Directive on Internal Audit

1. Effective date

  • 1.1This directive takes effect on .
  • 1.2This directive replaces the Directive on Internal Audit dated April 1, 2017.

2. Authorities

  • 2.1This directive is issued pursuant to the authorities indicated in section 2 of the Policy on Internal Audit.

3. Objectives and expected results

  • 3.1The objectives indicated in section 3 of the Policy on Internal Audit apply to this directive.
  • 3.2The expected results indicated in section 3 of the Policy on Internal Audit apply to this directive.

4. Requirements

  • 4.1The chief audit executive is responsible for the following:
    • 4.1.1Applying the Institute of Internal Auditors’ International Professional Practices Framework in the department, unless the framework is in conflict with the Treasury Board Policy on Internal Audit or this directive; if there is a conflict, the policy or directive will prevail;
    • 4.1.2Establishing at least annually, and updating as required, a departmental risk-based audit plan that: is reviewed by the departmental audit committee and approved by the deputy head; and which considers the following:
      • 4.1.2.1Departmental areas of high risk and significance;
      • 4.1.2.2Internal audit engagements led by the Comptroller General;
      • 4.1.2.3Planned audits led by external assurance providers and other departments as appropriate; and
      • 4.1.2.4Other oversight engagements;
      • 4.1.2.5The appropriate balance between assurance and advisory engagements as part of a full suite of services in light of the organization's strategy, objectives, and risks.
    • 4.1.3Ensuring that the deputy head and the departmental audit committee are aware of the resource requirements for the internal audit function and the impact of resource decisions;
    • 4.1.4Ensuring the timely completion of internal audit engagements;
    • 4.1.5Reporting at least annually to the deputy head on whether the actions scheduled by management in response to audit recommendations, both internal and external, have been implemented; and
    • 4.1.6Ensuring that internal auditors have the appropriate qualifications, skills, and opportunities to maintain and develop their internal auditing competencies.

5. Roles of other government organizations

  • 5.1Not applicable.

6. Application

  • 6.1This directive applies to the organizations described in section 6 of the Policy on Internal Audit.

7. References

  • 7.1Legislation
    • Access to Information Act (section 22)
    • Financial Administration Act (section 16)
    • Privacy Act (paragraph 8(2)h)
    • Public Service Employment Act (section 30)
  • 7.2Related policy instruments
    • Foundation Framework for Treasury Board Policies
    • Policy on Communications and Federal Identity (subsections 6.3.1, 6.3.2, 6.3.4, 6.3.5 and 6.3.7)

8. Enquiries

Appendix A: Mandatory Procedures for Internal Auditing in the Government of Canada

A.1 Effective date

  • A.1.1These procedures take effect on .

A.2 Procedures

  • A.2.1These procedures provide details on the requirements set out in section 4 of the Directive on Internal Audit.
  • A.2.2Internal audit in the federal public administration is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework and the following mandatory procedures:
    • A.2.2.1Departments must undertake internal audit engagements of programs or services that are identified by the Comptroller General of Canada or the Secretary of the Treasury Board.
    • A.2.2.2Results of internal audit engagements must be finalized in a written report. An internal audit engagement report is considered completed when:
      • A.2.2.2.1It sets out the engagement’s objectives, scope and context, the criteria applied in the engagement, the risks and opportunities for improvement identified, the recommendations, the statement of conformance, and the management response to recommendations;
      • A.2.2.2.2It has been reviewed by the departmental audit committee; and
      • A.2.2.2.3It has been approved by the deputy head.
    • A.2.2.3Departments must meet public reporting requirements as prescribed by the Comptroller General of Canada.

Appendix B: Mandatory Attributes of the Composition and Operations of Departmental Audit Committees

B.1 Attributes

  • B.1.1These attributes provide details on the requirements related to audit committees set out in section 4 of the Policy on Internal Audit.
  • B.1.2Mandatory attributes are as follows:
    • B.1.2.1Departmental audit committees are to reflect Canada’s diversity in terms of gender, official languages, Indigenous Canadians, minority groups and regional representation;
    • B.1.2.2Committee members are to execute their duties as described in section 4.5 of the Policy on Internal Audit. The Comptroller General of Canada has prescribed a list of the areas of management for committee review;
    • B.1.2.3Committee members are to be familiar with financial reporting or are to become familiar with such reporting within the first year of their appointment. At least one external member is to be a financial expert holding a professional accounting designation in good standing. On an exceptional basis, the Comptroller General may grant an exception to the requirement for the financial expert to hold a valid professional accounting designation;
    • B.1.2.4 Committee members from within the federal public administration are to be limited to individuals at the level of deputy head, unless an exception is granted by the Comptroller General of Canada;
    • B.1.2.5 The chair of the departmental audit committee is to be from outside the federal public administration unless an exception is granted by the Comptroller General of Canada;
    • B.1.2.6 An external member of a departmental audit committee is to serve no more than two terms and up to a maximum of eight years. A single term must not exceed four years;
    • B.1.2.7 Departments are to disclose proactively remuneration and expenses (including travel) of individual external departmental audit committee members, in the time and manner prescribed by the Comptroller General of Canada; and
    • B.1.2.8Audit committee members must disclose all current and prospective activities, interests or appointments prior to acceptance in order for the department to assess whether they may impair, or be seen to impair, the member’s ability to discharge their duties in an independent and objective manner. This disclosure should be done as required and at least annually for the duration of the member’s term.

Appendix C: Definitions

Definitions to be used in the interpretation of this directive can be found in the appendix section of the Policy on Internal Audit.

© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2017,
ISBN: 978-0-660-09654-4