Performance Measurement Results for the Office of Audit and Evaluation

Table of contents

Permission to reproduce

Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Shared Services Canada, provided that due diligence is exercised to ensure the accuracy of the information reproduced is maintained; that the complete title of the publication is produced; that Shared Services Canada is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, nor as having been made in affiliation with, or with the endorsement of the Government of Canada.

Commercial reproduction and distribution are prohibited except with written permission from Shared Services Canada. For more information, please contact Shared Services Canada at information@ssc-spc.gc.ca.

© His Majesty the King in Right of Canada, as represented by the Minister responsible for Shared Services Canada, 2025.

Shared Services Canada’s Performance Measurement Results for the Office of Audit and Evaluation
ISSN 2818-0593
Cat. No. P116-3E-PDF

Publié aussi en français sous le titre :

Services Partagés Canada – Résultats de la mesure du rendement pour le Bureau de la vérification et de l’évaluation
ISSN 2818-0607
No. de catalogue P116-3F-PDF

Introduction

The Policy on Internal Audit and its associated Directive on Internal Audit came into force on June 15, 2023. The Directive on Internal Audit stipulates, “Departments must meet public reporting requirements as prescribed by the Comptroller General of Canada (A.2.2.3)”.

The compliance attributes detailed below are intended to show an external audience that an internal audit function is in place and operating as intended.

The objective of the Policy on Internal audit is to “ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management.”[1]

Heads of government organizations are responsible for “ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework unless the framework is in conflict with this policy or its related directive; if there is a conflict, the policy or directive will prevail”[2].

In June 2023, the Office of the Comptroller General issued Technical Bulletin 2023-1: Policy on Internal Audit, which provided additional guidance on the Policy and Directive. One element of the bulletin was the requirement to post performance results commencing August 30, 2023.

Furthermore, the Office of the Comptroller General provided departments with a document titled, Why publish key performance compliance attributes of internal audit? to provide additional context for the request.

In accordance with the Office of the Comptroller General’s request and with the Policy, we are pleased to provide Shared Service Canada’s (SSC) Office of Audit and Evaluation key compliance attributes as defined by the Office of the Comptroller General.

Key compliance attributes of Internal Audit

Departments are required to publish selected key compliance attributes in order to provide pertinent information to stakeholders (Canadians, parliamentarians) regarding the professionalism, performance and impact of the internal audit function in departments. The compliance attributes noted below address staff designations and training, as well as quality assurance and improvement programs in internal audit.

(1) Professional certifications and designations

The Office of Audit and Evaluation leverages multidisciplinary teams to ensure identified engagement risks are sufficiently and appropriately addressed. This is achieved by hiring staff with diverse backgrounds and experience, together with the engagement of technical experts and specialists on an as-needed basis.

As of March 31, 2025
Key compliance attribute Response
1(a) Percent of staff with an internal audit or accounting designation (Certified Internal Auditor, or Chartered Professional Accountant). Of the 18 staff at the Office of Audit and Evaluation who are auditors or do audit related work, 7 people, or 36%, have an internal audit or accounting designation.
1(b) Percent of staff with an internal audit of accounting designation (Certified Internal Auditor or Chartered Professional Accountant) in progress. Of the 18 staff at the Office of Audit and Evaluation who are auditors or do audit related work, 1 person, or 6%, have an internal audit or accounting designation in progress.
1(c) Percent of staff holding other designations (e.g., Certified Government Auditing Professional, Certified Information Systems Auditor). Of the 18 staff at the Office of Audit and Evaluation who are auditors or do audit related work, 9 people, or 50%, hold other relevant designations.

(2) Quality assurance and improvement program

As of March 31, 2025
Key compliance attribute Response
2(a) Date of last comprehensive briefing to the Departmental Audit Committee on the internal processes, tools and information considered necessary to evaluation conformance with the Institute of Internal Auditors’ Code of Ethics and the Standards and the results of quality assurance and improvement program. On March 3, 2025, the Office of Audit and Evaluation reported on its annual Internal Assessment of the internal audit practices at SSC, covering fiscal year 2024-2025.
2(b) Date of the last external assessment. February 8th, 2021.

(3) Internal audit plan and related information

The following table is updated regularly, at a minimum twice annually, to show the implementation status of the audit plan. Additions and adjustments to the internal audits listed in the Departmental Plan may occur in order to address emerging risks and priorities.

As of June 30, 2025
Internal Audit Title Status Date of report approval Date of publication Original planned date of Management Action Plan (MAP) Status of completion of MAP
(% of MAP completed)
Audit Engagements from the 2018-2019 Risk-based Audit Plan
1 Audit of Patch Management Approved—Not published June 21, 2022 N/A March 31, 2025 95%
Audit Engagements from the 2021–2022 Risk-based Audit Plan
2 Audit of Workload Migration (WLM) Published — MAP not fully implemented November 30, 2023 March 18, 2024 September 30, 2024 0%
3 Auditof IT Continuity Approved—Not published May 31, 2024 N/A July 31, 2025 15%
Audit Engagements from the 2022–2023 Risk-based Audit Plan
4 Review of Governance Over Business Request Prioritization Approved—Not published April 17, 2024 N/A June 30, 2024 0%
5 SSC Personnel Onboarding and Offboarding Processes Approved — MAP not fully implemented December 16, 2024 May 20, 2025 March 31, 2026 0%
6 Audit of Cyber and IT Security Governance Approved — MAP not fully implemented March 26, 2025 June 24, 2025 March 1, 2027 0%
Audit Engagements from the 2023–2024 Risk-based Audit Plan
7 Review of Contract Amendments Approved — MAP not fully implemented June 3, 2025 N/A August 31, 2026 0%
Audit Engagements from the 2025–2026 Risk-based Audit Plan
8 Privileged Access Management - Continuous In Progress - - - -
9 Audit of SSC’s Approach to Service Costing In Progress - - - -
10 Audit of Project: SSC - CRA CBSA Migration (CCM) In Progress - - - -
11 Audit of Management of Secret Infrastructure In Progress - - - -
12 Advisory on Incident Management Planned - - - -
13 Proactive Approach to Fraud Risk in Procurement Processes: Fraud Risk Assessment Planned - - - -

(4) Adding Value

As of March 31, 2025

Senior management's perception of the added value of audit recommendations and processes to improve controls, governance and risk management:

For the reporting period of April 1, 2024 to March 31, 2025, of 2 respondents to 1 survey, 100% reported them as excellent.

Page details

Date modified: