Internal Audit Charter
[ PDF version ]
This Internal Audit Charter formally defines the purpose, authority, and responsibility of the Privy Council Office (PCO) internal audit function. It establishes the internal audit function’s position within PCO; describes accountability; provides for independence from line management; and defines the scope of internal audit activities. It is based on the 2017 Treasury Board (TB) Internal Audit Policy suite that includes the TB Policy on Internal Audit (the Policy), the Directive on Internal Auditing in the Government of Canada (the Directive), and the Institute of Internal Auditors International Professional Practices Framework.
Departments that have a reference level of more than $300M per year must have an internal audit function. Even though PCO’s reference level is less than $300M per year, the Clerk has elected, based on his discretionary authority, to maintain PCO’s internal audit function and an independent audit committee. This Internal Audit Charter is built upon provisions in the TB Internal Audit Policy that apply to departments and agencies that have a reference level of less than $300M per year but which have chosen to maintain their internal audit function and an independent audit committee.
PCO’s Audit Committee is responsible for recommending the Internal Audit Charter for approval by the Clerk.
The Internal Audit Charter becomes effective on the date it is approved by the Clerk, replacing all former Internal Audit Charter, policy or mandate documents.
Internal audit in the Government of Canada
Internal audit in the Government of Canada is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. PCO’s internal audit function provides assurance services that are intended to assist PCO decision-makers in exercising oversight and control and in applying sound risk management.
Accordingly, the level of assurance provided by an auditor is the level of confidence the auditor has in the appropriateness of his or her conclusions. Assurance services are objective examinations of evidence for the purpose of providing an independent assessment on the risk management, control and governance processes within an organization. Consulting services are designed to add value and improve an organization’s operations.
Code of ethics
PCO’s internal audit function observes the code of ethics of the Institute of Internal Auditors (IIA). The principles of integrity, objectivity, confidentiality and competency guide the work of PCO’s internal audit function.
To ensure the independence and objectivity of PCO’s internal audit function, its personnel report to the Chief Audit Executive (CAE), who in turn reports directly to the Clerk. Functionally, the CAE reports to the Clerk through the Deputy Clerk’s Office. To ensure this objectivity and independence are maintained, any audits conducted on functions for which the Chief Audit Executive is responsible (which are PCO’s Internal Audit and Evaluation functions) will be conducted by either an external auditor or by a contracted third party.
The authority of PCO’s internal audit function flows both from the 2017 TB Internal Audit Policy and from the Clerk’s decision to maintain PCO’s internal audit function and an independent audit committee. In this regard, the Clerk will:
- Ensure PCO’s internal audit resources and capacity are appropriate to the needs of the Department;
- Ensure PCO’s internal audit function operates in accordance with the TB Internal Audit Policy;
- Ensure the Office of the Comptroller General (OCG) is informed without delay of any risk, control or governance issue that may require the involvement of the Treasury Board Secretariat (TBS);
- Ensure a formal response is provided and appropriate actions are taken in a timely manner to internal audit recommendations;
- Ensure completed audit reports are released on platforms prescribed by TBS within timeframes prescribed by the OCG;
- Ensure an investigation is conducted when significant issues regarding policy compliance arise and appropriate remedial action is taken by PCO;
- Approve PCO’s Risk-Based Assurance Plan (RBAP) and ensure it is submitted to the OCG;
- Approve reports on the results of internal audit engagements;
- Ensure PCO’s Chief Audit Executive:
- Is not assigned any departmental management or operational responsibilities which may compromise his/her independence and objectivity in respect of the responsibilities of a Chief Audit Executive;
- Has unrestricted access to PCO’s Audit Committee;
- Has unrestricted access to all PCO records, databases, workplaces and employees to carry out the Risk-Based Assurance Plan or other engagements, and has the authority to obtain related information and explanations from PCO employees and contractors; and
- Has unimpaired ability to carry out his or her responsibilities, including reporting issues to the Clerk, to the Audit Committee and as appropriate after discussion with the Clerk, to the Comptroller General.
- Ensure PCO’s independent audit committee is maintained and that:
- It has the collective skills, knowledge and experience to allow the audit committee to carry out its duties competently and efficiently;
- Its members are free of any real or apparent conflict of interest; and
- It reflects Canada’s diversity in terms of gender, official languages, Indigenous Canadians, minority groups and regional representation.
PCO’s Chief Audit Executive, supported by the internal audit staff, is responsible for:
- Applying the Institute of Internal Auditors International Professional Practices Framework in the department, unless it is in conflict with the TB Policy or TB Directive, in which case the Policy or Directive will prevail;
- Establishing and annually updating a PCO RBAP that: spans multiple years; focuses primarily on providing assurance and consulting services; is recommended by the PCO Audit Committee and approved by the Clerk; and which considers:
- Departmental areas of high risk and significance;
- Horizontal audits led by the Comptroller General;
- Planned audits led by external assurance providers and other departments, as appropriate, and
- Other oversight engagements, including, where the necessary expertise and capacity are in place, the option to provide consulting services to the organization, as a supplement to the assurance role and in accordance with the Institute of Internal Auditors International Professional Practices Framework.
- Ensuring that the Clerk and PCO Audit Committee are aware of the resource requirements for the internal audit function and the impact of resource decisions;
- Ensuring the timely completion of internal audit engagements and that their results are finalized in a written report that is reviewed and recommended by the Audit Committee and approved by the Clerk;
- Reporting at least annually to the Clerk on whether the actions scheduled by management in response to audit recommendations, both internal and external, have been implemented; and
- Ensuring that internal auditors have the appropriate qualifications, skills, and opportunities to maintain and develop their internal auditing competencies.
Internal audit suite of services
The internal audit function will meet or exceed requirements of the TB’s Policy on Internal Audit and Directive on Internal Auditing, and will ensure its activities conform to the Institute of Internal Auditors International Professional Practices Framework. In addition to assurance services, the internal audit function will undertake Targeted Control Audits and provide consulting services which will include, Reviews, Lessons Learned, Risk Management Support, Advice and miscellaneous consulting engagements.
Quality Assurance Improvement Program
PCO’s internal audit function maintains a Quality Assurance Improvement Program (QAIP) which ensures that work is performed in accordance with the Internal Audit Charter and conforms with the IIA’s definition of internal auditing, Standards and Code of Ethics. The QAIP further ensures that the internal audit function operates in an efficient and effective manner and is perceived by its stakeholders as adding value.
Original signed by Abdillahi Roble
Recommended by PCO’s Chief Audit Executive
Original signed by Munir Sheikh
Recommended by PCO’s Audit Committee Chair
Original signed by Ian Shugart
Approval by the Clerk of the Privy Council
- "risk management," "control" and "governance"
- The Treasury Board Policy on Internal Audit recognizes the definitions for the terms "risk management," "control" and "governance" included in The International Professional Practices Framework published by the Institute of Internal Auditors.
- Risk Management
- A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
- Any action taken by management, the Clerk, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
- The combination of processes and structures implemented by management (and the Audit Committee) to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
- Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor.
- Participants in assurance services
- Generally, three parties are participants in assurance services:
- the person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner,
- the person or group making the assessment—the internal auditor, and
- the person or group using the assessment—the user.
- Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:
- the person or group offering the advice—the internal auditor, and
- the person or group seeking and receiving the advice—the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.
Report a problem or mistake on this page
- Date modified: