Privy Council Office Internal Audit Charter

[PDF Version

July 2017 


This Internal Audit Charter formally defines the purpose, authority, and responsibility of the Privy Council Office (PCO) internal audit function. It establishes the internal audit function’s position within PCO; describes accountability; provides for independence from line management; and defines the scope of internal audit activities. It is based on the 2017 Treasury Board (TB)  Internal Audit Policy suite that includes the TB Policy on Internal Audit (the Policy), the Directive on Internal Auditing in the Government of Canada (the Directive), and the Institute of Internal Auditors International Professional Practices Framework. 

Departments that have a reference level of more than $300M per year must have an internal audit function. As PCO’s reference level is less than $300M per year, the Clerk has chosen, based on his discretionary authority, to maintain PCO’s internal audit function and an independent audit committee. This Internal Audit Charter is built upon provisions in the TB Internal Audit Policy suite that apply to departments and agencies that have a reference level of less than $300M per year but which have chosen to maintain their internal audit function and an independent audit committee. 

PCO’s Audit Committee is responsible for recommending the Internal Audit Charter for approval of the Clerk, and to review it annually.

Effective Date

The Internal Audit Charter becomes effective on the date it is approved by the Clerk, replacing all former Internal Audit Charter, policy or mandate documents.

Internal Audit in the Government of Canada

Internal audit in the Government of Canada is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. PCO’s internal audit function provides assurance services that are intended to assist PCO decision-makers in exercising oversight and control and in applying sound risk management. 

Assurance refers to an auditor’s professional judgment on the appropriateness of his or her conclusions on risk management, control, and governanceFootnote 1 . Accordingly, the level of assurance provided by an auditor is the level of confidence the auditor has in the appropriateness of his or her conclusions.  Assurance services are objective examinations of evidence for the purpose of providing an independent assessment on the risk management, control and governance processes within an organization.


To ensure the independence and objectivity of PCO’s internal audit function, its personnel report to the Chief Audit Executive, who in turn reports directly to the Clerk. To ensure this objectivity and independence are maintained, any audits conducted on functions for which the Chief Audit Executive is responsible (which are PCO’s Internal Audit and Evaluation functions) will be conducted by either an external auditor or by a contracted third party.


The authority of PCO’s internal audit function flows both from the 2017 TB Internal Audit Policy Suite and from the Clerk’s decision to maintain PCO’s internal audit function and an independent audit committee. In this regard, the Clerk will:

  • Ensure PCO’s internal audit resources and capacity are appropriate to the needs of the Department;

  • Ensure PCO’s internal audit function operates in accordance with the TB Internal Audit Policy Suite;

  • Ensure the Office of the Comptroller General (OCG) is informed without delay of any risk, control or governance issue that may require the involvement of the Treasury Board Secretariat (TBS);

  • Ensure a formal response is provided and appropriate actions are taken in a timely manner to internal audit recommendations;

  • Ensure completed audit reports are released on platforms prescribed by TBS within timeframes prescribed by the OCG;

  • Ensure an investigation is conducted when significant issues regarding policy compliance arise and appropriate remedial action is taken by PCO;

  • Approve PCO’s risk-based internal audit plan (RBAP) and ensure it is submitted to the OCG;

  • Approve reports on the results of internal audit engagements;

  • Ensure PCO’s Chief Audit Executive:

    • Is not assigned any departmental management or operational responsibilities which may compromise his/her independence and objectivity in respect of the responsibilities of a Chief Audit Executive;

    • Has unrestricted access to PCO’s Audit Committee;

    • Has unrestricted access to all PCO records, databases, workplaces and employees to carry out the Risk-Based Audit Plan or other engagements, and has the authority to obtain related information and explanations from PCO employees and contractors; and

    • Has unimpaired ability to carry out his or her responsibilities, including reporting issues to the Clerk, to the Audit Committee and as appropriate after discussion with the Clerk, to the Comptroller General.

    • Ensures PCO’s independent audit committee is maintained and that:

      • It has the collective skills, knowledge and experience to allow the audit committee to carry out its duties competently and efficiently;

      • Its members are free of any real or apparent conflict of interest; and

      • It reflects Canada’s diversity in terms of gender, official languages, Indigenous Canadians, minority groups and regional representation.


PCO’s Chief Audit Executive, supported by the internal audit staff, is responsible for:

  • Applying the Institute of Internal Auditors International Professional Practices Framework in the department, unless it is in conflict with the TB Policy or TB Directive, in which case the Policy or Directive will prevail;

  • Establishing and annually updating a PCO RBAP that: spans multiple years; focuses primarily on providing assurance services; is recommended by the PCO Audit Committee and approved by the Clerk; and which considers:

    • Departmental areas of high risk and significance;

    • Horizontal audits led by the Comptroller General;

    • Planned audits led by external assurance providers and other departments, as appropriate, and

    • Other oversight engagements, including, where the necessary expertise and capacity are in place, the option to provide consulting services to the organization, as a supplement to the assurance role and in accordance with the Institute of Internal Auditors International Professional Practices Framework.

  • Ensuring that the Clerk and PCO Audit Committee are aware of the resource requirements for the internal audit function and the impact of resource decisions;

  • Ensuring the timely completion of internal audit engagements and that their results are finalized in a written report that is reviewed and recommended by the Audit Committee and approved by the Clerk;

  • Reporting at least annually to the Clerk on whether the actions scheduled by management in response to audit recommendations, both internal and external, have been implemented; and

  • Ensuring that internal auditors have the appropriate qualifications, skills, and opportunities to maintain and develop their internal auditing competencies. 

Standards of Internal Audit Practice

The internal audit function will meet or exceed requirements of the TB’s Policy on Internal Audit and Directive on Internal Auditing, and will ensure its activities conform to the Institute of Internal Auditors International Professional Practices Framework.


Original signed by Anne Weldon-Lacroix

Recommended by PCO’s Chief Audit Executive


Original signed by Munir Sheikh

Recommended by PCO’s Audit Committee Chair


Original signed by Michael Wernick

Approved by the Clerk of the Privy Council


Key Definitions 

The Treasury Board Policy on Internal Audit recognizes the definitions for the terms "risk management," "control" and "governance" included in The International Professional Practices Framework published by the Institute of Internal Auditors. Other definitions of the Policy can be found in the appendix. 

Risk Management – A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives. 

Control – Any action taken by management, the Clerk, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. 

Governance – The combination of processes and structures implemented by management (and the Audit Committee) to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: