Policy on Internal Audit

1. Effective date

  • 1.1This policy takes effect on .
  • 1.2This policy replaces the Treasury Board Policy on Internal Audit dated .

2. Authorities

  • 2.1This policy is issued pursuant to sections 7 and 11.1 of the Financial Administration Act.
  • 2.2The Treasury Board has delegated to the President of the Treasury Board the authority to:
    • 2.2.1Issue, amend and rescind any related directives that are under this policy.
    • 2.2.2Direct a department that has a reference level of less than $300 million to establish an internal audit function.
  • 2.3The Treasury Board has delegated to the Comptroller General of Canada the authority to:
    • 2.3.1Issue, amend and rescind appendices related to this policy and any related directives.

3. Objectives and expected result

  • 3.1The objective of this policy is to ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management. This function provides assurance as to whether government activities are managed in a way that demonstrates responsible stewardship to Canadians.
  • 3.2The expected results of this policy are as follows:
    • 3.2.1Deputy heads are supported in their role as accounting officer, as defined in section 16.4 (1) and 16.4 (2) of the Financial Administration Act, by an internal audit function that contributes directly and proactively to improving risk management, control and governance;
    • 3.2.2Deputy heads receive independent and objective advice from their departmental audit committees and assurance and advice from their internal audit function to inform decision making in their departments;
    • 3.2.3The Comptroller General of Canada receives independent and objective guidance and advice from Office of the Comptroller General’s departmental audit committee and assurance and advice from their internal audit function to inform decision making in a broader government context; and
    • 3.2.4Internal audit in the federal public administration is supported and assessed by the Comptroller General of Canada in order to build and sustain the capacity of a professional, qualified and multi-disciplinary internal audit community and to ensure adherence to professional standards and rigour in internal auditing.

4. Requirements

  • 4.1Deputy heads of all departments are responsible for the following:
    • 4.1.1Ensuring that internal audit resources and capacity are appropriate to the needs of the department. Departments that have a reference level of $300 million or more per year must have an internal audit function;
    • 4.1.2Ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework unless the framework is in conflict with this policy or its related directive; if there is a conflict, the policy or directive will prevail;
    • 4.1.3Briefing the appropriate minister on matters arising from the work of internal audit which merit their attention;
    • 4.1.4Informing the Comptroller General of Canada, without delay, of any risk, control or governance issues that may require the involvement of the Treasury Board of Canada Secretariat;
    • 4.1.5Ensuring that a formal response is provided to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely manner;
    • 4.1.6Ensuring that completed internal audit reports are released on platforms as prescribed by the Treasury Board of Canada Secretariat and within the timeframe prescribed by the Comptroller General of Canada;
    • 4.1.7Ensuring that the Comptroller General of Canada is provided with full and timely access to all information, documentation, employees and explanations required or requested by the Comptroller General of Canada in order to carry out their responsibilities; and
    • 4.1.8Investigating and acting when significant issues regarding policy compliance arise and ensuring that appropriate remedial action is taken to address these issues within the department.
  • 4.2Deputy heads of departments that have an internal audit function are responsible for the following:
    • 4.2.1Designating, in consultation with the Comptroller General of Canada, a chief audit executive to manage the internal audit function;
      • 4.2.1.1For purposes of the Treasury Board Executive Group Qualification Standards, the chief audit executive must either:
        • have a recognized internal auditor certification or professional accounting designation in Canada; or
        • possess an acceptable combination of education, training and/or experience as determined by the Comptroller General of Canada.
      • 4.2.1.2If the chief audit executive does not have a recognized internal auditor certification or professional accounting designation in Canada, the Comptroller General of Canada may determine any additional measures that may be appropriate to safeguard the integrity of the internal audit function.
    • 4.2.2Consulting with the Comptroller General of Canada regarding creating a chief audit executive position and prior to the appointment, deployment, replacement or departure of a chief audit executive.
    • 4.2.3Ensuring that the chief audit executive:
      • 4.2.3.1Reports directly to the deputy head;
      • 4.2.3.2Is not assigned any departmental management or operational responsibilities that may compromise their independence and objectivity with respect to their internal audit responsibilities;
      • 4.2.3.3Has unrestricted access to the departmental audit committee;
      • 4.2.3.4Has unrestricted access to all departmental records, databases, workplaces, and employees to effectively carry out the responsibilities of the internal audit activity, including conducting engagements and has the authority to obtain related information and explanations from individuals employed by the department and contractors; or any other resources deemed necessary; and
      • 4.2.3.5Has unimpaired ability to carry out their responsibilities, including reporting issues to the deputy head, to the departmental audit committee and, as appropriate, to the Comptroller General of Canada.
    • 4.2.4Approving a departmental risk-based audit plan that considers the following:
      • 4.2.4.1Departmental areas of high risk and significance;
      • 4.2.4.2Internal audit engagements led by the Comptroller General;
      • 4.2.4.3Planned audits led by external assurance providers and other departments as appropriate; and
      • 4.2.4.4Other oversight engagements.
    • 4.2.5Submitting the approved departmental risk-based audit plan to the Comptroller General of Canada in the time and manner prescribed by that office;
    • 4.2.6Approving reports on the results of internal audit engagements;
    • 4.2.7Supporting the professional development and certification of internal auditors in the department;
    • 4.2.8In consultation with the Comptroller General of Canada, establishing and maintaining an independent departmental audit committee that includes a majority of external members recruited from outside the federal public administration and appointed by Treasury Board;
    • 4.2.9Ensuring that audit committee members are selected so that:
      • 4.2.9.1Their collective skills, knowledge and experience allow the committee to carry out its duties competently and efficiently;
      • 4.2.9.2They are free of any real or apparent conflict of interest; and
      • 4.2.9.3The committee reflects Canada’s diversity;
    • 4.2.10Ensuring that all members of the departmental audit committee are provided with all information and documentation necessary to perform their duties; and
    • 4.2.11Ensuring that any situation that might give rise to a real or apparent conflict of interest with the audit committee member’s responsibilities is prevented or effectively managed.
  • 4.3Deputy heads of departments that do not have an internal audit function are responsible for the following:
    • 4.3.1Considering the risk profile and control environment of their department to determine if the work performed by the Comptroller General of Canada meets their internal audit requirements. If it does not, consulting with the Comptroller General of Canada to assess whether further internal audit engagements are necessary, or whether to establish an internal audit function; and
    • 4.3.2Establishing an internal audit function if directed to do so by the President of the Treasury Board.
  • 4.4The Comptroller General of Canada is responsible for the following:
    • 4.4.1Monitoring, providing guidance and recommending actions regarding the following:
      • 4.4.1.1Compliance with this policy and its supporting instruments;
      • 4.4.1.2Internal audit performance of departments; and
      • 4.4.1.3Internal audit function across government.
    • 4.4.2Providing leadership to the internal audit function in the federal public administration, including:
      • 4.4.2.1Development and sustainability of the internal audit community through talent management and community development strategies; and
      • 4.4.2.2Determining the professional requirements for internal audit in the federal public administration.
    • 4.4.3Approving and sharing with deputy heads, a risk-based audit plan that identifies audit engagements that the Comptroller General of Canada plans to lead in departments;
    • 4.4.4Leading internal audit engagements focused on departments that do not have an internal audit function;
    • 4.4.5Leading internal audit engagements that address horizontal, sectoral or thematic risks or issues or any other internal audit engagements that have been identified by the Comptroller General of Canada or the Secretary of the Treasury Board;
    • 4.4.6Consulting with chief audit executives and deputy heads on significant issues of risk, control and governance in departments to ensure that effective and timely action is taken;
    • 4.4.7Directing departments to undertake audits identified by the Comptroller General of Canada or the Secretary of the Treasury Board;
    • 4.4.8Guiding the recruitment of external audit committee members;
    • 4.4.9Establishing, amending or proposing other requirements related to the terms and conditions of appointment of audit committee members;
    • 4.4.10Determining areas of responsibility for departmental audit committees and providing guidance on operational requirements and expected audit committee practices;
    • 4.4.11Co-recommending, with deputy heads, audit committee members for approval by Treasury Board;
    • 4.4.12Establishing and maintaining one or more independent audit committee(s) that includes a majority of external members recruited from outside the federal public administration and appointed by Treasury Board that:
      • 4.4.12.1Meets the requirements outlined in sections 4.2.8 to 4.2.10 of this Policy;
      • 4.4.12.2Reviews and provides objective advice on the results of internal audit engagements performed by the Comptroller General of Canada;
      • 4.4.12.3Provides advice to the Comptroller General of Canada, the Secretary of the Treasury Board, and deputy heads; and
      • 4.4.12.4Uses a risk-based approach to review areas of responsibility related to departmental management, control and accountability processes, as determined by the Comptroller General of Canada.
  • 4.5Departmental Audit Committees are responsible for the following:
    • 4.5.1Providing objective advice to the deputy head on the sufficiency, quality and results of internal audit engagements related to the adequacy and functioning of the department’s frameworks and processes for risk management, control and governance;
    • 4.5.2Using a risk-based approach, reviewing all areas of responsibility for departmental audit committees related to departmental management, control and accountability processes as determined by the Comptroller General of Canada; and
    • 4.5.3Providing advice on matters for which the deputy head, as accounting officer, is responsible and on other related matters as needed or requested by the deputy head.

5. Roles of other government organizations

  • 5.1Not applicable.

6. Application

  • 6.1This policy and its supporting instruments apply to departments as defined in section 2 of the Financial Administration Act unless otherwise excluded by other acts, regulations or orders in council.
  • 6.2For the purposes of this policy, small departments and agencies are defined as organizations that have reference levels that include revenues credited to the vote of less than $300 million per year or that have been, for the purposes of this policy, designated as small departments or agencies by the President of the Treasury Board on the recommendation of the Secretary of the Treasury Board.
  • 6.3Should a small department’s reference levels move to $300 million or above for three consecutive years, its deputy head will be required to establish an internal audit function, in accordance with section 4.2, unless an exception is granted by the Comptroller General of Canada.
  • 6.4The requirements set out in subsections 4.1.3, 4.1.6, 4.1.7, 4.2.1, 4.2.2, 4.2.5, 4.2.7, 4.4.1, 4.4.5, 4.4.7 and 4.4.11 of this policy do not apply to the following organizations:
    • Office of the Auditor General of Canada
    • Office of the Chief Electoral Officer
    • Office of the Commissioner of Lobbying of Canada
    • Office of the Commissioner of Official Languages
    • Office of the Information Commissioner of Canada
    • Office of the Privacy Commissioner of Canada
    • Office of the Public Sector Integrity Commissioner of Canada

    The heads of these organizations are solely responsible for:

    • 6.4.1Monitoring and ensuring compliance with this policy within their organizations;
    • 6.4.2Establishing and maintaining an audit committee; the members of these committees are not appointed through the Treasury Board appointment process led by the Comptroller General of Canada; and
    • 6.4.3Determining any additional measures that may be appropriate to safeguard the integrity of the internal audit function if the chief audit executive does not have a recognized internal auditor certification or professional accounting designation in Canada.
  • 6.5The requirements set out in section 4.5 do not apply to the audit committee(s) that advise on internal audit engagements performed by the Comptroller General of Canada. Specific requirements for these audit committees are determined by the Comptroller General.

7. Consequences of non-compliance

8. References

  • 8.1Legislation
    • Access to Information Act (section 22)
    • Financial Administration Act (section 16)
    • Official Languages Act (sections, 7, 13 and 46)
    • Privacy Act (subsection 8(2)h)
    • Public Service Employment Act (section 30)
  • 8.2Related policy instruments
    • Foundation Framework for Treasury Board Policies
    • Policy on Communications and Federal Identity (subsections 6.3.1, 6.3.2, 6.3.4, 6.3.5 and 6.3.7)
    • Policy on Results

9. Enquiries


Appendix: Definitions

Definitions for the following terms can be found in the Glossary of the International Standards for the Professional Practice of Internal Auditing (Standards)

  • assurance services
  • consulting services
  • control
  • governance
  • independent (independence)
  • objectivity
  • risk
  • risk management

© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2017,
ISBN: 978-0-660-09922-4