Rescinded [2017-04-01] - Directive on Internal Auditing in the Government of Canada

This directive takes effect on April 1, 2012.

1.2 It replaces the following:

• Directive on Departmental Audit Committees dated July 1, 2009;
• Directive on Small Departments and Agencies Audit Committee dated July 1, 2009
• Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General dated July 1, 2009
• Guidelines on the Responsibilities of Chief Audit Executive dated April 1, 2006;
• Guidelines on Expected Qualifications for Chief Audit Executives dated April 1, 2006.

2.1 This directive applies to departments as defined in section 2 of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.

2.2 The principles of this directive, as they apply to large departments, will apply to the offices of agents of Parliament (the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages, the Office of the Conflict of Interest and Ethics Commissioner and the Office of the Public Sector Integrity Commissioner). Deputy heads of these organizations may, subject to compliance with sections 16.1 and 16.2 of the Financial Administration Act, authorize such departures from the specific directive requirements contained in this directive as they deem appropriate in light of the governance arrangements, statutory mandate and risk profile of the organization of which they are deputy heads.

2.3 This directive applies to the Comptroller General, deputy heads as defined in subsection 11(1) of the FAA, as well as the chief audit executive and the members of the audit committee of those departments.

3.1 Internal auditing in the Government of Canada is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. It is intended to contribute to the basis by which decision-makers exercise oversight and control over their organizations and apply sound risk management.

Internal auditing adds value by assessing and contributing to the improvement of risk management, control, and governance processes. In doing so, it helps ensure that the organization achieves its objectives efficiently and in a way that demonstrates informed ethical and accountable decision-making.

3.2 This directive will assist in the effective implementation and support of the Policy on Internal Audit by identifying the mandatory requirements and providing direction:

• In establishing appropriate responsibilities and qualifications for departmental chief audit executives;
• In relation to departmental internal auditing and reporting;
• On the role and responsibilities of the members of the audit committee; and
• In relation to the membership and operations of the audit committee.

3.3 This directive is to be read in conjunction with the Policy on Internal Audit, and the Internal Auditing Standards for the Government of Canada.

For definitions of terms used in this directive, refer to the Appendix - Definitions to the Policy on Internal Audit.

5.1 Objective

The objective of this directive is to contribute to the improvement of management by ensuring a strong, credible, effective and sustainable internal audit function within departments as well as government-wide.

5.2 Expected Results

5.2.1 Deputy heads are provided with independent assurance from internal auditing, and advice from the audit committee, regarding the effectiveness of risk management, control and governance processes, at the departmental level and the Comptroller General is provided with the same at the government-wide level.

5.2.2 A strong, credible and effective internal auditing regime that supports deputy heads in their role of accounting officers by:

• Contributing directly to sound risk management, control and governance;
• Maintaining the independence of the internal audit function from line management; and
• Supporting departments, and the government as a whole, through risk-targeted internal audit coverage.

5.2.3 Chief audit executives establish risk-based audit plans and perform assurance engagements necessary to provide the deputy head with independent assurance regarding risk management, control and governance processes.

5.2.4 Internal auditing government-wide is supported and assessed by the Comptroller General in order to:

• Build and sustain the capacity and levels of professionally qualified internal audit resources in the Government of Canada; and
• Ensure adherence to professional standards and rigour in the delivery of internal auditing.

6.1 Chief Audit Executives (CAE)

6.1.1 CAEs are responsible for:

• 6.1.1.1 Establishing and updating at least annually a multi-year plan of internal audit engagements based on a risk assessment and which is focused predominantly on the provision of assurance services.
• 6.1.1.2 Coordinating internal auditing activities and plans with other assurance providers to minimize duplication of effort and demands on departmental management.
• 6.1.1.3 Communicating the plan of engagements and resource requirements for the internal audit function, including any variances to this plan and the impact of resource limitations to the deputy head and the audit committee.
• 6.1.1.4 Ensuring that internal audit resources are appropriate and effectively deployed to achieve the approved plan.
• 6.1.1.5 Ensuring the timely completion of internal audit engagements, including internal audits led by the Comptroller General.
• 6.1.1.6 Ensuring that internal audit engagement reports are provided to the audit committee in a timely manner.
• 6.1.1.7 Reporting to the audit committee on whether management's action plans have been implemented. The CAE's report will include an assessment of the impact of the proposed actions and whether these actions will address the risks identified.
• 6.1.1.8 Ensuring that internal auditors have appropriate professional qualifications and skills and opportunities to maintain and develop their internal auditing competence. This includes the opportunity to become a Certified Internal Auditor (CIA) or at minimum a Certified Government Auditing Professional (CGAP), or to acquire any other relevant auditing certification.
• 6.1.1.9 Developing and maintaining a quality assurance and improvement program that covers all aspects of the internal audit function and continuously monitors its effectiveness.
• 6.1.1.10 In consultation with the deputy head and the audit committee, ensuring that a practice inspection of the internal audit function is conducted at least every five years, by a qualified independent reviewer competent in the professional practice of internal auditing and the external assessment process. The results of these external assessments with accompanied action plan are to be communicated to the deputy head, the departmental audit committee and the Office of the Comptroller General.
• 6.1.1.11 Ensuring that the Internal Auditing Standards for the Government of Canada are followed.
• 6.1.1.12 Reporting annually to the deputy head and the audit committee, as defined in section 6.6.1.1 of this directive.

6.1.2 Expected Qualifications of the CAE

The qualifications of chief audit executives are critical to the credibility of the internal audit function they lead. Chief audit executives should have appropriate professional qualifications.

6.1.2.1 Chief Audit Executives who have received a professional accounting designation (i.e. CA, CGA or CMA) are expected, within two years of appointment, to attain additional certification at minimum as a Certified Government Auditing Professional (CGAP), and preferably as a Certified Internal Auditor (CIA).

6.1.2.2 Chief Audit Executives who have not attained a professional accounting designation are expected to attain a CIA certification within two years of appointment.

6.2 Departmental Audit Committees (DACs)

The departmental audit committee (DAC) is an essential part of governance and of the internal audit regime established by the Financial Administration Act (FAA) and the Policy on Internal Audit. The policy makes the deputy head of each department, other than for small departments, responsible for establishing and maintaining an independent departmental audit committee that includes a majority of external members.

6.2.1 Role of DACs

• 6.2.1.1 Providing objective advice and recommendations to the deputy head regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the department's risk management, control and governance frameworks and processes (including accountability and auditing systems).
• 6.2.1.2 Using a risk-based approach, reviewing all core areas (as defined in section 6.2.2) of departmental management, control and accountability processes, including reporting.
• 6.2.1.3 Providing such advice and recommendations as may be requested by the deputy head on matters for which the deputy head, as accounting officer, is responsible to report before Parliamentary Committees.

6.2.2 Responsibilities of DACs

6.2.2.1 The particular emphasis and priorities from among the committee's key areas of responsibility are to be set by the deputy head in consultation with the committee. Consideration should be given to the particular departmental mandate, objectives and priorities, as well as the corresponding risks affecting the department and the government.

6.2.2.2 The key areas of responsibility that fall within the scope of concern of DACs, and that will be reviewed with an appropriate risk-guided focus and cycle, are:

1. Values and Ethics:
   • To review and provide advice on the departmental systems and practices established by the deputy head to monitor compliance with laws, regulations, policies and standards of ethical conduct and identify and deal with any legal or ethical violations. This may also include the procedures and feedback mechanisms established to monitor conformance with its code of conduct and ethics policies, as well as how its processes encourage and maintain high ethical standards;
2. Risk Management:
   • To review and provide advice on the risk management arrangements established and maintained by the department.
3. Management Control Framework:
   • To review and provide advice on the departmental internal control arrangements, and be informed on all matters of significance arising from work performed by others who provide assurances to senior management and the deputy head.
4. Internal Audit Function:
   • Recommend, and periodically review, a departmental internal audit policy or charter for the approval of the deputy head;
   • Provide advice to the deputy head on the sufficiency of resources of the internal audit function;
   • Review and recommend for approval a multi-year risk-based internal audit plan;
   • Monitor and assess the performance of the internal audit function;
   • Provide advice to the deputy head on the recruitment and appointment, as well as the performance of the chief audit executive;
   • Review and recommend for approval internal audit reports and corresponding management action plans to address recommendations;
   • Review regular reports on progress against the risk-based internal audit plan; and
   • Be made aware of internal audit engagements or tasks that do not result in a report to the committee, and be informed of all matters of significance arising from such work.
5. External Assurance Providers:
   • Be informed and advise the deputy head on:
     • All audit work relating to the department to be undertaken by external assurance providers, including management's response; and
     • Audit-related issues and priorities raised by external assurance providers.
6. Follow-up on Management Action Plans:
   • The audit committee shall review regular reports on the progress of the implementation of approved management action plans resulting from prior internal audit recommendations as well as management action plans resulting from the work of external assurance providers.
7. Financial Statements and Public Accounts Reporting:
   • The audit committee shall review and provide advice to the deputy head on the key financial management reports and disclosures of the department, including quarterly financial reports, annual financial statements and Public Accounts.
   • The committee will also review the annual Statement of Management Responsibility Including Internal Control over Financial Reporting and provide advice to the deputy head on the risk-based assessment plans and associated results related to the effectiveness of the departmental system of Internal Control over Financial Reporting.
   • For departmental financial statements that are audited, the audit committee will review:
     • The financial statements with the external auditor and senior management, discuss any significant accounting estimates and adjustments therein, any adjustments required to the statements as a result of the audit, as well as any difficulties or disputes encountered with management during the course of the audit;
     • Management letters arising from the external audit; and
     • The auditor's findings and recommendations relating to the internal controls in place for financial reporting and consider their impact on controls, risk management and governance processes.
8. Accountability Reporting:
   • The audit committee will receive copies of the Departmental Report on Plans and Priorities, the Departmental Performance Report and other significant accountability reports. These reports provide context for the deliberations of the audit committee and advice to the deputy head.
   • The audit committee may also receive, as information, copies of plans and reports prepared by the departmental evaluation function.

6.3 Small Departments Audit Committee (SDAC)

6.3.1 Role of SDAC

• 6.3.1.1 The Comptroller General is responsible for establishing and maintaining an audit committee to provide for review, advice and recommendations on internal auditing performed on small departments.
• 6.3.1.2 Deputy heads of small departments undertaking internal audit work in their departments may choose to access the Small Departments Audit Committee for advice.
• 6.3.1.3 Members of the Small Departments Audit Committee should not be assigned any responsibilities which could compromise their independence, objectivity or their ability to fulfill their responsibilities.

6.3.2 Responsibilities of SDAC

6.3.2.1 The key areas of responsibility that fall within the scope of concern of the members of the Small Departments Audit Committee are:

1. Internal Auditing Performed under the Direction of the Comptroller General:
   • The audit committee shall review and advise the Comptroller General on the internal audit charter for the conduct of internal auditing in small departments and regularly review its continuing appropriateness;
   • Review and recommend for approval a multi-year risk-based internal audit plan, prepared and updated at least annually by the Office of the Comptroller General, which appropriately addresses areas of high risk and significance in small departments;
   • Review and recommend for approval internal audit reports of small departments led by the Comptroller General; and
   • Be aware of internal audit engagements initiated by deputy heads of small departments and review and recommend, as requested, the reports arising from such engagements for approval by the responsible deputy head.
2. Follow-up on Management Action Plans:
   • In respect of internal audits led by the Office of the Comptroller General, the committee will receive periodic briefings on whether management action plans have been implemented in small departments and, whether the actions taken have been effective. Such briefings shall include an assessment of the impact of the proposed actions and whether these actions will address the risks identified.

6.4 Audit Committee Membership

6.4.1 Audit Committees are to include a majority of external members recruited from outside of the federal public administration. Membership of audit committees should be based on the overall skill set required within the department or portfolio. However, diversity of experience is encouraged. Members of an audit committee are to be selected so that their collective skills, knowledge, and experience will allow the committee to competently and efficiently undertake its duties. Committee membership from within the federal public administration is to be limited to individuals at the level of deputy head.

6.4.2 Audit committee members shall be jointly selected by the deputy head and the Comptroller General for approval by the Treasury Board. The Comptroller General, in consultation with the Secretary of the Treasury Board, with representative small department deputy heads, shall jointly identify suitably qualified external members for the SDAC to be recommended for approval by the Treasury Board.

6.4.3 Audit committee members shall be free of any real or perceived conflict of interest.

6.4.4 The audit committee shall have, at a minimum, three members.

6.4.5 A member of the audit committee shall serve no more than two terms. External members are to be engaged for terms of up to four years. To ensure adequate continuity, the terms for the members of the committee should be staggered. To achieve this staggering, terms may be for four years or less.

6.4.6 All external members of the audit committee are to be reasonably familiar with private or public sector financial reporting, or undertake to become familiar within the first year after appointment. At least one external member is to be a financial expert who possesses a professional accounting designation.

6.4.7 The deputy head or an external member will chair the audit committee. The preferred model is for the chair to be an external member. If the deputy head is chair, an external member will be vice-chair. The Comptroller General is responsible for recommending a member to chair the Small Departments Audit Committee.

6.4.8 The quorum for an audit committee or subcommittee will be a simple majority of the members. No alternates shall be permitted.

6.4.9 The chief financial officer and the chief audit executive are expected to attend all departmental audit committee meetings. The chair may request the attendance of other departmental officials.

6.4.10 The chair shall, as appropriate, invite representatives from external assurance providers to attend committee meetings to discuss the plans, findings and other matters of mutual concern.

6.4.11 The chair of the Small Departments Audit Committee shall invite the deputy head of any small department to attend a meeting when any matter relating specifically to that small department is on the agenda for consideration. All deputy heads of small departments shall have direct access to the audit committee.

6.4.12 The chair may, as necessary, invite Treasury Board Secretariat officials to attend the audit committee meeting.

6.5 Audit Committees Operations

6.5.1 The role, responsibilities, and operations of the departmental audit committee shall be documented in an approved audit committee terms of reference or charter, reviewed periodically by the audit committee and reaffirmed by the deputy head. The role, responsibilities, and operations of the Small Departments Audit Committee shall be documented in an approved audit committee terms of reference or charter, reviewed periodically by the audit committee and reaffirmed by the Comptroller General.

6.5.2 The Chair (or Vice-Chair if the deputy head is the Chair) of the departmental audit committee, in consultation with the other members of the committee, will prepare a plan for recommendation to the deputy head, to ensure that the responsibilities of the committee are scheduled and fully addressed. The Chair of the SDAC, in consultation with the other committee members, shall prepare such a plan for the Comptroller General.

6.5.3 The audit committee shall meet, in person, twice a year at a minimum

6.5.4 As part of each meeting of departmental audit committees, the committee will normally meet individually in camera with the departmental chief financial officer, the chief audit executive, representatives of external assurance providers when in attendance, and any other officials the committee may determine. The SDAC, at the discretion of the chair, may invite deputy heads of small departments or other officials to meet individually and/or in camera with the committee.

6.6 Monitoring and Reporting

6.6.1 Annual Reporting

6.6.1.1 The CAE shall prepare a written report annually to the deputy head and the audit committee that will include sections on:

• Internal audit's independence, proficiency, performance and results relative to its plan including resource utilization, lessons learned and influences on future years' plans;
• The results of the Quality Assurance and Improvement Program including internal audit's conformance with the Internal Auditing Standards for the Government of Canada;
• The results of the follow-up on the implementation of management action plans; and
• An overview of the aggregate findings following the execution of the risk-based audit plan including the actions taken by management to address key findings.

6.6.1.2 The independent members of the audit committee shall submit an annual report to the deputy head that will:

• Summarize the results of the committee's reviews of areas of responsibility;
• Provide the independent members' assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and
• Express views in the annual report and shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by departmental officials in the preparation of the annual report.

6.6.1.3 The independent members of the Small Department Audit Committees shall submit an annual report to the deputy head that will:

• Summarize the results of the committee's reviews of areas of responsibility;
• Provide the independent members' assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and
• Express views in the annual report and shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by departmental officials in the preparation of the annual report.

The consequences as described in section 7 of the Policy on Internal Audit will apply to this directive.

The references as outlined in section 8 of the Policy on Internal Audit will apply to this directive.

For question on this Policy instrument, please contact TBS Public Inquiries

Telephone: (613) 957-2400
Toll free: 1-877-636-0656
TTY: (613) 957-9090
Facsimile: 613-941-4000

Treasury Board of Canada Secretariat
Strategic Communications and Ministerial Affairs
L'Esplanade Laurier, 9th Floor, East Tower
140 O'Connor Street
Ottawa, Canada K1A 0R5