Archived [2009-07-01] - Policy on Internal Audit
We will be updating our design to align with Canada.ca. The policies, directives, standards and guidelines will remain available during and after this update is complete.
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
1. Effective Date
1.1 This policy takes effect on April 1, 2006, replacing the 2001 Policy on Internal Audit.
1.2 The implementation of this policy will be phased in between the effective date of the policy and April 1, 2009. A review of the implementation will be conducted six months prior to April 1, 2009, to determine if changes to the policy are required.
2.1 This policy applies to departments and agencies defined as departments within the meaning of section 2 of the Financial Administration Act. Throughout this policy, the terms "government-wide" and "across government" refer to these departments.
2.2 For the purposes of this policy, Treasury Board has established criteria for designating departments as small departments and agencies (SDAs). These criteria are provided in section 5.4.1 below. All other departments are referred to as large departments and agencies (LDAs).
3.1 This policy is issued pursuant to paragraph 7.(1) (a) of the Financial Administration Act.
3.2 This policy is designed to ensure that, at both departmental and government-wide levels, internal audit and audit committees provide deputy heads and the Comptroller General, respectively, with added assurance, independent from line management, on risk management, control, and governance processes. (The terms risk management, control, and governance processes are defined in The Professional Practices Framework published by the Institute of Internal Auditors, January 2004.)
3.3 While deputy heads, in the context of the Treasury Board Secretariat Management Accountability Framework, are responsible for the systems of internal controls in their departments, this policy provides a clear and integrated assignment of responsibilities for internal auditing between deputy heads and the Comptroller General that supports strong internal auditing across government.
4. Policy Statement
4.1 The objective of the policy is to strengthen public sector accountability, risk management, resource stewardship and good governance by reorganizing and bolstering internal audit on a government-wide basis.
4.2 In that context, Treasury Board has decided that:
4.2.1 The Government of Canada sustain a strong, credible internal audit regime that has the confidence of the government, contributes directly to effective risk management, sound resource stewardship and good governance, and is repositioned as a key underpinning of governance within departments and agencies and across government.
4.2.2 The government ensure the real and perceived independence of internal audit from line management by introducing:
- Independent audit committees that will include competent and experienced members drawn from outside the federal public service; and
- The organizational independence of chief audit executives who lead audit functions.
4.2.3 All departments and agencies, and the government as a whole, be supported by professional and comprehensive internal audit coverage through a changed delivery model in which:
- Deputy heads remain fully responsible for the adequacy of internal audit coverage in their departments;
- The Comptroller General takes on responsibility for horizontal and sectoral audits; and
- As part of this mandate, the Comptroller General undertakes focused horizontal or sectoral auditing in SDAs and facilitates access to professional internal audit resources for SDAs that need additional audit work.
4.2.4 The Comptroller General is responsible for focused, sustained functional leadership of internal audit across government in order to build and develop capacity; ensure adequate levels of professionally qualified resources; and ensure adherence to professional standards and rigorous methodology in the delivery of internal audits.
4.2.5 Chief audit executives provide annual holistic opinions to deputy heads and audit committees on the effectiveness and adequacy of risk management, control, and governance processes in their departments, as well as reporting on individual risk-based audits. Similarly, it was decided that the Comptroller General report annually to Treasury Board on the state of risk management, control and governance processes across government, addressing fundamental controls, including basic reporting controls for financial statements, thematic or sectoral controls, and the results of risk-based internal audit work carried out within departments.
5. Policy Requirements
5.1 The term "deputy head" is used in this policy in the broad sense assigned to it by section 11 of the Financial Administration Act. It includes deputy ministers, heads of agencies, chief executive officers, and statutory or designated deputy heads.
5.2 This policy recognizes that departments are diverse in size and risk. The requirements below distinguish among those applicable to deputy heads of large departments, deputy heads of SDAs, and those that apply to all deputy heads.
5.3 Deputy heads of large departments (all departments other than those designated as SDAs) are responsible for:
5.3.1 Establishing an internal audit function that is appropriately resourced and that operates in accordance with this policy and professional internal auditing standards.
5.3.2 Establishing an independent departmental audit committee that includes a majority of external members who are not currently in the federal public service. (Requirements relating to the role, responsibilities and membership of the departmental audit committee are described in Directive on Departmental Audit Committees.)
5.3.3 Appointing a qualified chief audit executive at a senior executive level, reporting to the deputy head, to lead and direct the internal audit function. (Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General sets out additional requirements for chief audit executives. The Comptroller General's Guidelines on the Responsibilities of Chief Audit Executives and Guidelines on Expected Qualifications of Chief Audit Executives provide advice on the responsibilities and expected qualifications of chief audit executives.)
5.3.4 Approving a departmental internal audit plan that addresses all areas of higher risk and significance, including audits identified by the Comptroller General as part of government-wide or sectoral coverage, and designed to support an annual opinion from the chief audit executive on departmental risk management, control, and governance processes. (Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General sets out additional requirements for departmental internal audit plans.)
5.3.5 Ensuring appropriate internal audit coverage for special operating agencies and other entities within their departments and under their control.
5.4 Small departments and agencies
5.4.1 For the purpose of designating departments as SDAs under this policy, the two criteria of fewer than 500 full-time equivalents and a reference-level of less than $300 million per year will apply for all departments except agents of Parliament (Office of the Auditor General, Office of the Chief Electoral Officer, Office of the Commissioner of Official Languages, Office of the Information Commissioner and Office of the Privacy Commissioner), which are treated as LDAs. Any exclusions to the application of these criteria will require the approval of the Treasury Board, providing the SDA has the demonstrated capacity to fully meet the expectations set out in this policy for LDAs, on an ongoing basis, either on its own or via the provisions of such capacity by the leadership of the portfolio of the departments/agencies to which the SDA is accountable. Similarly, any exceptional additions to the list of SDAs will require the approval of Treasury Board and will be treated on a case-by-case basis. For both exclusions and additions, the Comptroller General will provide an independent assessment.
5.4.2 The Comptroller General will conduct horizontal and other audits on SDAs each year and will provide deputy heads with copies of all relevant audit reports. Recognizing that SDAs vary in terms of size and risk, in many cases deputy heads may decide that the work performed by the Comptroller General fully meets their internal audit requirements. However, considering the risk profile and control environment of their departments, deputy heads must decide whether further internal audits are necessary. If further work is needed, the deputy head shall approve an internal audit plan.
5.4.3 When deputy heads of SDAs need internal auditing work beyond that conducted by the Comptroller General, but do not have enough work or resources to sustain a credible, professional internal audit function, the Comptroller General will facilitate access to independent, qualified internal auditing resources.
5.4.4 When an SDA conducts an internal audit, the deputy head must ensure that the internal auditing work meets the Internal Auditing Standards of the Government of Canada as prescribed by the Comptroller General.
5.4.5 When an SDA conducts an internal audit, the deputy head must ensure that the audit work is overseen and guided by an independent audit committee. The deputy head must establish a departmental audit committee in accordance with Directive on Departmental Audit Committees, or a joint independent audit committee with other portfolio-related departments, or arrange with the Comptroller General to have access to the SDA Audit Committee.
5.5 Deputy heads of all departments are responsible for:
5.5.1 Putting in place effective procedures to ensure systematic review of control and accountability processes in their departments.
5.5.2 Taking into account the results of internal audits conducted by the Comptroller General.
5.5.3 Ensuring that the audit committee receives all of the information and documentation needed or requested to fulfill its responsibilities, subject to applicable legislation.
5.5.4 Ensuring that management action plans are prepared that adequately address the recommendations and findings arising from internal audits, and that the action plans have been effectively implemented.
5.5.5 Ensuring that completed audit reports are:
- Issued in a timely manner and made accessible to the public with minimal formality; and
- Posted on departmental web sites in a timely manner, in both official languages. Reports posted on the departmental web site must respect the Access to Information Act and the Privacy Act.
5.5.6 Ensuring that the respective Minister is briefed periodically on significant items arising from the work of internal audit and the audit committee. It is expected that the Minister would meet annually in camera with the Internal Audit Committee for assurance regarding risk management, control and audit systems. It is also expected that the deputy head would routinely be briefed by the Audit Committee on their assurance findings.
5.5.7 Ensuring that the Office of the Comptroller General and its agents, for the purpose of carrying out assigned responsibilities, are given:
- Full access to departmental records, databases, workplaces and employees, and have the right to obtain information and explanations from departmental employees and contractors; and
- Management representations needed to support the planning, conduct, and reporting of audits by the Comptroller General.
5.6 Responsibilities of the Comptroller General
5.6.1 Treasury Board has assigned specific responsibilities to the Comptroller General for the functional leadership and monitoring of internal auditing across government, for horizontal auditing in LDAs and SDAs, and for the support of information technology and forensic auditing. These responsibilities are described in the Appendix.
5.6.2 Treasury Board also requires the Comptroller General to report annually to the Board on:
- Significant issues of risk, control or management arising from internal auditing across government;
- Horizontal and SDA auditing; and
- The overall state of risk management, control, and governance processes across government.
5.6.3 Treasury Board has delegated to the Comptroller General the authority to issue such operational directives, standards and guidelines as are necessary to support this policy.
5.7 Monitoring and Reporting
5.7.1 Deputy heads are responsible for monitoring adherence to this policy in their departments. Departments should have measures in place, as appropriate, to ensure:
- The independence, professionalism and performance of the internal audit function;
- The extent to which internal audit activities address areas of higher risk and significance;
- The timeliness of the internal audit process and reporting on internal auditing engagements;
- The effectiveness of follow-up action;
- The independence, competence and performance of the audit committee; and
- The adequacy of support to the Comptroller General in carrying out horizontal or directed audits.
5.7.2 Departmental audit committees will prepare annual reports to their deputies on their activities, including assessments of the internal audit functions. These reports will be made available to the Comptroller General.
5.7.3 The Comptroller General is responsible for government-wide leadership of internal audit, and for directing horizontal audits, including focused horizontal and other audits in SDAs.At a minimum, the Comptroller General should have measures in place to ensure:
- The adequacy and skill capacity of the internal audit community across government;
- The effectiveness of internal audit methodology;
- The performance of departmental and Comptroller General internal audit functions;
- The effectiveness of liaison with departments and in addressing and resolving issues; and
- The level of satisfaction of deputy heads with internal auditing services conducted by the Office of the Comptroller General.
5.7.4 The Comptroller General will report annually to Treasury Board on the implementation of this policy and on the effectiveness of the internal audit function across government, based on the analysis of internal audit plans and reports, practice inspections of departmental internal audit functions, audit committee reports and work undertaken directly by the Comptroller General.
5.7.5 The Comptroller General will establish a framework to guide the evaluation of the policy; Treasury Board Secretariat will make sure an evaluation is conducted within five years.
6.1 If, as a result of this monitoring, it is apparent that a department has not complied with this policy, consequences that are applicable to all Treasury Board policies, and as set out in the Financial Administration Act, will apply.
7.1 Other Relevant Legislation
7.2 Related Publications
Institute of Internal Auditors (IIA): The Professional Practices Framework
Canadian Institute of Chartered Accountants (CICA) Handbook
Results for Canadians: A Management Framework for the Government of Canada
Treasury Board of Canada Secretariat Management Accountability Framework
Treasury Board of Canada Secretariat Integrated Risk Management Framework
Please send any questions about this policy to:
Office of the Assistant Comptroller General, Internal Audit
Treasury Board of Canada Secretariat
300 Laurier Avenue West
Fax: (613) 952-3698
Appendix — Responsibilities of The Comptroller General for Internal Audit
As directed by the Treasury Board, the Comptroller General must:
- Provide effective functional leadership of internal auditing across government;
- Develop and support an effective human resources strategy to ensure that the government has sufficient, well-trained, professional internal audit resources;
- Determine the professional standards to be used for internal auditing in the federal government;
- Develop and support the implementation of standard internal auditing methodology and procedures to be used across government;
- Support the implementation of suitably qualified audit committees, and develop and support expected committee practices to be used across government;
- Conduct ongoing practice inspections and assessments of the entire spectrum of departmental internal audit activities as set out in the Policy on Internal Audit. These inspections to be carried out by independent and qualified professionals who will communicate the results to respective deputy heads, departmental audit committees and chief audit executives;
- Identify, and indicate to deputy heads, which audits are to be included in departmental internal audit plans as part of government-wide coverage;
- Conduct horizontal and other internal audits focused on SDAs, and communicate the results to the appropriate deputy heads and the SDA audit committee;
- Establish an independent SDA audit committee to provide oversight and guidance on internal auditing in SDAs. (Requirements relating to the role, responsibilities and membership of the SDA audit committee are set out in Directive on Small Departments and Agencies Audit Committee);
- Undertake or lead horizontal audits that address government-wide, sectoral or thematic issues in accordance with approved Treasury Board Audit Committee government-wide audit plans;
- Support departments in undertaking internal audits of information technology and forensic audits;
- Confer with, and provide advice to, deputy heads, audit committees, chief audit executives and internal auditors on the application of the Policy on Internal Audit and professional internal auditing standards;
- Maintain an active liaison with chief audit executives and deputy heads on significant issues of risk, control or management practices in departments, and ensure that effective and timely action is taken where there are serious issues to be resolved; and
- Maintain effective liaison with agents of Parliament and central agencies on audit issues.