Guidebook for a Departmental Audit Committee

3.4.1 Expectations of the DAC Chair

The Treasury Board Directive on Internal Auditing in the Government of Canada requires that either the deputy head or an external member chair the DAC. The directive recommends, however, that an external member be the chair. If the deputy head is the chair, an external member is to be the vice-chair.

Where the deputy head is the chair, he or she has the challenge of simultaneously providing and receiving independent advice and guidance on the management of his or her own department. To help strengthen the independence of the DAC in this situation, the vice-chair is expected to play a strong leadership role.

The expectations of the DAC chair include but are not limited to the following:

Prepare a DAC annual plan

In consultation with DAC members and the deputy head, prepare the DAC's annual plan, to be presented to the deputy head for approval. The chair should ensure that the DAC's responsibilities are scheduled and fully addressed, including areas where the deputy head is seeking strategic advice.

Oversee DAC pre-meeting mechanics

This includes the following:

• Establishing the agenda, including having in camera sessions as part of each meeting;
• Ensuring the timely distribution of pre-meeting materials;
• Holding pre-meetings as required;
• Encouraging and supporting DAC members' attendance at all DAC meetings; and
• Approving the general nature and length of presentations.

Chair DAC meetings

Responsibility for chairing meetings includes the following:

• Facilitating discussion among DAC members and management;
• Leading discussions in a manner that reinforces reasonable expectations, encouraging meaningful and respectful participation;
• Ensuring that all DAC members who wish to address a matter are provided with the opportunity to do so;
• Attempting to achieve consensus where members express conflicting positions, views or advice; and
• As appropriate, invite representatives from external assurance providers to attend DAC meetings to discuss plans, findings and other matters of mutual concern.

Lead the DAC's accountability reporting and self-assessment process

The chair should manage the development of the DAC's annual self-assessment process and its annual report.

Support a positive DAC culture

A positive DAC culture is characterized by the following:

• The DAC's acceptance of its accountabilities;
• Respect and trust among DAC members;
• Open, candid and direct communication between management and the DAC;
• Acceptance of the right of each DAC member to hold and express dissenting opinions;
• A genuine commitment by DAC members to good governance practices; and
• A willingness of DAC members to act as a team.

3.4.2 Expectations of DAC Members

In discharging their responsibilities, DAC members are each expected to:

• Act honestly and in good faith, with a view to the best interests of the department;
• Comply with the terms and conditions of appointment, including disclosing any activity, interest or appointment that may affect a member's ability to discharge his or her DAC responsibilities independently and objectively;
• Accept the responsibility to make their best efforts in carrying out their duties;
• Be prepared for DAC meetings, including reviewing information, reports and background material provided in advance of each meeting;
• Attend all DAC meetings;
• Ask probing questions and expect, encourage and elicit reasonable answers;
• Encourage a culture of open, candid, respectful and direct communication between management and the committee;
• Provide sound counsel while respecting management's authority to make decisions; and
• Help the deputy head prepare to be held to public account by periodically subjecting executive decisions to constructive challenge, and by encouraging the deputy head to demonstrate that the best possible decisions have been made, considering all available information and evidence.

Leadership and people management

• What support does the deputy head provide to set the required "tone from the top" for the department's ethics program?
• How does the department ensure that its leadership and management practices reflect public service values and ethics?
• Does the department have a senior official for values and ethics?
• Does the department have a senior official to receive and investigate disclosures of wrongdoing, including alleged breaches of the Values and Ethics Code for the Public Sector?
• Is the quality of values and ethics leadership regularly assessed internally and externally?
• Is performance information on public service values and ethics, including people management, integrated into hiring, promotion and performance management?
• What processes or structures does the department have in place to ensure active dialogue on values and ethics among departmental senior management?

Departmental culture

• How does the department maintain an ongoing dialogue on public service values and ethics as they pertain to specific departmental challenges?
• How does the department ensure that values and ethics are embedded in what staff does every day?

Policies and guidelines

• Does the department have its own values and ethics code that is consistent with the Values and Ethics Code for the Public Sector and the Policy on Conflict of Interest and Post-Employment?
• If so:
  • Does it clearly state what behaviour is acceptable and unacceptable, particularly in areas of significant ethical risk; and
  • Does it identify which departmental programs and functions may be of highest risk for conflict of interest?
• How does the department communicate its own values and ethics code and the Values and Ethics Code for the Public Sector to staff to ensure they understand their responsibilities and expectations of them regarding ethical behaviour and the consequences of non-compliance?
• How does the department communicate recourse and disclosure mechanisms to staff?
• How does the department ensure that employees are aware of its disclosure procedures and are encouraged to expose wrongdoing without fear of reprisal? In other words, how does the department ensure a safe environment?
• How does the department ensure that public service employees who are intending to leave the public service are aware of the post-employment obligations of the departmental code and the Values and Ethics Code for the Public Sector?

Values and ethics program

• Does the department have a values and ethics program in place?
• If so, is there a plan that sets out the expected benefits, results and performance measures of the program, including the applicable sections of the Public Service Disclosure Protection Act?
• How do employees obtain advice when facing difficult ethical decisions?
• How does the department respond to the results of the Public Service Employee Survey?
• How does the department identify, assess and manage values and ethics risks, including the risk of fraud?
• How does the department investigate complaints of wrongdoing, harassment and conflicts of interest?
• What are the processes and mechanisms in place to ensure that investigations proceed promptly, fairly and objectively, with due regard for confidentiality?
• What procedures and mechanisms does the department have in place to establish, promote and manage disclosures made under the Public Service Disclosure Protection Act as it applies to the department?
• How does the deputy head ensure:
  • The confidentiality of those involved in the disclosure process;
  • Security of information collected through disclosures; and
  • Prompt public access to information if wrongdoing, as described by the Act, is found?

Values and ethics learning

• What training on the Values and Ethics Code for the Public Sector and on recourse and disclosure do new and existing employees and managers receive? Is this training mandatory? Is it provided on an ongoing basis?
• How frequently are training materials updated to ensure that they remain relevant?
• How does the department measure the effectiveness of its values and ethics learning activities?
• What other mechanisms or approaches are in place to share lessons learned and best practices, e.g., sharing examples of ethical dilemmas and how they were handled?

Values and ethics monitoring and reporting

• How does the department monitor compliance with its own code of conduct and the Values and Ethics Code for the Public Sector?
• How does the department measure and report on employees' and managers' understanding of the Values and Ethics Code for the Public Sector and their confidence in the department's recourse and disclosure mechanisms?
• How does the deputy head know that behaviour throughout the department is consistent with the expectations and standards of the department's code and the Values and Ethics Code for the Public Sector?
• What role does internal audit play in providing assurance on values and ethics, including departmental compliance with the department's code, the Values and Ethics Code for the Public Sector and relevant sections of the Public Service Disclosure Protection Act?
• How are unlawful activities (known or potential) reported in the department and to whom?
• What reports does the deputy head receive on ethics concerns and investigations, including findings and recommended actions?
• What processes are in place to monitor the implementation of required actions to ensure that they are implemented on a timely basis and address the reported findings?

Risk management responsibility

• Is there a senior management risk champion (assistant deputy minister level or above) who is responsible for the department's risk management framework and related activities and the department's corporate risk profile?
• How is the champion held to account for his or her risk management responsibilities?
• Is it clear that senior managers are responsible for managing and mitigating risks in their programs, functions and areas?

Risk management strategy

• Does the department have a risk management policy or framework?
• If so, does this policy or framework:
  • Establish an approach for integrating risk management into the department's decision-making processes?
  • Link with the department's strategic documents, such as the Report on Plans and Priorities, the Departmental Performance Report and others?
  • Reflect departmental roles and responsibilities for implementing and practicing risk management?
  • Include reporting and monitoring requirements to ensure compliance with the policy or framework?
• What are the key elements of the department's risk management approach (e.g., annual risk assessment that includes assessing risk of fraud; business continuity planning; disaster recovery planning; and all significant departmental changes, projects and programs), and how are these coordinated?
• How is staff informed of the department's approach to risk management?

Corporate risk profile

• Does the department have a current corporate risk profile approved by senior management?
• If so, does this profile:
  • Identify the department's key strategic risks?
  • Include an assessment of the key risks identified?
  • Reflect the risk tolerance of key clients and other stakeholders?
  • Outline the strategies to mitigate or manage key strategic risks?
• How does the department identify and assess strategic and business risks, including new and emerging risks?
• What controls are in place to manage or mitigate the highest inherent risks? (See section 4.3 for the aide-mémoire on management control frameworks.)
• How are opportunities for innovation and risk mitigation identified, assessed and prioritized?
• How is the corporate risk profile communicated across the department?
• What processes are in place to ensure that risk management strategies outlined in the corporate risk profile are implemented?
• How often does management review and update its corporate risk profile?

Integrated risk management

• How are risk management practices integrated into the management of programs throughout the department?
• How is risk management aligned with the department's expected results and performance measurement practices?
• How is risk integrated into the department's key business planning and decision-making processes?
• How does the department demonstrate that it is performing in accordance with the approved business plan and risk tolerance limits?

Continuous risk management learning

• What training in risk management, including training to mitigate risk, does staff receive?
• To what extent does management review lessons learned from major departmental events, surprises and disasters, and how has it responded to these occurrences?
• How are lessons learned and best practices communicated across the department?
• How are lessons learned and best practices built into risk management practices?

Risk management reporting and monitoring

• How are risk or control failures escalated within the department (e.g., risk and incident reporting and tracking)? To whom and through what mechanisms are they reported?
• To what extent does senior management receive reports on risk management plans and take corrective action as required?
• What reports or information does the deputy head receive on departmental risk management?
• What role does internal audit play in providing assurance on risk management practices, key risks and controls that mitigate the highest inherent risks?

Management controls: Roles and responsibilities

• Is it clearly articulated and understood that the deputy head has overall responsibility for the department's systems of internal control?^{See Footnote 5}
• Is it clearly articulated and understood that management has a fundamental responsibility to identify, document and monitor controls?
• Are delegations of authority and responsibility to individuals documented, properly approved and kept up to date?
• Are delegations of authority communicated to all departmental staff?

Management controls: Control framework and departmental systems

• Does the department have a control framework that:
  • Includes, but is broader than, internal controls over financial reporting?
  • Reflects the department's key controls to ensure sound management practices, consistent with the Management Accountability Framework and Treasury Board policies and legislative requirements?
  • Reflects other key controls that help mitigate the department's key strategic and business risks?
  • Reflects departmental roles and responsibilities for developing, reviewing, implementing and sustaining key controls?
  • Includes reporting and monitoring requirements to ensure compliance with the framework?
• If not, what is the department's strategy for developing a sound management control framework in support of the ongoing effectiveness of internal controls across the department, including internal controls over financial reporting?
• How does management identify and implement required controls to mitigate, manage and monitor new or emerging risks?
• How is staff informed of the department's control framework and held to account for ensuring sound controls in their area?
• Are processes in place to review and strengthen the adequacy of internal controls for significant new departmental systems, projects or programs?
• What training in management or in internal controls do employees receive?

Management controls: Control certifications

• As part of the financial statements, does the department produce a Statement of Management Responsibility Including Internal Controls Over Financial Reporting each year that is signed off by the deputy head and chief financial officer?
• If so, what evidence underpins this statement?
• Do assistant deputy ministers or their equivalents provide the deputy head and/or chief financial officer with internal control certifications?
• If so, how often are they provided, and what evidence underpins these certifications?

Reporting and monitoring of controls

• How are responses to risk and to control failures escalated within the department?
• How are required changes to the design or implementation of key controls identified and implemented in a timely manner?
• What performance information does each level of management receive that compares actual performance against budget and performance targets? How often does such a comparison occur?
• In addition to control certifications, what arrangements are in place to periodically assess the effectiveness of the department's control framework (e.g., internal audits, management review and sign-offs)?
• How does management report detection of fraud to the deputy head and the DAC? Once it is determined what corrective action needs to be taken, how is it reported?

Internal audit policy or charter

• Does the department have an internal audit policy or charter?
• Is so, does this policy or charter:
  • Reflect the purpose, authority and responsibility of the internal audit function?
  • Reflect the focus on the provision of assurance services to the department?
  • Have periodic reviews and revision, as required?

Independence and objectivity

• Does the chief audit executive report to the deputy head?
• Is internal audit free from interference in determining the scope of internal auditing, in performing the work, and in communicating the results?
• Does internal audit have unencumbered access to all departmental information, records and locations, as required?
• Does internal audit receive the necessary cooperation and assistance from departmental staff and management?

Internal audit planning

• What is the process for developing the Risk-Based Audit Plan (RBAP )?
• How does the RBAP link with the department's corporate risk profile and key strategic and operational risks?
• How are the proposed audit projects determined and prioritized (i.e., are they linked to the department's risk management strategy or to internal audit's own risk assessment process)?
• Are the proposed audit projects assurance engagements? If not, why not?
• Does the plan adequately detail the objectives, scope, timing and resource requirements (money and staffing resources) for each audit project?
• Does the RBAP make appropriate provision for the work of external assurance providers (i.e., horizontal audit activities to be undertaken by the Office of the Comptroller General and the Office of the Auditor General)?
• Does the plan reflect the impact of any resource limitations?

Internal audit delivery

• Does the internal audit service delivery model^{See Footnote 6} meet the department's needs?
• Where the internal audit delivery is outsourced, what processes are in place to manage the engagement of external suppliers and ensure compliance with the Internal Auditing Standards for the Government of Canada?

Internal audit reports

• Are internal audit reports clear and concise, and do they satisfactorily address audit objectives?
• Do audit reports include a statement of conformance?
• Are internal audit reports issued on a timely basis (i.e., what is the elapsed time from the start of the engagement to issuing the final report)?
• Are the recommendations relevant and practical?
• Do audit reports include management's response and action plan to address all agreed-upon recommendations? Does the response and the action plan appear to effectively respond to the problems and issues outlined in the report?

Internal audit capacity and resources

• Does the internal audit team have sufficient resources (full-time equivalents and/or money) to carry out its responsibilities, including delivering on the approved risk-based internal audit plan?
• Is there a human resources strategy for the department's internal audit function?
• Does the internal audit team have the necessary complement of required skills and expertise? If not, what is the internal audit team's plan to acquire these skills and expertise?
• Is internal audit able to access specialist skills, where and when required?

Performance of the internal audit function

• Does internal audit have a sound understanding of the department's business, including key strategic and operational risks?
• Does internal audit have a performance framework to monitor and report on the performance of the function, and to support innovation and the growth of the function?
• To what extent does the internal audit team complete its engagements on time?
• What quality assurance processes are in place to ensure that internal audit work complies with the Internal Auditing Standards for the Government of Canada?
• Has internal audit undergone an external practice inspection within expected time frames? If not, why not?
• If so:
  • What were the results of the external practice inspection?
  • Has an action plan been prepared to address noted areas for improvement, and has this report been provided to the DAC?
  • Are periodic reports provided to the DAC to monitor the implementation of actions that result from the external practice inspection?
• Does internal audit liaise effectively with the Office of the Comptroller General, the Office of the Auditor General and other central agencies, as required?
• Does internal audit have a professional relationship with departmental management?

Leadership and support

• Is there a senior lead for monitoring and reporting on the work of external assurance providers in the department?
• How does the department support external assurance providers that undertake audit work in the department?

Office of the Auditor General and central agency audits, and management improvement initiatives

• What are the processes in place to ensure that management and the DAC are kept up to date on audit work being carried out by external assurance providers?
• What processes are in place to review and develop the necessary management responses to audit issues raised by external assurance providers?^{See Footnote 8} If there are no such processes, what needs to be put in place to facilitate management responses?
• What processes are in place to review, assess and report on audit-related issues and priorities raised by external assurance providers?
• Does the DAC receive external assurance provider reports on a timely basis? If not, what processes are in place to support DAC members in providing the deputy head with advice on management's response and any noted audit-related issues or priorities?
• What is the process and time frame for monitoring, assessing and briefing the deputy head and the DAC on the departmental impacts of government-wide initiatives to improve management practices

Roles and responsibilities

• Is the senior manager responsible for implementing agreed-upon management action plans articulated in departmental internal audit reports, internal responses to Office of the Auditor General audits, or audits from other sources?
• Is it clearly understood that the chief audit executive (CAE ) is responsible for monitoring and following up on management action plans, including plans that result from the work of external assurance providers?

Monitoring and reporting

• What procedures does the CAE have in place for monitoring the implementation of management action plans, including plans that arise from audits conducted by external assurance providers?
• What methodology and process does the CAE have in place to follow up on whether management actions have been effective?
• How often does the CAE report to the DAC on management follow-up?
• Does management attend the follow-up segment of the DAC meeting to discuss delays in implementing management action plans?
• What is the nature of the CAE 's reporting to the DAC on management follow-up (i.e., a verbal or written report)? Does this report:
  • Reflect the extent to which management action plans are being implemented within the specified time frame and adequately explain delays for completion?
  • Indicate the extent to which actions that have been implemented are effective (if not, why not)?
  • Indicate why the CAE believes that management has accepted a level of risk that is unacceptable to the department or to the government, as applicable?

Accounting policies and practices

• Are the department's accounting policies and practices consistent with Treasury Board Accounting Standards? If not, why not?
• What is the process for obtaining advice on proper accounting treatment when significant accounting issues arise (e.g., during consultation with the Office of the Comptroller General or the Office of the Auditor General)?
• Are the department's significant accounting policies cited in the financial statements, including changes in accounting policies from the previous year?

Financial statement presentation

• Do the financial statements comply with Treasury Board Accounting Standards? If not, why not?
• To what extent are there significant departmental legal matters, contingencies, claims or assessments that could have a material impact on the financial statements (i.e., the departments and/or the government as a whole)? How have these issues been reflected in the department's financial statements?
• What processes are in place to estimate significant accounting accruals, reserves and other estimated liabilities?
• What is the support for significant valuations, assumptions or judgments reflected in the financial statements?
• Do the financial statements show any significant or unusual transactions that occurred during the year?
• Have significant financial statement variances from the budget and the prior year's statements been satisfactorily explained?

Review and sign-off

• Is there a process in place for the chief financial officer (CFO) to review the financial statements on a timely basis with the deputy head and with management?
• Is there a process in place to inform the deputy head, senior management and the DAC throughout the year of significant issues that impact the department's financial statements?
• Has the deputy head and the CFO signed off on or certified the financial statements?
  • If not, why not?
  • If so, what processes are in place to support the deputy head and the CFO in signing off on or certifying the financial statements (i.e., the key procedures, systems, resources and tasks for preparing and reviewing the financial statements to ensure they do not contain any material errors or omissions)?

Audited financial statements and the Public Accounts

• Have the deputy head and the CFO signed off on the Management Representation Letter required as part of the audited financial statements?
  • If not, why not?
  • If so, what processes are in place to support the deputy head's and the CFO's sign-off?
• Were there any breakdowns in controls that impacted the audit of the financial statements or the Public Accounts? What adjustments, if any, to the financial statements or the Public Accounts were required as a result of the audit?
• What was the nature of any significant disagreements between management and the external auditors, and to what extent were these disagreements satisfactorily resolved?
• Did the department receive an unmodified audit opinion? If not, what action is being taken to address the reasons for the modified or denied opinion on a timely basis?

Process and timing

• Does the DAC receive the accountability reports on a timely basis following their review? If not, why not?
• When the DAC is reviewing and providing advice to the deputy head on the draft RPP and DPR:
  • What process is in place to facilitate members' review of the reports electronically, recognizing the tight time frame for these reports' preparation, review and approval?
  • Do DAC members receive the reports in sufficient time to allow them to carry out a meaningful review and discussion prior to the reports' approval?
  • If the process or timing is not effective, what modifications can the department and DAC members make to improve this in the future?

Presentation and linkage between the RPP and DPR

• Do the RPP and DPR reflect key performance measures and targets that are clearly linked to expected outcomes, such that the basis upon which performance has been or will be assessed is understood?
• Is the performance information provided in the DPR consistent with the performance metrics and targets outlined in the RPP, with explanations for significant changes or variances?
• What processes and procedures ensure the completeness and reliability of the performance information contained in the RPP and DPR?
• Do the RPP and DPR include a brief explanation as to why the reader can have confidence in the methodology and data used to substantiate the department's performance?
• Does the narrative in the RPP clearly identify the expected results and the progress the department intends to make toward achieving its strategic outcomes?
• Does the narrative on departmental performance in the DPR facilitate understanding of the department's actual performance against its expected results, as articulated in the RPP, and the progress made toward achieving its strategic outcomes?
• Does the department clearly and candidly acknowledge performance shortfalls, together with planned actions to improve performance?
• Are DAC members confident that the performance information reported in the DPR is consistent with the results of the department's review, analysis and certification processes, and with the DAC's understanding of the actual state of departmental performance generally?

Review and certification

• What is the underlying process and support for the Management Representation Letter signed by the deputy head (i.e., that ensures the representations made contain no material misstatements)?