the government;
  • contributes directly to sound risk management, control, and governance; and
  • is well-positioned to support governance within departments and agencies across government.

The Policy requires that independent departmental audit committees be created and sets out specific requirements for internal audit activities, deputy heads, departmental audit committees, and the Comptroller General of Canada. Internal audit activities are to follow the Policy and the IIA International Professional Practices Framework (including the IIA Standards), which was adopted by Treasury Board in its Policy.

3.11 The internal audit community is also expected to respond to the requirements of the Financial Administration Act, which calls for deputy heads to ensure that the department has an internal audit capacity.

Focus of the audit

3.12 The focus of our audit was to find out whether departments, agencies, and the Office of the Comptroller General of Canada have acted upon the commitments they made in response to the observations and recommendations of our 2004 report.

3.13 The audit examined whether departments and agencies had set up independent audit committees, as the Policy requires, and whether the committees were carrying out the responsibilities that the Policy and related directives and guidelines set for them.

3.14 We looked at the audit committees of the 24 large departments and agencies that represent approximately 95 percent of the Government of Canada’s total assets, liabilities, revenues, and expenses. (A list of these departments and agencies is found in About the Audit.)

3.15 The audit also assessed whether the internal audit activity met the requirements of the IIA Standards, which Treasury Board adopted in its Policy. We examined four key attributes of an effective internal audit activity in a random sample of 12 of the 24 large departments. (A list of the 12 departments in the random sample is found in About the Audit.)

3.16 Specifically, we assessed the following aspects:

  • the reporting relationship of internal audit;
  • the risk-based audit plan that the internal audit activity created;
  • whether the reporting practices met the requirements of the Policy and the IIA Standards; and
  • whether the internal audit activity had completed an external quality assessment review, as the IIA Standards require.

3.17 We also conducted quality assessment reviews (Exhibit 3.2) in six of the large departments. (A list of the six departments that received such a review is found in About the Audit.)

Exhibit 3.2—Purpose of a quality assessment review

A quality assessment review is an external assessment that includes assessing the following elements of the internal audit activity:

  • conformity with the definition of internal auditing, the IIA Code of Ethics, and the IIA Standards, and with the internal audit activity’s charter, plans, policies, procedures, practices, and legislative and regulatory requirements that apply;
  • the board’s, senior management’s, and the operational managers’ expectations;
  • the integration of the internal audit activity into the organization’s governance process, including the relationships between and among the key groups involved in the process;
  • the tools and techniques used;
  • the mix of knowledge, experience, and disciplines within the staff, including staff focus on process improvement; and
  • a review of whether the internal audit activity adds value and improves the organization’s operations.

Source: Adapted from the Institute of Internal Auditors International Professional Practices Framework

3.18 The final area the audit addressed was whether the Office of the Comptroller General (the OCG) was providing leadership and direction for the internal audit community and for departmental audit committees.

3.19 In our audit, we examined the practices and procedures that departmental audit committees and internal audit have put in place over the last three years.

3.20 More details on the audit objectives, scope, approach, and criteria are in About the Audit at the end of this chapter.

Observations and Recommendation

Departmental audit committees

3.21 Independent departmental audit committees are an important part of the governance structure of departments. These committees are designed to offer objective advice and recommendations to the deputy head on whether the department’s risk management, control, and governance frameworks and processes (including accountability and auditing systems) are adequate, and on how well they have been implemented.

3.22 In its response to our 2004 audit, the Treasury Board revised its Policy on Internal Audit (the Policy) in 2006 to implement our recommendation that external members be required on departmental audit committees.

3.23 A key element of the Policy was that by 30 September 2009, deputy heads must have formed a departmental audit committee, with a majority of members from outside of the federal public administration. The collective skills, knowledge, and experience of members were to allow the committee to carry out its duties competently. Members of the departmental audit committee are to be chosen jointly by the respective deputy head and the Comptroller General and approved by the Treasury Board. Members of the committee who are from within the federal public administration must be at the deputy head or associate deputy head level. The Canada Revenue Agency appoints its audit committee from among members of its Board of Management all of whom are from outside the federal public administration.

3.24 Our assessment on the progress on the following topics is found at the end of this section (see Exhibit 3.3).

Independent departmental audit committees have been established

3.25 We looked at whether the 24 large departments had established independent departmental audit committees in accordance with the Policy and related guidelines, which required that independent audit committees be in place by 30 September 2009.

3.26 We noted that, in keeping with the Policy, 23 departmental audit committees were formed over the last three fiscal years:

  • ten committees in 2007–08
  • eight committees in 2008–09
  • five committees in 2009–10

3.27 The Canada Revenue Agency implemented its audit committee in 1999, at the time the Agency was established as a separate agency.

3.28 We reviewed the composition of the audit committees in each of the 24 large departments to find out whether the makeup of each committee met the Policy’s requirements. Specifically, we assessed the date the committee was formed, whether the majority of members were from outside the federal public administration, and, in the case of department members, whether they were deputy heads or associate deputy heads.

3.29 In each case, members appointed were independent of the federal public administration. Each committee had at least one member with the financial expertise that the Policy requires. Department members of the audit committee were deputy heads or associate deputy heads, as the Policy requires.

3.30 As part of our audit, we reviewed the process for identifying and recruiting external audit committee members. We found that the Office of the Comptroller General (the OCG) followed a rigorous process, using the services of a professional recruitment firm. This process identified independent, qualified individuals. Both the Comptroller General and the deputy head of the department recommended to the Treasury Board that these individuals be appointed. We reviewed the background documentation on each appointment and concluded that the process led to forming audit committees whose members meet the competency profiles that the Policy outlines. The Canada Revenue Agency appoints its audit committee through a resolution of the Board each fiscal year. All Canada Revenue Agency committee members are independent of the Agency.

3.31 The audit committee members and senior department officials we interviewed as part of this audit believe that the process was effective in identifying qualified individuals. However, they noted that the appointment process was lengthy.

3.32 We found that committee members for individual departments were often appointed on the same day, with the same terms of appointment. The OCG and departments have said that in renewing appointments to audit committees they will use terms of varying duration to ensure continuity.

Audit committee charters were created in keeping with the Policy on Internal Audit

3.33 In each of the 24 large departments, we looked to see whether the departmental audit committees had created and adopted a charter that sets out the committee’s responsibilities, and whether these responsibilities matched the Policy’s requirements. We found that in each case, the committee had created and approved such a charter. We found that the charters were consistent with the guidance provided by the OCG. We noted that the Canada Revenue Agency audit committee charter also sets out roles and responsibilities for its audit committee. These are consistent with the intent of the Treasury Board Policy on Internal Audit.

Audit committee members received appropriate training

3.34 As part of our audit, we reviewed the training and orientation material that departmental audit committee members received. Looking at both the type and the amount of training provided, we noted that the OCG and individual departments gave audit committee members a range of training.

3.35 We saw that the OCG offered training and development programs on the following topics:

  • pillars and perspectives on the role of audit committees in the federal public service;
  • financial management and literacy in the federal public service;
  • risk management, frameworks and practices, and values and ethics; and
  • management control frameworks.

The OCG also held departmental audit committee symposiums that dealt with a variety of topics.

3.36 We found that the vast majority of committee members took part in the orientation training that the OCG gave. As part of our audit, we interviewed a selection of audit committee members to collect their views on the training they received. Almost all the members we interviewed said that the training was very important to ensuring that they understood and carried out the duties expected of them. Members whose background was not in government said they found the orientation training valuable. Committee members added that this training should be continued.

3.37 As part of our audit, we reviewed the information and orientation that departmental audit committee members received about the business of their respective departments. We also asked a selection of the members how satisfied they were with the nature and amount of orientation material they received.

3.38 The committee members we interviewed said they were satisfied with their department’s efforts to provide orientation on its objectives and programs. This material included presentations and key performance and accountability documents. Many members also went on site visits to see operations first-hand. Audit committee members said they felt that the departments had been very responsive when asked to give additional material or explanations.

Audit committees are at varying stages of development

3.39 Departmental audit committees were designed to provide advice to the deputy head. To do so, the Treasury Board Directive on Departmental Audit Committees requires the committees to exercise oversight of core areas of departmental management, control, and accountability, including reporting on the internal audit activity, and to provide advice to deputy heads.

3.40 The Policy requires audit committees to give advice and recommendations to the deputy head on the quality and results of assurance projects and the adequacy and functioning of the department’s risk management, control, and governance frameworks and processes (including accountability and auditing systems).

3.41 As part of their responsibilities, departmental audit committees are to review and report at least once a year on these topics:

  • management’s arrangements to promote public service values and ethics and to ensure that departments comply with laws, regulations, policies, and standards of conduct;
  • the corporate risk profile and the department’s arrangements for managing risk;
  • the department’s arrangements for internal control; and
  • assessments of the internal audit activities.

3.42 We found that each of the audit committees in the 24 large departments had created work schedules that would allow the committees to address all areas of their mandate each year.

3.43 As noted earlier, some audit committees were not formed until the 2009–10 fiscal year. In some cases, the committees had met only once or twice before our audit was completed. While the work programs for these committees addressed all required areas of the Policy, the committees had not yet had the opportunity to complete a full annual cycle. For this reason, these committees had not addressed all areas of responsibility. Those audit committees formed in previous fiscal years had looked at all areas of responsibility.

3.44 To find out whether departmental audit committee members received appropriate information, we reviewed the material that committee members received on the areas of responsibility that the Policy describes. We also interviewed a sample of audit committee members and deputy heads to see whether they were satisfied with the nature and amount of information they received.

3.45 The audit committee members we interviewed told us they were satisfied with the nature and amount of information they received. They also said they found that departments responded well to requests for more information or details. We noted that the departmental audit committees received the information they needed to carry out their duties. For example, in the area of risk management, we found that departmental officials typically provided committee members copies of the corporate risk profiles. In many cases, members also attended presentations by assistant deputy ministers on key priorities and risks tied to their areas of responsibility.

3.46 Proper documentation of the discussions and activities of the audit committees is an important element of showing the work that is being done. As part of our audit, we reviewed the minutes of the departmental audit committee meetings. In most cases, the minutes contained a recommendation for the deputy head to approve key items such as the risk-based internal audit plan or completed internal audit reports. In some cases, the minutes said only that the agenda item had been discussed. We also noted that the minutes did not always describe the type or length of the discussions. For this reason, it was not possible to assess the nature and extent of the discussion of key items.

3.47 However, in interviews we held as part of our audit, audit committee members and department managers both said they were satisfied with the nature and extent of discussion at audit committee meetings. The deputy heads we interviewed said they were satisfied with the advice the committees offered.

Independent departmental audit committees have had a positive effect

3.48 We wanted to find out in our audit what effect, if any, the departmental audit committees have had on departmental management and the internal audit activity.

3.49 To answer this question, we interviewed a broad range of department managers, deputy heads, and assistant deputy heads. We also interviewed internal audit management and staff.

3.50 We found that internal auditors and senior management alike said that creating independent departmental audit committees has strengthened the independence of internal audit. The chief audit executives we interviewed said that these committees significantly enabled the internal audit capacity to develop in departments. These executives also noted that the active participation of deputy heads on the committees served as an important signal within the organization that internal audit is a key part of the department’s governance processes.

3.51 The deputy heads we interviewed said that the independent departmental audit committees brought an increased rigour and challenge to reviewing the results and quality of the work of internal audit. Deputy heads also noted the important role that audit committees play in challenging the completeness of action plans that management prepared to respond to completed audits and in monitoring progress against the action plans. Exhibit 3.3 indicates our assessment of progress in addressing our recommendations on departmental audit committees.

Exhibit 3.3—Progress in addressing our recommendations on departmental audit committees

Recommendation Progress
The Treasury Board Secretariat should establish in the Treasury Board’s Policy on Internal Audit a requirement for external membership on departmental audit committees.

(Recommendation 1.40 of the 2004 November Report of the Auditor General of Canada, Chapter 1, Internal Audit in Departments and Agencies)

Satisfactory
The Treasury Board Secretariat should, as necessary, provide guidance on better practices for audit committee performance and provide guidance on appropriate training for departmental audit committee members.

(Recommendation 1.48 of the 2004 November Report of the Auditor General of Canada, Chapter 1)

Satisfactory
The Treasury Board Secretariat should update the roles and responsibilities of the audit committee and its members.

(Recommendation 1.49 of the 2004 November Report of the Auditor General of Canada, Chapter 1)

Satisfactory
Satisfactory—Progress is satisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation was made.

Unsatisfactory—Progress is unsatisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation was made.

Internal audit

3.52 Internal auditing is intended to be an independent, objective assurance and consulting activity that is designed to add value to and improve an organization’s operations. It is intended to help an organization meet its objectives by bringing a systematic, disciplined approach to evaluating risk management, control, and governance processes and making them more effective.

3.53 In a random sample of 12 of the 24 large departments, we looked at the following four aspects of an internal audit activity:

  • reporting relationships,
  • risk-based plans,
  • reporting practices, and
  • completion of an independent external quality assessment review.

3.54 Our assessment of the progress on the following topics can be found at the end of this section (see Exhibit 3.7).

Reporting relationships support the independence of internal audit

3.55 We looked at whether each of the 12 departments in our sample had set up appropriate reporting relationships for the internal audit activity.

3.56 Treasury Board’s Policy on Internal Audit (the Policy) requires that the internal audit activity report directly to the deputy head. Such a reporting relationship is an essential element in creating and preserving the internal audit activity’s independence.

3.57 We found that in each of the 12 departments, the internal audit activity reported directly to the deputy head. We also found that the relationship established between the internal audit activity and the departmental audit committees further supported the independence of the internal audit activity.

Annual audit plans focus on key risks

3.58 We looked at whether each of the 12 departments in our sample had developed a risk-based audit plan for the internal audit activity.

3.59 Government policy and the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (the IIA Standards) require that the internal audit activity develop a risk-based audit plan to set its audit priorities, in keeping with the organization’s goals. We noted that the OCG’s Internal Audit Sector had developed guidance for departments to use to create a risk-based internal audit plan.

3.60 We found that in each of the 12 departments, the internal audit activity had developed a risk-based audit plan in keeping with the guidance. We noted that these plans clearly described those areas of departmental activities that would be subject to audit in the three-year planning horizon and explained why some areas would not be audited. In each case, the departmental audit committee had reviewed the risk-based audit plan. We found that there is an alignment between risk-based audit plans developed by internal audit and the department’s risk profiles.

3.61 We noted that internal audit activities reported regularly to their respective audit committees on the status of work completed and key changes to their internal audit plan.

3.62 In October 2010, we reported on the results of our audit of expenditures under the government’s Economic Action Plan (the Plan), which was introduced in the 2009 budget. That audit looked at whether internal audit had considered the changes, if any, in departmental risk profiles as a result of Plan expenditures and had adapted the planned audit coverage if necessary. Our audit of the Economic Action Plan in fall 2010 found that internal audit activities responded to the changes in the departmental risk profiles as a result of the Plan.

The results of internal audit work need to be reported clearly

3.63 We assessed the reporting practices that our random sample of 12 departments used to communicate the results of the work that the internal audit activities completed.

3.64 The IIA Standards require that an internal audit report contain, at a minimum, the purpose, scope, and results of the engagement. The report is also to include observations, conclusions, opinions, recommendations, and management’s action plans to correct any weaknesses noted.

3.65 In addition, internal audit reports must clearly set out the results of the audit work. Reports are to note the extent to which observed conditions met expected criteria and, if necessary, the cause and effect of any changes in expected conditions.

3.66 Internal audit reports must meet these requirements because doing so clearly explains the nature and extent of the observations so that the reader can understand their importance. Also, this information helps to explain the impact that observed weaknesses may have on the department’s ability to achieve its stated strategic outcomes or objectives.

3.67 We saw good practices in some internal audit activities and opportunities for further improvement in others. In particular, we noted a good practice that Canadian Heritage’s internal audit activity adopted: using a rating system to identify whether controls are adequate. This approach sums up the department’s performance for senior management and the audit committee. The conclusions and ranking reached for each of the examination criteria used in the audit were developed according to the definitions found in Exhibit 3.4. This approach clearly shows relative strengths and weaknesses in management practices and focuses on areas that need immediate attention.

Exhibit 3.4—Canadian Heritage uses a rating system to identify whether controls are adequate

Conclusion on audit criteria Numerical categorization Definition of conclusion
Is well-controlled 1 Is well-managed—with no material weaknesses noted—and is effective.
Is controlled 2 Is well-managed—but minor improvements are needed—and is effective.
Has moderate issues 3 Has moderate issues that call for management focus (at least one of the following two criteria must be met):
  • control weaknesses exist, but exposure is limited because likelihood of risk occurring is not high; or
  • control weaknesses exist, but exposure is limited because impact of the risk is not high.
Significant improvements are needed 4 Requires significant improvements (at least one of the following three criteria needs to be met):
  • financial adjustments that are material to line item or area or to the department are required; or
  • control deficiencies represent serious exposure; or
  • major deficiencies are found in the overall control structure.
Source: Adapted from Canadian Heritage rating system

3.68 In contrast, we also noted that a number of departments had adopted a reporting style that made it difficult for the reader to understand the seriousness of observations or the overall significance of the findings. In these cases, departments used wording that stated that elements of a management control framework were in place, but opportunities for improvement remained.

3.69 Many of the audit committee members and senior managers we interviewed as part of our audit noted the need for internal audit reports to be more succinct and to focus their recommendations at a strategic level.

Few departments have had an external quality assessment review

3.70 The Policy requires each internal audit activity to have an external review conducted at least once every five years.

3.71 Quality assessment reviews cover the entire spectrum of internal audit work that the internal audit activity performs. These reviews assess internal audit activities using three categories: “generally conforms,” “partially conforms,” or “does not conform” to the IIA Standards. The ratings are defined in Exhibit 3.5.

Exhibit 3.5—Quality assessment reviews use three categories to assess conformity to the IIA Standards

Generally conforms to the Standards—The relevant structures, policies, and procedures of the internal audit activity, as well as the processes by which they are applied, complied with the requirements of the Standards. While there may be opportunities for improvement, these did not represent situations where the internal audit activity had not implemented the Standards, did not apply them effectively, or did not achieve their stated objectives.

Partially conforms to the Standards—The internal audit activity has fallen short of achieving some of its major objectives. These will usually represent some significant opportunities for improvement in effectively applying the Standards and/or achieving their objectives. Some of the deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organization.

Does not conform to the Standards—The internal audit activity is not achieving many of the objectives of the Standards. These deficiencies will usually have a significant negative impact on the internal audit activity’s effectiveness. They may also represent significant opportunities for improvement, including actions by senior management or the board.

Source: Adapted from Institute of Internal Auditors Quality Assessment Manual

3.72 We looked at whether the 12 departments in our random sample had completed a quality assessment review.

3.73 We found that 3 of the 12 departments—the Canada Revenue Agency, Environment Canada, and Canadian Heritage—have had a quality assessment review completed. In each case, departments “generally conformed” to requirements of the Policy and the IIA Standards.

3.74 We also carried out detailed quality assessment reviews on a judgementally selected sample of six departmental internal audit activities to find out whether they met the requirements of the Policy and the IIA Standards. The results of these reviews are shown in Exhibit 3.6. Of these six departments, two—National Defence and the Canadian International Development Agency—had had an external quality assessment review in 2005 and 2004 respectively.

Exhibit 3.6—Most of the departments we selected met the requirements of the Policy on Internal Audit and the IIA Standards

Organization Generally conforms to the Policy and the IIA Standards Partially conforms to the Policy and the IIA Standards Does not conform to the Policy and the IIA Standards
Canadian International Development Agency X  
Foreign Affairs and International Trade Canada X
Health Canada X
National Defence X
Royal Canadian Mounted Police X
Veterans Affairs Canada X

3.75 In conducting our assessment, we noted that the Royal Canadian Mounted Police’s internal audit activity had experienced a significant turnover, which meant recruiting and rebuilding the activity. This situation had an impact on the assessment.

3.76 Strengths noted. In conducting these quality assessment reviews, we noted a number of strengths that were common to the six internal audit activities:

  • an internal audit charter that set out the purpose and mandate of the internal audit activity;
  • the departmental audit committee and deputy head had approved the internal audit charter; and
  • the internal audit charters also set out the authority of the internal audit activity in terms of its right of access to the department’s books, records, and staff.

3.77 We also noted that, in each case, the internal audit activity had appropriate reporting relationships. It reported directly to the deputy head, with oversight provided by an audit committee, the majority of whose members were from outside the federal public administration. This relationship is important because it supports the independence and objectivity of the internal audit activity. We also found that the planning activities that were done were well-documented and considered key aspects of the area to be audited.

3.78 Opportunities for improvement. Quality assurance and improvement programs for the internal audit activity need to be strengthened. Most of the internal audit activities that we reviewed were monitoring internal audits already in process. However, at the time of our audit, periodic assessments of internal audit activities as a whole had not been conducted. Both the monitoring and periodic assessment elements are necessary for an effective quality assurance and improvement program.

3.79 In completing the quality assessment reviews, we noted some common areas where departments could strengthen their practices. As stated in the previous section, the most frequent comment from key stakeholders—audit committee members and senior management—was about communication and reporting. In internal audit reports, these stakeholders were seeking concise observations that clearly communicated the strengths and weaknesses noted in the audit.

Exhibit 3.7—Progress in addressing our recommendation on external quality assessments

Recommendation Progress
Departments should ensure that their internal audit groups conduct an external quality assessment by 1 January 2007.

(Recommendation 1.92 of the 2004 November Report of the Auditor General of Canada, Chapter 1, Internal Audit in Departments and Agencies)

Unsatisfactory
Satisfactory—Progress is satisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation was made.

Unsatisfactory—Progress is unsatisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation was made.

3.80 Recommendation. Departments that have not had an external quality assessment should have an assessment conducted as required by the International Standards for the Professional Practice of Internal Auditing and the Treasury Board Policy on Internal Audit.

The Treasury Board of Canada Secretariat’s response. Agreed. The Secretariat’s Internal Audit and Evaluation Bureau (IAEB) has planned for the conduct of an external quality assessment for the Secretariat as a department. Specifically, a self-assessment exercise was conducted in the 2010–11 fiscal year, in preparation for an external quality assessment to be completed by fall 2011.

The Canada Border Services Agency’s response. Agreed. The Canada Border Services Agency intends to complete an external quality assessment by June 2012, as required by the International Standards for the Professional Practice of Internal Auditing and the Treasury Board Policy on Internal Audit.

Canadian Heritage’s response. Agreed. Canadian Heritage notes the Office of the Auditor General’s recognition of quality assurance work conducted at the Department and will endeavour to undertake an external quality assessment every five years.

Correctional Service Canada’s response. Agreed. We understand the necessity and usefulness of quality assessments. As such, we had a preliminary external assessment conducted in 2006, where recommendations for improvement were made and actions have been taken to address them. The results of the assessment and related actions have been presented to and approved by the audit committee and reported annually in the Chief Audit Executive reports. At this point in time, following Treasury Board’s direction, Correctional Service Canada fully expects to have an external inspection conducted by the end of the 2011–12 fiscal year.

The Department of Finance Canada’s response. Agreed. Internal audit and evaluation at the Department of Finance is currently planning to have an external quality assessment conducted, as required by the International Standards for Professional Practice of Internal Auditing and the Treasury Board Policy on Internal Audit, by September 2012.

Human Resources and Skills Development Canada’s response. Agreed. Corrective measures are well under way to address this observation. Prior to initiating a formal external quality assessment review in November 2010, the Internal Audit Services Branch conducted yearly self-assessments against the Institute of Internal Auditors Standards, the Office of the Comptroller General’s Internal Audit Self-Diagnostic Tool, and relevant Treasury Board policies. The Branch also engaged an independent external reviewer in the 2008–09 fiscal year to conduct a preliminary assessment of the Department’s readiness for the formal external assessment in the 2010–11 fiscal year. Building on the results of the preliminary assessment, the Department developed an action plan to address the gaps identified. The external quality assessment review is under way and will be completed by 30 April 2011.

Industry Canada’s response. Agreed. An external quality assessment is currently planned for the 2013–14 fiscal year.

The Department of Justice Canada’s response. Agreed. The Department of Justice is planning to conduct an external quality assessment during the 2011–12 fiscal year.

Office of the Comptroller General of Canada

3.81 In response to our 2004 audit, the Office of the Comptroller General (the OCG) made a commitment to strengthen the internal audit activity in government. The initial step taken was to revise the Policy on Internal Audit (the Policy) in April 2006, with further refinements in 2009. Key elements incorporated into the Policy to strengthen internal audit were

  • professionalizing internal audit activity;
  • adopting the Institute of Internal Auditors (IIA) International Professional Practices Framework; and
  • creating departmental audit committees, the majority of whose members were from outside the public administration, to strengthen the independence of the internal audit activity.

3.82 The Policy’s implementation was supported by strategic direction from the OCG and by supplementary funding to departments to help them achieve the Policy’s objectives.

3.83 The Policy sets out a broad range of responsibilities for the OCG. The OCG is required to

  • provide strategic direction, leadership, advice, and assistance on issues related to internal audit, and provide policy guidance and interpretation to departments and agencies on how to implement relevant policies, directives, guidelines, and standards;
  • monitor how relevant policies are implemented and whether policy objectives are being achieved, as well as to ensure that internal audit activity adheres to the IIA Standards and rigorous methodology in delivering internal audits; and
  • conduct horizontal and sectoral audits in large and small departments and agencies.

3.84 These responsibilities are designed to enhance the professionalization of the internal audit community. As part of our audit, we reviewed the actions of the OCG Internal Audit Sector. Our progress rating on the following topics can be found at the end of this section (see Exhibit 3.9).

The Office of the Comptroller General provides leadership and guidance to the internal audit community

3.85 Strategic direction and guidance. We conducted a number of interviews to identify the key mechanisms the OCG used to provide strategic direction and guidance to the internal audit community. We also reviewed guidance the OCG developed and steps it took to provide leadership to the internal audit community.

3.86 We found that the OCG has carried out a wide range of activities to inform and offer direction to the community on changes to the Policy framework and the internal audit profession. These activities include developing guidance and providing training and strategic direction to the community.

3.87 The OCG has developed a number of tools and guidance for internal audit activities. These include

  • guidance on developing risk-based audit plans,
  • guidance on core management controls,
  • an inventory of audit programs,
  • models for internal audit and audit committee charters,
  • guidance on a practice inspection program, and
  • guidance for departmental audit committees.

3.88 We also noted that the OCG has given strategic direction to the community. For example, as reported in our chapter on Canada’s Economic Action Plan in our 2010 Fall Report, the OCG provided effective leadership, direction, and guidance to departmental internal audit activities with respect to audit coverage of expenditures made under the terms of the Economic Action Plan.

3.89 Professionalization of the internal audit activity. One of the OCG’s priorities has been to develop a human resource strategy to enhance professionalism in internal audit. This strategy focuses on continuing professional development and on creating a model that standardizes expectations, skills, and experience needed for internal auditors at various levels within departments. The strategy included working with departments to decide on how many internal auditors departments need. These approaches are aimed at defining the current state of capacity in the federal government and providing a basis for future development of the community.

3.90 In conducting our audit, we interviewed a broad range of audit committee members, senior department managers, and the management and staff of internal audit groups. They raised several common concerns about what human resource strategies need to do for the internal audit activity. They agreed that such strategies need to

  • focus on ongoing professional development,
  • develop common expectations and classifications for the internal audit community to reduce the movement of internal audit staff from one organization to another and to achieve higher classification levels, and
  • provide for orderly career advancement within the federal government’s internal audit community.

3.91 We found that, in implementing the Policy, the OCG gave funds to departmental internal audit activities for the professional development of internal audit staff. As noted in Exhibit 3.8, departments have not used all of the funds they received for this purpose.

Exhibit 3.8—Departments did not use all of the funds they received for continuing professional development of internal audit staff

Fiscal year Budget Expended
2006–07 $2,455,000 $833,000
2007–08 $3,334,000 $1,952,000
2008–09 $3,026,000 $2,258,000

3.92 We found that ongoing professional development is available. The OCG sponsors regular conferences for chief audit executives to address current issues and provide a forum for the exchange of information. The OCG also invites all members of the community to regular internal audit forums. We noted that the OCG has created working protocols with the Canada School of Public Service and the Ottawa chapter of the Institute of Internal Auditors to deliver training programs, such as a three-day internal audit orientation workshop.

3.93 As part of our audit, we interviewed chief audit executives and internal audit staff about professional development. Many internal auditors said that the demands to complete assigned audits made it difficult to engage in ongoing professional development activities.

3.94 In response to the issues related to classification and career or succession planning for the internal audit community, the OCG has designed a maturity model to be used to identify current capacity within the internal audit community and to serve as a roadmap for further development. The OCG will work with departments to identify the required number of internal audit resources by department. The OCG is in the process of implementing this model, which includes implementation of standard classifications across all government departments.

3.95 The model includes key indicators for human resource development and levels of maturity that staff at various levels would be expected to show. The OCG has also created generic job descriptions for internal auditors at different levels within departments. The next step in developing and applying this model is to pilot test the model in 12 departments in the 2011–12 fiscal year.

3.96 Monitoring. The OCG is required to monitor the implementation of the Treasury Board Policy on Internal Audit (the Policy) and find out whether its objectives are being met. The Policy requires the Treasury Board of Canada Secretariat to complete an evaluation of the Policy by 1 April 2011. We found that the OCG has begun this mandatory evaluation.

3.97 As part of our audit, we reviewed the mechanisms the OCG has put in place to monitor how well the Policy’s requirements are being met and how effectively internal audit capacity is being developed across government.

3.98 We noted that the main tool the OCG is using is the Management Accountability Framework. The OCG reviews and assesses information that departmental internal audit activities provide to find out how well they are complying with key aspects of the Policy. This process is designed to give the OCG an overview of the departments’ progress in implementing the Policy.

3.99 Horizontal audits. In the 2009–10 fiscal year the OCG completed two horizontal audits in large departments and two in small departments and agencies. In previous years, such audits were not carried out beyond the survey phase. To support these audits, the OCG has created a government-wide, risk-based internal audit plan that is designed to identify the audits to be carried out over the next three years in both large departments and small departments and agencies. The OCG recently updated its risk-based plan and, in April 2010, presented the plan to its audit committee. In May 2010, departments received the approved horizontal audit plan, which sets out horizontal audits for the next three years. The risk-based plan also identifies areas of significance and risk in small departments and agencies that are to receive audit coverage. In 2010, the OCG Internal Audit Sector carried out two audits that addressed areas of risk in small agencies.

Exhibit 3.9—Progress in addressing our recommendations on staffing internal audit and audit coverage

Recommendation Progress
The Treasury Board Secretariat, in collaboration with departments, should establish benchmarks to determine the number of internal auditors that the federal government and each department need to provide a reasonable level of audit coverage and a sustainable audit function.

(Recommendation 1.57 of the 2004 November Report of the Auditor General of Canada, Chapter 1, Internal Audit in Departments and Agencies)

Satisfactory
The Treasury Board Secretariat, in collaboration with departments, should determine the appropriate mix of qualifications, experience, and skills required for internal audit on a department and government-wide basis.

(Recommendation 1.63 of the 2004 November Report of the Auditor General of Canada, Chapter 1)

Satisfactory
The Treasury Board Secretariat, in consultation with small entities, should develop a risk-based strategy and establish, within government, a capacity for providing internal audit services to small entities.

(Recommendation 1.73 of the 2004 November Report of the Auditor General of Canada, Chapter 1)

Satisfactory
Satisfactory—Progress is satisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation was made.

Unsatisfactory—Progress is unsatisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation was made.

Conclusion

3.100 The government has shown satisfactory progress in acting upon the commitments it made in response to the observations and recommendations of our 2004 report.

3.101 We found that independent departmental audit committees have been created in the 24 large departments, with the majority of members coming from outside the federal public administration. Audit committees are at various stages in developing their practices and procedures. Established departmental audit committees are having a positive impact by contributing to stronger internal audit in government.

3.102 The government has strengthened its internal audit capacity within the large departments since our last audit, which was done in 2004. Departments have created internal audit charters that set out clear roles and responsibilities for internal audit activities. The charters, along with strong support of senior management and departmental audit committees, have resulted in independent, objective internal audit activities. Most of the completed internal audit reports we reviewed are assuring management about internal control and making recommendations to improve departmental practices. Quality assurance and improvement processes for internal audits are at varying stages of development: some are well developed, while others are in early development.

3.103 The Office of the Comptroller General of Canada has responded to the observations and recommendations of our 2004 report. The OCG introduced a new policy framework that requires it to create audit committees and set clear expectations for them. The OCG provides direction and guidance to the internal audit community and to departmental audit committees.

About the Audit

All of the audit work in this chapter was conducted in accordance with the standards for assurance engagements set by The Canadian Institute of Chartered Accountants. While the Office adopts these standards as the minimum requirement for our audits, we also draw upon the standards and practices of other disciplines.

Objectives

The overall audit objective was to assess the progress that the government has made in addressing the concerns we raised in Chapter 1 of our 2004 November Report.

This follow-up audit assessed the extent to which, as required by the Treasury Board Policy on Internal Audit (the Policy),

  • deputy heads of departments and agencies have created independent departmental audit committees and these committees were carrying out the duties and responsibilities that the Policy and related guidance set out for them,
  • deputy heads of departments and agencies have appointed chief audit executives who are appropriately qualified and who have established internal audit activities, and
  • the Office of the Comptroller General of Canada (the OCG) is carrying out its duties and responsibilities to provide leadership and direction to the internal audit community.

Scope and approach

Departmental audit committees. The audit assessed whether deputy heads of departments and agencies had created an independent departmental audit committee and whether these committees had carried out the duties and responsibilities that the Policy and its related directives set out for them.

We reviewed documentation for appointing external audit committee members and assessed whether, collectively, their backgrounds were consistent with the Policy’s requirements, particularly the requirement for financial expertise.

Our audit included a review of the information that departments and agencies gave to audit committee members, to find out whether they received the information they needed to perform their roles and responsibilities. Our audit approach included interviews with a selection of audit committee members.

The audit team assessed the nature and extent of the tools and training that audit committee members received to help them understand and carry out their obligations.

This line of enquiry includes the following 24 large departments and agencies that represent approximately 95 percent of the Government of Canada’s total assets, liabilities, revenues, and expenses:

  • Agriculture and Agri-Food Canada
  • Canada Border Services Agency
  • Canada Revenue Agency
  • Canadian Heritage
  • Citizenship and Immigration Canada
  • Canadian International Development Agency
  • Correctional Service Canada
  • Environment Canada
  • Finance Canada, Department of
  • Fisheries and Oceans Canada
  • Foreign Affairs and International Trade Canada
  • Health Canada
  • Human Resources and Skills Development Canada
  • Indian and Northern Affairs Canada
  • Industry Canada
  • Infrastructure Canada
  • Justice Canada, Department of
  • National Defence
  • Natural Resources Canada
  • Public Works and Government Services Canada
  • Royal Canadian Mounted Police
  • Transport Canada
  • Treasury Board and Office of the Comptroller General
  • Veterans Affairs Canada

Departmental internal audit activities. We conducted quality assessment reviews of internal audit activities in a selection of six departments and agencies to find out if the activity met the requirements of the Institute of Internal Auditors International Professional Practices Framework (including the IIA Standards). The following six departments were judgmentally selected using a variety of criteria:

  • Canadian International Development Agency
  • Foreign Affairs and International Trade Canada
  • Health Canada
  • National Defence
  • Royal Canadian Mounted Police
  • Veterans Affairs Canada

We also looked at the following four key aspects within the internal audit activity across a random sample of 12 of the 24 large departments and agencies:

  • reporting relationships
  • risk-based plans
  • reporting practices
  • completion of an independent quality assessment review of the activity

The 12 entities randomly selected for this review were the following:

  • Canada Revenue Agency
  • Canadian Heritage
  • Canadian International Development Agency
  • Correctional Service Canada
  • Environment Canada
  • Finance Canada, Department of
  • Foreign Affairs and International Trade Canada
  • Human Resources and Skills Development Canada
  • Justice Canada, Department of
  • Royal Canadian Mounted Police
  • Treasury Board of Canada Secretariat and the Office of the Comptroller General
  • Veterans Affairs Canada

The Office of the Comptroller General of Canada. We assessed whether the OCG was providing leadership and direction to the internal audit and departmental audit communities.

The audit excluded all Policy requirements related to small departments and agencies, except for the OCG’s requirement to conduct horizontal audits on these departments and agencies each year.

Criteria

To determine whether deputy heads of departments and agencies have created independent departmental audit committees and whether these committees were carrying out the duties and responsibilities that the Policy on Internal Audit and related guidance set out for them, we used the following criteria:
Criteria Sources

Deputy heads are responsible for establishing an independent audit committee.

  • Policy on Internal Audit, section 5.4.2., Treasury Board, 2009
  • Directive on Departmental Audit Committees, Treasury Board, 2009

Departmental audit committees are exercising oversight on

  • departmental values and ethics, risk management, and management control frameworks, which are reviewed with an appropriate risk-guided focus and cycle;
  • the internal audit activity;
  • results of work completed by the Office of the Auditor General and central agencies;
  • follow-up on management action plans to address internal and external audit recommendations;
  • financial statements and public accounts reporting; and
  • risk and accountability reporting.

Directive on Departmental Audit Committees, sections 4.1 and 4.2, Treasury Board, 2009

Departmental audit committees are meeting operational requirements of the Policy (charter, annual work plan, and annual report on activities).

Directive on Departmental Audit Committees, section 4.4, Treasury Board, 2009

To determine whether deputy heads of departments and agencies have appointed chief audit executives who are appropriately qualified and who have established internal audit activities, we used the following criteria:
Criteria Sources

Deputy heads

  • have appointed chief audit executives at a senior executive level, reporting to the deputy head, with appropriate professional qualifications; and
  • have ensured that the audit committees received the information they needed to carry out their responsibilities.
  • Guidelines on Expected Qualifications for Chief Audit Executives, section 3, Treasury Board
  • Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General, section 4.1, Treasury Board, 2009
  • Policy on Internal Audit, section 5.4.3 and 5.6.3, Treasury Board, 2009
  • Institute of Internal Auditors International Professional Practices Framework, Institute of Internal Auditors, 2009.

Chief audit executives have met their responsibilities to

  • establish appropriate policies and procedures to guide the internal audit activity;
  • establish a risk-based audit plan that is done at least once a year and that ensures proper coverage and minimizes duplication of effort;
  • ensure that the Institute of Internal Auditors (IIA) International Professional Practices Framework (including the IIA Standards) are followed;
  • ensure that internal auditors have appropriate professional qualifications, skills, and opportunities for training and development and obtain Certified Internal Auditor certification;
  • ensure that internal audit engagements are completed in a timely manner and that reports are given to the audit committee as quickly as possible;
  • develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity, and continuously monitor the program’s effectiveness;
  • ensure that a practice inspection or other external review of the internal audit activity is conducted at least every four years.
  • Institute of Internal Auditors International Professional Practices Framework, Institute of Internal Auditors, 2009.
  • Guidelines on Expected Qualifications for Chief Audit Executives, section 3, Treasury Board
To determine whether the Office of the Comptroller General of Canada is carrying out its duties and responsibilities to provide leadership and direction to the internal audit community, we used the following criteria:
Criteria Sources

The Comptroller General has met his or her responsibilities to provide effective functional leadership by

  • developing and supporting the implementation of effective internal auditing methodologies and procedures across government;
  • strengthening the internal audit community through recruitment and training programs;
  • supporting the creation of independent departmental audit committees;
  • liaising with chief audit executives, deputy heads and agents of Parliament, the Public Service Commission, and other central agencies on significant audit issues;
  • ensuring ongoing practice inspections and assessments of the entire spectrum of departmental internal audit activities;
  • undertaking or leading horizontal audits across large and small departments and agencies;
  • reporting periodically to Treasury Board on the overall state of risk management, control, and governance across government, with a fulsome report occurring at least every three years;
  • supporting the implementation of appropriately qualified audit committees, as well as providing guidance on expected committee practices across government; and
  • evaluating the Policy on Internal Audit by 1 April 2011.
  • Policy on Internal Audit, Appendix—Responsibilities of the Comptroller General for Internal Audit, Treasury Board, 2009
  • Policy on Internal Audit, sections 5.7, 5.8.4, 5.8.5, and 5.8.6, Treasury Board, 2009

 

Management reviewed and accepted the suitability of the criteria used in the audit.

Period covered by the audit

The period covered by the audit was the fiscal year ending 31 March 2010. Audit work for this chapter was substantially completed on 28 November 2010.

Audit team

Assistant Auditor General: Nancy Y. Cheng
Senior Principal: Bruce C. Sloan
Principal: Karen Hogan
Director: Marianne Avarello

Daniel Boutin
Caron Mervitz
Sophie Miller
Jacqueline Warren
Judith Wilson

For information, please contact Communications at 613-995-3708 or 1-888-761-5953 (toll-free).

Appendix—List of recommendations

The following is the recommendation found in Chapter 3. The number in front of the recommendation indicates the paragraph where it appears in the chapter. The numbers in parentheses indicate the paragraphs where the topic is discussed.

Recommendation

Response

Internal Audit

3.80 Departments that have not had an external quality assessment should have an assessment conducted as required by the International Standards for the Professional Practice of Internal Auditing and the Treasury Board Policy on Internal Audit. (3.70–3.79)

The Treasury Board of Canada Secretariat’s response. Agreed. The Secretariat’s Internal Audit and Evaluation Bureau (IAEB) has planned for the conduct of an external quality assessment for the Secretariat as a department. Specifically, a self-assessment exercise was conducted in the 2010–11 fiscal year, in preparation for an external quality assessment to be completed by fall 2011.

The Canada Border Services Agency’s response. Agreed. The Canada Border Services Agency intends to complete an external quality assessment by June 2012, as required by the International Standards for the Professional Practice of Internal Auditing and the Treasury Board Policy on Internal Audit.

Canadian Heritage’s response. Agreed. Canadian Heritage notes the Office of the Auditor General’s recognition of quality assurance work conducted at the Department and will endeavour to undertake an external quality assessment every five years.

Correctional Service Canada’s response. Agreed. We understand the necessity and usefulness of quality assessments. As such, we had a preliminary external assessment conducted in 2006, where recommendations for improvement were made and actions have been taken to address them. The results of the assessment and related actions have been presented to and approved by the audit committee and reported annually in the Chief Audit Executive reports. At this point in time, following Treasury Board’s direction, Correctional Service Canada fully expects to have an external inspection conducted by the end of the 2011–12 fiscal year.

The Department of Finance Canada’s response. Agreed. Internal audit and evaluation at the Department of Finance is currently planning to have an external quality assessment conducted, as required by the International Standards for Professional Practice of Internal Auditing and the Treasury Board Policy on Internal Audit, by September 2012.

Human Resources and Skills Development Canada’s response. Agreed. Corrective measures are well under way to address this observation. Prior to initiating a formal external quality assessment review in November 2010, the Internal Audit Services Branch conducted yearly self-assessments against the Institute of Internal Auditors Standards, the Office of the Comptroller General’s Internal Audit Self-Diagnostic Tool, and relevant Treasury Board policies. The Branch also engaged an independent external reviewer in the 2008–09 fiscal year to conduct a preliminary assessment of the Department’s readiness for the formal external assessment in the 2010–11 fiscal year. Building on the results of the preliminary assessment, the Department developed an action plan to address the gaps identified. The external quality assessment review is under way and will be completed by 30 April 2011.

Industry Canada’s response. Agreed. An external quality assessment is currently planned for the 2013–14 fiscal year.

The Department of Justice Canada’s response. Agreed. The Department of Justice is planning to conduct an external quality assessment during the 2011–12 fiscal year.

 


Definitions:

Internal audit activity—A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. (Return)

Independence—The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. (Return)

Objectivity—An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to others. (Return)

Internal auditing—An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. (Return)

 

PDF Versions

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet: