Report: Key compliance attributes of the Department’s internal audit function as of March 31, 2025 - Employment and Social Development Canada
On this page
Overview
The 4 key compliance attributes relate to the following areas and are reported below:
- Internal audit training and team composition
- Conformance with professional standards
- Implementation of the risk-based audit plan
- Credibility and value of internal audit
For the purpose of this report, the staff composition of the Department's internal audit function includes 32 indeterminate auditors, comprising:
- Senior management team (Chief Audit Executive and directors)
- Audit Operations (audit principals and auditors)
- Agile Audit Group for Benefits Delivery Modernization (audit principals and auditors)
- Professional Practices
- Departmental Audit Committee, Liaison and Management Action Plans Monitoring
Table 1. Key compliance attributes of the Department's internal audit function as of March 31, 2025
Key Compliance Attributes | Departmental Results as of March 31, 2025 |
---|---|
1. (a). % of staff with an internal audit or accounting designation (Certified Internal Auditor [CIA], Chartered Professional Accountant [CPA]). 1. (b). % of staff with an internal audit or accounting designation in progress (CIA, CPA). 1. (c). % of staff holding other designations (Certified Government Auditing Professional [CGAP], Certification in Risk Management Assurance [CRMA], etc.). |
1. (a) 50% of staff have an internal audit or accounting designation (Certified Internal Auditor (CIA) or Chartered Professional Accountant (CPA)). 1. (b) 19% of staff have an internal audit or accounting designation in progress (CIA, CPA). 1. (c) 28% of staff hold other professional designations (CGAP, CISA etc.) |
2. (a). Date of last comprehensive briefing to the Departmental Audit Committee (DAC) on the internal processes, tools, and information considered necessary to evaluate conformance with the Institute of Internal Auditors (IIA) Code of Ethics and the Standards and the results of the Quality Assurance and Improvement Program (QAIP). 2. (b). Date of last external assessment. |
2. (a). The last briefing to the DAC on the internal processes, tools, information necessary to evaluate conformance with the IIA Standards and the Quality Assurance and Improvement Program (QAIP) was on December 5, 2024. 2. (b). The last external quality assessment was completed in January 2021. |
3. Risk-Based Audit Plan (RBAP) and related information:
|
3. The 2024-25 RBAP was approved in June 2024. Please refer to Table 1 below for progress in implementing the current RBAP and to Table 2 for information on MAPs still in progress. |
4. Average overall usefulness rating from senior management of areas audited. | 4. 85% of the Department's senior management provided a "Good" or "Excellent" rating of the overall usefulness of internal audit engagements. The internal audit function uses post-engagement client feedback responses received during the 2024-2025 fiscal year to measure satisfaction. |
Table 2. Progress in Implementing the 2024-25 RBAP, as of March 31, 2025
Engagement title | Status | Report approved date | Report published date | Original planned MAP completion date | MAP implementation status |
---|---|---|---|---|---|
Technical Debt Remediation Initiative (TDRI): Review of Deep Dive Assurance on Budget Forecasting and Funding Projections | Approved - Not published | 2024/10/02 | not applicable | 2024/12/31 | 0% |
Review of ESDC's Program Delivery Fraud LandscapeFootnote 1 | Approved - Not published | 2024/06/11 | not applicable | not applicable | not applicable |
Audit of the Common Experience Payment Designated Amount FundFootnote 1 | Published - MAP not applicable | 2024/06/11 | 2024/12/13 | not applicable | not applicable |
Audit of Business Continuity Management | Published - MAP not fully implemented | 2024/12/05 | 2025/07/15 | 2027/06/30 | 0% |
Review of Procurement - Phase 1 | Approved - Not published | 2024/08/27 | not applicable | 2026/12/31 | 0% |
Review of the Design of the Readiness Assessment Framework for the Launch of Release 2/3 of Old Age Security on Benefit Delivery Modernization (BDM) (Phase 1) | Approved - Not published | 2024/08/06 | not applicable | 2025/05/31 | 100% |
Audit of ESDC Passport Revolving Fund Cost Recovery | Published - MAP not fully implemented | 2024/12/05 | 2025/07/18 | 2025/03/31 | 0% |
Audit of the Consolidated Statement of Administrative Costs charge to the Canada Pension Plan Accounts by ESDC as of March 31, 2024Footnote 1 | Published - MAP not applicable | 2024/12/05 | 2025/07/11 | not applicable | not applicable |
Audit of Information Sharing Agreements | Published - MAP not fully implemented | 2024/12/05 | 2025/07/11 | 2028/03/31 | 0% |
Review of the Design of the Readiness Assessment Framework for the Launch of Release 2/3 of Old Age Security on BDM (Phase 2) | In progress | not applicable | not applicable | not applicable | not applicable |
Review of Labour Program Complaints ManagementFootnote 2 | In progress | not applicable | not applicable | not applicable | not applicable |
Review of TDRI Commitments and ResultsFootnote 3 | In progress | not applicable | not applicable | not applicable | not applicable |
Review of Remediation of Technical Debt Plans Post TDRIFootnote 4 | In progress | not applicable | not applicable | not applicable | not applicable |
Audit of the Employee Offboarding | In progress | not applicable | not applicable | not applicable | not applicable |
Review of Social Insurance NumberFootnote 5 | In progress | not applicable | not applicable | not applicable | not applicable |
Review of Internal Controls over Fraud Risks in ESDC's Grants and Contribution ProgramsFootnote 6 | In progress | not applicable | not applicable | not applicable | not applicable |
Audit of ESDC's Employee Access Monitoring ProgramFootnote 7 | In progress | not applicable | not applicable | not applicable | not applicable |
Audit of Passport Service Delivery | In progress | not applicable | not applicable | not applicable | not applicable |
Agile Review -Network Modernization IT Project Review | In progress | not applicable | not applicable | not applicable | not applicable |
Audit of the Security Design Effectiveness of the Departmental Adoption of Operations of the CloudFootnote 8 | In progress | not applicable | not applicable | not applicable | not applicable |
Audit of Application Security Vulnerabilities | In progress | not applicable | not applicable | not applicable | not applicable |
Audit of Cyber Security Incident Response | Planned | not applicable | not applicable | not applicable | not applicable |
Audit of Post-Implementation of the Identity and Access Management and the Privileged Access Management Solutions | Planned | not applicable | not applicable | not applicable | not applicable |
Table 3. Engagements with Management Action Plans (MAPs) in progress, as of March 31, 2025Footnote 9
Engagement title | Status | Report approved date | Report published date | Original planned MAP completion date | MAP implementation status |
---|---|---|---|---|---|
TDRI: Deep Dive Assurance on TDRI Scope Definition and Management | Approved - Not published | not applicableFootnote 10 | not applicable | 2024/12/01 | 0% |
TDRI Deep Dive Assurance on Portfolio Management | Approved - Not published | not applicableFootnote 10 | not applicable | 2025/01/31 | 29% |
Audit of Departmental Payroll Administration - Phase 2 | Published - MAP not fully implemented | 2024/04/09 | 2024/09/27 | 2026-03-31 | 33% |
Audit of Program Design for Grants and Contributions | Published - MAP not fully implemented | 2024/06/11 | 2024/12/06 | 2025/03/31 | 0% |
Audit of Program Performance Measurement | Published - MAP not fully implemented | 2023/11/28 | 2024/05/01 | 2026/12/31 | 0% |
Audit of Identification, Security and Protection of Sensitive Information | Approved - Not published | 2023/08/24 | not applicable | 2025/03/31 | 33% |
Audit of Controls Around Payment Processes - Program Payments - Phase 1 | Published - MAP not fully implemented | 2023/06/06 | 2024/04/19 | To be completed upon the completion of the Government-wide solution (+/- 2 years). | 50% |
Internal Audit of Federal Government Consulting Contracts Awarded to McKinsey & Company | Published - MAP fully implemented | 2023/03/22 | 2023/03/30 | 2024/06/30 | 100% |
Review of the Design of the Identity and Access Management Solution (including Privileged Access) | Approved - Not published | 2022/08/25 | not applicable | 2024/12/31 | 40% |
Review of Contract Management | Published - MAP not fully implemented | 2022/01/28 | 2022/07/28 | 2024/06/30 | 75% |
Audit of IT Security of Content and Collaboration | Approved - Not published | 2021/03/23 | not applicable | 2022/01/11 | 100% |
Audit of Identity Management Practices | Published - MAP fully implemented | 2019/06/18 | 2022/04/21 | 2022/03/31 | 100% |
Integrated Management Action Plan for Audit of Access Controls Initiative | Approved - Not published | 2018/11/20 | not applicable | 2019/08/31 | 0%Footnote 11 |