Practice Review and Internal Audit—Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years

ISSN 1925-8488

Foreword

The Practice Review and Internal Audit (PRIA) team of the Office of the Auditor General of Canada (OAG) developed the Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years to ensure that PRIA’s planned engagements meet the OAG’s assurance needs.

This document contains details about the PRIA team’s role, an overview of the planned engagements for the next 3 fiscal years, and information about PRIA’s resources and capacity for the 2020–21 fiscal year.

In establishing its practice review and internal audit priorities, PRIA conducts environmental scans, risk assessments, and consultations with senior management and staff. PRIA also reviews the OAG’s plans and priorities, and the results of the OAG’s latest integrated risk management process. PRIA updates the risk-based plan annually, according to organizational priorities, the availability of resources, and evolving risk-assessment needs.

I would like to thank the OAG’s senior management, staff, and the members of the Audit Committee for their cooperation and assistance with the development of this plan. Their input will allow PRIA to assess the adequacy and effectiveness of governance, risk management, and internal control processes in the OAG.

Louise Bertrand
Chief Audit Executive
Office of the Auditor General of Canada

July 2020

Introduction

As an officer of Parliament, the OAG is independent from government and reports directly to the Parliament of Canada. Given its mandate, the OAG is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the OAG’s internal oversight mechanisms are of significant importance to ensuring that adequate management practices are in place. PRIA is one of these oversight mechanisms, as it provides assurance to management through internal audits and practice reviews.

This document presents PRIA’s Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years for the OAG. PRIA has updated the plan to consider the latest results of the OAG’s integrated risk management process and the detailed work and analysis completed by PRIA in the 2019–20 fiscal year. The plan combines proposed internal audit engagements and practice reviews to be completed over the next 3 fiscal years. In determining its planned activities, PRIA sought to allocate its resources to the OAG’s areas of significant risk.

Office of the Auditor General of Canada

Mandate

The Auditor General of Canada is an officer of Parliament, reporting directly to the Parliament of Canada. The Auditor General is independent of the government in the execution of the position’s work and responsibilities. The OAG’s mandate and the Auditor General’s responsibilities are set out in the Auditor General Act, the Financial Administration Act, and other acts and orders-in-council.

The Commissioner of the Environment and Sustainable Development supports the Auditor General’s mandate related to the environment and sustainable development.

The OAG is the legislative audit office for the federal government and for the 3 territorial governments (Nunavut, Yukon, and the Northwest Territories).

The OAG conducts independent audits and studies that provide objective information, advice, and assurance to Parliament, territorial legislatures, governments, and Canadians. The OAG conducts audits according to professional auditing standards and OAG policies.

The OAG’s mission is to contribute to a well-managed and accountable government for Canadians.

Strategic objectives

The OAG’s strategic plan for the next 3 years has 3 over-arching goals: caring for each other, modernizing the OAG, and connecting with stakeholders. Caring for each other focuses on supporting employees’ well-being and their learning and growth. Modernizing the OAG focuses on improving tools, the use of technology, processes, and practices. Connecting with stakeholders focuses on enhancing value to clients and the organizations being audited. The desired result of this plan is to increase the impact and relevance of the OAG for its clients, those it audits, other stakeholders, and its employees.

Practice Review and Internal Audit

Mission

The mission of the OAG’s PRIA team is to enhance and protect the OAG’s value by providing risk-based and objective assurance, advice, and insight.

Scope of activities

The PRIA team’s scope of activities serves 2 separate but related purposes:

PRIA conducts its work in accordance with established professional standards:

Reporting relationships

The OAG’s Chief Audit Executive reports functionally to the Audit Committee and administratively to the Auditor General.

The Chief Audit Executive is responsible for developing and updating PRIA’s risk-based plan annually. PRIA presents its plan to the Audit Committee for review. The Audit Committee recommends the approval of the plan to the Auditor General. The Auditor General is the final approval authority for the plan.

Objectives of the risk-based plan

PRIA’s risk-based plan has 2 key objectives:

The PRIA planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the OAG’s strategic objectives. As a result, the PRIA risk-based plan is adjusted as required.

PRIA’s performance measures

In 2018, PRIA developed a set of performance measures to quantify and track its performance. Using a balanced scorecard approach, PRIA developed indicators for 4 key perspectives:

The Appendix provides details on each perspective and associated performance measure as well as the results for the 2019–20 fiscal year.

Status of the 2019–20 PRIA Risk-Based Plan

In the 2019–20 fiscal year, PRIA completed most of its planned activities as described in its Risk-Based Plan for the 2019–20 to 2021–22 Fiscal Years. Activities still to be completed are the internal audit on Resourcing the audit practices, which is scheduled to be completed in the 2020–21 fiscal year, and the review and performance of internal controls for executive travel, hospitality, conference and event expenditures, which is in the reporting phase.

PRIA also undertook the following additional activities in the 2019–20 fiscal year:

Furthermore, in the 2019–20 fiscal year, PRIA team members participated on a number of OAG committees. This participation helped members to increase their knowledge of business and identify risks. In 2019–20, the team observed at the following committees:

Internal Audit Plan for the 2020–21 to 2022–23 Fiscal Years

Context for performing internal audits

The OAG complies, as required, with the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit. PRIA adheres to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing when conducting its internal audit work.

In developing its risk-based plan, PRIA considers the requirements of the institute’s standards. When planning its internal audits and assessments of internal controls, PRIA seeks to validate the effectiveness of the OAG’s implementation of its internal control framework.

Internal audit planning and prioritization process

PRIA has developed a comprehensive strategy for establishing its risk-based internal audit plan, which includes environmental scanning, risk assessments, and extensive consultations.

Environmental scanning

PRIA performs internal and external environmental scans.

The external environmental scans look for changes in the environment that could affect the OAG’s strategic objectives or PRIA’s internal audit mandate. PRIA monitors the external environment to ensure that its internal policies and procedures regarding internal audits comply with requirements. PRIA also considers the work of the Office of the Comptroller General of Canada and other government departments and agencies that may be relevant to the OAG.

The internal scan looks for changes in the OAG’s internal environment, such as the introduction of new policies, procedures, and programs. It also includes a review of previous PRIA plans and the findings of previous internal audits and practice reviews.

Risk assessments

PRIA’s risk-based plan is based on an assessment of risk affecting audit services and audit practices. The OAG uses its Integrated Risk Management Framework to assess risks and assign them to “strategic,” “compliance,” and “operations” categories. The key risks identified by leaders of the services and of the audit practices must be monitored and managed to ensure that the OAG meets its commitments and achieves its objectives. PRIA reviews the risks the OAG faces using the results of the OAG’s integrated risk management exercise, including the risk registries for the audit practices and audit services. The main activities and processes of the OAG’s corporate, practice, and service risk registers form the basis for PRIA’s audit universe.

For planning purposes, PRIA classifies risks from low to high by considering the risk mitigation activities presented by the leaders of the practice and service areas. PRIA also looks for risks that affect more than 1 service area, and considers such risks as higher risks.

In the 2019–20 fiscal year, the OAG underwent significant changes to its senior management ranks. The passing of the Auditor General in February 2019 resulted in the appointment of an Interim Auditor General. In addition, 2 Deputy Auditors General (one of whom became the Interim Auditor General) and a new Chief Financial Officer had been appointed in January 2019, along with 5 other assistant auditors general to lead the audit practices and audit services in anticipation of upcoming retirements at this executive level. Also, the Commissioner of the Environment and Sustainable Development retired in 2019 and an interim Commissioner was appointed. After an appointment process that was managed by the Privy Council Office, Karen Hogan was appointed as the Auditor General, for a ten-year term, effective 8 June 2020.

Management took actions to manage the risks that may result from these leadership changes. When planning new engagements and in developing its framework to assess governance at the OAG, PRIA will continue to monitor the risks associated with leadership changes and with processes put in place by management.

In March 2020, the country was affected by a national pandemic, COVID-19, which impacted the Office’s ability to carry out its mandate. Stay-at-home and physical distancing orders caused the Office to close its premises and to instruct staff to work remotely. The pandemic impacted all sectors of the Office, including PRIA, and posed a risk to employee wellness and business continuity. In response to this event, PRIA has planned to conduct a review of the Office’s preparedness and response to the pandemic, including information technology (IT) security.

Other events

In the 2017–18 fiscal year, PRIA conducted an external assessment of the OAG’s internal audit activity to assess conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The OAG received the highest rating of “generally conforms”. The Institute’s standards required that such an assessment be conducted every 5 years. As such, the next external assessment is to be conducted in the 2022–23 fiscal year. In response to this upcoming review, PRIA plans to conduct a self-assessment in 2021–22 of its internal audit practices against the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and implement an action plan to address any gaps.

In the 2018–19 fiscal year, an international peer review was conducted to determine whether the OAG adhered to relevant legislation and professional standards in the execution of its mandate and whether its system of quality control (SOQC) for the audit practices was suitably designed and effectively implemented to provide the OAG with reasonable assurance that its work complied with all relevant professional standards. The Office’s system of quality control included the conduct of practice reviews. The peer reviewers recommended that in order for the OAG to receive the maximum benefit from its practice review process, PRIA should focus on complex and risky audits and ensure that the outcomes of these reviews are available to inform the planning of the next cycle of audits. In response, PRIA documented its consideration of audit risk and complexity in its selection strategy for practice reviews and modified its procedure to conduct practice reviews and disseminate the results of these reviews in a more timely fashion.

Consultations

The PRIA team seeks clarification, if required, with senior management to better understand management’s assessment of risk. It also discusses other management activities undertaken to better document controls or mitigate risks.

PRIA uses these activities to establish a list of auditable activities.

Prioritization

To prioritize auditable activities and other types of work, PRIA prepares a template and considers how the issues identified link with risk factors and OAG strategies.

PRIA defines risk factors as

PRIA uses a rating scale of 1 to 5 to rank the impact of the auditable activity with the risk factors on the OAG’s 11 strategic objectives, with 1 meaning low impact and 5 meaning high impact.

Prioritizing the auditable activities results in identifying new engagements and may also affect the scheduling of previously planned engagements.

Internal audit plan for the 2020–21 to 2022–23 fiscal years

For the 2020–21 to 2022–23 fiscal years, PRIA plans to conduct the following internal audits and engagements (Exhibit 1).

Exhibit 1—PRIA’s planned activities for the next 3 fiscal years

| Fiscal year | Name | Estimated hours | External resource | Data analytics | Governance | Risk management | Internal controls |
|---|---|---|---|---|---|---|---|
| 2020–21 | Internal audit: Resourcing Audit Practices (continue) | 1,000 (original budget for engagement is 2,000) | Yes | No | Yes | Yes | Yes |
| 2020–21 | Review of OAG’s preparedness and response as it relates to the recent COVID-19 pandemic, including IT security | 1,500 | Yes | No | Yes | Yes | Yes |
| 2021–22 | Internal audit: Protection of personal information* | 1,500 | Yes | No | Yes | Yes | Yes |
| 2021–22 | Internal review: Security—Physical site access* | 1,500 | Yes | Not applicable | Yes | Yes | Yes |
| 2021–22 | Self-assessment: PRIA’s self-assessment of its internal audit activity | 400 | No | Not applicable | Yes | Yes | Yes |
| 2022–23 | External review: External assessment of PRIA’s internal audit function | 250 | Yes | Not applicable | Yes | Yes | Yes |
| 2022–23 | Internal audit: Strategic planning for performance audits* | 2,000 | No | No | Yes | Yes | Yes |

Practice Review Plan for the 2020–21 Fiscal Year

Context for performing practice reviews

The Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1 (CSQC 1), Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements requires the OAG to establish a monitoring process that provides reasonable assurance that the policies and procedures for quality control are relevant, are adequate, and operate effectively. The process must include, on a cyclical basis, an inspection of at least 1 completed engagement for each engagement leader (principal).

PRIA is responsible for conducting inspections at the engagement level by assessing the design and implementation of the OAG’s System of Quality Control in accordance with CSQC 1 for all product lines to ensure its operational effectiveness. To do so, PRIA periodically assesses the design of the System of Quality Control and annually conducts systematic and rigorous practice reviews that cover all senior practitioners over a multi-year cycle.

PRIA’s approach to engagement selection

As of April 2020, there were 30 engagement leaders in the audit practices: 18 in the financial audit practice and 12 in the performance audit practice.

PRIA used a random sampling approach to select, for practice reviews, engagement leaders who had completed an audit during the audit period under review. PRIA ensures that the sample selected for practice review includes the following considerations:

Engagement leader review

PRIA reviews the audit work of engagement leaders from each practice at least once every 4 years. PRIA’s 4-year review cycle for each assurance category allows for the review of each engagement leader within a reasonable period.

Practice reviews planned for the 2020–21 fiscal year

In the 2020–21 fiscal year, PRIA expects to perform up to 6 practice reviews of financial audit engagement leaders who completed audits in 2020–21 and up to 12 reviews of direct engagement leaders who completed audits in 2018–19, 2019–20, and 2020–21. PRIA may conduct additional practice reviews, given the results of past reviews or to address other concerns or specific audit practice risks.

Resourcing

PRIA’s team to carry out its risk-based plan:

PRIA may engage temporary resources as needed.

Budget

PRIA has a total budget of approximately 9,100 hours to perform its work in the 2020–21 fiscal year (Exhibit 2). This is an increase of approximately 23% over the previous year’s allocation of 7,400 hours.

Exhibit 2—PRIA’s budget allocation for the 2020–21 fiscal year

| Activities | Estimated hours |
|---|---|
| Internal audit engagement | 2,500 |
| Knowledge of business, assessments of internal controls, consulting engagements, projects, the Quality Assurance and Improvement Program, and risk-based planning | 1,500 |
| Practice reviews—Financial audit and direct engagement audit practices | 2,000 |
| Audit Committee and follow-up of recommendations | 1,500 |
| Administration and team management | 1,500 |
| External inspections | 100 |
| Total | 9,100 |

Appendix—Performance of PRIA against Its Measures

In the 2018–19 fiscal year, Practice Review and Internal Audit (PRIA) developed its balanced scorecard of performance measures and began to track its performance against these measures. Below are PRIA’s results for the 2019–20 fiscal year.

Vision

The PRIA team is recognized and respected for the quality of its work and for its value-added contribution to the Office of the Auditor General of Canada (OAG).

Mission

The PRIA team’s mission is to enhance and protect the OAG’s value by providing risk-based and objective assurance, advice, and insight.

Financial perspective

Be a financially well-managed organization accountable for the use of resources entrusted to it

| Measure | Target | Result | Comment |
|---|---|---|---|
| Percentage of PRIA contracts that are in compliance with OAG policies. | 100% | 100% | |
| PRIA’s activities are delivered within its operational budget of hours. | 100% | 123% | 23% over budget* |

Internal perspective

Ensure selection and continuance of audit products likely to have significant impact and value

| Measure | Target | Result | Comment |
|---|---|---|---|
| The Audit Committee recommends the approval of PRIA’s risk-based plan to the Auditor General (AG). | AG Approval | Met | |

Ensure internal audits comply with professional standards in an economical manner

| Measure | Target | Result | Comment |
|---|---|---|---|
| External reviews find the PRIA team does comply with professional standards in the conduct of internal audits. | Highest level of Institute of Internal Audit Standards | Met | Conducted 2017–18 |

Ensure effective, efficient, and accountable OAG governance and management

| Measure | Target | Result | Comment |
|---|---|---|---|
| Percentage of PRIA activities completed in 2019–20 as planned in its risk-based plan for 2019–20. | At least 80% | 67% | 3 of 9 projects delayed due to pandemic* |
| Audit Committee finds the PRIA team is carrying out its activities as expected. | Meets at least 80% of expectations | 100% | |

Customer perspective

Be independent, objective, and non-partisan

| Measure | Target | Result | Comment |
|---|---|---|---|
| Percentage of PRIA employees who comply with professional standards and are independent. | 100% | 100% | |
| Client Satisfaction Survey results indicate that the PRIA team staff demonstrated independence, objectivity, and non-partisanship. | Achieved | Met | |

Report what is working, areas for improvement, and recommendations in a manner that is understandable, timely, fair, and adds value

| Measure | Target | Result | Comment |
|---|---|---|---|
| Percentage of internal audit and practice review recommendations addressed by management. | At least 90% | 100% | |

Learning and growth perspective

Develop and maintain a skilled, engaged, and bilingual workforce

| Measure | Target | Result | Comment |
|---|---|---|---|
| Percentage of PRIA employees who complete mandatory training within the allotted time frame. | 100% | 100% | |
| The Chief Audit Executive (CAE) is a Certified Internal Auditor (CIA). | 100% | 100% | |
| Percentage of PRIA employees who are certified (CIA, Chartered Professional Accountant (CPA)). | At least 50% | 80% | |
| Percentage of PRIA employees who meet the language requirements of their positions. | 100% | 100% | |