Performance Measurement Results for the Office of Audit and Evaluation – As of September 30 2019

Introduction

The Policy on Internal Audit and its associated Directive on Internal Audit came into force on April 1, 2017. The Directive on Internal Audit stipulates, “Departments must meet public reporting requirements as prescribed by the Comptroller General of Canada and using Treasury Board of Canada Secretariat prescribed platforms, including: Performance results for the internal audit function (A.2.2.3, A.2.2.3.1)”.

The compliance attributes detailed below are intended to show an external audience that an internal audit function is in place and operating as intended.

The objective of the Policy on Internal audit is to “ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management.”Footnote 1

Heads of government organizations are responsible for “ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework unless the framework is in conflict with this policy or its related directive; if there is a conflict, the policy or directive will prevail”Footnote 1.

On March 9, 2018, the Office of the Comptroller General issued Technical Bulletin 2018-1: Policy on Internal Audit, which provided additional guidance on the Policy and Directive. One element of the bulletin was the requirement to post performance results commencing June 30, 2018.

Furthermore, the Office of the Comptroller General provided departments with a document titled, Why publish key performance compliance attributes of internal audit? to provide additional context for the request.

In accordance with the Office of the Comptroller General’s request and with the Policy, we are pleased to provide Shared Service Canada’s (SSC) Office of Audit and Evaluation key compliance attributes as defined by the Office of the Comptroller General.

Key compliance attributes of Internal Audit

Departments are required to publish selected key compliance attributes in order to provide pertinent information to stakeholders (Canadians, parliamentarians) regarding the professionalism, performance and impact of the internal audit function in departments. The compliance attributes noted below address staff designations and training, as well as quality assurance and improvement programs in internal audit.

Professional certifications and designations

The Office of Audit and Evaluation leverages multidisciplinary teams to ensure identified engagement risks are sufficiently and appropriately addressed. This is achieved by hiring staff with diverse backgrounds and experience, together with the engagement of technical experts and specialists on an as-needed basis.

Key compliance attribute Response
1(a) Percent of staff with an internal audit or accounting designation (Certified Internal Auditor, or Chartered Professional Accountant). Of the 17 staff at the Office of Audit and Evaluation who are auditors or do audit‑related work, 8 people, or 47%, have an internal audit or accounting designation.
1(b) Percent of staff with an internal audit of accounting designation (Certified Internal Auditor or Chartered Professional Accountant) in progress. Of the 17 staff at the Office of Audit and Evaluation who are auditors or do audit‑related work, 1 person, or 6%, have an internal audit or accounting designation in progress.
1(c) Percent of staff holding other designations (for example, Certified Government Auditing Professional, Certified Information Systems Auditor). Of the 17 staff at the Office of Audit and Evaluation who are auditors or do audit‑related work, 11 people, or 65%, hold relevant designations.

Quality assurance and improvement program

Key compliance attribute Response
2(a) Date of last comprehensive briefing to the Departmental Audit Committee on the internal processes, tools and information considered necessary to evaluation conformance with the Institute of Internal Auditors’ Code of Ethics and the Standards and the results of quality assurance and improvement program. On March 16, 2016, the Departmental Audit Committee received a copy of the External Practice Inspection for SSC, and a briefing on the internal processes, tools and information considered necessary to evaluate conformance with the Institute of Internal Auditors’ Standards and the Code of Ethics, and the results of the quality assurance and improvement program.
2(b) Date of the last external assessment. The External Practice Inspection Final Report for SSC is dated April 12, 2016.

Internal audit plan and related information

Additions and adjustments to the internal audits listed in the Departmental Plan may occur in order to address emerging risks and priorities.

  Internal Audit Status Status Date of approval Date of Publication Original planned date of Management Action Plan (MAP) Status of completion of MAP (% of MAP completed)
Audit Engagements Closed in 2017-18
1 Coordinated Audit of Cyber Security with Canada Revenue Agency Approved—MAP not fully implemented April 24, 2017 Not published due to security concerns March 31, 2018 75%
2 Coordinated Audit of IT Security with Treasury Board of Canada Secretariat Approved—MAP not fully implemented June 30, 2017 Not published due to security concerns March 31, 2018 62%
3 Audit of Technology Asset Management Approved—MAP fully implemented June 27, 2017 September 22, 2017 July 14, 2017 100%
4 Systems Under Development Audit Annual Report 2016-17 Published December 12, 2017 January 22, 2018 March 31, 2018 92%
Audit Engagements Carried Forward from 2017-18 to 2018-19
5 Audit of Demand and Relationship Management Published—MAP fully implemented June 6, 2018 September 5, 2018 June 30, 2020 100%
6 Audit of Email Transformation Initiative Bell Canada Invoicing Controls Approved—MAP fully implemented July 5, 2018 October 3, 2018 June 30, 2018 100%
7 Coordinated Audit of IT Security with Employment Security and Development Canada Approved—MAP not fully implemented October 12, 2018 Not published due to security concerns March 31, 2023 0%
8 Systems Under Development Audit – Dashboard 8: Project Management Approved—MAP fully implemented September 11, 2018 March 29, 2019 April 15, 2019 100%
9 Audit of High Performance Computing Approved—MAP not fully implemented April 5, 2019 May 20, 2019 April 2020 50%
10 Systems Under Development Annual Report 2017-18 Approved—MAP fully implemented March 28, 2019 May 10, 2019 April 1, 2018 100%
Audit Engagements from the 2018-19 Risk-based Audit Plan
11 Systems Under Development Dashboard 10: Project Cost Management Approved—MAP not fully implemented July 18, 2019 August 28, 2019 March 30, 2020 40%
12 Audit of Patch Management In Progress
13 Audit of Logical Access Controls In Progress
Audit Engagements from the 2019-20 Risk-based Audit Plan
14 Audit of Information for Decision Making In Progress
15 Audit of Wide Area Network Bandwidth / Capacity Planning and Operation Planned
16 Audit of the Management of Customer Revenue Agreements In Progress
17 Audit of Security Assessment and Authorization In Progress
18 Audit of SSC’s Approach to Service Costing Planned

Adding Value

Senior management perception of the added value of the internal audit function overall is positive, and the Office of Audit and Evaluation will continue its efforts to improve these ratings.

For 2016-17, SSC reported in its Capacity Assessment that of 5 respondents to 2 audits, 40% deemed the overall usefulness of the audits as excellent, 20% reported them as good, and 40% reported them as fair.

In 2017-18, of 5 respondents to 3 surveys, 20% reported them as excellent, 40% reported them as good, and 40% reported them as fair.

In 2018-19, of 13 respondents to 5 surveys, 19% reported them as excellent, 73% reported them as good, and 8% reported them as fair.

The results for 2019-20 are not yet available.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: