Practice Review and Internal Audit—Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years
Table of Contents
- Office of the Auditor General of Canada
- Practice Review and Internal Audit
- Status of the 2019–20 PRIA Risk-Based Plan
- Internal Audit Plan for the 2020–21 to 2022–23 Fiscal Years
- Practice Review Plan for the 2020–21 Fiscal Year
- Appendix—Performance of PRIA against Its Measures
The Practice Review and Internal Audit (PRIA) team of the Office of the Auditor General of Canada (OAG) developed the Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years to ensure that PRIA’s planned engagements meet the OAG’s assurance needs.
This document contains details about the PRIA team’s role, an overview of the planned engagements for the next 3 fiscal years, and information about PRIA’s resources and capacity for the 2020–21 fiscal year.
In establishing its practice review and internal audit priorities, PRIA conducts environmental scans, risk assessments, and consultations with senior management and staff. PRIA also reviews the OAG’s plans and priorities, and the results of the OAG’s latest integrated risk management process. PRIA updates the risk-based plan annually, according to organizational priorities, the availability of resources, and evolving risk-assessment needs.
I would like to thank the OAG’s senior management, staff, and the members of the Audit Committee for their cooperation and assistance with the development of this plan. Their input will allow PRIA to assess the adequacy and effectiveness of governance, risk management, and internal control processes in the OAG.
Chief Audit Executive
Office of the Auditor General of Canada
As an officer of Parliament, the OAG is independent from government and reports directly to the Parliament of Canada. Given its mandate, the OAG is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the OAG’s internal oversight mechanisms are of significant importance to ensuring that adequate management practices are in place. PRIA is one of these oversight mechanisms, as it provides assurance to management through internal audits and practice reviews.
This document presents PRIA’s Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years for the OAG. PRIA has updated the plan to consider the latest results of the OAG’s integrated risk management process and the detailed work and analysis completed by PRIA in the 2019–20 fiscal year. The plan combines proposed internal audit engagements and practice reviews to be completed over the next 3 fiscal years. In determining its planned activities, PRIA sought to allocate its resources to the OAG’s areas of significant risk.
Office of the Auditor General of Canada
The Auditor General of Canada is an officer of Parliament, reporting directly to the Parliament of Canada. The Auditor General is independent of the government in the execution of the position’s work and responsibilities. The OAG’s mandate and the Auditor General’s responsibilities are set out in the Auditor General Act, the Financial Administration Act, and other acts and orders-in-council.
The Commissioner of the Environment and Sustainable Development supports the Auditor General’s mandate related to the environment and sustainable development.
The OAG is the legislative audit office for the federal government and for the 3 territorial governments (Nunavut, Yukon, and the Northwest Territories).
The OAG conducts independent audits and studies that provide objective information, advice, and assurance to Parliament, territorial legislatures, governments, and Canadians. The OAG conducts audits according to professional auditing standards and OAG policies.
The OAG’s mission is to contribute to a well-managed and accountable government for Canadians.
The OAG’s strategic plan for the next 3 years has 3 over-arching goals: caring for each other, modernizing the OAG, and connecting with stakeholders. Caring for each other focuses on supporting employees’ well-being and their learning and growth. Modernizing the OAG focuses on improving tools, the use of technology, processes, and practices. Connecting with stakeholders focuses on enhancing value to clients and the organizations being audited. The desired result of this plan is to increase the impact and relevance of the OAG for its clients, those it audits, other stakeholders, and its employees.
Practice Review and Internal Audit
The mission of the OAG’s PRIA team is to enhance and protect the OAG’s value by providing risk-based and objective assurance, advice, and insight.
Scope of activities
The PRIA team’s scope of activities serves 2 separate but related purposes:
- Internal Audit. PRIA’s Internal Audit team has adopted the Institute of Internal Auditors’ Definition of Internal Auditing to help the OAG accomplish its organizational vision, mission, and strategic objectives. The team provides independent, objective assurance and consulting activities to add value and improve the OAG’s operations. The team brings a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
- Practice Review. PRIA’s Practice Review team helps the OAG meet its obligations under the Chartered Professional Accountants of Canada’s Canadian Standard on Quality Control 1 (CSQC 1), Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements. PRIA does this work by conducting inspections to determine the extent to which engagement leaders comply with professional standards, OAG policies, and applicable legislative and regulatory requirements when conducting their audits. These reviews also ensure that audit reports are supported and appropriate.
PRIA conducts its work in accordance with established professional standards:
- Internal audits are conducted in accordance with the International Professional Practices Framework issued by the Institute of Internal Auditors and with the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit as they apply to the OAG.
- Practice reviews are conducted in compliance with the Chartered Professional Accountants of Canada’s CSQC 1, Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements. PRIA also conforms to the Institute of Internal Auditors’ Attribute Standards for independence and objectivity, for proficiency and due professional care, and for the Quality Assurance and Improvement Program.
The OAG’s Chief Audit Executive reports functionally to the Audit Committee and administratively to the Auditor General.
The Chief Audit Executive is responsible for developing and updating PRIA’s risk-based plan annually. PRIA presents its plan to the Audit Committee for review. The Audit Committee recommends the approval of the plan to the Auditor General. The Auditor General is the final approval authority for the plan.
Objectives of the risk-based plan
PRIA’s risk-based plan has 2 key objectives:
- Identify potential internal engagements on the basis of an assessment of the OAG’s risks and risk management procedures and an understanding of the OAG’s plans and priorities.
- Identify a practice review schedule that meets the requirements of professional standards and addresses the OAG’s intent to continue improving the conduct of its audits.
The PRIA planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the OAG’s strategic objectives. As a result, the PRIA risk-based plan is adjusted as required.
PRIA’s performance measures
In 2018, PRIA developed a set of performance measures to quantify and track its performance. Using a balanced scorecard approach, PRIA developed indicators for 4 key perspectives:
- financial perspective
- internal perspective
- customer perspective
- learning and growth perspective
The Appendix provides details on each perspective and associated performance measure as well as the results for the 2019–20 fiscal year.
Status of the 2019–20 PRIA Risk-Based Plan
In the 2019–20 fiscal year, PRIA completed most of its planned activities as described in its Risk-Based Plan for the 2019–20 to 2021–22 Fiscal Years. Activities still to be completed are the internal audit on Resourcing the audit practices, which is scheduled to be completed in the 2020–21 fiscal year, and the review and performance of internal controls for executive travel, hospitality, conference, and event expenditures, which is in the reporting phase.
PRIA also undertook the following additional activities in the 2019–20 fiscal year:
- completed a benchmarking exercise to compare the OAG’s internal audit activity with those of similar-sized government departments or agencies and other officers of Parliament
- reviewed the implementation of the project to replace the OAG’s human resources management information system
- helped coordinate a provincial practice inspection required by the Chartered Professional Accountants of Canada (CPA Canada); CPA Alberta completed a review
- monitored OAG management’s follow-up on PRIA recommendations
- acted as an independent observer of the international peer review process
- conducted annual and multi-year planning for PRIA engagements
- attended conferences and professional development training related to PRIA’s work
Furthermore, in the 2019–20 fiscal year, PRIA team members participated on a number of OAG committees. This participation helped members to increase their knowledge of business and identify risks. In 2019–20, the team observed at the following committees:
- Annual Audit Principal/Director (PX/DX) Steering Committee
- Annual Audit PX/DX Forum
- Annual Audit Champion Network
- Biweekly Financial Directors’ Meeting
- Performance Audit Practice Management Committee
- Performance Audit Practice Operations Committee
- PX Forum
Internal Audit Plan for the 2020–21 to 2022–23 Fiscal Years
Context for performing internal audits
The OAG complies, as required, with the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit. PRIA adheres to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing when conducting its internal audit work.
In developing its risk-based plan, PRIA considers the requirements of the institute’s standards. When planning its internal audits and assessments of internal controls, PRIA seeks to validate the effectiveness of the OAG’s implementation of its internal control framework.
Internal audit planning and prioritization process
PRIA has developed a comprehensive strategy for establishing its risk-based internal audit plan, which includes environmental scanning, risk assessments, and extensive consultations.
PRIA performs internal and external environmental scans.
The external environmental scans look for changes in the environment that could affect the OAG’s strategic objectives or PRIA’s internal audit mandate. PRIA monitors the external environment to ensure that its internal policies and procedures regarding internal audits comply with requirements. PRIA also considers the work of the Office of the Comptroller General of Canada and other government departments and agencies that may be relevant to the OAG.
The internal scan looks for changes in the OAG’s internal environment, such as the introduction of new policies, procedures, and programs. It also includes a review of previous PRIA plans and the findings of previous internal audits and practice reviews.
PRIA’s risk-based plan is based on an assessment of risk affecting audit services and audit practices. The OAG uses its Integrated Risk Management Framework to assess risks and assign them to “strategic,” “compliance,” and “operations” categories. The key risks identified by leaders of the services and of the audit practices must be monitored and managed to ensure that the OAG meets its commitments and achieves its objectives. PRIA reviews the risks the OAG faces using the results of the OAG’s integrated risk management exercise, including the risk registries for the audit practices and audit services. The main activities and processes of the OAG’s corporate, practice, and service risk registers form the basis for PRIA’s audit universe.
For planning purposes, PRIA classifies risks from low to high by considering the risk mitigation activities presented by the leaders of the practice and service areas. PRIA also looks for risks that affect more than 1 service area, and considers such risks as higher risks.
In the 2019–20 fiscal year, the OAG underwent significant changes to its senior management ranks. The passing of the Auditor General in February 2019 resulted in the appointment of an Interim Auditor General. In addition, 2 Deputy Auditors General (one of whom became the Interim Auditor General) and a new Chief Financial Officer had been appointed in January 2019, along with 5 other assistant auditors general to lead the audit practices and audit services in anticipation of upcoming retirements at this executive level. Also, the Commissioner of the Environment and Sustainable Development retired in 2019 and an interim Commissioner was appointed. After an appointment process that was managed by the Privy Council Office, Karen Hogan was appointed as the Auditor General, for a ten-year term, effective 8 June 2020.
Management took actions to manage the risks that may result from these leadership changes. When planning new engagements and in developing its framework to assess governance at the OAG, PRIA will continue to monitor the risks associated with leadership changes and with processes put in place by management.
In March 2020, the country was affected by a national pandemic, COVID-19, which impacted the Office’s ability to carry out its mandate. Stay-at-home and physical distancing orders caused the Office to close its premises and to instruct staff to work remotely. The pandemic impacted all sectors of the Office, including PRIA, and posed a risk to employee wellness and business continuity. In response to this event, PRIA has planned to conduct a review of the Office’s preparedness and response to the pandemic, including information technology (IT) security.
In the 2017–18 fiscal year, PRIA conducted an external assessment of the OAG’s internal audit activity to assess conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The OAG received the highest rating of “generally conforms”. The Institute’s standards required that such an assessment be conducted every 5 years. As such, the next external assessment is to be conducted in the 2022–23 fiscal year. In response to this upcoming review, PRIA plans to conduct a self-assessment in 2021–22 of its internal audit practices against the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and implement an action plan to address any gaps.
In the 2018–19 fiscal year, an international peer review was conducted to determine whether the OAG adhered to relevant legislation and professional standards in the execution of its mandate and whether its system of quality control (SOQC) for the audit practices was suitably designed and effectively implemented to provide the OAG with reasonable assurance that its work complied with all relevant professional standards. The Office’s system of quality control included the conduct of practice reviews. The peer reviewers recommended that in order for the OAG to receive the maximum benefit from its practice review process, PRIA should focus on complex and risky audits and ensure that the outcomes of these reviews are available to inform the planning of the next cycle of audits. In response, PRIA documented its consideration of audit risk and complexity in its selection strategy for practice reviews and modified its procedure to conduct practice reviews and disseminate the results of these reviews in a more timely fashion.
The PRIA team seeks clarification, if required, with senior management to better understand management’s assessment of risk. It also discusses other management activities undertaken to better document controls or mitigate risks.
PRIA uses these activities to establish a list of auditable activities.
To prioritize auditable activities and other types of work, PRIA prepares a template and considers how the issues identified link with risk factors and OAG strategies.
PRIA defines risk factors as
- external events/operating environment, such as pandemics
- susceptibility to fraud
- implications for reputation and corporate image
- complexity of operations
- results of the last audit or other known deficiencies
- changes to systems, policies, or procedures
- implications for legal, regulatory, or policy compliance
PRIA uses a rating scale of 1 to 5 to rank the impact of the auditable activity with the risk factors on the OAG’s 11 strategic objectives, with 1 meaning low impact and 5 meaning high impact.
Prioritizing the auditable activities results in identifying new engagements and may also affect the scheduling of previously planned engagements.
Internal audit plan for the 2020–21 to 2022–23 fiscal years
For the 2020–21 to 2022–23 fiscal years, PRIA plans to conduct the following internal audits and engagements (Exhibit 1).
Exhibit 1—PRIA’s planned activities for the next 3 fiscal years
| Fiscal year | Name | Estimated hours | External resource | Data analytics | Governance | Risk management | Internal controls |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2020–21 | Internal audit: Resourcing Audit Practices (continue) | 1,000 (original budget for engagement is 2,000) | Yes | No | Yes | Yes | Yes |
| 2020–21 | Review of OAG’s preparedness and response as it relates to the recent COVID-19 pandemic, including IT security | 1,500 | Yes | No | Yes | Yes | Yes |
| 2021–22 | Internal audit: Protection of personal information | 1,500 | Yes | No | Yes | Yes | Yes |
| 2021–22 | Internal review: Security—Physical site access | 1,500 | Yes | Not applicable | Yes | Yes | Yes |
| 2021–22 | Self-assessment: PRIA’s self-assessment of its internal audit activity | 400 | No | Not applicable | Yes | Yes | Yes |
| 2022–23 | External review: External assessment of PRIA’s internal audit function | 250 | Yes | Not applicable | Yes | Yes | Yes |
| 2022–23 | Internal audit: Strategic planning for performance audits | 2,000 | No | No | Yes | Yes | Yes |
Practice Review Plan for the 2020–21 Fiscal Year
Context for performing practice reviews
The Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1 (CSQC 1), Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements requires the OAG to establish a monitoring process that provides reasonable assurance that the policies and procedures for quality control are relevant, are adequate, and operate effectively. The process must include, on a cyclical basis, an inspection of at least 1 completed engagement for each engagement leader (principal).
PRIA is responsible for conducting inspections at the engagement level by assessing the design and implementation of the OAG’s System of Quality Control in accordance with CSQC 1 for all product lines to ensure its operational effectiveness. To do so, PRIA periodically assesses the design of the System of Quality Control and annually conducts systematic and rigorous practice reviews that cover all senior practitioners over a multi-year cycle.
PRIA’s approach to engagement selection
As of April 2020, there were 30 engagement leaders in the audit practices: 18 in the financial audit practice and 12 in the performance audit practice.
PRIA used a random sampling approach to select, for practice review, engagement leaders who had completed an audit during the audit period under review. PRIA ensures that the sample selected for practice review reflects the following considerations:
- selecting engagement leaders from the financial audit practice and the direct engagement practice (performance audits and special examinations);
- ensuring that a new engagement leader is being selected at a rate of 75% in the first year of appointment at level; and
- ensuring that audits of higher risk and of higher complexity are included in the sample selection.
Engagement leader review
PRIA reviews the audit work of engagement leaders from each practice at least once every 4 years. PRIA’s 4-year review cycle for each assurance category allows for the review of each engagement leader within a reasonable period.
Practice reviews planned for the 2020–21 fiscal year
In the 2020–21 fiscal year, PRIA expects to perform up to 6 practice reviews of financial audit engagement leaders who completed audits in 2020–21 and up to 12 reviews of direct engagement leaders who completed audits in 2018–19, 2019–20, and 2020–21. PRIA may conduct additional practice reviews, given the results of past reviews or to address other concerns or specific audit practice risks.
PRIA’s team to carry out its risk-based plan:
- Louise Bertrand, Chief Audit Executive
- Lori-Lee Flanagan, Director
- Marc Gauthier, Director
- Patrick Polan, Director
- Michelle Robert, Director
- Caroline Viens, Director
- Karen O’Reilly, Administrative Assistant
PRIA may engage temporary resources as needed.
PRIA has a total budget of approximately 9,100 hours to perform its work in the 2020–21 fiscal year (Exhibit 2). This is an increase of approximately 23% over the previous year’s allocation of 7,400 hours.
Exhibit 2—PRIA’s budget allocation for the 2020–21 fiscal year
| Activity | Hours |
| --- | --- |
| Internal audit engagement | 2,500 |
| Knowledge of business, assessments of internal controls, consulting engagements, projects, the Quality Assurance and Improvement Program, and risk-based planning | 1,500 |
| Practice reviews—Financial audit and direct engagement audit practices | 2,000 |
| Audit Committee and follow-up of recommendations | 1,500 |
| Administration and team management | 1,500 |
Appendix—Performance of PRIA against Its Measures
In the 2018–19 fiscal year, Practice Review and Internal Audit (PRIA) developed its balanced scorecard of performance measures and began to track its performance against these measures. Below are PRIA’s results for the 2019–20 fiscal year.
The PRIA team is recognized and respected for the quality of its work and for its value-added contribution to the Office of the Auditor General of Canada (OAG).
The PRIA team’s mission is to enhance and protect the OAG’s value by providing risk-based and objective assurance, advice, and insight.
Be a financially well-managed organization accountable for the use of resources entrusted to it
| Measure | Target | Result | Comment |
| --- | --- | --- | --- |
| Percentage of PRIA contracts that are in compliance with OAG policies. | 100% | 100% | |
| PRIA’s activities are delivered within its operational budget of hours. | 100% | 123% | 23% over budget |
Ensure selection and continuance of audit products likely to have significant impact and value
| Measure | Target | Result |
| --- | --- | --- |
| The Audit Committee recommends the approval of PRIA’s risk-based plan to the Auditor General (AG). | AG Approval | Met |
Ensure internal audits comply with professional standards in an economical manner
| Measure | Target | Result | Comment |
| --- | --- | --- | --- |
| External reviews find the PRIA team does comply with professional standards in the conduct of internal audits. | Highest level of Institute of Internal Audit Standards | Met | Conducted 2017–18 |
Ensure effective, efficient, and accountable OAG governance and management
| Measure | Target | Result | Comment |
| --- | --- | --- | --- |
| Percentage of PRIA activities completed in 2019–20 as planned in its risk-based plan for 2019–20. | At least 80% | 67% | 3 of 9 projects delayed due to pandemic |
| Audit Committee finds the PRIA team is carrying out its activities as expected. | Meets at least 80% of expectations | 100% | |
Be independent, objective, and non-partisan
| Measure | Target | Result |
| --- | --- | --- |
| Percentage of PRIA employees who comply with professional standards and are independent. | 100% | 100% |
| Client Satisfaction Survey results indicate that the PRIA team staff demonstrated independence, objectivity, and non-partisanship. | Achieved | Met |
Report what is working, areas for improvement, and recommendations in a manner that is understandable, timely, fair, and adds value
| Measure | Target | Result |
| --- | --- | --- |
| Percentage of internal audit and practice review recommendations addressed by management. | At least 90% | 100% |
Learning and growth perspective
Develop and maintain a skilled, engaged, and bilingual workforce
| Measure | Target | Result |
| --- | --- | --- |
| Percentage of PRIA employees who complete mandatory training within the allotted time frame. | 100% | 100% |
| The Chief Audit Executive (CAE) is a Certified Internal Auditor (CIA). | 100% | 100% |
| Percentage of PRIA employees who are certified (CIA, Chartered Professional Accountant (CPA)). | At least 50% | 80% |
| Percentage of PRIA employees who meet the language requirements of their positions. | 100% | 100% |