Policy on Internal Audit
1. Effective Date
This Policy takes effect on April 1, 2012. It replaces the Treasury Board Policy on Internal Audit, dated July 1, 2009.
2.1 The term "deputy head" is used in this Policy in the sense assigned to it by section 11 of the Financial Administration Act.
2.2 This Policy applies to departments as defined in section 2 of the Financial Administration Act (FAA), unless otherwise excluded by specific acts, regulations or Orders in Council. However, paragraphs 22.214.171.124 and 126.96.36.199.1 below apply to departments in the core public administration as defined in section 11.1 of the FAA. Other departments or separate agencies not subject to these provisions are encouraged to meet these requirements as good practice.
2.3 For the purposes of this Policy, Treasury Board has established a criterion for designating departments as small departments. This criterion is described in section 3.11 below. All other departments are referred to as large departments.
2.4 The principles of this Policy, as they apply to large departments, will apply to the offices of agents of Parliament (the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages and the Office of the Public Sector Integrity Commissioner). Deputy heads of these organizations may, subject to compliance with sections 16.1 and 16.2 of the Financial Administration Act, authorize such departures from the specific policy requirements contained in this Policy as they may deem appropriate in light of the governance arrangements, statutory mandate and risk profile of the organization of which they are deputy heads.
3.1 Internal auditing in the Government of Canada is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes.
3.2 For the internal auditing profession, the above-described role is referred to as providing assurance. It is intended to assist decision-makers to exercise oversight and control over their organizations and apply sound risk management.
3.3 Internal auditing adds value by assessing and contributing to the improvement of risk management, control, and governance processes. In doing so, it helps ensure that the organization achieves its objectives efficiently and in a way that demonstrates informed ethical and accountable decision-making.
3.4 Principally as an adjunct to the assurance role, and within their sphere of expertise, internal auditors may also provide consulting services to their organizations
3.5 Deputy heads are accountable to their Ministers, to the Prime Minister through the Clerk of the Privy Council, and the Treasury Board, for the management systems in their departments.
3.6 This Policy directly supports and recognizes the role and responsibilities of deputy heads as accounting officers, as laid out in Part I.1 of the Financial Administration Act.
3.7 This Policy provides a clear and integrated assignment of responsibilities for internal auditing between deputy heads and the Comptroller General.
3.8 This Policy is issued pursuant to paragraphs 7(1) (a) and (e.2) and sections 11, 16.1 and 16.2 of the Financial Administration Act.
3.9 The President of the Treasury Board has the authority to amend, issue and rescind directives pursuant to this Policy.
3.9.1 The Comptroller General will provide guidance and standards necessary to ensure the effective implementation and support of this Policy.
3.10 This Policy recognizes that departments are diverse in size and risk.
3.11 For the purpose of designating departments as small departments under this Policy:
- 3.11.1 The criterion of a reference level of less than $300 million per year will apply for all departments except the offices of the agents of Parliament.
- 3.11.2 Notwithstanding section 3.11.1, the President of the Treasury Board may designate any department as a small department upon the recommendation of the Comptroller General.
3.12 Additional mandatory requirements are set out in the:
Definitions to be used in the interpretation of this Policy and related directives and standards are included in the Appendix.
5. Policy Statement
The objective of this Policy is to contribute to the improvement of public sector management by ensuring a strong, credible, effective and sustainable internal audit function within departments as well as government-wide.
5.2 Expected Results
5.2.1 Deputy heads are effectively supported in their role of accounting officer by a strong, credible internal auditing regime that:
- Contributes directly to sound risk management, control and governance; and is independent from line management.
5.2.2 Deputy heads are provided with independent assurance from internal auditing, and advice from the audit committee, regarding the effectiveness of risk management, control and governance processes, at the departmental level and the Comptroller General is provided with the same at the government-wide level.
6. Policy Requirements
6.1 Deputy heads of all departments are responsible for:
- 6.1.1 Ensuring that internal audit resources are sufficient to achieve the risk-based internal audit plan.
- 6.1.2 Ensuring that the departmental internal audit function operates in accordance with this Policy and any related directive or standard, including the Internal Auditing Standards for the Government of Canada.
- 6.1.3 Ensuring that the audit committee receives all of the information and documentation necessary to fulfill its responsibilities.
- 6.1.4 Ensuring that management action plans that adequately address the recommendations and findings arising from internal audit engagements are prepared and implemented.
- 6.1.5 Ensuring that completed internal audit reports, including management action plans, are:
- Issued in a timely manner and made accessible to the public with minimal formality; and
- Posted on departmental web sites in a timely manner, in both official languages.
- 6.1.6 Ensuring that the respective Minister is briefed periodically on significant matters arising from the work of internal audit and the audit committee. Further, the Minister shall be offered the opportunity to meet with the audit committee, along with the deputy head, at least annually.
- 6.1.7 Informing the Comptroller General without delay of any issue of risk, control or management practice that may be of significance to the government and/or require Treasury Board Secretariat's involvement.
- 6.1.8 Ensuring that, on a timely basis, the Office of the Comptroller General and its agents, for the purpose of carrying out assigned responsibilities, are provided:
- Full access to departmental records, databases, workplaces and employees, and have the right to obtain information and explanations from departmental employees and contractors;
- Representations from management pertinent to supporting the planning, conduct, reporting and follow-up of internal audits led by the Comptroller General;
- Copies of internal audit plans as approved by the deputy head;
- Copies of any management letters resulting from the audits by external assurance providers;
- Copies of reports on all completed internal audits;
- The chief audit executive's annual report;
- Access to internal auditing staff and their working papers, when requested;
- The annual report of the departmental audit committee including the committee's assessment of the departmental internal audit function;
- Practice Inspection reports; and
- Reports or information as requested by the Comptroller General or Treasury Board Secretariat.
6.2 Deputy heads of large departments are responsible for:
6.2.1 Establishing and maintaining an independent departmental audit committee that includes a majority of external members recruited from outside of the federal public administration. An independent and objective perspective is essential to the audit committee members' capacity to challenge and effectively assess their key areas of responsibility. The deputy head is responsible for ensuring that the departmental audit committee is not assigned any responsibilities which could compromise the independence and objectivity of the departmental audit committee or the committee's ability to fulfill its responsibilities. The deputy head may consult with the Comptroller General on the matter.
Further requirements relating to the role, responsibilities, membership and operations of the departmental audit committee are described in the Directive on Internal Auditing in the Government of Canada.
- 6.2.2 Appointing a qualified chief audit executive, reporting directly to the deputy head, to lead and direct the internal audit function. (For further information on the expected qualifications of a CAE refer to section 6.1.2 of the Directive on Internal Auditing in the Government of Canada).
- The deputy head should ensure that:
- 188.8.131.52 The chief audit executive:
- Is not assigned any departmental management or operational responsibilities which may compromise the independence and objectivity of the CAE in respect of the CAE's internal audit responsibilities;
- Has unfettered access to the departmental audit committee and to the committee chair and/or vice-chair;
- Has access to all departmental records, databases, workplaces and employees, and has the authority within the context of carrying out its departmental risk-based audit plan or other engagements to obtain information and explanations from departmental employees and contractors; and
- Has unimpaired ability to carry out his or her responsibilities, including reporting findings to the deputy head, to the departmental audit committee and, as appropriate, to the Comptroller General.
- 184.108.40.206 The Comptroller General, or his or her representative:
- Is a member of the selection committee during the CAE's appointment process;
- Is advised of the appointment, transfer or departure of the CAE; and
- Is consulted on the proposed position description of the CAE.
- 220.127.116.11.1 The Comptroller General:
- Is consulted on the establishment of clear responsibilities and performance expectations for the CAE;
- Is consulted on the periodic performance evaluation of the CAE; and
- Is consulted on the intention to remove a CAE for reasons relating to the CAE's professional performance.
- 18.104.22.168 The chief audit executive:
- 6.2.3 Approving a departmental risk-based internal audit plan that considers:
- Departmental areas of high risk and significance; and
- Government-wide audits led by the Comptroller General.
- The Directive on Internal Auditing in the Government of Canada sets out additional requirements for departmental internal audit plans.
- 6.2.4 Ensuring that a practice inspection of the internal audit function is conducted at least every five years, by a qualified independent reviewer.
6.3 Deputy heads of small departments are responsible for:
6.3.1 Considering the risk profile and control environment of their department, deciding whether the work performed by the Office of Comptroller General fully meets their internal audit requirements or if further assurance engagements are necessary.
- 22.214.171.124 When deputy heads of small departments determine a need for internal auditing work beyond that conducted by the Comptroller General, but do not have sufficient resources to sustain a credible, professional internal audit function, the Comptroller General will facilitate access to independent, qualified internal auditing resources.
- 126.96.36.199 When a small department conducts an internal audit engagement, the deputy head will ensure that the audit work is subject to review by an independent audit committee prior to the audit being finalized.
- 188.8.131.52 Deputy heads of small departments may establish a departmental audit committee or a joint independent audit committee with other portfolio-related departments. Where a small department operates with a Board that exercises management responsibilities and possesses the necessary competencies, such a Board may assume the functions of an audit committee for that small department. Alternatively, specific arrangements can be made with the Chair of the Small Departments Audit Committee for access to that committee.
Departmental audit committees established by deputy heads of small departments must be structured in accordance with the requirements outlined in the Directive on Internal Auditing in the Government of Canada.
6.4 The Comptroller General is responsible for:
- 6.4.1 Providing government-wide functional leadership of internal auditing.
- 6.4.2 Providing leadership and having measures in place to support the capacity, proficiency and sustainability of the internal audit community government-wide.
- 6.4.3 Determining the professional standards for internal auditing in the federal government.
- 6.4.4 Providing advice, guidance and support on the application of the Policy on Internal Audit and related instruments.
- 6.4.5 Supporting the establishment and operation of appropriately qualified audit committees, as well as providing guidance on expected audit committee practices government-wide.
- 6.4.6 Establishing competency profiles to guide the recruitment of external audit committee members and establishing or proposing other requirements related to the terms and conditions of appointment for audit committee members.
- 6.4.7 Identifying and communicating to deputy heads through a risk-based horizontal audit plan internal audits to be considered for inclusion in departmental risk-based internal audit plans.
- 6.4.8 Establishing an independent Small Departments Audit Committee to provide the Comptroller General with guidance and advice on internal auditing in small departments.
- Further requirements relating to the role, responsibilities and membership of the Small Departments Audit Committee (SDAC) are set out in the Directive on Internal Auditing in the Government of Canada.
- 6.4.9 Leading internal audit engagements:
- Focused on small departments and communicating the results to the appropriate deputy heads and the SDAC;
- That address government-wide, sectoral or thematic risks or issues identified in the government-wide risk-based internal audit plan for:
- Small departments, as recommended by the Small Departments Audit Committee; and
- Large departments, as recommended by the Government of Canada Audit Committee;
- Identified by the Secretary of the Treasury Board or the Comptroller General.
- 6.4.10 Maintaining active liaison with chief audit executives and deputy heads on significant issues of risk, control or management practices in departments, particularly in determining that effective and timely action is taken where there are serious issues to be resolved.
- 6.4.11 Maintaining effective liaison with agents of Parliament and other central agencies on internal auditing issues.
6.5 Monitoring and Reporting
6.5.1 Deputy heads are responsible for monitoring their department's adherence to this Policy and its related instruments.
6.5.2 Deputy heads are responsible for ensuring that the following reporting is prepared and copies submitted to the Office of the Comptroller General as required:
- The departmental audit committee's annual report;
- The chief audit executive's annual report; and
- Other particular reports or information as requested by the Comptroller General or Treasury Board Secretariat.
6.5.3 The Comptroller General will monitor and report to Treasury Board on departments' adherence to the policy and its related instruments.
6.5.4 The Comptroller General's periodic reporting to the Treasury Board will provide an assessment of:
- The implementation of this Policy and the status of the internal audit function government-wide; and
- Significant issues of risk, control or management arising from internal auditing government-wide.
6.5.5 Sections 7.2 and 7.3 that provide for the Comptroller General to monitor compliance with this Policy within departments and/or request departments to take corrective action, do not apply with respect to the agents of Parliament; Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages, and the Office of the Public Sector Integrity Commissioner. The deputy heads of these organizations are solely responsible for monitoring and ensuring compliance with this Policy within their organizations; and for responding to cases of non-compliance in accordance with any Treasury Board instruments that address the management of compliance.
6.5.6 The Comptroller General will review the policy, its associated directives and standards, and their effectiveness at the five year mark of implementation of the policy. Where substantiated by risk analysis, the Office of the Comptroller General will establish a framework to guide an evaluation of the policy and ensure that an evaluation is conducted.
7.1 The deputy head is responsible for investigating and acting when significant issues arise with respect to compliance with this Policy. The deputy head is also responsible for ensuring that appropriate remedial actions are taken to address the issues within the deputy head's department.
7.2 If the Comptroller General determines that a department may not have complied with any requirement of this Policy or supporting directives and standards, the Comptroller General may request that the deputy head:
- 7.2.1 Conduct a practice inspection to assess whether requirements of this Policy or its supporting directives and standards have been met. The cost of such an inspection will be paid from the department's reference level; and
- 7.2.2 Take corrective actions and report back to the Comptroller General on the results achieved.
7.3 Consequences of non-compliance with this Policy and supporting directives and standards, or of failure to take corrective actions requested by the Comptroller General, may include recommending to Treasury Board:
- 7.3.1 Limits on the spending authority of the department;
- 7.3.2 Imposition of any other measures determined appropriate in the circumstances; and
- 7.3.3 Imposition of any measure allowed by the FAA.
7.4 For a range of consequences of non-compliance refer to Appendix C: Consequences for Institutions and Appendix D: Consequences for Individuals in the Framework for the Management of Compliance.
For question on this Policy instrument, please contact TBS Public Inquiries
Telephone: (613) 957-2400
Toll free: 1-877-636-0656
TTY: (613) 957-9090
Treasury Board of Canada Secretariat
Strategic Communications and Ministerial Affairs
L'Esplanade Laurier, 9th Floor, East Tower
140 O'Connor Street
Ottawa, Canada K1A 0R5
Appendix - Definitions
For the purposes of this Policy, the following definitions are provided:
- assurance services
- An objective examination of evidence for the purpose of providing an independent assessment on the risk management, control, and governance processes of the organization.
- completed audit reports
- The result of assurance services is a report which must include the engagement's objectives, scope and context; the risks and opportunities for improvement identified by the audit; the criteria applied in the audit; the inclusion of applicable recommendations; a statement of conformance; and a management action plan. Completed internal audit reports are defined as internal audit reports that have been recommended by the audit committee and approved by the deputy head. Further details are available in the Internal Auditing Standards for the Government of Canada.
- consulting services
- Client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's risk management, control, and governance processes without the internal auditor assuming management responsibility. These services do not include a statement of assurance. Examples include advice, facilitation, and training.
- Any action taken by management, the deputy head, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
- deputy head
- as defined in subsection 11(1) of the Financial Administration Act means:
- in relation to a department named in Schedule I, its deputy minister;
- in relation to any portion of the federal public administration named in Schedule IV, its chief executive officer or, if there is no chief executive officer, its statutory deputy head or, if there is neither, the person who occupies the position designated under subsection (2) in respect of that portion;
- in relation to a separate agency, its chief executive officer or, if there is no chief executive officer, its statutory deputy head or, if there is neither, the person who occupies the position designated under subsection (2) in respect of that separate agency; and
- in relation to any portion of the federal public administration designated for the purposes of paragraph (d) of the definition "public service", its chief executive officer or, if there is no chief executive officer, the person who occupies the position designated under subsection (2) in respect of that portion.
- The policies, procedures and structures used to direct an organization's activities to provide reasonable assurance that objectives are met and that operations are carried out in an ethical and accountable manner.
- Refers to all departments within the federal public administration as defined within the meaning of section 2 of the Financial Administration Act.
- Refers to risks common to a group of departments within the federal public administration, as defined within the meaning of section 2 of the Financial Administration Act.
- The freedom from conditions that threaten, or could reasonably be perceived to threaten, the ability to carry out internal audit responsibilities in an unbiased manner.
- large departments
- For the purpose of designating departments as large departments under this Policy, the criterion of a reference level of $300 million or more per year will apply for all departments except the offices of the agents of Parliament.
- Management Control Framework
- A management control framework is a recognized system of categories that cover all internal controls expected in organizations. These controls are designed to ensure that risks are contained within the risk tolerances established by the risk management process. Widely used control frameworks include COSO (Committee of Sponsoring Organizations of the Treadway Commission) and CoCo (Criteria of Control Board by the Canadian Institute of Chartered Accountants).
- The ability of an individual or group of individuals to perform tasks or responsibilities in accordance with the system that has been established for the performance of these tasks or responsibilities, without allowing factors external to this system and/or factors not relevant to the tasks or responsibilities to influence or compromise their work or work product. In internal audit, objectivity requires that judgement on audit matters is not subordinated to that of others.
- Used with reference to the frequency of the Comptroller General's reporting to Treasury Board. Periodic reporting means, reporting as often as prevailing circumstances require; however the reporting shall not be less than once every three years.
- practice inspection
- An independent assessment of the internal audit activity's conformance with the Internal Auditing Standards for the Government of Canada, which are composed of the requirements of the Treasury Board Policy on Internal Audit, any related directives or standards and the Institute of Internal Auditors (IIA) International Professional Practices Framework.
- The expected magnitude of an event occurring that will have an impact on the achievement of objectives. Risk is measured as a function of the extent of the event's impact and the likelihood of its occurrence.
- risk management
- A process or coordinated set of activities to identify risks and opportunities, to assess their implications and impact, and to assist in managing potential events or situations that may affect the organization. The objective is to contain the level of risk facing the organization to an amount that is within the organization's risk appetite. This is done through measures that aim to affect the likelihood of events or the magnitude of their consequences.
- small departments
- For the purpose of this Policy, any department with an operating budget of less than $300 million per year shall be designated as a small department, with the exception of the offices of the agents of Parliament.
- The absence of prejudice or prejudgment in the assessments or evaluations undertaken by individuals or groups of individuals. An unbiased approach and outcome requires that individuals or groups of individuals have an open mind.