Frequently Asked Questions

TBS and IAS Role

What audit products does the Treasury Board Secretariat expect to see under the Policy?

The requirements of the Policy on Internal Audit are clear on this question.

First, deputy heads are to ensure that TBS is "provided in a timely manner with electronic copies in both official languages of all completed internal audit reports." Appendix B to the Policy defines completed internal audit reports as "ones that have been approved by the internal audit committee and have the required management action plans, if such are required." If an internal audit report is a completed internal audit report under this definition, whether it arises from an assurance or a consulting engagement, it must be forwarded to TBS.

Quite independently of providing completed internal audit reports, the Internal Audit Policy requires deputy heads to inform TBS, on a timely basis, of significant issues of risk, control or other problems with management practices, whether or not they arise in the course of audit work. This requirement echoes that of the Policy on Active Monitoring under which departments are required to communicate significant management concerns to TBS on a timely basis. In meeting these requirements timeliness is of the essence to serve TBS's obligation to provide the Government with early warning. Accordingly, when concerns do arise as a result of audit work, the provision of information to TBS under these requirements should not be delayed until there is a completed internal audit report.

Finally, the Internal Audit Policy requires deputy heads to provide TBS with copies of annual internal audit plans that describe internal audit activities, as approved by the departmental audit committee. Any amendments to the annual audit plan that are approved by the audit committee should also be provided to TBS.

(16)

What does the Internal Audit Sector do with internal audit information shared by internal audit groups?

The OAG Interface, Environmental Scanning & Early Warning Group within the Internal Audit Sector reviews all internal audit reports, internal audit plans and other information provided by internal audit groups. This review supports a number of responsibilities placed on the Sector, including:

• providing Treasury Board Ministers and other Secretariat functions with early warning and advice on emerging issues and potential vulnerabilities;
• identifying government-wide internal audit priorities for the Board's consideration;
• tracking internal audit activity across departments;
• assessing the quality of internal audit reporting across government;
• providing feedback to departments on their internal audit plans.

(11)

To whom at the Treasury Board Secretariat do departments send completed internal audit reports and approved annual internal audit plans?

Under the Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General, deputy heads are responsible for ensuring that, on a timely basis, the Comptroller General is provided:

• Annual risk-based audit plans
• Audit reports^[1]
• Chief audit executive annual reports
• Departmental audit committee annual reports
• Management letters resulting from the audits of the Office of the Auditor General
• Practice inspection reports / External reviews

In addition to the above, the following documents should also be provided to the OCG:

• Agendas of departmental audit committee meetings
• Minutes from departmental audit committee meetings

The OCG will analyze the products and provide feedback on the quality and on the trends arising from cross-government analysis.

Normally, the OCG expects to receive internal audit products in at least one of the official languages within one month of approval. The translated versions are to be provided as soon as possible.

Non-sensitive documents (Protected A or below) should be sent by email to the Registrar, Internal Audit Sector. Sensitive documents (Protected B and above) should be sent, in both electronic and paper formats, by mail or courier to:

The Registrar
Internal Audit Sector
Office of the Comptroller General
Treasury Board of Canada Secretariat
300 Laurier Ave West, 9th Floor, West Tower
Ottawa, Ontario 
K1A 0R5

The Registrar, Internal Audit, should be notified, by email, at least one week before the posting of any internal audit reports on departmental websites, and provided with related communication and media lines. In addition, once a report is posted, the Registrar should be sent an email confirming online availability, along with the hyperlink. Any changes to the web addresses of audit reports posted on departmental websites should also be communicated to the Registrar in a timely manner.

[1] Includes follow-up audits. All reports sent should be complete, un-severed.

(10)

Will the Internal Audit Sector have representatives sit as members on departmental Internal Audit Committees?

Representatives of the  Internal Audit Sector will not participate as members of departmental internal audit committees. Internal audit decision-making in departments is the responsibility of the department and not the Treasury Board Secretariat.

The Internal Audit Policy does provide that the Treasury Board Secretariat and the Office of the Auditor General are to be provided with access to the audit committee, as required, to address matters of mutual interest or concern. This provides a sufficient means for both the chair of the audit committee and the Treasury Board Secretariat to arrange for Treasury Board Secretariat attendance as necessary.

(9)

Does the Internal Audit Sector want to review the terms of reference for internal audits to be conducted by departments prior to the commencement of an internal audit?

No. The terms reference for an internal audit are generally for a department to determine and, consequently, the  Internal Audit Sector does not want to review the terms of reference for individual internal audits. The sole exception might be for internal audits that have been specifically requested by the Treasury Board Secretariat.

(4)

Internal Audit Standards

Are there differences in the application of internal audit standards to consulting engagements that depend on how an engagement is initiated - e.g. as a part of an approved risk-based audit plan, as an ad hoc request from the audit committee or as a request from program management?

No. The standards apply whatever the genesis of the project. As IIA Practice Advisory 1000.C1-2 states " An internal auditor is first and foremost an internal auditor. Thus, in the performance of all services the internal auditor is guided by.... the Attribute and Performance Standards of the Professional Practice of Internal Auditing."

(18)

Role of Internal Audit

Should internal audit groups be involved in departmental risk assessment exercises?

The Treasury Board Policy on Internal Audit identifies the prime role of the internal audit function as the provider of assurance services to departmental senior management. This does not preclude the internal audit function from providing other internal auditing services which, using the IIA's definition, include consulting services. Consulting services are defined by the IIA as "advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations. Examples include counsel, advice, facilitation, process design and training."

An internal audit group's involvement in risk assessment exercises could clearly fall within this definition of consulting services.

Internal auditors undertaking such work are to be guided by internal auditing standards. In particular, it should be noted that where significant risk management, control or governance issues are identified, these should be communicated to senior management and the audit committee by the head of audit (IIA Standard 2440.C2)

Particular care has to be taken in undertaking consulting engagements to avoid impairment of independence and objectivity. Internal audit cannot be a management decision-making function.

(8)

What is the role of internal audit in Active Monitoring?

The Policy on Active Monitoring states that departments are responsible for:

• establishing a capacity to actively monitor, on an ongoing basis, management practices and controls;
• developing and maintaining, ... an ability to detect and communicate within the organization, as early as possible, significant risks, potential and actual control failures, and other significant management vulnerabilities.

While primary responsibility for active monitoring lies with management, the internal audit function is clearly part of deputy heads' capacity to monitor management practices and controls, and contributes to the detection of risks, control failures and vulnerabilities. Equally clear is the internal audit function's professional obligation to communicate to senior management significant issues of risk management, control or governance that are identified.

(7)

Publication of Internal Audit Documents

Is it Treasury Board policy that departmental internal audit plans be made accessible to the public?

No. The Treasury Board Policy on Internal Audit requires that completed internal audit reports be made available to the public with minimal formality but this requirement does not extend to departmental internal audit plans. These may, of course, be accessible through ATIP.

The Internal Audit Policy does require deputy heads to ensure that the Treasury Board Secretariat is provided with copies of annual internal audit plans that describe internal audit activities as approved by the departmental audit committee.

(6)