Key compliance attributes of internal audit
The department of Employment and Social Development Canada (the Department) publishes key performance results for its internal audit function. This is done in accordance with the Treasury Board Directive on Internal Audit.
These results, or key compliance attributes, demonstrate that, at a minimum, the fundamental elements necessary for oversight are:
- in place
- operating as intended
- achieving results
Publishing internal audit key performance results informs Canadians regarding the professionalism, performance and impact of the internal audit function. These are not performance measures and there are no targets attached.
More information on the publication of these attributes is available on the Office of the Comptroller General’s website through the following link:
"Why publish key compliance attributes of internal audit?"
Internal audit performance results as of December 31, 2023
Do the Department’s internal auditors have the training required to do the job effectively? Are multidisciplinary teams in place to address diverse risks?
Yes. The Department’s internal audit function staff have the knowledge, skills and other competencies required to fulfill their responsibilities. As of December 31, 2023:
- 49% of staff hold the Certified Internal Auditor (CIA) or Chartered Professional Accountant (CPA) professional designation
- 18% of staff are pursuing an internal audit or accounting designation (CIA, CPA)
- 41% of staff hold other professional designations:
- 6 hold a Certified Government Auditing Professional (CGAP)
- 4 hold a Certification in Risk Management Assurance (CRMA)
- 3 hold a Certified Information Systems Auditor (CISA)
- 3 hold a Certified Fraud Examiner (CFE)
- overall, 92% of staff hold a professional designation
These percentages are not cumulative as audit staff could be in any, all, or none of these categories. For the purposes of this report, the staff composition of the Department’s internal audit function includes 39 staff members. This staff includes:
- Senior management team (Chief Audit Executive and directors)
- Audit Operations (audit principals and auditors)
- Professional Practices
- Special Examinations
- Departmental Audit Committee (DAC), Liaison and management action plans monitoring
- Special Projects (Agile Audit)
Internal Audit favours the hiring of staff who have wide-ranging backgrounds. This brings to the function a diverse skill sets in addition to auditing or accounting. For example, the internal audit function includes:
- 34 auditors with varied master’s or bachelor’s degrees
- 2 auditors with advanced knowledge of data analytics
- 1 auditor with IT security-related professional designation
Is internal audit work performed in conformance with the international standards for the profession of internal audit as required by Treasury Board policy?
Yes. The internal audit work conforms to international standards for the profession. On December 1, 2022, the internal audit function provided a comprehensive briefing to the DAC on:
- the internal processes, tools and information considered necessary to evaluate conformance with the Institute of Internal Auditors’ Code of Ethics and Standards
- the results of the Quality Assurance and Improvement Program
In addition, in January 2021, the internal audit function completed an external assessment confirming that audit work performed is in conformance with the standards.
Is internal audit credible and adding value in support of the mandate and strategic objectives of the Department
Yes. 100% of the Department’s senior management provided a “Good” or “Excellent” rating of the overall usefulness of the engagements completed by the function. The internal audit function uses post-engagement client feedback responses received during the 2023 to 2024 fiscal year to measure satisfaction.
Are the risk-based audit plans submitted to the audit committee and approved by the Deputy Minister implemented as planned with resulting reports published? Is management acting on audit recommendations for improvements to departmental processes?
Risk-based audit plans identify all proposed engagements. The DAC recommends the audit plans for approval by the Deputy Minister.
Engagements are itemized in the table below:
| Engagement title | Status | Report approved date | Report published date | Original planned MAP completion date | MAP implementation statusFootnote 1 |
|---|---|---|---|---|---|
| Audit of Identity Management PracticesFootnote 2 | published - MAP not fully implemented | June 2019 | January 2020 | March 2022 | 2 recommendations in progress |
| Audit of IT Security of Content and Collaboration | approved - not published | March 2021 | will not be published | January 2022 | 1 recommendation in progress |
| Audit of Departmental Payroll Administration - Phase 1Footnote 3 | published - MAP fully implemented | March 2022 | July 2022 | September 2022 | closed |
| Audit of the Information Technology Continuity PlanningFootnote 4 | published - MAP fully implemented | March 2022 | July 2022 | March 2023 | closed |
| Review of Contract ManagementFootnote 5 | published - MAP not fully implemented | March 2022 | July 2022 | June 2024 | 2 recommendations in progress |
| Review of the Design of the Identity and Access Management Solution (including Privileged Access) | approved - not published | August 2022 | will not be published | December 2024 | 8 recommendations in progress |
| Technical Debt Remediation Initiative (TDRI): Deep Dive Assurance on Portfolio Management | approved - not published | February 2023 | will not be published | December 2023 | closed |
| Internal Audit of Federal Government Consulting Contracts Awarded to McKinsey & CompanyFootnote 6 | published - MAP not fully implemented | March 2023 | March 2023 | June 2024 | 1 recommendation in progress |
| Audit of Controls around Payment Processes: Program and Plan Payments - Phase 1Footnote 7 | published - MAP fully implemented | November 2023 | April 2024 | March 2024 | closed |
| Audit of Program Performance MeasurementFootnote 8 | published - MAP not fully implemented | January 2024 | May 2024 | October 2025 | 3 recommendations in progress |
| TDRI: Deep Dive Assurance on TDRI Scope Definition and Management | approved - not published | February 2024 | will not be published | December 2024 | 4 recommendations in progress |
| 2023 Annual Report -Summary of Work Performed by the Dedicated Team | approved - not published | April 2024 | will not be published | not applicable | not applicable |
| TDRI: Deep Dive Assurance on Budget Forecasting and Funding Projections | approved - not published | April 2024 | will not be published | January 2025 | 5 recommendations in progress |
| Audit of Departmental Payroll Administration - Phase 2Footnote 9 | published - MAP not fully implemented | May 2024 | October 2024 | March 2026 | 3 recommendations in progress |
| Audit of the Common Experience Payment Designated Amount Fund | approved - not published | June 2024 | to be published | not applicable | not applicable |
| Review of ESDC's Program Delivery Fraud Landscape | approved - not published | June 2024 | will not be published | not applicable | not applicable |
| Audit of Program Design for Grants and Contributions | approved - not published | June 2024 | to be published | June 2025 | 4 recommendations in progress |
| Quarterly Report - January to March 2024 - BDM team | approved - not published | June 2024 | will not be published | not applicable | not applicable |
| 2023 and 2024 Annual Reports - BDM audit team | in progress | not applicable | not applicable | not applicable | not applicable |
| Audit of Business Continuity Management | in progress | not applicable | not applicable | not applicable | not applicable |
| Audit of the Consolidated Statement of Administrative Costs charge to the Canada Pension Plan Accounts by ESDC as of March 31, 2024 | in progress | not applicable | not applicable | not applicable | not applicable |
| Audit of the Employee Offboarding | in progress | not applicable | not applicable | not applicable | not applicable |
| Audit of ESDC Passport Revolving Fund Cost Recovery | in progress | not applicable | not applicable | not applicable | not applicable |
| Audit of Information Sharing Agreements | in progress | not applicable | not applicable | not applicable | not applicable |
| Office of the Comptroller General of Canada Horizontal Audit of Procurement Governance | in progress | not applicable | not applicable | not applicable | not applicable |
| Review of the Business Process for the Pensions Trusted Digital Repository Solution | in progress | not applicable | not applicable | not applicable | not applicable |
| Review of Procurement | in progress | not applicable | not applicable | not applicable | not applicable |
| Review of the Design of the Readiness Assessment Framework for the Launch of Release 2/3 of Old Age Security on Benefit Delivery Modernization (BDM) (Phase 1) | in progress | not applicable | not applicable | not applicable | not applicable |
| TDRI: Agile Review - Go Live Sustainability and Risk Universe Update | in progress | not applicable | not applicable | not applicable | not applicable |
| TDRI: Agile Review - Results and Commitments | in progress | not applicable | not applicable | not applicable | not applicable |
| Audit of Social Insurance Number | planned | not applicable | not applicable | not applicable | not applicable |
| Assessment of Internal Controls over fraud risks in ESDC's grants and contribution programs | planned | not applicable | not applicable | not applicable | not applicable |
| Audit of Application Security Vulnerabilities | planned | not applicable | not applicable | not applicable | not applicable |
| Audit of Design Effectiveness of the Departmental Migration and Operations to the Cloud | planned | not applicable | not applicable | not applicable | not applicable |
| Audit of Passport Service Delivery | planned | not applicable | not applicable | not applicable | not applicable |
| Audit of User Activity Monitoring and Event Logging | planned | not applicable | not applicable | not applicable | not applicable |
| Review of a Labour Program (placeholder) | planned | not applicable | not applicable | not applicable | not applicable |
| Review of the Design of the Readiness Assessment Framework for the Launch of Release 2/3 of Old Age Security on BDM (Phase 2) | planned | not applicable | not applicable | not applicable | not applicable |
| TDRI: Agile Review -Network Modernization IT Project Review | planned | not applicable | not applicable | not applicable | not applicable |
| Audit of Accessible Design and Delivery of ESDC's programs and services | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of Cyber Security Incident Response | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of Enterprise Risk ManagementFootnote 10 | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of IT Accessibility | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of Occupational Health and Safety | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of Post-Implementation of the Identity and Access Management and the Privileged Access Management SolutionsFootnote 11 | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of Retention and Promotion of Persons with Disabilities | postponed | not applicable | not applicable | not applicable | not applicable |
| Review of Privacy Management for Old Age Security (BDM) | postponed | not applicable | not applicable | not applicable | not applicable |
| Audit of Controls around Payment Processes: Program and Plan Payments - Phase 2 | cancelled | not applicable | not applicable | not applicable | not applicable |
| Audit of IT Supply Chain Risk Management | cancelled | not applicable | not applicable | not applicable | not applicable |
| Review of Business Continuity Planning for Old Age SecurityFootnote 12 | cancelled | not applicable | not applicable | not applicable | not applicable |
Page details
- Date modified: