Technical bulletin 2022: Internal audit key compliance attributes

Why publish key compliance attributes of internal audit

The objective of the Treasury Board Policy on Internal Audit is “to ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management.” It is important that the public know that heads of government organizations are receiving assurance and that activities are managed in a way that demonstrates responsible stewardship.

Departments with internal audit functions are required to meet public reporting requirements as prescribed by the Comptroller General of Canada (section A.2.2.3 of the Treasury Board Directive on Internal Audit) including:

  • A.2.2.3.1 Performance results for the internal audit function
  • A.2.2.3.2 A list of planned audit engagements for the coming fiscal year

The attributes in this report have been selected because they demonstrate to an external audience that, at a minimum, the fundamental elements necessary for oversight are in place, are operating as intended and are achieving results. The key attributes of compliance with the policy and standards are:

  • internal auditors who are trained to effectively perform the work
  • audit work that is performed in conformance with the international standards for the profession
  • audit work that is performed according to a systematically developed risk-based audit plan, which has been approved by the head of the organization, and that results in management actions being taken in response to report recommendations
  • audit work that is perceived by stakeholders as adding value in the pursuit of organizational objectives

Publishing departmental key compliance attributes provides information to Canadians and parliamentarians about the professionalism, performance and impact of the internal audit function in departments. The attributes are not performance measures, and no targets are attached to them. Under the policy, the Comptroller General has the authority to amend these attributes in response to changes in the internal audit environment and/or due to the evolving maturity of the internal audit function.

Results of key compliance attributes

| Performance indicator | Key compliance attribute | Fiscal year 2022 to 2023 (First quarter) | Definition or comments |
|---|---|---|---|
| Do internal auditors in departments have the training required to do the job effectively? Are multidisciplinary teams in place to address diverse risks? | Number of internal audit employees | 21 | The number of current full-time equivalent positions |
| | Percentage of staff with an internal audit or accounting designation (Certified Internal Auditor (CIA), Chartered Professional Accountant (CPA)) | 52% | n/a |
| | Percentage of staff with an internal audit or accounting designation (CIA, CPA) in progress | 33% | In progress: The staff member (an indeterminate employee) has formally registered with and has been accepted by the certifying body to complete the requirements of the professional designation in a prescribed time frame and has registered for at least one component of the certification process. |
| | Percentage of staff holding other designations (for example, Certified Government Auditing Professional, Certified Information Systems Auditor) | 19% | Several staff also held other designations, for example: Certified Government Auditing Professional; Certified Information Systems Auditor; Certified Fraud Examiner; Certification in Risk Management Assurance; Certification in Control Self-Assessment |
| Is internal audit work performed in conformance with the international standards for the profession of internal audit as required by Treasury Board policy? | Date of last comprehensive briefing to the Departmental Audit Committee on the internal processes, tools, and information considered necessary to evaluate conformance with the Institute of Internal Auditors (IIA) Code of Ethics and the standards and the results of the quality assurance and improvement program (QAIP) | September 2021 | Last comprehensive briefing: A comprehensive briefing includes updates on all pertinent elements of the QAIP. In accordance with IIA Standard 1320, this comprehensive briefing would include: the scope and frequency of both the internal and external assessments; the qualifications and independence of the assessor(s) or the assessment team, including potential conflicts of interest; conclusions of assessors; corrective action plans |
| | Date of last external assessment | March 2019 | External assessments (practice inspections) must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. |
| Are the risk-based audit plans submitted to audit committees and approved by deputy heads implemented as planned with resulting reports published? Is management acting on audit recommendations for improvements to departmental processes? | Refer to table below for internal audit status and related information for fiscal year 2022 to 2023. | n/a | n/a |
| Is internal audit credible and adding value in support of the mandate and strategic objectives of the organization? | Average overall usefulness rating from senior management (assistant deputy minister-level or equivalent) of areas audited | 80% | Average “overall usefulness” rating: Post-audit surveys to senior management of the area audited should include a question on the overall usefulness of the audit and should be done for all audits approved in the applicable fiscal year. |

Internal audit engagement status and related information for fiscal year 2022 to 2023

Additions and adjustments to planned internal audit engagements may occur in order to address emerging risks and priorities of the organization.

| Internal audit engagements | Audit status | Report approved date | Report published date | Original planned management action plan (MAP) completion date | MAP implementation status (Table 2 Note 1) |
|---|---|---|---|---|---|
| Horizontal Internal Audit Engagements | | | | | |
| Blended Horizontal Engagement of Information Technology (IT) Security, Part 1: Review of the IT Security Risk Management process supporting the Government of Canada (GC) Digital Direction (Advisory) | Approved – Not published (Table 2 Note 2) | November 9, 2020 | n/a | March 31, 2021 (Table 2 Note 3) | n/a (Table 2 Note 4) |
| Blended Horizontal Engagement of IT Security, Part 2: Small Departments IT Security Self‑Assessment and Audit | Approved – Not published | April 7, 2022 | n/a | March 31, 2024 | n/a (Table 2 Note 5) |
| Blended Horizontal Engagement of IT Security, Part 3: Review of the Effectiveness of User Awareness and Training and Incident Detection (Advisory) | Approved – Not published (Table 2 Note 6) | October 19, 2020 | n/a | n/a (Table 2 Note 7) | n/a |
| Targeted Review of Project Governance (Advisory) | Approved – Not published (Table 2 Note 8) | November 19, 2021 | n/a | n/a (Table 2 Note 9) | n/a |
| Departmental Implementation of Digital Standards | Planned | n/a | n/a | n/a | n/a |
| Small Departments Internal Audit Engagements | | | | | |
| Core Control Audit: Veterans Review and Appeal Board | Published – MAP not fully implemented | December 21, 2020 | February 12, 2021 | September 30, 2021 | n/a (Table 2 Note 10) |
| Core Control Audit: Immigration and Refugee Board | In progress | n/a | n/a | n/a | n/a |
| Core Control Self-Assessment Tool (Advisory) | Approved – Not published (Table 2 Note 11) | June 29, 2021 | n/a | n/a (Table 2 Note 12) | n/a |
| Targeted Annual Core Control Self-Assessment Audit | Planned | n/a | n/a | n/a | n/a |
| Audit of Contracting | Planned | n/a | n/a | n/a | n/a |
| Regional Development Agencies Internal Audit Engagements | | | | | |
| Regional Relief and Recovery Fund (RRRF) Fraud Risk Assessment (Advisory) | In progress | n/a | n/a | n/a | n/a |

Table 2 Notes

Table 2 Note 1

In accordance with the Treasury Board Directive on Internal Audit, the OCG has established and maintains a system to determine whether the actions scheduled by management in response to audit recommendations have been implemented. For federal government departments without an internal audit function, including most small departments and regional development agencies, the OCG performs an annual MAP monitoring exercise related to OCG-led audits. The implementation of MAPs is rated on a scale of 1- Planning Stage to 5- Fully Implemented. The results are verified by the OCG and presented at least annually to the Small Department Audit Committee. For federal government departments with an internal audit function, the responsibility for monitoring MAPs, including MAPs stemming from audits performed by the OCG, rests with their respective Chief Audit Executive. The MAP implementation status reported in this table is the percentage of MAPs that have been assessed and validated by OCG as level 5- Fully Implemented.

Table 2 Note 2

Due to the advisory nature of this engagement, and in accordance with the Treasury Board Policy on Internal Audit, this engagement report will not be published.

Table 2 Note 3

The Office of the Comptroller General is only responsible for monitoring the implementation of MAPs in one small department. The MAPs for three other departments are monitored by their respective internal audit functions.

Table 2 Note 4

The MAP monitoring exercise was in progress at the time of publishing.

Table 2 Note 5

Monitoring these MAPs is planned to begin in fiscal year 2022-23.

Table 2 Note 6

Due to the advisory nature of this engagement, and in accordance with the Treasury Board Policy on Internal Audit, this engagement report will not be published.

Table 2 Note 7

There are no MAPs for this advisory engagement.

Table 2 Note 8

Due to the advisory nature of this engagement, and in accordance with the Treasury Board Policy on Internal Audit, this engagement report will not be published.

Table 2 Note 9

There are no MAPs for this advisory engagement.

Table 2 Note 10

The MAP Monitoring exercise was in progress at the time of publishing.

Table 2 Note 11

Due to the advisory nature of this engagement, there is no engagement report to publish. Engagement reports will be published for future targeted audits based on the results of the Core Control Self-Assessment Tool.

Table 2 Note 12

There are no MAPs for this advisory engagement.
