2025 to 2026 Report on Key Compliance Attributes of the Internal Audit Function
Table of contents
- Introduction
-
Key compliance attributes
- Internal auditors are trained to effectively perform the work
- Audit work is performed in conformance with the international standards for the profession
- Audit work is performed according to a systematically developed risk-based audit plan, which has been approved by the head of the organization, and that results in management actions being taken in response to recommendations
- Audit work is perceived by stakeholders as adding value in the pursuit of organizational objectives
Introduction
About key compliance attributes
The objective of the Treasury Board Policy on Internal Audit is to ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management.
Heads of organizations are responsible for ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors International Professional Practices Framework unless the framework is in conflict with the Treasury Board Policy or its related directive; if there is a conflict, the Policy or Directive will prevail.
Departments with internal audit functions are required to publish key attributes of compliance as per section A.2.2.3 of the Treasury Board Directive on Internal Audit. It is important that the public is aware that heads of government organizations are receiving assurance and that activities are managed in a way that demonstrates responsible stewardship.
These attributes have been selected because they demonstrate to an external audience that, at a minimum, the fundamental elements necessary for oversight are in place, are operating as intended and are achieving results. The key attributes of compliance with the Policy and standards are:
- internal auditors that are trained to effectively perform the work;
- audit work that is performed in conformance with the international standards for the profession;
- audit work that is performed according to a systematically developed risk-based audit plan, which has been approved by the head of the organization, and that results in management actions being taken in response to report recommendations; and,
- audit work that is perceived by stakeholders as adding value in the pursuit of organizational objectives.
Publishing departmental key compliance attributes provides pertinent information to Canadians and parliamentarians regarding the professionalism, performance, and impact of the internal audit function in departments. These are not performance measures, and no targets are attached. Under the Policy, the Comptroller General has the authority to amend these attributes, should there be changes in the internal audit environment and/or due to the evolving maturity of the internal audit function.
About the Internal Audit and Evaluation Directorate
The Internal Audit and Evaluation Directorate enhances and protects organizational value by providing risk-based objective assurance, advice and insight. The internal audit function allows the Public Service Commission of Canada (PSC) to meet its goals, using a systematic and disciplined approach to evaluating and improving the adequacy and effectiveness of the PSC’s processes for risk management, control and governance.
Key Compliance Attributes
1. Internal auditors are trained to effectively perform the work
Do internal auditors have the training required to do the job effectively? Are multidisciplinary teams in place to address diverse risks?
Yes. As of March 31, 2025Footnote1, 7.5 full-time equivalents make up the PSC’s internal audit function. This includes the Chief Audit Executive, 5 members of the internal audit team and 1 professional practices project leader, as well as 50% of the capacity of the Internal Audit and Evaluation Directorate’s administrative assistant. The internal audit staff is made up of people with diverse backgrounds, qualifications and education, and they collectively have the knowledge, skills and abilities to do their work effectively. Two internal audit staff members are certified internal auditors, 2 hold the internal audit practitioner certification and 1 is a chartered professional accountant. Two staff members are currently working toward becoming certified internal auditors. In addition, 1 staff member holds the Certification in Risk Management Assurance.
Table 1: Competency attributes
| Key compliance attribute | Designation status as of March 31, 2025 | Percentage of staff |
|---|---|---|
| 1(a) | Percentage of staff with an internal audit or accounting designation (Certified Internal Auditor and Chartered Professional Accountant) | 40% |
| 1(b) | Percentage of staff with an internal audit or accounting designation in progressFootnote2 | 26.7%Footnote3 |
| 1(c) | Percentage of staff holding other designations (Internal Audit Practitioner, Certified Government Auditing Professional, Certified Information Systems Auditor) | 40% |
2. Audit work is performed in conformance with the international standards for the profession
Is internal audit work performed in conformance with the international standards for the profession of internal audit as required by Treasury Board policy?
Yes. The most recently completed external assessment, which was tabled at the spring 2023 Internal Audit Committee meeting, found that the function continues to generally conform to all applicable internal audit standards. The next external assessment is scheduled for March 2028.
The PSC provides comprehensive briefings to the Internal Audit Committee, which include:
- the scope and frequency of both the internal and external assessments
- the qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest
- conclusions of assessors
- corrective action plans
In June 2025, the PSC conducted a gap self-assessment against the new Global Internal Audit Standards, effective January 2025. The results of this gap assessment and the action taken to align with the new standards were tabled at the June 2025 Internal Audit Committee meeting as part of our comprehensive briefing, demonstrating our progress on aligning with the updated standards. Together, the positive findings from the external assessment, the actions taken to align with the new standards and the positive findings from the June 2024 self-assessment demonstrate that the internal audit function’s work is performed in conformance with the international standards for the profession of internal audit. We will continue to conduct thorough self-assessments against the standards and Treasury Board policy in alignment with the Institute of Internal Auditors and Treasury Board of Canada Secretariat’s guidance for small internal audit functions.
Table 2: Conformance attributes
| Key compliance attribute | Conformance milestone | Date |
|---|---|---|
| 2(a) | Date of last comprehensive briefing to the Departmental Audit Committee on:
|
June 5, 2025 |
| 2(b) | Date of last external assessment | April 5, 2023 |
3. Audit work is performed according to a systematically developed risk-based audit plan, which has been approved by the head of the organization, and that results in management actions being taken in response to recommendations
Are the risk-based audit plans submitted to audit committees and approved by deputy heads implemented as planned with resulting reports published?
Yes. The PSC’s risk-based audit and evaluation plan covers a period of 2 fiscal years and is updated, submitted to the Internal Audit Committee for discussion and approved by the President of the PSC on an annual basis. A list of internal audit engagements that are in progress, planned or cancelled is provided in Table 3 and reflects the approved 2025 to 2027 risk-based audit and evaluation plan.
Table 3: Audit plan status and related information
| Audit title | Status | Notes |
|---|---|---|
| Audit of Financial Controls | Cancelled | The Internal Audit and Evaluation Directorate determined that the internal processes in this area are strong based on discussions with the Internal Audit Committee and Chief Financial Officer / Vice-President of the Corporate Affairs Sector. |
| Advisory on Operational Governance | In progress | Target completion: second quarter, 2025 to 2026 |
| Advisory on the New Risk and Compliance Process | In progress | Target completion: October 2025 |
| Internal Audit of Information Management | Planned | Target launch: third quarter, 2025 to 2026 |
| Feasibility Assessment on Digital Modernization and Artificial Intelligence | Planned | Target launch: second quarter, 2026 to 2027 |
| Audit of Planning and Budgeting | Planned | Target launch: third quarter, 2026 to 2027 |
Is management acting on audit recommendations for improvements to departmental processes?
Yes. The PSC’s management is implementing the recommendations resulting from internal audit engagements. Details on progress can be found in Table 4. The rationale for extensions of original target dates was discussed with the Internal Audit Committee and approved by the President of the PSC.
Table 4: Management Action Plan implementation status
| Audit title | Audit status | Approval date | Publication dateFootnote4 | Original target completion of all management action plansFootnote5 | Implementation status |
|---|---|---|---|---|---|
| Audit of Risk Management Practices | Published; management action plan not fully implemented | March 2023 | July 11, 2023 | Third quarter, 2023 to 2024 | 40% |
| Audit of IT Security | Approved; not published | June 2023 | Not applicable | Fourth quarter, 2024 to 2025 | 40% |
| Audit of Procurement | Published; management action plan fully implemented | December 2023 | February 2, 2024 | October 31, 2023 | 100%Footnote6 |
| Consultation on Data and Incident Management for the Veterans Hiring Act | Approved; not published | August 2024 | Not applicable | Not applicable | Not applicable |
| Consultative Engagement on PSC’s Data Landscape | Approved; not published | June 2025 | Not applicable | March 31, 2027 | 14.3% |
4. Audit work is perceived by stakeholders as adding value in the pursuit of organizational objectives
Is internal audit credible and does it add value in support of our mandate and strategic objectives?
Yes. The PSC ensures its credibility through its Quality Assurance and Improvement Program, which provides reasonable assurance that its internal audit function conforms to the Global Internal Audit Standards, its Internal Audit Charter, the Treasury Board of Canada policy suite and other applicable frameworks.
Based on the post-audit survey results received and discussions at Internal Audit Committee meetings, the President and senior management agreed that the internal audit engagements conducted were useful and added value to the PSC overall.
The average overall usefulness rating of the advisory engagement that was completed in fiscal year 2024 to 2025 was 81.25%.
Information contained in this publication or product may be reproduced, in part or in whole, and by any means, for personal or public non-commercial purposes without charge or further permission, unless otherwise specified. Commercial reproduction and distribution are prohibited except with written permission from the Public Service Commission of Canada.
For more information, contact
Public Service Commission of Canada
22 Eddy Street
Gatineau (Quebec) K1A 0M7
Email: cfp.infocom.psc@cfp-psc.gc.ca
Website of publisher: https://www.canada.ca/en/public-service-commission.html
© His Majesty the King in Right of Canada, as represented by the President of the Public Service Commission of Canada, 2025
Cat No SC1-18E-PDF (Electronic PDF, English)
ISSN 2819-4918
No de cat SC1-18F-PDF
ISSN 2819-4926 (Electronic PDF, French)