2019 Guidebook for a Departmental Audit Committee

Note

This document is intended as advice or guidance, and contains questions and considerations, though not exhaustive, that are critical to the functioning of Departmental Audit Committees.

This document does not constitute a departmental legal or policy requirement nor does it establish monitoring obligations on the part of the Treasury Board of Canada Secretariat.

On this page

Introduction

Since their inception in 2006, Departmental Audit Committees (DACs) have formed an integral component of the Government of Canada’s efforts to ensure rigorous stewardship and accountability for public resources. Meanwhile, much has changed in the federal government’s operating environment over that time, characterized not only by a fast-moving and ever-evolving risk environment, but an enhanced emphasis on horizontal approaches and business transformation initiatives to address growing complexity in how government works. In this context, DACs face significant challenges but remain uniquely positioned to offer advice and guidance, with the power to address some of the most pressing matters in modern public administration.

This latest version of the Guidebook for a Departmental Audit Committee has been updated to reflect these realities, as well as changes to the Policy on Internal Audit and the Directive on Internal Audit. As such, the Guidebook continues to present a framework to support the work of DACs, and remains premised on the understanding that its contents should be adapted to meet each committee’s and each department’s unique needs and circumstances.

The Guidebook is divided into three broad sections:

  • the first is an overview of a Departmental Audit Committee
  • the second discusses the functioning of a Departmental Audit Committee
  • the third comprises aides-mémoire and appendices to supplement the information provided in the first two sections

The Guidebook will function as an evergreen document, with updates to be posted, as needed, on appropriate web-based platforms or communicated to DAC members through their host departments.

1.0 Overview of a Departmental Audit Committee

The sections that follow set out the roles and responsibilities of a DAC as a whole and of DAC members individually.

1.1 Role and responsibilities of the Departmental Audit Committee

A DAC is an advisory body whose role is defined in the Treasury Board Policy on Internal Audit and the Directive on Internal Audit. The Terms and Conditions of Appointment for Audit Committee Members address the key issues that surround the initiation and management of members’ tenure. A DAC is expected to support the deputy head in his or her accounting officer roleFootnote 1 by providing the deputy head with objective advice and guidance, independent of management, in the areas of governance, risk management and control.Footnote 2

The DAC members’ knowledge, experience, expertise and independence as external to the public service should provide a valuable, impartial and respectful supplementary perspective on departmental operations. DACs must also provide a crucial challenge function to management, which is core to the purpose of its external composition. In so doing, the committees serve to help strengthen management processes and practices in departments across the federal government.

While policies related to internal audit and audit committees may be modified from time to time, and were most recently updated and streamlined under the Treasury Board’s policy reset initiative, the core areas of DAC responsibility remain constant:

  • values and ethics
  • risk management
  • management control framework
  • internal audit function
  • external assurance providers
  • follow-up on management action plans
  • financial statements and public accounts
  • accountability reporting

The amount of time spent by the DAC on each of these core areas of responsibility varies in accordance with the complexity, risks, and priorities of the department in question. The intention is for the DAC to provide sufficient and appropriate coverage to all areas over the course of a year.

The approach to addressing some of the responsibilities listed above will necessarily be adapted by the Small Departments Audit Committee and by the Government of Canada Audit Committee due to the horizontal nature of their mandates (e.g., accountability instruments and financial statements).

The DAC’s independence from line management situates the chair and members to provide the deputy head with strategic guidance and advice in areas that may appear to fall outside of the core responsibilities listed above. This guidance could be in the form of advice on topics ranging from strategic planning to large IT-enabled business transformation projects to digital government.

For instance, the DAC could play a critical role in questioning whether and how management has taken steps to adhere to IT project oversight and management processes and principles. With respect to strategic planning, the DAC could play a valuable challenge function regarding alignment between departmental performance targets and strategies to deliver on them. These activity areas in fact support the DAC’s core responsibilities for risk management, management control frameworks, and accountability reporting (see corresponding aides-mémoire 3.2, 3.3 and 3.8), and are expected to be undertaken in accordance with the department’s risk and operational environment.

In all areas of their responsibilities, DACs must always be satisfied that they have received sufficient information in order to be confident in the advice they provide to the deputy head. Consistent with the Terms and Conditions of Appointment for Audit Committee Members, DACs must devote appropriate time to preparation and should raise any information gaps with the chief audit executive (CAE). Just as auditors are often referred to as “professional sceptics,” DAC members must endeavour to ensure that they have received some acceptable level of substantiation of the information, findings and conclusions that are presented to them for deliberation.

Where the substantiation is not present, DAC members are justified in challenging departmental staff to better support their material prior to the committee forming a decision on their advice to the deputy head.

1.2 Accountability relationships

The DAC’s primary role is to assist the deputy head in monitoring the organization’s core systems of control and accountability. The DAC’s direct reporting relationship to the deputy head provides him or her with objective advice and guidance, independent of management, in the areas of governance, risk management and control. This is the role that makes DACs critical to achieving the objectives of the Treasury Board Policy on Internal Audit. The DAC should be conversant with the policy, and the directive and guidance that support it, relative to their responsibilities. It should be noted that DAC has no relationship or accountability to the appropriate Minister.

Another critical player in this relationship is the Office of the Comptroller General (OCG). In addition to co-recommending the appointment of DAC members, the Comptroller General of Canada is responsible for providing functional direction to the internal audit community across the federal government.Footnote 3

The following diagram illustrates the DAC’s key accountability and reporting relationships.

Figure 1: DAC Accountability Relationship
DAC accountability relationship
Figure 1: DAC Accountability Relationship - Text version

The DAC’s accountability relationship to the deputy head fits within broader departmental relationships and accountabilities as follows:

  • The Departmental Audit Committee provides advice to the Deputy Head, functional oversight to the Chief Audit Executive and the Chief Financial Officer, and takes part in an annual briefing with the Minister.
  • The Chief Audit executive and the Chief Financial Officer are accountable to the Deputy Head.
  • The Deputy Head is accountable to the Minister.
  • The Comptroller General provides functional direction to the Departmental Audit Committee, the Chief Audit Executive and the Chief Financial Officer.
  • The Office of the Auditor General and the Departmental Audit Committee share information.

1.3 Authority

The DAC has no authority in its own right over the operations of the department; it should not be directing departmental staff, nor should it be undertaking activities reserved for management. The DAC chair has no authority over the members. The role involves additional responsibilities aimed at ensuring that established committee procedures are respected and that expectations for the DAC are met.

1.4 Knowledge of business and relationship with management

The importance of orienting DAC members to their roles is especially critical. Upon joining a DAC, external members should be briefed by management on the expectations for the DAC and on the department’s business through presentations and discussions, and, where appropriate, through site visits. In addition, sessions orienting the DAC to public service governance and the machinery of government are offered annually.

It is important that DAC members continue to increase their understanding of the department’s business throughout their tenure, particularly in the areas of the business that are undergoing significant change. To this end, members should discuss their information needs with the CAE and arrive at an effective system of briefings to stay current on important departmental developments. This may be done through a variety of technologically enabled communications channels and methods, as well as through discussions with management as part of the regular DAC agenda.

Strong, open relationships between the DAC and management with respect to these responsibilities are also critical to the committee’s success. Of particular importance is the relationship and dialogue between the DAC chair and the deputy head. This interaction should be marked by its candour so that discussions of risk exposures and areas for improvement are unambiguous and focus on opportunities for effective mediation.

Open communication with the CAE and the chief financial officer is essential in building effective relationships with the management team and in bolstering knowledge of departmental operations. The DAC may also wish to invite a member of the executive team and/or members of the internal audit team to attend DAC meetings as observers, perhaps on a rotating basis. This participation can be a valuable learning opportunity for observers to strengthen their understanding of the DAC and its work while at the same time increasing awareness of the DAC mandate and operations in the department.

The OCG provides each DAC member with a membership to the Institute of Internal Auditors, which provides access to research, training, updates to the standards and reporting on key global trends in internal auditing. This membership also allows access to The Institute of Internal Auditors’ (IIA’s) Public Sector Audit Center, an on-line network of resources, created and aggregated specifically for auditors and their stakeholders working in the American public sector. In addition, the OCG hosts an annual DAC symposium where current issues and relevant topics are presented and discussed. This event is widely recognized as an important opportunity for committees to learn and share. DAC members are encouraged to take advantage of these resources to improve their awareness of their role and their knowledge of the profession of internal auditing.

1.5 Comparison of a DAC to a private sector audit committee

The role of the DAC is different from that of an audit committee in the private sector.

In the private sector, the board of directors is responsible for governing the organization and has the full authority to do so. Audit committees are a sub- committee of the board of directors. The board nominates members for appointment and delegates authority to the audit committee for financial oversight. The audit committee has a fiduciary role in helping the board fulfill its governance and oversight responsibilities in the areas of financial management and reporting, risk management, control assessment, external auditors, and the effective use of internal auditing. The audit committee also has the responsibility to review and recommend to the board the approval of the audited financial statements of the organization.

By contrast, in the Government of Canada, individual departments generally do not produce audited financial statements. Departmental financial results are consolidated into the public accounts and audited by the Auditor General of Canada. DAC members’ responsibility over financial matters is limited to reviewing and providing advice to the deputy head on the key financial management reports and disclosures of the department.

DACs in the federal government are advisory and are not a part of the governance structure for departments. DACs are appointed by the Treasury Board on the recommendation of the President of the Treasury Board. DAC members have no authority to make decisions or to direct the activities of public servants. Rather, they advise and make recommendations to the deputy head on the key areas of responsibility as defined by the Comptroller General of Canada.

1.6 Membership

As set out in the Treasury Board Policy on Internal Audit and Directive on Internal Audit, the DAC must have a majority of independent, external members who do not hold a position in the federal public administration. The membership is to reflect Canada’s diversity in terms of gender, official languages, Indigenous Canadians, minority groups and regional representation.

External members are jointly selected by the deputy head and the Comptroller General of Canada for approval by the Treasury Board. The collective skills, knowledge, and experience of the members are to enable the committee to competently and efficiently undertake its duties. DAC membership from within the federal public administration is to be limited to individuals at the level of deputy head, unless an exception is granted by the Comptroller General of Canada.

Although they are not members of the committee, by virtue of their central roles in the department, the chief financial officer and the CAE are expected to attend all committee meetings. As necessary, the chair may also request other departmental officials and representatives from the Office of the Auditor General (OAG) and the Treasury Board of Canada Secretariat (TBS) to attend.

2.0 Functioning of a Departmental Audit Committee

2.1 Charter or terms of reference

The DAC is expected to document its roles and responsibilities in a charter or terms of reference. The DAC’s roles and responsibilities should be consistent with Treasury Board policies and guidance, while recognizing that the committee may be requested to provide advice in additional related areas where the deputy head feels he or she can benefit from the DAC’s counsel.

The charter or terms of reference must be approved by the deputy head and reviewed periodically. Changes to relevant policies and standards should be factored into the process for reviewing and updating the charter or terms of reference. The DAC charter may indicate a continued requirement to provide advice in areas that may no longer be required by policy but where the deputy head feels the DAC can continue to add value. For example, the DAC may be requested to review and provide advice on departmental accountability reports or financial reports prior to their finalization even though this is no longer a policy requirement.

2.2 Annual plan

To ensure the fulfillment of its responsibilities, the DAC is expected to prepare an annual plan for the deputy head’s approval. DAC members and the deputy head should be actively engaged in this process. The annual plan will help utilize a risk- based approach to reviewing the core areas of responsibility as well as scheduling any additional areas where the deputy head wishes the DAC to provide strategic advice. DAC members may wish to review pertinent elements of this Guidebook, either individually or as a committee, when developing the annual plan.

Recognizing that not all core areas of responsibility may be covered in a single year, the DAC may find it beneficial to have the plan cover a two-year horizon.

2.3 Meetings

Meetings are a main working forum for the committee, and members should participate actively. Meetings provide an opportunity to review information, identify and discuss important issues, and develop informed judgments. The usefulness of meetings and the DAC’s overall effectiveness depend on members’ thorough preparation beforehand and their willingness to discuss key issues at meetings.

The number of meetings each year largely depends on the extent and nature of the DAC’s work. On average, DACs meet in person three to four times per year. The committee may find it beneficial to use teleconferencing and/or video conferencing as a means to carry out DAC business where there is important, time-sensitive work to be done but the nature or volume of it does not warrant an in-person meeting. For example, a DAC meeting may be held via teleconference to review and provide advice on the department’s financial statements, including any associated auditor’s report.

In camera discussions should be a regular and integral part of each DAC meeting. The committee should meet separately in camera with the CAE, the chief financial officer and the external auditor, when in attendance. A good practice is for the external DAC members themselves to meet in camera, either before the meeting, as part of the agenda, or both.

It is the chair’s responsibility to include these in camera discussions at every DAC meeting and to ensure that sufficient time is set aside for them. Regularly scheduling such meetings provides an excellent opportunity for DAC and key stakeholders to communicate privately and candidly.

2.4 Expectations of the DAC

As previously noted, in fulfilling its responsibilities, it is expected that the DAC will exercise due diligence, provide constructive challenge in its work, and maintain independence from line management.

2.4.1 Expectations of the DAC chair

The chair of the DAC is to be from outside the federal public administration (unless an exception is granted by the Comptroller General of Canada). Exceptions exist primarily to address sudden vacancies or delays in the Treasury Board appointment process. The position holds no authority beyond the functioning of the committee.

The expectations of the DAC chair include, but are not limited to, the following:

  • Prepare a DAC annual plan: In consultation with the DAC members and the CAE, prepare the annual plan, to be presented to the deputy head for approval. The chair should ensure that the DAC’s areas of responsibilities are fully addressed, including any additional areas found in the DAC charter or where the deputy head is seeking strategic advice.
  • Oversee preparations for DAC meetings: This includes the following:
    • leading the development of the agenda, which includes in camera sessions as part of each meeting, in consultation with the deputy head
    • influencing the timely distribution of pre-meeting materials, which facilitates the DAC’s ability to prepare for the meeting
    • meeting informally with members before the meeting if necessary
    • encouraging and supporting DAC members’ attendance at all DAC meetings
    • recommending the general nature and length of presentations
  • Chair DAC meetings: The chair is responsible for:
    • facilitating discussion among DAC members and management in accordance with the DAC annual plan
    • leading discussions in a manner that reinforces reasonable expectations of DAC members
    • encouraging meaningful and respectful participation in keeping with the principles of inclusive leadership, including ensuring that all DAC members who wish to address a matter are provided with the opportunity to do so
    • leading discussions among members as to whether sufficient information or material has been provided to inform DAC deliberations or decisions;
    • attempting to achieve consensus where members express conflicting positions, views or advice
    • as appropriate, inviting representatives from external assurance providers to attend committee meetings to discuss the plans, findings and other matters of mutual concern
  • Lead the DAC’s self-assessment process: The chair should champion and manage the development of the DAC’s annual self-assessment process as a means to support open and frank discussions on the committee’s performance, and in support of continuous improvement.
  • Support a positive DAC culture: A positive DAC culture is nurtured by the DAC chair and is characterized by the following:
    • DAC’s acceptance of its responsibilities and mandate
    • DAC’s willingness and capacity to exert a healthy challenge function
    • respect and trust among DAC members and management
    • welcoming a diversity of opinions and perspectives, including acceptance of the right of each DAC member to hold and express dissenting opinions
    • a positive atmosphere conducive to collaboration and progress toward the achievement of departmental objectives
    • a genuine commitment to good governance practices on the part of DAC members
    • a willingness to act as a team

2.4.2 Expectations of DAC members

In discharging their responsibilities, DAC members are each expected to:

  • be familiar with those sections of the Treasury Board Policy on Internal Audit relevant to their work
  • know, respect and comply with the Terms and Conditions of Appointment for Audit Committee Members
  • be familiar with the scope of internal audit and the limits of its purview
  • be aware at all times of the implications of taking on activities that could pose potential eligibility concerns,Footnote 4 mindful of the fact that the Financial Administration Act prohibits DAC members from occupying positions in the federal public administration
  • attend all DAC meetings and provide adequate advance warning to departments should attendance not be possible
  • be prepared for DAC meetings by reviewing information, reports and background material provided in advance of each meeting
  • ask probing questions and expect, encourage and elicit reasonable answers
  • encourage a culture of open, candid, respectful and direct communication between management and the committee
  • provide sound counsel while respecting management’s authority to make decisions
  • help the deputy head prepare for being held to public account by periodically subjecting the deputy head’s executive decisions to constructive challenge and by encouraging the deputy head to demonstrate that the best possible decisions have been made in light of all available information and evidence
  • provide invoices in a timely manner to meet proactive disclosure timelines

2.5 Support from the department

To perform its work, the DAC requires the support and cooperation of the department’s management. The committee depends on management for information, reports, knowledge, and insight about the department’s practices and the issues it faces. There is no set model for the provision of this support. Nor is there a set lead within departments for the provision of this support. In some departments, it is provided by the corporate secretariat; in others, it is provided by the internal audit function. Where support is provided by internal audit, the CAE should keep the DAC secretariat separate from the other internal audit business to maintain the internal audit function’s actual and perceived independence and objectivity.

Support provided to the DAC can cover many activities, including administrative, strategic and logistical support. This could include booking meeting rooms and travel arrangements, processing proactive disclosure of DAC members’ expenditures, identifying issues, preparing reports and charters, researching topics, and liaising with management. Departments should provide updates on ongoing matters of importance to the DAC and relay key communications from the OCG. The department should also support the external members in developing a sound understanding of their role and responsibilities and those of the department, and in complying with their terms and conditions of appointment. This Guidebook can also be used by the department to support the DAC, particularly by those providing secretariat support. In addition, this guidebook may be shared with the Chief Financial Officer, whose presence is required at every DAC meeting.

Appendix A describes examples of the kind of support and assistance departments should consider providing to DACs. A sample table of contents for a DAC orientation/reference binder is included as Appendix B.

2.6 Self-assessment

While considered a good practice, there is no requirement from the OCG for DACs to submit an annual report. The decision whether to continue the practice will be made by the deputy head and will depend on a number of factors that determine the relative value derived by developing this report.

A formal, external assessment of the DAC’s performance is part of the external assessment of the internal audit function to be carried out every five years. The DAC should also undertake a periodic self-assessment of its own performance.

Self-assessments help ensure that the DAC delivers on its charter or terms of reference and continually enhances its value to the deputy head. Self-assessment can take many different forms, involve a number of participants, and use diverse techniques. The key to successful self-assessments is a willingness to actively seek out opportunities to improve performance and recognition of the importance of acting on the results. Management should not hesitate to use the self-assessment as a basis to assess DAC performance and determine whether the DAC is adding value.

The format of the self-assessment is up to the department. Appendix C contains a sample DAC self-assessment questionnaire, which sets out the kinds of questions that can help members gain insight into the DAC’s performance.

To obtain more comprehensive insight into the DAC’s performance, value and opportunities for improvement, consideration should be given to including attendees at DAC meetings as well as members of management who have extensive interactions with the committee in the self-assessment process. Tools that facilitate this broader participation in committee self-assessment are available from the OCG.

Regardless of the tool utilized, the critical element is the dialogue and discussion at the DAC with regard to the results so as to identify and effectively address any noted areas for improvement in a timely manner.

3.0 Aides-mémoire

This section contains eight aides-mémoire, one for each of the DAC’s eight core areas of responsibility:

  • Values and ethics
  • Risk management
  • Management control framework
  • Internal audit function
  • External assurance providers
  • Follow-up on management action plans
  • Financial statements and public accounts reporting
  • Accountability reporting
  • Supplementary aide-mémoire: Large transformational projects

The specifics of each of these core areas may vary due to changes in Treasury Board policy and the department’s specific needs. For this reason, each aide- mémoire should be reviewed in the context of the DAC’s charter or terms of reference.

These interrelated aides-mémoire are intended to support the DAC as a whole, and members individually, in performing their due diligence. Each aide-mémoire includes a series of prompts or questions that individual members can ask themselves and/or management when reviewing materials, reports and information provided to the committee. There is no requirement for the DAC to utilize these aides-mémoire and, if employed, no requirement to use the entire list of questions where the risk is not assessed as significant. However, they can help stimulate meaningful discussion in each of the DAC’s key areas of responsibility. They are not an exhaustive list and should also help DAC members ask the necessary probing questions and consider the reasonableness of responses with greater knowledge and understanding.

In addition to a set of questions, each aide-mémoire provides a list of guidance material that is pertinent to the particular subject matter. Departments should make this guidance available to DAC members as requested or required.

3.1 Values and ethics: aide-mémoire

This aide-mémoire is designed to help DAC members consider values and ethics when reviewing materials, participating in discussions or receiving presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this area are expected to be outlined in the department’s DAC charter or terms of reference. In general, it is expected that the DAC’s work will include reviewing and advising the deputy head on departmental systems and practices established to monitor compliance with laws, regulations, policies and standards of ethical conduct, and identify and deal with any legal or ethical violations. It may also include the procedures and feedback mechanisms established to monitor conformance with its code of conduct and ethics policies, as well as how its processes encourage and maintain high ethical standards.

Pertinent government policies and related guidance

  1. Government of Canada web page on values and ethics of the public service
  2. Values and Ethics Code for the Public Sector
  3. Treasury Board Policy on Conflict of Interest and Post-Employment
  4. Public Servants Disclosure Protection Act
  5. Criminal Code, Part IV
  6. Department-specific values and ethics code and related guidance

Leadership and people management

  • What support does the deputy head provide to set the required “tone from the top” for the department’s ethics program?
  • How does the department ensure that its leadership and management practices reflect public service values and ethics?
  • Does the department have a senior official for values and ethics?
  • Does the department have a senior official to receive and investigate disclosures of wrongdoing, including alleged instances of harassment and breaches of the values and ethics code?
  • Is the quality of values and ethics leadership regularly assessed internally and externally?
  • Is performance information on public service values and ethics, including people management, integrated into hiring, promotion and performance management?
  • What processes or structures does the department have in place to ensure active values and ethics dialogue among senior management?
  • What are the results of the Public Service Employee Survey and management’s plans to address noted issues? How does the department ensure employees remain engaged between survey cycles?

Departmental culture

  • How does the department maintain an ongoing dialogue on public service values and ethics relevant to the specific departmental challenges?
  • How does the department ensure that values and ethics are embedded in what staff do every day?
  • Is there value in carrying out a review or audit of departmental culture?

Policies and guidelines

  • Does the department have its own values and ethics code consistent with the Values and Ethics Code for the Public Sectorand the Treasury Board Policy on Conflict of Interest and Post- Employment?
  • If so:
    • does it clearly state acceptable and unacceptable behaviour, particularly in areas of significant ethical risk?
    • does it identify which departmental programs and functions may be of highest risk for conflicts of interest?
  • How does the department communicate its own values and ethics code and the Values and Ethics Code for the Public Sector to staff to ensure they understand their responsibilities and expectations of them regarding ethical behaviour and the consequences of non-compliance?
  • How does the department communicate recourse and disclosure mechanisms to staff?
  • How does the department ensure that employees are aware of its disclosure procedures and are encouraged to expose wrongdoing without fear of reprisal? In other words, how does the department ensure a safe environment?
  • How does the department ensure that public servants intending to leave the public service are aware of the post-employment obligations of the departmental code and the Values and Ethics Code for the Public Sector?

Values and ethics program

  • Does the department have a values and ethics program in place?
  • If so, is there a plan in place that sets out the expected benefits, results and performance measures of this program, including the applicable sections of the Public Servants Disclosure Protection Act?
  • How do employees obtain advice when facing difficult ethical decisions?
  • How does the department identify, assess and manage values and ethics risks, including the risk of fraud?
  • How does the department investigate complaints of wrongdoing, harassment and conflicts of interest?
  • What are the processes and mechanisms in place to ensure that investigations proceed promptly, fairly and objectively, with due regard for confidentiality?
  • What procedures and mechanisms does the department have in place to establish, promote and manage disclosures made under the Public Servants Disclosure Protection Act, as it applies to the department?
  • How does the deputy head ensure:
    • the confidentiality of those involved in the disclosure process?
    • security of information collected through disclosures?
    • prompt public access to information if wrongdoing as described by the Act is found?

Values and ethics learning

  • What training on the Values and Ethics Code for the Public Sector and on recourse and disclosure do new and existing employees and managers receive? Is this training mandatory? Is it provided on an ongoing basis?
  • How frequently are training materials updated to ensure they maintain their relevance and appeal?
  • How does the department measure the effectiveness of its values and ethics learning activities?
  • What other mechanisms or approaches are in place to share lessons learned and best practices, e.g., sharing examples of ethical dilemmas and how they were handled?

Values and ethics monitoring and reporting

  • How does the department monitor compliance with its own code and the Values and Ethics Code for the Public Sector?
  • How does the department measure and report on employees’ and managers’ understanding of the Values and Ethics Code for the Public Sector and their confidence in the department’s recourse and disclosure mechanisms?
  • How does the deputy head know that behaviour throughout the department is consistent with the expectations and standards of the department’s code and the Values and Ethics Code for the Public Sector?
  • What role does internal audit play in providing assurance on values and ethics, including departmental compliance with the department’s code, the Values and Ethics Code for the Public Sector and relevant sections of the Public Servants Disclosure Protection Act?
  • How are unlawful activities (known or potential) reported in the department and to whom?
  • What reports does the deputy head receive on ethics concerns or investigations, including findings and recommended actions?
  • What processes are in place to monitor the implementation of required actions to ensure they are implemented on a timely basis and address the reported findings?

3.2 Risk management: aide-mémoire

This aide-mémoire is designed to help DAC members consider risk management when reviewing materials, participating in discussions or receiving presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this area are expected to be outlined in the department’s DAC charter or terms of reference. In general, it is expected that the DAC’s work focuses prominently on reviewing and advising the deputy head on the department’s risk management arrangements.

Pertinent government policies and related guidance

  1. Treasury Board of Canada Secretariat risk management web page
  2. Framework for the Management of Risk
  3. Guide to Integrated Risk Management
  4. The department’s own risk management policy and guidance

Risk management responsibility

  • Is there a senior management risk champion (assistant deputy minister level or above) who is responsible for the department’s risk management framework and related activities and corporate risk profile?
  • How is the champion held to account for his or her risk management responsibilities?
  • Is it clear that senior managers are responsible for managing and mitigating risks in their programs, functions and areas?

Risk management Strategy

  • Does the department have a risk management policy or framework?
  • If so, does this policy or framework:
    • establish an approach for integrating risk management into the department’s decision-making processes?
    • link with the entity’s strategic documents (i.e., accountability reports to Parliament)?
    • reflect departmental roles and responsibilities for implementing and practising risk management?
    • include reporting and monitoring requirements to ensure compliance with the risk management policy or framework?
  • What are the key elements of the department’s risk management approach? Does it include an annual risk assessment that includes an assessment of:
    • the risk of fraud?
    • information technology risks, including data integrity, infrastructure, capacity and cybersecurity risks?
    • physical security risks?
    • risks associated with major IT-enabled and non-IT projects?
    • business continuity planning and disaster recovery planning?
    • risks with respect to all significant departmental changes, projects and programs?
  • How is staff informed of the department’s approach to risk management?

Corporate risk profile

  • Does the department have a current corporate risk profile approved by senior management?
  • If so, does this profile:
    • identify the department’s key strategic risks?
    • include an assessment of the key risks identified?
    • reflect the risk tolerance of key clients and other stakeholders?
    • outline the strategies to mitigate or manage key strategic risks?
  • How does the department identify and assess strategic and business risks?
  • How does the department identify and assess new and emerging risks?
  • What controls are in place to manage or mitigate the highest inherent risks? (see subsection 3.3 for the aide-mémoire on management control frameworks)
  • How has management determined the opportunities for innovation and experimentation? How are the associated risks identified, assessed and prioritized? Is the associated risk tolerance discussed and incorporated into risk mitigation plans?
  • How is the corporate risk profile communicated across the department?
  • What processes are in place to ensure that risk management strategies outlined in the profile are implemented?
  • How often does management review and update its corporate risk profile?

Fraud risk management

  • What mechanisms does the department have in place to manage the risk of fraud, recognizing that it can result in a loss of public money or property, hurt employee morale, and can undermine Canadians’ confidence in public services?
  • Has the department undertaken a fraud risk assessment? If not, why not?
  • What role does internal audit play in helping manage the risk of fraud?

Integrated risk management

  • How are risk management practices integrated into the management of programs throughout the department?
  • How is risk management aligned with the department’s expected results and performance measurement practices?
  • How is risk integrated into the department’s key business planning and decision-making processes?
  • How does the department demonstrate that it is performing in accordance with the approved business plan and within risk tolerance limits?

Continuous risk management learning

  • What risk management training, including training to mitigate risk, does staff receive?
  • To what extent does management review lessons learned from major departmental events, surprises and disasters and how it has responded to these occurrences?
  • How are lessons learned and best practices communicated across the department?
  • How are lessons learned and best practices built into risk management practices?

Risk management reporting and monitoring

  • How are risk or control failures escalated within the department (e.g., risk and incident reporting and tracking)? To whom and through what mechanisms are they reported?
  • To what extent does senior management receive reports throughout the year on risk management plans and take corrective action as required?
  • What reports or information does the deputy head receive on departmental risk management?
  • What role does internal audit play in providing assurance on risk management practices, key risks and/or controls mitigating the highest inherent risks?
  • Is risk management monitored and discussed regularly at senior governance committees? If so, how?

3.3 Management control framework: aide-mémoire

This aide-mémoire is designed to help DAC members consider the department’s management control framework when reviewing materials, participating in discussions or receiving presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this area are expected to be outlined in the DAC charter or terms of reference. In general, it is expected that the DAC’s work will include reviewing and advising the deputy head on the departmental internal control arrangements, and that its work will be informed on all significant matters that arise from the work performed by others who provide assurances to senior management and the deputy head.

The DAC should have an understanding of the level of comfort that the deputy head has with regard to his or her responsibilities under subsection 16.4 of the Financial Administration Act to maintain effective systems of internal control in the department and whether that comfort is justified.

Pertinent government policies and related guidance

  1. Treasury Board Policy on Financial Management
  2. Treasury Board Guideline for the “Policy on Internal Control”
  3. Treasury Board Policy on Results
  4. Management Accountability Framework: methodology and findings
  5. Financial Administration Act
  6. Department-specific management and internal control policy or framework

Management controls: roles and responsibility

  • Is it clearly articulated and understood that the deputy head has overall responsibility for the department’s systems of internal control?Footnote 5
  • Is it clearly articulated and understood that management has a fundamental responsibility to identify, document and monitor controls?
  • Does the department have a chief results officer and, if so, is that position at an appropriate level?
  • Are delegations of authority and responsibility to individuals documented, properly approved and kept up to date?
  • Are delegations of authority communicated to all departmental staff?

Management controls: control framework and departmental systems

  • Does the department have a control framework that:
    • includes, but is broader than, internal controls over financial reporting?
    • reflects the department’s key controls to ensure sound management practices, consistent with the Treasury Board Management Accountability Framework and Treasury Board policies and legislative requirements?
    • reflects other key controls that help mitigate the department’s key strategic and business risks?
    • reflects financial management controls, including controls with respect to budgeting, forecasting and costing?
    • includes controls to support the management of large departmental projects?
    • is aligned with the department’s results framework?
    • explicitly supports departmental innovation and experimentation, including learning from experimentation?
    • reflects departmental roles and responsibilities for developing, reviewing, implementing and sustaining key controls?
    • includes reporting and monitoring requirements to ensure compliance with this framework?
  • If the system of internal controls is lacking in key elements, what is the department’s strategy for developing a sound management control framework in support of the ongoing effectiveness of internal controls across the department, including financial management processes and practices?
  • How does management identify and implement required controls necessary to mitigate, manage and monitor new or emerging risks?
  • How does the department identify and implement management controls in support of innovation and experimentation?
  • How is staff informed of the department’s control framework and held to account for ensuring sound controls in their area?
  • Does management review the Annex to the financial statements of common service providers to identify any control issues with respect to the related services provided?
  • Are processes in place to review and strengthen the adequacy of internal controls for significant new departmental systems, business transformation projects or programs?
  • What training in management or internal controls do employees receive?

Management controls: project management

  • What major projects (i.e., transformation, modernization, information technology, program delivery) does the department have planned or underway? Are they reflected in the Departmental Plan and the investment plan? Are they aligned with the Government of Canada Strategic Plan for Information Management and Information Technology 2017–2021? (see section 3.9: Large transformation projects: aide-mémoire (supplemental)
  • For projects that cut across multiple departments:
    • how are client/recipient departments engaged throughout the project?
    • what is the status of the project (i.e., on track, on time, notable issues identified and managed)?
    • what is internal audit’s role? If not playing a role, why not?
  • For major projects, is the following clear and sufficiently robust:
    • governance structures, including performance expectations, monitoring, challenge function, oversight and reporting?
    • project scope, timing and milestones, roles and responsibilities, linkages within the department and with other departments?
    • key risks and how they are being managed or mitigated?
  • How are lessons learned from major government or departmental projects leveraged to strengthen the management of future projects?

Management controls: control certifications

  • As part of the financial statements, does the department produce a Statement of Management Responsibility Including Internal Control over Financial Reporting each year that is signed off by the deputy head and chief financial officer (CFO)?
  • If so, what evidence underpins this statement?
  • Do assistant deputy ministers or their equivalents provide the deputy head and/or CFO with internal control certifications?
  • If so, how often are they provided, and what evidence underpins these certifications?

Reporting and monitoring of controls

  • How are risk or control failures escalated within the department?
  • How are required changes to the design or implementation of key controls identified and implemented in a timely manner?
  • What performance information does each level of management receive, and how often, that compares actual performance against budget and performance targets?
  • In addition to the control certifications, what arrangements are in place to periodically assess the effectiveness of the department’s control framework (e.g., internal audits, management review and sign-offs)?
  • How does management report the detection of fraud to the deputy head and the DAC?

3.4 Internal audit function: aide-mémoire

This aide-mémoire is designed to help DAC members consider the department’s internal audit function when reviewing materials, participating in discussions or receiving presentations. Given the DAC’s independence from line management and responsibilities in this area, the DAC is well positioned to influence the professionalism, quality, performance and capacity of the internal audit function and provide the deputy head with advice on addressing areas of concern. This aide- mémoire provides questions for consideration to assist the DAC in this work.

Overview of DAC responsibilities

The specific DAC responsibilities in this area are expected to be outlined in the department’s DAC charter or terms of reference. The DAC should be able to reasonably determine if the deputy head is meeting the requirement of subsection 16.1 of the Financial Administration Act to ensure “an internal audit capacity appropriate to the needs of the department.”

In general, it is expected that the DAC’s work will include reviewing and advising the deputy head on the department’s internal audit policy or charter, the sufficiency of internal audit resources, the quality and substance of the department’s Risk-Based Internal Audit Plan and progress against the plan, internal audit reports, the performance of the internal audit function (including the results of external practice assessments and ongoing and periodic internal assessments), and the recruitment, qualifications and performance of the CAE.

It is also generally expected that DAC members would be informed of any internal audit engagements or tasks that do not result in a report to the DAC, including all matters of significance arising from such work.

Pertinent government policies and related guidance

  1. Section 16 of the Financial Administration Act
  2. Treasury Board Policy on Internal Audit
  3. Treasury Board Directive on Internal Audit
  4. International Professional Practices Framework (The Institute of Internal Auditors)
  5. Treasury Board of Canada Secretariat frameworks for oversight of internal audit

Internal audit policy or charter

  • Does the department have an internal audit policy or charter?
  • If so, does this policy or charter:
    • reflect the purpose, authority and responsibility of the internal audit function?
    • align with the OCG’s Value Proposition and Attributes of an Ideal Internal Audit Function?
    • reflect the primary focus on the provision of assurance services to the department?
    • describe non-assurance services provided (i.e., advisory, consulting)?
    • have periodic reviews and revision, as required?

Independence and objectivity

  • Does the CAE report directly to the deputy head? If not, why not?
  • Does the CAE have the necessary certification or designation for the position? If not, does the CAE possess an acceptable combination of education, training and/or experience as determined by the Comptroller General for this particular case?
  • Is internal audit free from interference in determining the scope of internal auditing, performing the work, and communicating the results?
  • Does the CAE have responsibility for functions other than audit? If so, how is independence assured? If so, do these other duties impede the ability of the CAE to meet their responsibilities under the policy and the Standards?
  • Is the CAE a member of the senior executive table while still maintaining their independence? If not, why not?
  • Does internal audit have unencumbered access to all departmental information, records and locations as required?
  • Does internal audit receive the necessary cooperation and assistance from departmental staff and management?

Internal audit planning

  • What is the process for developing the Risk-Based Internal Audit Plan (RBAP)?
  • Does the RBAP conform to the Standards according to OCG maturity models and/or assessment tools?
  • Does the RBAP comply with the requirements of the Policy on Internal Audit?
  • Is the RBAP risk assessment process thorough, documented and clear to the DAC?
  • How does the RBAP link with the department’s corporate risk profile and key strategic and operational risks?
  • Have departmental objectives and risks with respect to innovation and experimentation been considered in the development of the RBAP?
  • Have fraud risks been considered in the development of the RBAP, as well as the planning for individual internal audit projects or major transformation projects?
  • Has internal audit considered major capital projects in the development of the RBAP? If not, why not?
  • How does the RBAP align with the department’s Evaluation Plan? How are these functions aligned, and are there opportunities for joint work?
  • How are the proposed audit projects determined and prioritized (i.e., are they linked to the department’s risk management strategy or to internal audit’s own risk assessment process)?
  • Are the majority of proposed audit projects assurance engagements? If not, why not?
  • Where the plan includes advisory services, does the internal audit team have the necessary expertise and capacity in place to deliver these services? Are advisory engagements conducted according to IIA Standards?
  • Does the plan adequately detail the objectives, scope, timing and resource requirements (dollars and staffing resources) for each of the proposed projects?
  • Does the RBAP make appropriate provision for the work of external assurance providers (i.e., horizontal audit activities to be undertaken by the OCG and engagements by the OAG)?
  • Does the RBAP document resources allocated for follow-up on recommendations resulting from internal and external engagements, including management letters, and horizontal engagements?
  • Does the RBAP reflect the impact of any resource limitations?

Internal audit delivery

  • Does the internal audit service delivery modelFootnote 6 meet the department’s needs?
  • Where the internal audit delivery is co-sourced, what processes are in place to manage the engagement and ensure compliance with the Institute of Internal Auditors’ International Professional Practices Framework?
  • Where an interdepartmental engagement or joint audit and evaluation engagement is conducted, is sufficient background and context provided to the DAC on risk levels, maturity of collaborating functions and any other pertinent information?

Internal audit reports

  • Are internal audit reports clear, concise and compelling? Do they satisfactorily address audit objectives?
  • Is technology leveraged to support modern, compelling internal audit reporting?
  • Do audit reports include a statement of conformance? If not why not?
  • Are internal audit reports issued on a timely basis (i.e., what is the elapsed time from the start of the engagement to issuing the final report)?
  • Are the recommendations relevant, practical and achievable?
  • Do audit reports include management’s response and action plan to address all agreed-upon recommendations? Does the response and action plan appear to effectively respond to the observations and findings or the root cause of the problems and issues outlined in the report?
  • For interdepartmental or joint engagements, are approvals coordinated to facilitate the publishing of reports and related performance information?

Internal audit capacity and resources

  • Does the internal audit team have sufficient resources (full-time equivalents and/or money) to support the deputy head in their legislative responsibilities, including delivering on the approved risk-based internal audit plan (assurance and advisory services, as applicable) and maintaining a quality assurance and improvement program?
  • Is there a human resources and learning strategy in place to support the professionalism of the function (i.e., certified internal auditor, chartered professional accountant and other relevant recognized designations) and the needs of the department?
  • Does the internal audit team have the necessary complement of required skills and experience to deliver on its RBAP? Does this include a multidisciplinary team that reflects the mandate and risks of the department? If not, what is internal audit’s plan to acquire these skills and expertise?
  • Is internal audit able to access specialist skills, where and when required?

Performance of the internal audit function

  • Does internal audit have a sound understanding of the department’s business, including key strategic and operational risks?
  • Does internal audit have a performance framework, consistent with TBS expectations, to outline, monitor and report on the performance of the function, including results of follow-up on management action plans? Does the framework support innovation and growth of the function?
  • To what extent does the internal audit team complete its engagements on time?
  • Does internal audit publicly report on its performance? If so, is this report consistent with the OCG performance framework, and is it provided to the deputy head and the DAC and posted on the department’s website?Footnote 7
  • Does internal audit have a formal Quality Assurance and Improvement Program (QAIP) in place to ensure that internal audit provides quality, value-added services and complies with Treasury Board policies and the IIA Standards? Do these processes provide timely feedback on issues or areas of concern?
  • Does the audit committee receive a periodic comprehensive briefing on the QAIP, including areas for attention and conformance to the Standards for ongoing monitoring and both internal and external assessments?
  • Has the CAE explained to the DAC the implications of not having an appropriate QAIP in terms of policy compliance and standards conformance?
  • Has internal audit undergone an independent external quality assessment within expected time frames? If not, why not?
  • If so:
    • what were the results of the external quality assessment?
    • has an action plan been prepared to address noted areas for improvement, and has this report been provided to the DAC?
    • are periodic reports provided to the DAC to monitor the implementation of actions flowing from the external quality assessment?
  • Does internal audit maintain effective liaison with the OCG, the OAG and other assurance providers and stakeholders, as required?
  • Does internal audit provide OCG with required and requested documents and information within deadlines? If not, why not?
  • Does internal audit provide DAC with the department’s results/ benchmarks with regard to the OCG internal audit community performance framework (e.g., Capacity Assessment Template, RBAP self-assessment, etc.)?
  • Does internal audit have a professional relationship with departmental management?
  • How does the function leverage the information gained from the post-engagement surveys?

3.5 External assurance providers: aide-mémoire

This aide-mémoire is designed to help DAC members consider reports of external assurance providers and accompanying materials when participating in discussions or presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this area are expected to be outlined in the DAC’s charter or terms of reference. In general, it is expected that the DAC’s work in this area will include being informed of and advising the deputy head on the results of the work of external assurance providers,Footnote 8 and providing advice on audit-related issues or priorities raised by the external assurance providers.

Pertinent government policies and related guidance

The Office of the Auditor General of Canada (OAG) produces functional audit guidance and tools for general application in performance audits, or for use in audits on specialized areas.

  1. What to Expect—An Auditee’s Guide to the Performance Audit Process
  2. Examining Public Spending—Estimates Review: A Guide for Parliamentarians
  3. The Environment and Sustainable Development Guide: Integrating Environmental and Sustainable Development Considerations in Direct Engagement Work

Leadership and support

  • Is there a senior lead for monitoring and reporting on the work of external assurance providers done in the department, including audits and special reviews?
  • Does the department have a designated OAG or external assurance liaison resource? What does the role entail?
  • How does the department support external assurance providers undertaking audits and special reviews in the department?

OAG and central agency audits and management improvement initiatives

  • What are the processes in place to ensure that management and the DAC is kept up to date on work planned and being carried out by external assurance providers?
  • Are audit projects planned by external assurance providers considered and identified in the department’s RBAP?
  • What processes are in place to review and develop the necessary management responses to issues raised by external assurance providers?Footnote 9 If there are no such processes, what needs to be put in place to facilitate management responses?
  • What processes are in place to review, assess and report on issues and priorities raised by external assurance providers?
  • Does the DAC receive external assurance provider reports on a timely basis? If not, what processes are in place to support DAC members in providing the deputy head with advice on management’s response as well as on any noted audit-related issues or priorities?
  • What is the process and time frame for monitoring, assessing and briefing the deputy head and DAC on the departmental impacts of resulting government-wide initiatives to improve management practices?

3.6 Follow-up on management action plans: aide-mémoire

This aide-mémoire is designed to help DAC members consider follow-up of management action plans when reviewing materials, participating in discussions or receiving presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this critical area of oversight are expected to be outlined in the DAC charter or terms of reference. In general, it is expected that the DAC’s work in this area will include regularly reviewing and advising the deputy head on the progress of implementing approved management action plans resulting from the work of internal audit and external assurance providers.

Pertinent government policies and related guidance

  1. International Professional Practices Framework (The Institute of Internal Auditors)
  2. Treasury Board Directive on Internal Audit

Roles and responsibilities

  • Is a senior manager identified as being responsible for implementing agreed-upon management action plans articulated in departmental internal audit reports, internal responses to OAG audits or audits from other assurance providers?
  • Is it clearly understood that the CAE is responsible for monitoring and following up on management action plans, including plans that result from the work of external assurance providers?
  • Is it clearly understood that the CAE is responsible for monitoring and following up on action plans for recommendations resulting from quality assessments?

Monitoring and reporting

  • What process and procedures does the CAE have in place for monitoring the implementation of management action plans, including management action plans arising from audits conducted by external assurance providers?
  • What methodology and process does the CAE have in place to follow up on whether management actions taken have been effective?
  • How often does the CAE report to the deputy head and the DAC on management follow-up?
  • What management procedures are in place to ensure timely action on recommendations resulting from audit engagements? For example, are actions for recommendations that are deemed serious or imperative incorporated into the performance agreement of managers of the office of primary interest (OPI)?
  • Does a senior management representative from the OPI attend the follow-up segment of the DAC meeting to discuss delays in the implementation of the management action plans?
  • What is the nature of the CAE’s reporting to the DAC on management follow-up (i.e., verbal or written report)? Does this report:
    • reflect the extent to which management action plans are being implemented within the specified time frame and adequately explain delays and revised time frames for completion?
    • indicate the extent to which actions implemented are effective (if actions are not effective, why not)?
    • indicate why the CAE believes management has accepted a level of risk that is unacceptable to the department or to the government, if applicable?
  • Does the CAE maintain timely reporting of follow-up results for internal audit performance that are made publicly available?

3.7 Financial statements and Public Accounts reporting: aide-mémoire

This aide-mémoire is designed to help DAC members consider the departmental financial statements and Public Accounts reporting when reviewing materials, participating in discussions or receiving presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this area are expected to be outlined in the DAC’s charter or terms of reference. In general, it is expected that the DAC’s work in this area will include reviewing and, as appropriate, advising the deputy head on key departmental financial reports and disclosures of the department, including quarterly financial reports, annual financial statements and Public Accounts, and the annual Statement of Management Responsibility and associated plans and assessments with respect to internal controls over financial reporting. The DAC is not required to recommend these materials for approval by the deputy head, nor are they expected to participate in their development.

If the financial statements are audited, it is generally expected that the DAC will review the financial statements with the external auditor and senior management, discussing any significant accounting estimates and adjustments, as well as any difficulties or disputes the external auditors encountered with management during the course of the audit. It is also generally expected that the DAC will review any management letters arising from the external audit and the auditor’s findings and recommendations relating to internal controls over financial reporting and consider their impact on departmental governance, risk management and control processes.

Pertinent government policies and related guidance

  1. Treasury Board Directive on Accounting Standards
  2. Government of Canada Accounting Handbook (GCAH)
  3. CPA Canadian Public Sector Accounting Handbook (PSAH)
  4. Treasury Board Policy on Financial Management

Accounting policies and practices

  • Are the department’s accounting policies and practices consistent with Treasury Board directives and requirements? If not, why not?
  • What is the process for obtaining advice for the proper accounting treatment when significant accounting issues arise (e.g., during consultation with the OCG or the OAG)?
  • Are the department’s significant accounting policies disclosed in the financial statements, including changes in the accounting policies from the previous year?
  • Do the processes that underpin the preparation of the financial statements also support the financial health and financial management of the department?
  • Has DAC or management identified other key financial disclosures that members will receive as part of discharging this responsibility?
  • Where DAC receives Quarterly Financial Reports, is sufficient contextual information included, such as risks, significant changes, risks and uncertainties, results, impacts of large transformation initiatives and/or horizontal initiatives? Are year- to-year comparisons discussed?
  • Is there sufficient and appropriate context to support the material that is presented (e.g., information on relevant external influences, mandatory templates, departmental or government- wide specific financial practices or protocols not included in Treasury Board policies, etc.)?

Financial statement presentation

  • Do the financial statements comply with required Treasury Board accounting standards? If not, why not?
  • To what extent are there significant departmental legal matters, contingencies, claims or assessments that could have a material impact on the financial statements (i.e., the departments and/or the government as a whole)? How have these been reflected in the department’s financial statements?
  • What are the processes in place to estimate significant accounting accruals, reserves and other estimated liabilities?
  • What is the support for significant valuations, assumptions or judgments reflected in the financial statements?
  • Do the financial statements reflect any significant or unusual transactions that occurred during the year?
  • Have significant financial statement variances from the budget and prior year’s statements been satisfactorily explained?

Review and sign- off

  • Is there a process in place for the CFO to review the financial statements on a timely basis with the deputy head and with management?
  • Is there a process in place to inform the deputy head, senior management and the DAC throughout the year of significant issues that impact or may impact the department’s financial statements?
  • Is there a process in place to identify which, if any, of these issues should be communicated to the Comptroller General of Canada?
  • Have the deputy head and CFO signed off on or certified the financial statements?
    • If not, why not?
    • If so, what are the processes in place to support the deputy head and CFO in signing off on or certifying the financial statements (i.e., the key procedures, systems, resources and tasks for the preparation and review of the financial statements to ensure they do not contain any material errors or omissions)?

Audited financial statements / Public Accounts

  • Have the deputy head and CFO signed off on the Management Representation Letter required as part of the audited financial statements?
    • If not, why not?
    • If so, what are the processes in place to support the deputy head and CFO sign-off?
  • Were there any breakdowns in controls that impacted the audit of the financial statements or the Public Accounts?
  • What adjustments, if any, to the financial statements or the Public Accounts were required as a result of the audit?
  • What was the nature of any significant disagreements between management and the external auditors, and to what extent were these disagreements satisfactorily resolved?
  • Did the department receive an unmodified audit opinion? If not, what action is being taken to address the reasons for the modified or denied opinion on a timely basis?

3.8 Accountability reporting: aide-mémoire

This aide-mémoire is designed to help DAC members consider accountability reporting when reviewing materials, participating in discussions or receiving presentations from senior management.

Overview of DAC responsibilities

Specific DAC responsibilities in this area are expected to be outlined in the DAC’s charter or terms of reference. In general, it is expected that the DAC’s work will include receiving copies of departmental accountability reports (i.e., reports to Parliament). Regardless of the timing and focus of the DAC’s review of actual accountability reports, it is expected that through this area of responsibility or that of the management control framework, DAC would generally review and comment on their confidence in the underlying processes that support effective accountability reporting, consistent with requirements of the Treasury Board of Canada Secretariat. The committee may also receive plans and reports prepared by the department’s evaluation function for information.

These reports are intended to provide context on departmental operations and oversight. The DAC is not required to recommend these documents for approval by the deputy head, nor is there an expectation that DAC would be involved in the development of these reports.

Pertinent government policies and related guidance

  1. Treasury Board Policy on Results
  2. Treasury Board guidance for accountability reports to Parliament

Process and timing

  • Does the DAC receive the accountability reports on a timely basis? If not, why not?
  • If the deputy head asks for DAC’s advice on a draft accountability report to Parliament, is there a process in place to facilitate members’ review of the report electronically, recognizing the tight time frame for the reports’ preparation, review and approval?

Presentation and linkage between accountability reports

  • Do the accountability reports to Parliament include key performance measures and targets that are clearly linked to expected outcomes such that the reader understands the basis upon which performance will be assessed?
  • Is performance information provided in the year-end results report to Parliament consistent with the performance metrics and targets outlined in the department’s results reporting instruments and the departmental plan reported to Parliament, together with explanations for significant changes or variances?
  • Is there a discussion of the results the department seeks to achieve, does achieve, and the resources used to achieve them?
  • What processes and procedures ensure the completeness and reliability of the performance information contained in the department’s accountability reports?
  • Are the accountability reports to Parliament clear, straight forward and easy to understand?
  • Do the accountability reports to Parliament include a brief explanation as to why the reader can have confidence in the methodology and data used to substantiate the department’s plans and performance?
  • Does the narrative in the planning report to Parliament clearly identify the expected results, departmental priorities aligned with those of the government, and the progress the department intends to make toward its strategic outcomes?

Review and certification

  • What is the underlying process and support for the Management Representation Letter signed by the deputy head (i.e., to ensure that the representations made contain no material misstatements)?

3.9 Large transformation projects: aide-mémoire (supplemental)

This aide-mémoire is designed to help DAC members exercise their challenge function when reviewing materials, participating in discussions or receiving presentations from senior management regarding large change management initiatives or horizontal projects.

Overview of DAC responsibilities

While not specifically one of the eight areas of DAC responsibilities, large transformation projects are initiatives that combine the oversight of risk management and management control frameworks. This area, if applicable, should be outlined in the department’s DAC charter or terms of reference. In general, it is expected that the DAC’s work will include reviewing and advising the deputy head on current, in development and future transformational initiatives and projects of significance where the department has a key role or is impacted (including horizontal initiatives). The DAC should seek answers to questions about the fundamental purpose of the project, the skills and experience required to deliver it, the quality and timing of the data that will be used to guide projects, the amount of resources available vs. required to deliver projects, and, specifically, how the end-state organization and services will differ from the current state.

Many of the questions in this aide-mémoire are among those found in the Transformation Guidance for Audit Committees, published by the National Audit Office, United Kingdom, which has permitted OCG to use its material. Another useful tool is the British publication, The 7 lenses of Transformation, which provides a practical guide for understanding complex transformations. Links to both publications are included in the list below.

Pertinent government policies and related guidance

  1. Guidebook for Horizontal Assurance Frameworks (2017)
  2. Lessons Learned From the Transformation of Pay Administration Initiative
  3. Transformation Guidance for Audit Committees, National Audit Office, UK
  4. The 7 lenses of Transformation, GOV.UK
  5. Treasury Board policies on project management and investment planning (pending)
  6. Department-specific policies, practices and related guidance

Project vision

  • What are the underlying objectives for transformation? Is this primarily a cost-cutting exercise or are there wider service improvement or policy aims?
  • Is there a risk of other weakly related objectives being loaded into the project?
  • Is the current problem well understood?
  • Are benefits based on a rigorous assessment of operational processes?
  • What is transformation going to change?
  • Does the organization have a clear understanding of how the end-state organization and services will differ from the current state?
  • Is the role of technology well understood?
  • How dependent is the project on changes to ways of working rather than technology itself?
  • Are there indications that the need for new ways of working is not fully recognized and there is a misplaced belief that technology alone will provide the solution?
  • Is the timetable for transformation realistic?
  • How much of the end-state design has been left to be resolved during the program?

Strategy

  • Does the transformation strategy translate the vision into a coherent program of work?
  • Has the program been broken down into stages with clear sequencing and dependencies?
  • Does the strategy identify all the elements of the affected service?
  • Is the strategy consistent with wider organizational requirements?
  • Is the strategy led by business requirements, or is it overly focused on implementing a technology-driven solution?
  • Is funding aligned to the sequencing and uncertainty of the project?
  • Is funding dependent on realizing early benefits and savings?
  • What will happen if those benefits are delayed or reduced over time?

Governance and architecture

  • Do governance arrangements reflect the importance of senior engagement and acknowledge the significant burden this places on leadership’s time and attention?
  • Is there sufficient leadership continuity?
  • If not, does this risk blurring the vision for transformation or undermining accountability?
  • Are governance structures clear and simple? (i.e. is it clear where decisions are made)?
  • Are decisions around technical development based on business priorities rather than being technologically driven?

Change and implementation

  • Is the project uncovering a large number of unresolved issues?
  • Is there a well understood and effective process for resolving new issues?
  • Are prioritization decisions made clearly and early?
  • Are decisions being driven by last-minute identification of under-delivery and funding issues?
  • Are project issues being explained away without clear evidence or attributed to policy?

Performance management

  • Is there adequate management information?
  • Has information been delayed or prevented by changes to the project or de-prioritization of information systems?
  • Does management use live data or does it rely on interpretations of progress from the project team and suppliers?
  • Are there persistent shortages of key staff?
  • How are vacancies for specialist skills being addressed?
  • Is there heavy reliance on contractors and suppliers?
  • Is there sufficient quality of management and understanding of external experts’ input?
  • Is there sufficient capacity in transition?
  • Are parallel running costs significant, and how are they affecting remaining services?

Technology/data

  • Is the service ready to be used and tested publicly?
  • If rollout is being driven by the need to meet funding or policy deadlines, how are risks being managed?
  • Has the program set out the role of data in transformation?
  • Is there a data strategy to support transformation?
  • Is it clear how data will be managed (for example, consolidated and standardized) to get a single view across the organization?
  • Are responsibilities for data set out clearly?
  • Who sets data requirements (for example, definitions, quality, and timeliness) and ensures that they are met?
  • Is action being taken to address the underlying causes of current data issues, such as quality and integrity, which limit the effectiveness of such tools?

Horizontal initiatives

  • What role does each participating organization play (as applicable) in the horizontal assurance frameworks?
  • Have agreements defining monitoring and oversight roles and responsibilities been established?
  • Will this initiative impact existing corporate controls for departments (e.g., internal controls over financial reporting, information security controls)?
  • How is this impact being planned for?
  • Is there an understanding of both the future-state control design and the interim controls to be executed during transition from current state to future state?
  • How will risk owners be monitored in their ability to manage specific risks?
  • How will the identification of risk management issues be escalated appropriately when necessary?
  • How are oversight functions monitoring financial transactions, including (but not limited to) vendor procurement and contract awards, infrastructure procurement, and funding arrangements?
  • How are oversight functions engaging in evidence-based interventions or issue escalation when issues are identified during implementation?
  • How is oversight and monitoring data shared among participants?
  • How is this data being leveraged to identify areas of improvement?

Involvement of Internal Audit and of DAC

  • Is the DAC aware of all significant transformational change initiatives
  • Are such initiatives discussed at DAC meetings to facilitate understanding of context, purpose, status and risk?
  • Does the DAC review the list of projects regularly (e.g. via review of the investment plan and/or other key documents)?
  • Is the internal audit function conducting work to support key initiatives? If not, why not?
  • Where the internal audit function supports key initiatives, specifically how is this done?
    • How are projects selected?
    • Does the function use a suite of services to provide ongoing timely assurance and/or advice?
    • Does the CAE or other audit staff attend key fora where these projects are monitored or discussed?

Appendix A: suggested departmental support for the DAC

In order for the DAC to effectively carry out its duties, it requires assistance and support from the department. The leadership for this support may be provided by the department’s internal audit function or another area in the department (e.g., departmental corporate secretariat). There is no set model for providing this support, and it is up to the department to determine the model that is best suited to its needs. Where the support is provided by internal audit, the CAE should keep the DAC secretariat separate from the other internal audit business so as to maintain the actual and perceived independence and objectivity of the internal audit function.

Suggested departmental support to be provided to the DAC includes, the following:

  • Assisting the DAC with administrative issues including:
    • Developing a schedule of DAC meetings, ideally months in advance
    • Booking the DAC meeting room
    • Arranging audiovisual equipment and simultaneous translation needs
    • Arranging hospitality for DAC meetings
    • Developing a critical path for the timely preparation of DAC materials and communicating this to management on a timely basis
    • Gathering, preparing and collating meeting materials
    • Liaising with presenters at the meeting to ensure they arrive at their scheduled time
    • Sending meeting materials, including the agenda, to members sufficiently prior to the meeting
    • Developing and implementing mechanisms to support DAC members in disclosing any activity that may raise doubt of a real or perceived conflict of interest
    • Assisting with members’ travel arrangements and the reimbursement of travel expenses consistent with Treasury Board policy
    • Ensuring DAC members submit time sheets and expense claims in a timely manner
    • Reviewing and processing members’ time sheets for DAC services rendered at approved per diem rates
    • Preparing and distributing minutes of meetings or records of discussion/decision
    • Supporting proactive disclosure of DAC remuneration
  • Assisting the DAC in executing its work
    • Assisting the DAC in developing and delivering on its annual plan
    • Liaising with the chair and deputy head to develop and finalize the agenda for each meeting
    • Periodically reminding DAC members to consult this Guidebook as a general reference or for guidance in a specific area under discussion (i.e., values and ethics, financial statements)
    • Acting as an advisor to the chair
    • Tracking bring-forward and follow-up items to ensure their timely consideration
    • Identifying issues for discussion through consultations with the chair, management and other senior officials
    • Researching and analyzing assigned issues or topics
    • Liaising with senior management to seek its input on issues that should be addressed or are being addressed by the DAC, and to keep senior management informed about the issues, views and preferences that the DAC is considering
    • Liaising with the OCG on tenure management or policy interpretation issues
  • Assisting the DAC in assessing its performance
    • Working with the chair to develop the DAC’s self-assessment process and tools
    • Providing support or assistance to the self-assessment process
    • Following up on outstanding issues or required changes flowing from the assessment process
  • Supporting the orientation of new members and continuous learning of all members
    • Preparing DAC orientation material and arranging orientation sessions to brief new members on their department, the committee and their role
    • Scheduling briefings to fill information gaps prior to meetings as required
    • Developing a comprehensive orientation/reference binder that DAC members can access and refer to on an ongoing basis (see Appendix C for a sample table of contents for an orientation/reference binder for new DAC members)
    • Planning site visits as appropriate
    • Sharing information and documents of interest with members, including pertinent communications from the Office of the Comptroller General
  • Supporting DAC succession planning
    • Liaising with the OCG to facilitate continuity in DAC membership
    • Providing guidance and assistance in appointment of members, renewal of terms and changes in roles
    • Completing all required activities, including providing documentation to the OCG, to support DAC member appointments approved by the Treasury Board

Appendix B: sample table of contents for a DAC orientation/reference binder

The following is a sample table of contents of suggested material for departments to include in an orientation/reference binder for DAC members:

  1. Departmental corporate information
    1. Organization charts
    2. Executive profiles
    3. Corporate risk profile
    4. Business plans for key lines of business / Departmental Investment Plan
    5. Key ministerial briefing notes
    6. Departmental legislation (i.e., the Act that governs the organization)
    7. Values and Ethics Code for the Public Sector and the departmental code of professional conduct
  2. Departmental accountability reporting to government
    1. Departmental Results Framework
    2. Most recent Departmental Plans
    3. Most recent Departmental Results Report
    4. Departmental financial statements, including the annex to the Statement of Management Responsibility including Internal Controls over Financial Reporting
  3. Treasury Board Policy on Internal Audit and related directive
  4. Key documents related to the department’s internal audit function
    1. Internal Audit Charter
    2. Approved Risk-Based Internal Audit Plan (RBAP)
    3. List of internal audit reports (past year)
    4. Recent annual report of the CAE (if applicable)
    5. Internal audit performance reports
    6. Most recent internal quality assessment report
  5. Management Accountability Framework
    1. TBS Management Accountability Framework documents and details
    2. The department’s most recent Management Accountability Framework or oversight assessment by the Office of the Comptroller General
  6. List of recent reports of external assurance providers
  7. Key documents related to the evaluation function
    1. Approved departmental Evaluation Plan
    2. List of evaluation reports (past year)
  8. DAC documents
    1. DAC Charter
    2. DAC Guidebook
    3. DAC Terms and Conditions of Appointment
    4. Guideline on Conflict of Interest
    5. Guidance on Proactive Disclosure

Appendix C: self-assessment questionnaire

The sample questions provided in this questionnaire may be used as a starting point for audit committee external members in conducting their functional evaluation of the committee. These questions should be adapted to suit departmental needs. The model questionnaire contains an exhaustive list of 48 questions. Members are not required to use all questions or categories, rather they are encouraged to select those whose answer would add the most value. Members are also free to add questions of their own creation. Each self-assessment should reflect the DAC’s intention to appraise their own performance and to look for areas for improvement.

The model questions are formulated to closely examine the committee’s functionality, as well as the importance that members attach to specific areas of query. Each question also provides an opportunity for comments.

The first part of the template pertains to the competencies, abilities and responsibilities of the DAC as a whole.

The second part of the template pertains to infrastructure and operations. This is where DAC members assess the level of support provided.

The third part of the template deals with the administration of DAC meetings. DAC members will assess the mechanical aspects of the meeting process and back office procedures.

DAC members provide a response for each question, by selecting “Yes,” “Somewhat,” “No” or “Insufficient knowledge.”

Members choose the degree of importance (high, medium or low) they feel is appropriate for each query and corresponding response.

In the last section, there are three questions and a request for general comments. These are included to gather insight or opinions on issues pertinent to all DACs.

Members are strongly encouraged to support their responses by providing comments.

Competencies and abilities (questions 1 to 23)
Question Importance: high, medium or low Yes Somewhat (when applicable) No Insufficient knowledge Comments

1. Do DAC members support a positive culture by:

  • providing a model of conduct?
  • accepting the expectations, roles and responsibilities of a DAC member?
  • encouraging respect and trust among members?
  • supporting open, candid and direct interaction among members and with management?
  • respecting differences of opinion?
  • committing to good governance and a team spirit?

2. Does the DAC have the appropriate number of members to effectively discharge its responsibilities?

3. Do the collective skills, knowledge and experience of the members allow the DAC to competently and efficiently undertake its duties?

If not, what skills or expertise are required?

4. Has the DAC been sufficiently probing and challenging in its activities?

5. Is internal audit independent from line management within the department, and is it perceived as such?

6. Is the DAC aware of the line between its role and that of management to retain its independence and objectivity, and does it respect that line?

7. Is there a need for the DAC’s role to expand to further support the deputy head in an advisory capacity (i.e., providing advice on major departmental projects)?

8. Historically, has the DAC taken on additional duties outside of their 8 areas of responsibility?

9. Does the DAC demonstrate an understanding of the department and of key areas such as governance, risk management and internal control?

10. Do all members communicate and respond effectively by offering feedback that is frank, timely and appropriate?

11. Do all members demonstrate integrity and high ethical standards in professional and personal dealings concerning the DAC?

12. Do all members participate in all DAC teleconferences, attend in-person meetings, and stay for the duration of the meetings?

13. Do all members come to meetings well prepared, having read pre-briefing materials beforehand and ready to engage in a meaningful discussion?

14. Do members give sufficient time to others to discuss issues, and are they willing to consider their opinions?

15. Do all members participate fully in discussions and ask challenging and relevant questions in a manner that is respectful and encourages robust dialogue?

16. Does the DAC work as a cohesive team in trying to reach consensus on issues in a constructive manner?

17. Are all members actively involved in providing advice to the deputy head?

18. Is the DAC’s level of involvement in accountability reports to Parliament appropriate, relative to the tight timelines for development and reporting?

19. Has the DAC met its obligations as outlined in the Treasury Board Policy on Internal Audit and associated directive and guidance?

20. Have DAC members fully abided by the Terms and Conditions of Appointment for Audit Committee Members?

21. Has the DAC supported the independence of the internal audit function and the strengthening of internal audit?

22. Do all DAC members maintain independence and promote transparency?

23. Do or will members recuse themselves, when appropriate, in situations of potential conflict of interest (both real and perceived)?

Infrastructure and operations (questions 24 to 29)
Question Importance: high, medium or low Yes Somewhat (when applicable) No Insufficient knowledge Comments

24. Are you satisfied that you are provided with appropriate opportunities to periodically review and amend the DAC charter or terms of reference and obtain the deputy head’s approval or reaffirmation, as applicable?

25. Do you feel that the DAC is meeting its roles and responsibilities under its charter or terms of reference?

26. Does the DAC annual plan successfully ensure that annual and ongoing responsibilities are scheduled on a risk basis and fully addressed? Is the plan provided to the deputy head?

27. Does the DAC annual plan have the appropriate risk focus and level of detail, and does it include any additional guidance or advice that the deputy head is seeking (i.e., major projects)?

28. Are you satisfied with the department’s orientation and briefings on the responsibilities of the DAC and on the business of the department?

29. Does the OCG provide adequate support to the DAC?

Administration and audit committee meetings (questions 30 to 48)
Question Importance: high, medium or low Yes Somewhat (when applicable) No Insufficient knowledge Comments

30. Is the calendar of meetings prepared sufficiently in advance?

31. Are meetings sometimes rescheduled? If so, is there a sound rationale for rescheduling?

32. Is there a sufficient number of meetings for the DAC to effectively discharge its responsibilities?

33. Are the meetings of the right duration?

34. Are agendas and supporting documentation circulated sufficiently in advance of meetings to give members enough time to review and understand the information?

35. Is appropriate information provided to DAC members, both in content and in quality?

36. Are the departmental mechanisms of information transmittal (e.g., website, email or courier) effective and secure?

37. Is there a process in place for addressing urgent matters between meetings, and are teleconferences and secretariat processes effective and sufficient?

38. Are the right people in attendance at meetings, especially those who have meaningful input on agenda items?

39. Do presentations to the DAC communicate relevant information in a timely and professional manner, and in a clear, concise and effective format?

40. Do DAC meetings provide an appropriate balance between presentations and discussions?

41. Do members feel free to disagree or voice opinions that may be in the minority?

42. Are differences of opinion on issues that face the DAC resolved to members’ satisfaction?

43. Are the records of decisions, proceedings and minutes for each meeting generally recorded in a satisfactory manner and submitted to the DAC for approval?

44. Does the DAC hold in camera meetings with the chief financial officer, the CAE and the committee membership?

45. Are DAC meeting facilities and services adequate?

46. Is the DAC sufficiently supported by the department’s DAC secretariat?

47. Are travel claims and per diem disbursements properly processed in a timely manner?

48. Does the DAC regularly review and assess its performance?

Other comments

Please answer these additional questions:

  1. What do you think is the most critical issue the DAC should address in the coming months?
  2. Is there a particular topic that you consider important, but on which you are not receiving information or receiving insufficient information?
  3. Are there any significant elements that affect the DAC’s effectiveness or performance?
  4. In your opinion, do you believe that the DAC is adding sufficient value to the deputy head and to the department? Can you provide examples? (optional)
  5. Do you have additional general comments?
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: