2019 Guidebook for a Departmental Audit Committee

1.1 Role and responsibilities of the Departmental Audit Committee

A DAC is an advisory body whose role is defined in the Treasury Board Policy on Internal Audit and the Directive on Internal Audit. The Terms and Conditions of Appointment for Audit Committee Members address the key issues that surround the initiation and management of members’ tenure. A DAC is expected to support the deputy head in his or her accounting officer role^{Footnote 1} by providing the deputy head with objective advice and guidance, independent of management, in the areas of governance, risk management and control.^{Footnote 2}

The DAC members’ knowledge, experience, expertise and independence as external to the public service should provide a valuable, impartial and respectful supplementary perspective on departmental operations. DACs must also provide a crucial challenge function to management, which is core to the purpose of its external composition. In so doing, the committees serve to help strengthen management processes and practices in departments across the federal government.

While policies related to internal audit and audit committees may be modified from time to time, and were most recently updated and streamlined under the Treasury Board’s policy reset initiative, the core areas of DAC responsibility remain constant:

• values and ethics
• risk management
• management control framework
• internal audit function
• external assurance providers
• follow-up on management action plans
• financial statements and public accounts
• accountability reporting

The amount of time spent by the DAC on each of these core areas of responsibility varies in accordance with the complexity, risks, and priorities of the department in question. The intention is for the DAC to provide sufficient and appropriate coverage to all areas over the course of a year.

The approach to addressing some of the responsibilities listed above will necessarily be adapted by the Small Departments Audit Committee and by the Government of Canada Audit Committee due to the horizontal nature of their mandates (e.g., accountability instruments and financial statements).

The DAC’s independence from line management situates the chair and members to provide the deputy head with strategic guidance and advice in areas that may appear to fall outside of the core responsibilities listed above. This guidance could be in the form of advice on topics ranging from strategic planning to large IT-enabled business transformation projects to digital government.

For instance, the DAC could play a critical role in questioning whether and how management has taken steps to adhere to IT project oversight and management processes and principles. With respect to strategic planning, the DAC could play a valuable challenge function regarding alignment between departmental performance targets and strategies to deliver on them. These activity areas in fact support the DAC’s core responsibilities for risk management, management control frameworks, and accountability reporting (see corresponding aides-mémoire 3.2, 3.3 and 3.8), and are expected to be undertaken in accordance with the department’s risk and operational environment.

In all areas of their responsibilities, DACs must always be satisfied that they have received sufficient information in order to be confident in the advice they provide to the deputy head. Consistent with the Terms and Conditions of Appointment for Audit Committee Members, DACs must devote appropriate time to preparation and should raise any information gaps with the chief audit executive (CAE). Just as auditors are often referred to as “professional sceptics,” DAC members must endeavour to ensure that they have received some acceptable level of substantiation of the information, findings and conclusions that are presented to them for deliberation.

Where the substantiation is not present, DAC members are justified in challenging departmental staff to better support their material prior to the committee forming a decision on their advice to the deputy head.

1.2 Accountability relationships

The DAC’s primary role is to assist the deputy head in monitoring the organization’s core systems of control and accountability. The DAC’s direct reporting relationship to the deputy head provides him or her with objective advice and guidance, independent of management, in the areas of governance, risk management and control. This is the role that makes DACs critical to achieving the objectives of the Treasury Board Policy on Internal Audit. The DAC should be conversant with the policy, and the directive and guidance that support it, relative to their responsibilities. It should be noted that DAC has no relationship or accountability to the appropriate Minister.

Another critical player in this relationship is the Office of the Comptroller General (OCG). In addition to co-recommending the appointment of DAC members, the Comptroller General of Canada is responsible for providing functional direction to the internal audit community across the federal government.^{Footnote 3}

The following diagram illustrates the DAC’s key accountability and reporting relationships.

Figure 1: DAC Accountability Relationship - Text version

The DAC’s accountability relationship to the deputy head fits within broader departmental relationships and accountabilities as follows:

• The Departmental Audit Committee provides advice to the Deputy Head, functional oversight to the Chief Audit Executive and the Chief Financial Officer.
• The Chief Audit executive and the Chief Financial Officer are accountable to the Deputy Head.
• The Deputy Head is accountable to the Minister.
• The Comptroller General provides functional direction to the Departmental Audit Committee, the Chief Audit Executive and the Chief Financial Officer.
• The Office of the Auditor General and the Departmental Audit Committee share information.

1.3 Authority

The DAC has no authority in its own right over the operations of the department; it should not be directing departmental staff, nor should it be undertaking activities reserved for management. The DAC chair has no authority over the members. The role involves additional responsibilities aimed at ensuring that established committee procedures are respected and that expectations for the DAC are met.

1.4 Knowledge of business and relationship with management

The importance of orienting DAC members to their roles is especially critical. Upon joining a DAC, external members should be briefed by management on the expectations for the DAC and on the department’s business through presentations and discussions, and, where appropriate, through site visits. In addition, sessions orienting the DAC to public service governance and the machinery of government are offered annually.

It is important that DAC members continue to increase their understanding of the department’s business throughout their tenure, particularly in the areas of the business that are undergoing significant change. To this end, members should discuss their information needs with the CAE and arrive at an effective system of briefings to stay current on important departmental developments. This may be done through a variety of technologically enabled communications channels and methods, as well as through discussions with management as part of the regular DAC agenda.

Strong, open relationships between the DAC and management with respect to these responsibilities are also critical to the committee’s success. Of particular importance is the relationship and dialogue between the DAC chair and the deputy head. This interaction should be marked by its candour so that discussions of risk exposures and areas for improvement are unambiguous and focus on opportunities for effective mediation.

Open communication with the CAE and the chief financial officer is essential in building effective relationships with the management team and in bolstering knowledge of departmental operations. The DAC may also wish to invite a member of the executive team and/or members of the internal audit team to attend DAC meetings as observers, perhaps on a rotating basis. This participation can be a valuable learning opportunity for observers to strengthen their understanding of the DAC and its work while at the same time increasing awareness of the DAC mandate and operations in the department.

The OCG provides each DAC member with a membership to the Institute of Internal Auditors, which provides access to research, training, updates to the standards and reporting on key global trends in internal auditing. This membership also allows access to The Institute of Internal Auditors’ (IIA’s) Public Sector Audit Center, an on-line network of resources, created and aggregated specifically for auditors and their stakeholders working in the American public sector. In addition, the OCG hosts an annual DAC symposium where current issues and relevant topics are presented and discussed. This event is widely recognized as an important opportunity for committees to learn and share. DAC members are encouraged to take advantage of these resources to improve their awareness of their role and their knowledge of the profession of internal auditing.

1.5 Comparison of a DAC to a private sector audit committee

The role of the DAC is different from that of an audit committee in the private sector.

In the private sector, the board of directors is responsible for governing the organization and has the full authority to do so. Audit committees are a sub- committee of the board of directors. The board nominates members for appointment and delegates authority to the audit committee for financial oversight. The audit committee has a fiduciary role in helping the board fulfill its governance and oversight responsibilities in the areas of financial management and reporting, risk management, control assessment, external auditors, and the effective use of internal auditing. The audit committee also has the responsibility to review and recommend to the board the approval of the audited financial statements of the organization.

By contrast, in the Government of Canada, individual departments generally do not produce audited financial statements. Departmental financial results are consolidated into the public accounts and audited by the Auditor General of Canada. DAC members’ responsibility over financial matters is limited to reviewing and providing advice to the deputy head on the key financial management reports and disclosures of the department.

DACs in the federal government are advisory and are not a part of the governance structure for departments. DACs are appointed by the Treasury Board on the recommendation of the President of the Treasury Board. DAC members have no authority to make decisions or to direct the activities of public servants. Rather, they advise and make recommendations to the deputy head on the key areas of responsibility as defined by the Comptroller General of Canada.

1.6 Membership

As set out in the Treasury Board Policy on Internal Audit and Directive on Internal Audit, the DAC must have a majority of independent, external members who do not hold a position in the federal public administration. The membership is to reflect Canada’s diversity in terms of gender, official languages, Indigenous Canadians, minority groups and regional representation.

External members are jointly selected by the deputy head and the Comptroller General of Canada for approval by the Treasury Board. The collective skills, knowledge, and experience of the members are to enable the committee to competently and efficiently undertake its duties. DAC membership from within the federal public administration is to be limited to individuals at the level of deputy head, unless an exception is granted by the Comptroller General of Canada.

Although they are not members of the committee, by virtue of their central roles in the department, the chief financial officer and the CAE are expected to attend all committee meetings. As necessary, the chair may also request other departmental officials and representatives from the Office of the Auditor General (OAG) and the Treasury Board of Canada Secretariat (TBS) to attend.

2.1 Charter or terms of reference

The DAC is expected to document its roles and responsibilities in a charter or terms of reference. The DAC’s roles and responsibilities should be consistent with Treasury Board policies and guidance, while recognizing that the committee may be requested to provide advice in additional related areas where the deputy head feels he or she can benefit from the DAC’s counsel.

The charter or terms of reference must be approved by the deputy head and reviewed periodically. Changes to relevant policies and standards should be factored into the process for reviewing and updating the charter or terms of reference. The DAC charter may indicate a continued requirement to provide advice in areas that may no longer be required by policy but where the deputy head feels the DAC can continue to add value. For example, the DAC may be requested to review and provide advice on departmental accountability reports or financial reports prior to their finalization even though this is no longer a policy requirement.

2.2 Annual plan

To ensure the fulfillment of its responsibilities, the DAC is expected to prepare an annual plan for the deputy head’s approval. DAC members and the deputy head should be actively engaged in this process. The annual plan will help utilize a risk- based approach to reviewing the core areas of responsibility as well as scheduling any additional areas where the deputy head wishes the DAC to provide strategic advice. DAC members may wish to review pertinent elements of this Guidebook, either individually or as a committee, when developing the annual plan.

Recognizing that not all core areas of responsibility may be covered in a single year, the DAC may find it beneficial to have the plan cover a two-year horizon.

2.3 Meetings

Meetings are a main working forum for the committee, and members should participate actively. Meetings provide an opportunity to review information, identify and discuss important issues, and develop informed judgments. The usefulness of meetings and the DAC’s overall effectiveness depend on members’ thorough preparation beforehand and their willingness to discuss key issues at meetings.

The number of meetings each year largely depends on the extent and nature of the DAC’s work. On average, DACs meet in person three to four times per year. The committee may find it beneficial to use teleconferencing and/or video conferencing as a means to carry out DAC business where there is important, time-sensitive work to be done but the nature or volume of it does not warrant an in-person meeting. For example, a DAC meeting may be held via teleconference to review and provide advice on the department’s financial statements, including any associated auditor’s report.

In camera discussions should be a regular and integral part of each DAC meeting. The committee should meet separately in camera with the CAE, the chief financial officer and the external auditor, when in attendance. A good practice is for the external DAC members themselves to meet in camera, either before the meeting, as part of the agenda, or both.

It is the chair’s responsibility to include these in camera discussions at every DAC meeting and to ensure that sufficient time is set aside for them. Regularly scheduling such meetings provides an excellent opportunity for DAC and key stakeholders to communicate privately and candidly.

2.4 Expectations of the DAC

As previously noted, in fulfilling its responsibilities, it is expected that the DAC will exercise due diligence, provide constructive challenge in its work, and maintain independence from line management.

2.5 Support from the department

To perform its work, the DAC requires the support and cooperation of the department’s management. The committee depends on management for information, reports, knowledge, and insight about the department’s practices and the issues it faces. There is no set model for the provision of this support. Nor is there a set lead within departments for the provision of this support. In some departments, it is provided by the corporate secretariat; in others, it is provided by the internal audit function. Where support is provided by internal audit, the CAE should keep the DAC secretariat separate from the other internal audit business to maintain the internal audit function’s actual and perceived independence and objectivity.

Support provided to the DAC can cover many activities, including administrative, strategic and logistical support. This could include booking meeting rooms and travel arrangements, processing proactive disclosure of DAC members’ expenditures, identifying issues, preparing reports and charters, researching topics, and liaising with management. Departments should provide updates on ongoing matters of importance to the DAC and relay key communications from the OCG. The department should also support the external members in developing a sound understanding of their role and responsibilities and those of the department, and in complying with their terms and conditions of appointment. This Guidebook can also be used by the department to support the DAC, particularly by those providing secretariat support. In addition, this guidebook may be shared with the Chief Financial Officer, whose presence is required at every DAC meeting.

Appendix A describes examples of the kind of support and assistance departments should consider providing to DACs. A sample table of contents for a DAC orientation/reference binder is included as Appendix B.

2.6 Self-assessment

While considered a good practice, there is no requirement from the OCG for DACs to submit an annual report. The decision whether to continue the practice will be made by the deputy head and will depend on a number of factors that determine the relative value derived by developing this report.

A formal, external assessment of the DAC’s performance is part of the external assessment of the internal audit function to be carried out every five years. The DAC should also undertake a periodic self-assessment of its own performance.

Self-assessments help ensure that the DAC delivers on its charter or terms of reference and continually enhances its value to the deputy head. Self-assessment can take many different forms, involve a number of participants, and use diverse techniques. The key to successful self-assessments is a willingness to actively seek out opportunities to improve performance and recognition of the importance of acting on the results. Management should not hesitate to use the self-assessment as a basis to assess DAC performance and determine whether the DAC is adding value.

The format of the self-assessment is up to the department. Appendix C contains a sample DAC self-assessment questionnaire, which sets out the kinds of questions that can help members gain insight into the DAC’s performance.

To obtain more comprehensive insight into the DAC’s performance, value and opportunities for improvement, consideration should be given to including attendees at DAC meetings as well as members of management who have extensive interactions with the committee in the self-assessment process. Tools that facilitate this broader participation in committee self-assessment are available from the OCG.

Regardless of the tool utilized, the critical element is the dialogue and discussion at the DAC with regard to the results so as to identify and effectively address any noted areas for improvement in a timely manner.

3.1 Values and ethics: aide-mémoire

This aide-mémoire is designed to help DAC members consider values and ethics when reviewing materials, participating in discussions or receiving presentations from senior management.

Leadership and people management

• What support does the deputy head provide to set the required “tone from the top” for the department’s ethics program?
• How does the department ensure that its leadership and management practices reflect public service values and ethics?
• Does the department have a senior official for values and ethics?
• Does the department have a senior official to receive and investigate disclosures of wrongdoing, including alleged instances of harassment and breaches of the values and ethics code?
• Is the quality of values and ethics leadership regularly assessed internally and externally?
• Is performance information on public service values and ethics, including people management, integrated into hiring, promotion and performance management?
• What processes or structures does the department have in place to ensure active values and ethics dialogue among senior management?
• What are the results of the Public Service Employee Survey and management’s plans to address noted issues? How does the department ensure employees remain engaged between survey cycles?

Departmental culture

• How does the department maintain an ongoing dialogue on public service values and ethics relevant to the specific departmental challenges?
• How does the department ensure that values and ethics are embedded in what staff do every day?
• Is there value in carrying out a review or audit of departmental culture?

Policies and guidelines

• Does the department have its own values and ethics code consistent with the Values and Ethics Code for the Public Sectorand Directive on Conflict of Interest?
• If so:
  • does it clearly state acceptable and unacceptable behaviour, particularly in areas of significant ethical risk?
  • does it identify which departmental programs and functions may be of highest risk for conflicts of interest?
• How does the department communicate its own values and ethics code and the Values and Ethics Code for the Public Sector to staff to ensure they understand their responsibilities and expectations of them regarding ethical behaviour and the consequences of non-compliance?
• How does the department communicate recourse and disclosure mechanisms to staff?
• How does the department ensure that employees are aware of its disclosure procedures and are encouraged to expose wrongdoing without fear of reprisal? In other words, how does the department ensure a safe environment?
• How does the department ensure that public servants intending to leave the public service are aware of the post-employment obligations of the departmental code and the Values and Ethics Code for the Public Sector?

Values and ethics program

• Does the department have a values and ethics program in place?
• If so, is there a plan in place that sets out the expected benefits, results and performance measures of this program, including the applicable sections of the Public Servants Disclosure Protection Act?
• How do employees obtain advice when facing difficult ethical decisions?
• How does the department identify, assess and manage values and ethics risks, including the risk of fraud?
• How does the department investigate complaints of wrongdoing, harassment and conflicts of interest?
• What are the processes and mechanisms in place to ensure that investigations proceed promptly, fairly and objectively, with due regard for confidentiality?
• What procedures and mechanisms does the department have in place to establish, promote and manage disclosures made under the Public Servants Disclosure Protection Act, as it applies to the department?
• How does the deputy head ensure:
  • the confidentiality of those involved in the disclosure process?
  • security of information collected through disclosures?
  • prompt public access to information if wrongdoing as described by the Act is found?

Values and ethics learning

• What training on the Values and Ethics Code for the Public Sector and on recourse and disclosure do new and existing employees and managers receive? Is this training mandatory? Is it provided on an ongoing basis?
• How frequently are training materials updated to ensure they maintain their relevance and appeal?
• How does the department measure the effectiveness of its values and ethics learning activities?
• What other mechanisms or approaches are in place to share lessons learned and best practices, e.g., sharing examples of ethical dilemmas and how they were handled?

Values and ethics monitoring and reporting

• How does the department monitor compliance with its own code and the Values and Ethics Code for the Public Sector?
• How does the department measure and report on employees’ and managers’ understanding of the Values and Ethics Code for the Public Sector and their confidence in the department’s recourse and disclosure mechanisms?
• How does the deputy head know that behaviour throughout the department is consistent with the expectations and standards of the department’s code and the Values and Ethics Code for the Public Sector?
• What role does internal audit play in providing assurance on values and ethics, including departmental compliance with the department’s code, the Values and Ethics Code for the Public Sector and relevant sections of the Public Servants Disclosure Protection Act?
• How are unlawful activities (known or potential) reported in the department and to whom?
• What reports does the deputy head receive on ethics concerns or investigations, including findings and recommended actions?
• What processes are in place to monitor the implementation of required actions to ensure they are implemented on a timely basis and address the reported findings?

3.2 Risk management: aide-mémoire

This aide-mémoire is designed to help DAC members consider risk management when reviewing materials, participating in discussions or receiving presentations from senior management.

Risk management responsibility

• Is there a senior management risk champion (assistant deputy minister level or above) who is responsible for the department’s risk management framework and related activities and corporate risk profile?
• How is the champion held to account for his or her risk management responsibilities?
• Is it clear that senior managers are responsible for managing and mitigating risks in their programs, functions and areas?

Risk management Strategy

• Does the department have a risk management policy or framework?
• If so, does this policy or framework:
  • establish an approach for integrating risk management into the department’s decision-making processes?
  • link with the entity’s strategic documents (i.e., accountability reports to Parliament)?
  • reflect departmental roles and responsibilities for implementing and practising risk management?
  • include reporting and monitoring requirements to ensure compliance with the risk management policy or framework?
• What are the key elements of the department’s risk management approach? Does it include an annual risk assessment that includes an assessment of:
  • the risk of fraud?
  • information technology risks, including data integrity, infrastructure, capacity and cybersecurity risks?
  • physical security risks?
  • risks associated with major IT-enabled and non-IT projects?
  • business continuity planning and disaster recovery planning?
  • risks with respect to all significant departmental changes, projects and programs?
• How is staff informed of the department’s approach to risk management?

Corporate risk profile

• Does the department have a current corporate risk profile approved by senior management?
• If so, does this profile:
  • identify the department’s key strategic risks?
  • include an assessment of the key risks identified?
  • reflect the risk tolerance of key clients and other stakeholders?
  • outline the strategies to mitigate or manage key strategic risks?
• How does the department identify and assess strategic and business risks?
• How does the department identify and assess new and emerging risks?
• What controls are in place to manage or mitigate the highest inherent risks? (see subsection 3.3 for the aide-mémoire on management control frameworks)
• How has management determined the opportunities for innovation and experimentation? How are the associated risks identified, assessed and prioritized? Is the associated risk tolerance discussed and incorporated into risk mitigation plans?
• How is the corporate risk profile communicated across the department?
• What processes are in place to ensure that risk management strategies outlined in the profile are implemented?
• How often does management review and update its corporate risk profile?

Fraud risk management

• What mechanisms does the department have in place to manage the risk of fraud, recognizing that it can result in a loss of public money or property, hurt employee morale, and can undermine Canadians’ confidence in public services?
• Has the department undertaken a fraud risk assessment? If not, why not?
• What role does internal audit play in helping manage the risk of fraud?

Integrated risk management

• How are risk management practices integrated into the management of programs throughout the department?
• How is risk management aligned with the department’s expected results and performance measurement practices?
• How is risk integrated into the department’s key business planning and decision-making processes?
• How does the department demonstrate that it is performing in accordance with the approved business plan and within risk tolerance limits?

Continuous risk management learning

• What risk management training, including training to mitigate risk, does staff receive?
• To what extent does management review lessons learned from major departmental events, surprises and disasters and how it has responded to these occurrences?
• How are lessons learned and best practices communicated across the department?
• How are lessons learned and best practices built into risk management practices?

Risk management reporting and monitoring

• How are risk or control failures escalated within the department (e.g., risk and incident reporting and tracking)? To whom and through what mechanisms are they reported?
• To what extent does senior management receive reports throughout the year on risk management plans and take corrective action as required?
• What reports or information does the deputy head receive on departmental risk management?
• What role does internal audit play in providing assurance on risk management practices, key risks and/or controls mitigating the highest inherent risks?
• Is risk management monitored and discussed regularly at senior governance committees? If so, how?

3.3 Management control framework: aide-mémoire

This aide-mémoire is designed to help DAC members consider the department’s management control framework when reviewing materials, participating in discussions or receiving presentations from senior management.

Management controls: roles and responsibility

• Is it clearly articulated and understood that the deputy head has overall responsibility for the department’s systems of internal control?^{Footnote 5}
• Is it clearly articulated and understood that management has a fundamental responsibility to identify, document and monitor controls?
• Does the department have a chief results officer and, if so, is that position at an appropriate level?
• Are delegations of authority and responsibility to individuals documented, properly approved and kept up to date?
• Are delegations of authority communicated to all departmental staff?

Management controls: control framework and departmental systems

• Does the department have a control framework that:
  • includes, but is broader than, internal controls over financial reporting?
  • reflects the department’s key controls to ensure sound management practices, consistent with the Treasury Board Management Accountability Framework and Treasury Board policies and legislative requirements?
  • reflects other key controls that help mitigate the department’s key strategic and business risks?
  • reflects financial management controls, including controls with respect to budgeting, forecasting and costing?
  • includes controls to support the management of large departmental projects?
  • is aligned with the department’s results framework?
  • explicitly supports departmental innovation and experimentation, including learning from experimentation?
  • reflects departmental roles and responsibilities for developing, reviewing, implementing and sustaining key controls?
  • includes reporting and monitoring requirements to ensure compliance with this framework?
• If the system of internal controls is lacking in key elements, what is the department’s strategy for developing a sound management control framework in support of the ongoing effectiveness of internal controls across the department, including financial management processes and practices?
• How does management identify and implement required controls necessary to mitigate, manage and monitor new or emerging risks?
• How does the department identify and implement management controls in support of innovation and experimentation?
• How is staff informed of the department’s control framework and held to account for ensuring sound controls in their area?
• Does management review the Annex to the financial statements of common service providers to identify any control issues with respect to the related services provided?
• Are processes in place to review and strengthen the adequacy of internal controls for significant new departmental systems, business transformation projects or programs?
• What training in management or internal controls do employees receive?

Management controls: project management

• What major projects (i.e., transformation, modernization, information technology, program delivery) does the department have planned or underway? Are they reflected in the Departmental Plan and the investment plan? Are they aligned with the Government of Canada Strategic Plan for Information Management and Information Technology 2017–2021? (see section 3.9: Large transformation projects: aide-mémoire (supplemental)
• For projects that cut across multiple departments:
  • how are client/recipient departments engaged throughout the project?
  • what is the status of the project (i.e., on track, on time, notable issues identified and managed)?
  • what is internal audit’s role? If not playing a role, why not?
• For major projects, is the following clear and sufficiently robust:
  • governance structures, including performance expectations, monitoring, challenge function, oversight and reporting?
  • project scope, timing and milestones, roles and responsibilities, linkages within the department and with other departments?
  • key risks and how they are being managed or mitigated?
• How are lessons learned from major government or departmental projects leveraged to strengthen the management of future projects?

Management controls: control certifications

• As part of the financial statements, does the department produce a Statement of Management Responsibility Including Internal Control over Financial Reporting each year that is signed off by the deputy head and chief financial officer (CFO)?
• If so, what evidence underpins this statement?
• Do assistant deputy ministers or their equivalents provide the deputy head and/or CFO with internal control certifications?
• If so, how often are they provided, and what evidence underpins these certifications?

Reporting and monitoring of controls

• How are risk or control failures escalated within the department?
• How are required changes to the design or implementation of key controls identified and implemented in a timely manner?
• What performance information does each level of management receive, and how often, that compares actual performance against budget and performance targets?
• In addition to the control certifications, what arrangements are in place to periodically assess the effectiveness of the department’s control framework (e.g., internal audits, management review and sign-offs)?
• How does management report the detection of fraud to the deputy head and the DAC?

3.4 Internal audit function: aide-mémoire

This aide-mémoire is designed to help DAC members consider the department’s internal audit function when reviewing materials, participating in discussions or receiving presentations. Given the DAC’s independence from line management and responsibilities in this area, the DAC is well positioned to influence the professionalism, quality, performance and capacity of the internal audit function and provide the deputy head with advice on addressing areas of concern. This aide- mémoire provides questions for consideration to assist the DAC in this work.

Internal audit policy or charter

• Does the department have an internal audit policy or charter?
• If so, does this policy or charter:
  • reflect the purpose, authority and responsibility of the internal audit function?
  • align with the OCG’s Value Proposition and Attributes of an Ideal Internal Audit Function?
  • reflect the primary focus on the provision of assurance services to the department?
  • describe non-assurance services provided (i.e., advisory, consulting)?
  • have periodic reviews and revision, as required?

Independence and objectivity

• Does the CAE report directly to the deputy head? If not, why not?
• Does the CAE have the necessary certification or designation for the position? If not, does the CAE possess an acceptable combination of education, training and/or experience as determined by the Comptroller General for this particular case?
• Is internal audit free from interference in determining the scope of internal auditing, performing the work, and communicating the results?
• Does the CAE have responsibility for functions other than audit? If so, how is independence assured? If so, do these other duties impede the ability of the CAE to meet their responsibilities under the policy and the Standards?
• Is the CAE a member of the senior executive table while still maintaining their independence? If not, why not?
• Does internal audit have unencumbered access to all departmental information, records and locations as required?
• Does internal audit receive the necessary cooperation and assistance from departmental staff and management?

Internal audit planning

• What is the process for developing the Risk-Based Internal Audit Plan (RBAP)?
• Does the RBAP conform to the Standards according to OCG maturity models and/or assessment tools?
• Does the RBAP comply with the requirements of the Policy on Internal Audit?
• Is the RBAP risk assessment process thorough, documented and clear to the DAC?
• How does the RBAP link with the department’s corporate risk profile and key strategic and operational risks?
• Have departmental objectives and risks with respect to innovation and experimentation been considered in the development of the RBAP?
• Have fraud risks been considered in the development of the RBAP, as well as the planning for individual internal audit projects or major transformation projects?
• Has internal audit considered major capital projects in the development of the RBAP? If not, why not?
• How does the RBAP align with the department’s Evaluation Plan? How are these functions aligned, and are there opportunities for joint work?
• How are the proposed audit projects determined and prioritized (i.e., are they linked to the department’s risk management strategy or to internal audit’s own risk assessment process)?
• Are the majority of proposed audit projects assurance engagements? If not, why not?
• Where the plan includes advisory services, does the internal audit team have the necessary expertise and capacity in place to deliver these services? Are advisory engagements conducted according to IIA Standards?
• Does the plan adequately detail the objectives, scope, timing and resource requirements (dollars and staffing resources) for each of the proposed projects?
• Does the RBAP make appropriate provision for the work of external assurance providers (i.e., horizontal audit activities to be undertaken by the OCG and engagements by the OAG)?
• Does the RBAP document resources allocated for follow-up on recommendations resulting from internal and external engagements, including management letters, and horizontal engagements?
• Does the RBAP reflect the impact of any resource limitations?

Internal audit delivery

• Does the internal audit service delivery model^{Footnote 6} meet the department’s needs?
• Where the internal audit delivery is co-sourced, what processes are in place to manage the engagement and ensure compliance with the Institute of Internal Auditors’ International Professional Practices Framework?
• Where an interdepartmental engagement or joint audit and evaluation engagement is conducted, is sufficient background and context provided to the DAC on risk levels, maturity of collaborating functions and any other pertinent information?

Internal audit reports

• Are internal audit reports clear, concise and compelling? Do they satisfactorily address audit objectives?
• Is technology leveraged to support modern, compelling internal audit reporting?
• Do audit reports include a statement of conformance? If not why not?
• Are internal audit reports issued on a timely basis (i.e., what is the elapsed time from the start of the engagement to issuing the final report)?
• Are the recommendations relevant, practical and achievable?
• Do audit reports include management’s response and action plan to address all agreed-upon recommendations? Does the response and action plan appear to effectively respond to the observations and findings or the root cause of the problems and issues outlined in the report?
• For interdepartmental or joint engagements, are approvals coordinated to facilitate the publishing of reports and related performance information?

Internal audit capacity and resources

• Does the internal audit team have sufficient resources (full-time equivalents and/or money) to support the deputy head in their legislative responsibilities, including delivering on the approved risk-based internal audit plan (assurance and advisory services, as applicable) and maintaining a quality assurance and improvement program?
• Is there a human resources and learning strategy in place to support the professionalism of the function (i.e., certified internal auditor, chartered professional accountant and other relevant recognized designations) and the needs of the department?
• Does the internal audit team have the necessary complement of required skills and experience to deliver on its RBAP? Does this include a multidisciplinary team that reflects the mandate and risks of the department? If not, what is internal audit’s plan to acquire these skills and expertise?
• Is internal audit able to access specialist skills, where and when required?

Performance of the internal audit function

• Does internal audit have a sound understanding of the department’s business, including key strategic and operational risks?
• Does internal audit have a performance framework, consistent with TBS expectations, to outline, monitor and report on the performance of the function, including results of follow-up on management action plans? Does the framework support innovation and growth of the function?
• To what extent does the internal audit team complete its engagements on time?
• Does internal audit publicly report on its performance? If so, is this report consistent with the OCG performance framework, and is it provided to the deputy head and the DAC and posted on the department’s website?^{Footnote 7}
• Does internal audit have a formal Quality Assurance and Improvement Program (QAIP) in place to ensure that internal audit provides quality, value-added services and complies with Treasury Board policies and the IIA Standards? Do these processes provide timely feedback on issues or areas of concern?
• Does the audit committee receive a periodic comprehensive briefing on the QAIP, including areas for attention and conformance to the Standards for ongoing monitoring and both internal and external assessments?
• Has the CAE explained to the DAC the implications of not having an appropriate QAIP in terms of policy compliance and standards conformance?
• Has internal audit undergone an independent external quality assessment within expected time frames? If not, why not?
• If so:
  • what were the results of the external quality assessment?
  • has an action plan been prepared to address noted areas for improvement, and has this report been provided to the DAC?
  • are periodic reports provided to the DAC to monitor the implementation of actions flowing from the external quality assessment?
• Does internal audit maintain effective liaison with the OCG, the OAG and other assurance providers and stakeholders, as required?
• Does internal audit provide OCG with required and requested documents and information within deadlines? If not, why not?
• Does internal audit provide DAC with the department’s results/ benchmarks with regard to the OCG internal audit community performance framework (e.g., Capacity Assessment Template, RBAP self-assessment, etc.)?
• Does internal audit have a professional relationship with departmental management?
• How does the function leverage the information gained from the post-engagement surveys?

3.5 External assurance providers: aide-mémoire

This aide-mémoire is designed to help DAC members consider reports of external assurance providers and accompanying materials when participating in discussions or presentations from senior management.

Leadership and support

• Is there a senior lead for monitoring and reporting on the work of external assurance providers done in the department, including audits and special reviews?
• Does the department have a designated OAG or external assurance liaison resource? What does the role entail?
• How does the department support external assurance providers undertaking audits and special reviews in the department?

OAG and central agency audits and management improvement initiatives

• What are the processes in place to ensure that management and the DAC is kept up to date on work planned and being carried out by external assurance providers?
• Are audit projects planned by external assurance providers considered and identified in the department’s RBAP?
• What processes are in place to review and develop the necessary management responses to issues raised by external assurance providers?^{Footnote 9} If there are no such processes, what needs to be put in place to facilitate management responses?
• What processes are in place to review, assess and report on issues and priorities raised by external assurance providers?
• Does the DAC receive external assurance provider reports on a timely basis? If not, what processes are in place to support DAC members in providing the deputy head with advice on management’s response as well as on any noted audit-related issues or priorities?
• What is the process and time frame for monitoring, assessing and briefing the deputy head and DAC on the departmental impacts of resulting government-wide initiatives to improve management practices?

3.6 Follow-up on management action plans: aide-mémoire

This aide-mémoire is designed to help DAC members consider follow-up of management action plans when reviewing materials, participating in discussions or receiving presentations from senior management.

Roles and responsibilities

• Is a senior manager identified as being responsible for implementing agreed-upon management action plans articulated in departmental internal audit reports, internal responses to OAG audits or audits from other assurance providers?
• Is it clearly understood that the CAE is responsible for monitoring and following up on management action plans, including plans that result from the work of external assurance providers?
• Is it clearly understood that the CAE is responsible for monitoring and following up on action plans for recommendations resulting from quality assessments?

Monitoring and reporting

• What process and procedures does the CAE have in place for monitoring the implementation of management action plans, including management action plans arising from audits conducted by external assurance providers?
• What methodology and process does the CAE have in place to follow up on whether management actions taken have been effective?
• How often does the CAE report to the deputy head and the DAC on management follow-up?
• What management procedures are in place to ensure timely action on recommendations resulting from audit engagements? For example, are actions for recommendations that are deemed serious or imperative incorporated into the performance agreement of managers of the office of primary interest (OPI)?
• Does a senior management representative from the OPI attend the follow-up segment of the DAC meeting to discuss delays in the implementation of the management action plans?
• What is the nature of the CAE’s reporting to the DAC on management follow-up (i.e., verbal or written report)? Does this report:
  • reflect the extent to which management action plans are being implemented within the specified time frame and adequately explain delays and revised time frames for completion?
  • indicate the extent to which actions implemented are effective (if actions are not effective, why not)?
  • indicate why the CAE believes management has accepted a level of risk that is unacceptable to the department or to the government, if applicable?
• Does the CAE maintain timely reporting of follow-up results for internal audit performance that are made publicly available?

3.7 Financial statements and Public Accounts reporting: aide-mémoire

This aide-mémoire is designed to help DAC members consider the departmental financial statements and Public Accounts reporting when reviewing materials, participating in discussions or receiving presentations from senior management.

Accounting policies and practices

• Are the department’s accounting policies and practices consistent with Treasury Board directives and requirements? If not, why not?
• What is the process for obtaining advice for the proper accounting treatment when significant accounting issues arise (e.g., during consultation with the OCG or the OAG)?
• Are the department’s significant accounting policies disclosed in the financial statements, including changes in the accounting policies from the previous year?
• Do the processes that underpin the preparation of the financial statements also support the financial health and financial management of the department?
• Has DAC or management identified other key financial disclosures that members will receive as part of discharging this responsibility?
• Where DAC receives Quarterly Financial Reports, is sufficient contextual information included, such as risks, significant changes, risks and uncertainties, results, impacts of large transformation initiatives and/or horizontal initiatives? Are year- to-year comparisons discussed?
• Is there sufficient and appropriate context to support the material that is presented (e.g., information on relevant external influences, mandatory templates, departmental or government- wide specific financial practices or protocols not included in Treasury Board policies, etc.)?

Financial statement presentation

• Do the financial statements comply with required Treasury Board accounting standards? If not, why not?
• To what extent are there significant departmental legal matters, contingencies, claims or assessments that could have a material impact on the financial statements (i.e., the departments and/or the government as a whole)? How have these been reflected in the department’s financial statements?
• What are the processes in place to estimate significant accounting accruals, reserves and other estimated liabilities?
• What is the support for significant valuations, assumptions or judgments reflected in the financial statements?
• Do the financial statements reflect any significant or unusual transactions that occurred during the year?
• Have significant financial statement variances from the budget and prior year’s statements been satisfactorily explained?

Review and sign- off

• Is there a process in place for the CFO to review the financial statements on a timely basis with the deputy head and with management?
• Is there a process in place to inform the deputy head, senior management and the DAC throughout the year of significant issues that impact or may impact the department’s financial statements?
• Is there a process in place to identify which, if any, of these issues should be communicated to the Comptroller General of Canada?
• Have the deputy head and CFO signed off on or certified the financial statements?
  • If not, why not?
  • If so, what are the processes in place to support the deputy head and CFO in signing off on or certifying the financial statements (i.e., the key procedures, systems, resources and tasks for the preparation and review of the financial statements to ensure they do not contain any material errors or omissions)?

Audited financial statements / Public Accounts

• Have the deputy head and CFO signed off on the Management Representation Letter required as part of the audited financial statements?
  • If not, why not?
  • If so, what are the processes in place to support the deputy head and CFO sign-off?
• Were there any breakdowns in controls that impacted the audit of the financial statements or the Public Accounts?
• What adjustments, if any, to the financial statements or the Public Accounts were required as a result of the audit?
• What was the nature of any significant disagreements between management and the external auditors, and to what extent were these disagreements satisfactorily resolved?
• Did the department receive an unmodified audit opinion? If not, what action is being taken to address the reasons for the modified or denied opinion on a timely basis?

3.8 Accountability reporting: aide-mémoire

This aide-mémoire is designed to help DAC members consider accountability reporting when reviewing materials, participating in discussions or receiving presentations from senior management.

Process and timing

• Does the DAC receive the accountability reports on a timely basis? If not, why not?
• If the deputy head asks for DAC’s advice on a draft accountability report to Parliament, is there a process in place to facilitate members’ review of the report electronically, recognizing the tight time frame for the reports’ preparation, review and approval?

Presentation and linkage between accountability reports

• Do the accountability reports to Parliament include key performance measures and targets that are clearly linked to expected outcomes such that the reader understands the basis upon which performance will be assessed?
• Is performance information provided in the year-end results report to Parliament consistent with the performance metrics and targets outlined in the department’s results reporting instruments and the departmental plan reported to Parliament, together with explanations for significant changes or variances?
• Is there a discussion of the results the department seeks to achieve, does achieve, and the resources used to achieve them?
• What processes and procedures ensure the completeness and reliability of the performance information contained in the department’s accountability reports?
• Are the accountability reports to Parliament clear, straight forward and easy to understand?
• Do the accountability reports to Parliament include a brief explanation as to why the reader can have confidence in the methodology and data used to substantiate the department’s plans and performance?
• Does the narrative in the planning report to Parliament clearly identify the expected results, departmental priorities aligned with those of the government, and the progress the department intends to make toward its strategic outcomes?

Review and certification

• What is the underlying process and support for the Management Representation Letter signed by the deputy head (i.e., to ensure that the representations made contain no material misstatements)?

3.9 Large transformation projects: aide-mémoire (supplemental)

This aide-mémoire is designed to help DAC members exercise their challenge function when reviewing materials, participating in discussions or receiving presentations from senior management regarding large change management initiatives or horizontal projects.

Project vision

• What are the underlying objectives for transformation? Is this primarily a cost-cutting exercise or are there wider service improvement or policy aims?
• Is there a risk of other weakly related objectives being loaded into the project?
• Is the current problem well understood?
• Are benefits based on a rigorous assessment of operational processes?
• What is transformation going to change?
• Does the organization have a clear understanding of how the end-state organization and services will differ from the current state?
• Is the role of technology well understood?
• How dependent is the project on changes to ways of working rather than technology itself?
• Are there indications that the need for new ways of working is not fully recognized and there is a misplaced belief that technology alone will provide the solution?
• Is the timetable for transformation realistic?
• How much of the end-state design has been left to be resolved during the program?

Strategy

• Does the transformation strategy translate the vision into a coherent program of work?
• Has the program been broken down into stages with clear sequencing and dependencies?
• Does the strategy identify all the elements of the affected service?
• Is the strategy consistent with wider organizational requirements?
• Is the strategy led by business requirements, or is it overly focused on implementing a technology-driven solution?
• Is funding aligned to the sequencing and uncertainty of the project?
• Is funding dependent on realizing early benefits and savings?
• What will happen if those benefits are delayed or reduced over time?

Governance and architecture

• Do governance arrangements reflect the importance of senior engagement and acknowledge the significant burden this places on leadership’s time and attention?
• Is there sufficient leadership continuity?
• If not, does this risk blurring the vision for transformation or undermining accountability?
• Are governance structures clear and simple? (i.e. is it clear where decisions are made)?
• Are decisions around technical development based on business priorities rather than being technologically driven?

Change and implementation

• Is the project uncovering a large number of unresolved issues?
• Is there a well understood and effective process for resolving new issues?
• Are prioritization decisions made clearly and early?
• Are decisions being driven by last-minute identification of under-delivery and funding issues?
• Are project issues being explained away without clear evidence or attributed to policy?

Performance management

• Is there adequate management information?
• Has information been delayed or prevented by changes to the project or de-prioritization of information systems?
• Does management use live data or does it rely on interpretations of progress from the project team and suppliers?
• Are there persistent shortages of key staff?
• How are vacancies for specialist skills being addressed?
• Is there heavy reliance on contractors and suppliers?
• Is there sufficient quality of management and understanding of external experts’ input?
• Is there sufficient capacity in transition?
• Are parallel running costs significant, and how are they affecting remaining services?

Technology/data

• Is the service ready to be used and tested publicly?
• If rollout is being driven by the need to meet funding or policy deadlines, how are risks being managed?
• Has the program set out the role of data in transformation?
• Is there a data strategy to support transformation?
• Is it clear how data will be managed (for example, consolidated and standardized) to get a single view across the organization?
• Are responsibilities for data set out clearly?
• Who sets data requirements (for example, definitions, quality, and timeliness) and ensures that they are met?
• Is action being taken to address the underlying causes of current data issues, such as quality and integrity, which limit the effectiveness of such tools?

Horizontal initiatives

• What role does each participating organization play (as applicable) in the horizontal assurance frameworks?
• Have agreements defining monitoring and oversight roles and responsibilities been established?
• Will this initiative impact existing corporate controls for departments (e.g., internal controls over financial reporting, information security controls)?
• How is this impact being planned for?
• Is there an understanding of both the future-state control design and the interim controls to be executed during transition from current state to future state?
• How will risk owners be monitored in their ability to manage specific risks?
• How will the identification of risk management issues be escalated appropriately when necessary?
• How are oversight functions monitoring financial transactions, including (but not limited to) vendor procurement and contract awards, infrastructure procurement, and funding arrangements?
• How are oversight functions engaging in evidence-based interventions or issue escalation when issues are identified during implementation?
• How is oversight and monitoring data shared among participants?
• How is this data being leveraged to identify areas of improvement?

Involvement of Internal Audit and of DAC

• Is the DAC aware of all significant transformational change initiatives
• Are such initiatives discussed at DAC meetings to facilitate understanding of context, purpose, status and risk?
• Does the DAC review the list of projects regularly (e.g. via review of the investment plan and/or other key documents)?
• Is the internal audit function conducting work to support key initiatives? If not, why not?
• Where the internal audit function supports key initiatives, specifically how is this done?
  • How are projects selected?
  • Does the function use a suite of services to provide ongoing timely assurance and/or advice?
  • Does the CAE or other audit staff attend key fora where these projects are monitored or discussed?

Other comments

Please answer these additional questions:

1. What do you think is the most critical issue the DAC should address in the coming months?
2. Is there a particular topic that you consider important, but on which you are not receiving information or receiving insufficient information?
3. Are there any significant elements that affect the DAC’s effectiveness or performance?
4. In your opinion, do you believe that the DAC is adding sufficient value to the deputy head and to the department? Can you provide examples? (optional)
5. Do you have additional general comments?