Policy on Internal Audit

The Policy on Internal Audit sets out the responsibilities for deputy heads of large and small departments related to internal audit, which contributes to sound risk management, control and governance processes; as well as the role and responsibilities of the Comptroller General of Canada as the head of the function government-wide.

Supporting tools

Directive: 

More information

Terminology: 

Policy topic: 

Hierarchy

Archives

This policy replaces: 

View all inactive instruments
Print-friendly XML

1. Effective date

  • 1.1This policy takes effect on .
  • 1.2This policy replaces the Treasury Board Policy on Internal Audit dated .

2. Authorities

  • 2.1This policy is issued pursuant to sections 7 and 11.1 of the Financial Administration Act.
  • 2.2The Treasury Board has delegated to the President of the Treasury Board the authority to:
    • 2.2.1Amend directives,including mandatory procedures and other appendices related to this policy; and
    • 2.2.2Direct a department that has a reference level of less than $300 million to establish an internal audit function.

3. Objectives and expected result

  • 3.1The objective of this policy is to ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management. This function provides assurance as to whether government activities are managed in a way that demonstrates responsible stewardship to Canadians.
  • 3.2The expected results of this policy are as follows:
    • 3.2.1Deputy heads are supported in their role as accounting officer, as defined in section 16.4 (1) and 16.4 (2) of the Financial Administration Act , by an internal audit function that contributes directly and proactively to improving risk management, control and governance;
    • 3.2.2Deputy heads receive assurance and advice from their departmental audit committees and internal audit function to inform decision making in their departments;
    • 3.2.3The Comptroller General of Canada receives assurance and advice from audit committees and internal audit functions to inform decision making in a broader government context; and
    • 3.2.4Internal audit in the federal public administration is supported and assessed by the Comptroller General of Canada in order to build and sustain the capacity of a professional and qualified internal audit community and to ensure adherence to professional standards and rigour in internal auditing.

4. Requirements

  • 4.1Deputy heads of all departments are responsible for the following:
    • 4.1.1Ensuring that internal audit resources and capacity are appropriate to the needs of the department. Departments that have a reference level of more than $300 million per year must have an internal audit function;
    • 4.1.2Ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework unless the framework is in conflict with this policy or its related directive; if there is a conflict, the policy or directive will prevail;
    • 4.1.3Briefing the appropriate minister on matters arising from the work of internal audit which merit their attention;
    • 4.1.4Informing the Comptroller General of Canada, without delay, of any risk, control or governance issues that may require the involvement of the Treasury Board of Canada Secretariat;
    • 4.1.5Ensuring that a formal response is provided to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely manner;
    • 4.1.6Ensuring that completed internal audit reports are released on platforms as prescribed by the Treasury Board of Canada Secretariat and within the timeframe prescribed by the Comptroller General of Canada;
    • 4.1.7Ensuring that the Comptroller General of Canada is provided with full and timely access to all information, documentation or explanations required or requested by the Comptroller General of Canada in order to carry out his or her responsibilities; and
    • 4.1.8Investigating and acting when significant issues regarding policy compliance arise and ensuring that appropriate remedial action is taken to address these issues within the department.
  • 4.2Deputy heads of departments that have an internal audit function are responsible for the following:
    • 4.2.1Designating, in consultation with the Comptroller General of Canada, a chief audit executive to manage the internal audit function and who reports directly to the deputy head;
      • 4.2.1.1For purposes of the Treasury Board Executive Group Qualification Standards, the CAE must either:
        • have a recognized internal auditor certification or professional accounting designation in Canada; or
        • possess an acceptable combination of education, training and/or experience as determined by the Comptroller General of Canada.
      • 4.2.1.2If the chief audit executive does not have a recognized internal auditor certification or professional accounting designation in Canada, the Comptroller General of Canada may determine any additional measures that may be appropriate to safeguard the integrity of the internal audit function.
    • 4.2.2Consulting with the Comptroller General of Canada regarding the creation of a chief audit executive position and whenever a chief audit executive is to be appointed, transferred or upon notification of departure;
    • 4.2.3Ensuring that the chief audit executive:
      • 4.2.3.1Is not assigned any departmental management or operational responsibilities that may compromise his or her independence and objectivity with respect to his or her internal audit responsibilities;
      • 4.2.3.2Has unrestricted access to the departmental audit committee;
      • 4.2.3.3Has unrestricted access to all departmental records, databases, workplaces and employees to carry out the departmental risk-based audit plan or other engagements and has the authority to obtain related information and explanations from individuals employed by the department and contractors;
      • 4.2.3.4Has unimpaired ability to carry out his or her responsibilities, including reporting issues to the deputy head, to the departmental audit committee and, as appropriate, to the Comptroller General of Canada.
    • 4.2.4Approving a departmental risk-based audit plan that spans multiple years, focuses primarily on assurance, and considers the following:
      • 4.2.4.1Departmental areas of high risk and significance;
      • 4.2.4.2Horizontal audits led by the Comptroller General;
      • 4.2.4.3Planned audits led by external assurance providers and other departments as appropriate; and
      • 4.2.4.4Other oversight engagements.
    • 4.2.5Submitting the approved departmental risk-based audit plan to the Comptroller General of Canada in the time and manner prescribed by that office;
    • 4.2.6Approving reports on the results of internal audit engagements;
    • 4.2.7Supporting the professional development and certification of internal auditors in the department;
    • 4.2.8In consultation with the Comptroller General of Canada, establishing and maintaining an independent departmental audit committee that includes a majority of external members recruited from outside the federal public administration and appointed by Treasury Board;
    • 4.2.9Ensuring that audit committee members are selected so that:
      • 4.2.9.1Their collective skills, knowledge and experience allow the committee to carry out its duties competently and efficiently;
      • 4.2.9.2They are free of any real or apparent conflict of interest; and
      • 4.2.9.3The committee reflects Canada’s diversity;
    • 4.2.10Ensuring that all members of the departmental audit committee are provided with all information and documentation necessary to perform their duties; and
    • 4.2.11Ensuring that any situation that might give rise to a real or apparent conflict of interest with the audit committee member’s responsibilities is prevented or effectively managed.
  • 4.3Deputy heads of departments that do not have an internal audit function are responsible for the following:
    • 4.3.1Considering the risk profile and control environment of their department and deciding whether the work performed by the Comptroller General of Canada meets their internal audit requirements or whether further internal audit engagements are necessary, or whether to establish an internal audit function; and
    • 4.3.2Establishing an internal audit function if directed to do so by the President of the Treasury Board.
  • 4.4The Comptroller General of Canada is responsible for the following:
    • 4.4.1Monitoring, providing guidance and recommending corrective actions regarding the following:
      • 4.4.1.1Compliance with this policy and its supporting instruments;
      • 4.4.1.2Internal audit performance of departments; and
      • 4.4.1.3Internal audit function across government.
    • 4.4.2Providing leadership to the internal audit function in the federal public administration, including:
      • 4.4.2.1Development and sustainability of the internal audit community through talent management and community development strategies; and
      • 4.4.2.2Determining the professional requirements for internal audit in the federal public administration.
    • 4.4.3Approving and sharing with deputy heads, a multi-year risk-based audit plan that identifies audit engagements that the Comptroller General of Canada plans to lead in departments;
    • 4.4.4Leading internal audit engagements focused on departments that do not have an internal audit function;
    • 4.4.5Leading internal audit engagements that address horizontal, sectoral or thematic risks or issues or any other audits that have been identified by the Comptroller General of Canada or the Secretary of the Treasury Board;
    • 4.4.6Consulting with chief audit executives and deputy heads on significant issues of risk, control and governance in departments to ensure that effective and timely action is taken;
    • 4.4.7Directing departments to undertake audits identified by the Comptroller General of Canada or the Secretary of the Treasury Board;
    • 4.4.8Establishing competency profiles to guide the recruitment of external audit committee members;
    • 4.4.9Establishing or proposing other requirements related to the terms and conditions for audit committee members;
    • 4.4.10Determining areas of responsibility for departmental audit committees related to departmental management, control and accountability;
    • 4.4.11Providing guidance on operational requirements and expected audit committee practices;
    • 4.4.12Co-recommending, with deputy heads, audit committee members for approval by Treasury Board;
    • 4.4.13Establishing and maintaining one or more independent audit committee(s) that includes a majority of external members recruited from outside the federal public administration and appointed by Treasury Board that:
      • 4.4.13.1Meets the requirements for departmental audit committees in departments that have an internal audit function;
      • 4.4.13.2Reviews and provides recommendations on the results of internal audit engagements performed by the Comptroller General of Canada; and
      • 4.4.13.3Provides advice to deputy heads, the Comptroller General of Canada and the Secretary of the Treasury Board.
  • 4.5Departmental Audit Committees are responsible for the following:
    • 4.5.1Providing objective advice and recommendations to the deputy head on the sufficiency, quality and results of internal audit engagements related to the adequacy and functioning of the department’s frameworks and processes for risk management, control and governance;
    • 4.5.2Using a risk-based approach, reviewing all areas of responsibility for departmental audit committees related to departmental management, control and accountability processes as determined by the Comptroller General of Canada; and
    • 4.5.3Providing advice and recommendations on matters for which the deputy head, as accounting officer, is responsible and on other related matters as needed or requested by the deputy head.

5. Roles of other government organizations

  • 5.1Not applicable.

6. Application

  • 6.1This policy and its supporting instruments apply to departments as defined in section 2 of the Financial Administration Act unless otherwise excluded by other acts, regulations or orders in council.
  • 6.2The requirements set out in subsections 4.1.3, 4.1.6, 4.1.7, 4.2.1.1, 4.2.1.2, 4.2.5, 4.2.8, 4.4.1, 4.4.5, 4.4.7 and 4.4.12 of this policy do not apply to the following organizations:
    • Office of the Auditor General of Canada
    • Office of the Chief Electoral Officer
    • Office of the Commissioner of Lobbying of Canada
    • Office of the Commissioner of Official Languages
    • Offices of the Information and Privacy Commissioners of Canada
    • Office of the Public Sector Integrity Commissioner of Canada

    The heads of these organizations are solely responsible for:

    • 6.2.1Monitoring and ensuring compliance with this policy within their organizations;
    • 6.2.2Establishing and maintaining an audit committee; the members of these committees are not appointed through the Treasury Board appointment process led by the Comptroller General of Canada; and
    • 6.2.3Determining any additional measures that may be appropriate to safeguard the integrity of the internal audit function if the chief audit executive does not have a recognized internal auditor certification or professional accounting designation in Canada.

7. Consequences of non-compliance

8. References

  • 8.1Legislation
    • Access to Information Act (section 22)
    • Financial Administration Act (section 16)
    • Official Languages Act (sections, 7, 13 and 46)
    • Privacy Act (subsection 8(2)h)
    • Public Service Employment Act (section 30)
  • 8.2Related policy instruments
    • Foundation Framework for Treasury Board Policies
    • Policy on Communications and Federal Identity (subsections 6.3.1, 6.3.2, 6.3.4, 6.3.5 and 6.3.7)

9. Enquiries


Appendix: Definitions

Definitions for the following terms can be found in the Institute of Internal Auditors glossary (PDF document – 296 KB)

  • assurance services
  • consulting services
  • control
  • governance
  • independent (independence)
  • objectivity
  • risk
  • risk management
Date modified: