Guidelines for audit committees in Crown corporations and other public enterprises guidelines on exemptions from internal audit

Financial Statements

The audit committee has a duty to “review, and advise the board of directors with respect to, the financial statements that are to be included in the annual report of the corporation.”^{Footnote 1}

Accountability of a Crown corporation to the Minister and to Parliament rests heavily on the integrity of the corporation’s financial reports. No corporation can afford doubts about the quality of its financial reporting. The government and lenders need timely disclosures to assess the corporation’s financial and business soundness and risks. The reports should also adequately communicate any significant issues confronting the corporation and fairly present its financial condition and performance.

A parent Crown corporation is required to maintain financial accounts and records, as well as financial and management control and information systems, for itself and for any wholly-owned subsidiaries. The audit committee’s role is to provide the board of directors with reasonable assurance that:

• The corporation’s assets are safeguarded and controlled;
• Its transactions are in accordance with the law;
• Its financial, human and physical resources are managed economically and efficiently; and
• Its operations are carried out effectively.^{Footnote 2}

The audit committee is expected to provide the board of directors with reasonable assurance that the corporation’s financial statements are fairly presented in accordance with the underlying financial reporting framework in all material respects. This assurance should be based on the committee’s review and discussion of the corporation’s year-end financial statements with management and the auditors.

The audit committee’s assessment of the relevance and the reliability of the year-end financial statements is key because the board of directors depends on the committee’s advice to help it make informed decisions regarding the corporation’s financial condition and performance; its accounting policies, practices, and disclosures; and its approval of the corporation’s annual report.

In addition to the audited year-end financial statements, the annual report should include a management discussion and analysis (MD&A) section. The MD&A provides additional contextual information that helps readers, including the government and stakeholders, more fully understand the corporation’s business, performance and prospects. It also helps in evaluating the appropriateness of management’s business strategies and risk assessment. When relevant, this section also discusses how the accounting policies are applied and explains the basis for significant accounting estimates. Thorough MD&A therefore improves transparency and corporate governance.

The audit committee should review the annual report with management, the Auditor General and any other external auditor. Because of the timing of meetings, the audit committee may review a draft version of the annual report so that management and the auditors can continue working on the final version. The purpose of the audit committee’s review is to ensure that the annual report paints a balanced and complete portrait of the corporation’s financial situation and financial performance.

For more information, see Appendix A - “Questions to Consider - Financial Statements” and “Questions to Consider-External Auditor’s Report”.

Internal Audit

The audit committee oversees the corporation’s internal audits.

Internal audit is a key resource for the audit committee. The primary role of internal audit is to provide ongoing objective, substantiated assessments on the design and function of the organization’s risk management, control and governance processes and to make recommendations where warranted. Internal audit focuses on the corporation’s management systems, processes and practices and on the integrity of financial and non-financial information.

Although the internal auditors are independent of the activities they audit, they are integral to the corporation and provide assessments and monitoring of management systems, processes and practices on an ongoing basis. External auditors, however, are independent of the corporation. Their work focuses on providing an opinion on the financial statements every year and a special examination at least every 10 years. Although the work of a Crown corporation’s internal auditors and external auditors (the Auditor General and in some cases, the joint external auditor) has different focuses, it should be coordinated for maximum effectiveness and efficiency.

Internal audit adds value by assessing and making recommendations on the effectiveness of mechanisms in place to ensure that the organization achieves its objectives in a way that demonstrates informed, accountable decision-making with regard to ethics, compliance, risk, economy and efficiency. A best practice is to have the assessment take the form of an internal audit report that includes the key findings and why they are important, recommendations to address noted weaknesses, and a management response and action plan to address the key findings and recommendations.

The audit committee reviews internal audit reports and discusses them with the internal auditor and with management. To ensure the effective and timely implementation of any agreed-upon management actions, the audit committee should receive periodic follow-up reports from internal audit or management.

To help determine the areas of focus in a particular year, the internal audit function should prepare a risk‑based internal audit plan. The audit committee should play an active role in reviewing and discussing this plan to ensure that it focuses on the areas of highest risk and significance for the corporation. A best practice is to have the audit committee approve the plan.

The audit committee should also follow up on management’s implementation of actions required to address areas of weakness noted by internal audit.

For more information, see Appendix A - “Questions to Consider - Internal Audits”.

Annual External Auditor’s Report

All federal Crown corporations are required to obtain an annual auditor’s report on the financial statements and any other quantitative financial information contained in the annual report. The Auditor General of Canada is appointed as the external auditor, or a joint auditor, of each Crown corporation, unless he or she waives the requirement, or unless it is otherwise dictated in the corporation’s legislation.^{Footnote 3} To strengthen its independence from the corporation’s management, the external auditor reports directly to the audit committee, not to management.

The external audits of Crown corporations are similar to those done in the private sector, but they include two additional opinions:

• Whether generally accepted accounting principles have been applied consistently; and
• Whether the transactions examined conform to laws, regulations, the governing instruments by-laws of the corporation and any government directive given to it.

The external auditor can also report on any other matters that he or she thinks should be brought to the attention of the responsible Minister, after consulting with the board of directors, or to the attention of Parliament, after consulting with the board and the responsible Minister.

The audit committee reviews, and advises the board of directors on, the external auditor’s report. To ensure the effective and timely implementation of any agreed-upon management actions, the audit committee should receive periodic follow-up reports from internal audit and or management.

The audit committee should discuss with its external auditors the details of any practices or transactions they identified as being in possible violation of the legal authorities. This discussion should also cover the details of any other matters the auditors considered bringing to the attention of the board of directors, the responsible Minister, or Parliament.

Under paragraph 150(3)(b) of the FAA, the external auditor’s report is to be included in the corporation’s annual report.

For more information, see Appendix A - “Questions to Consider - External Auditor’s Report” and “Questions to Consider-Financial Statements”.

Special Examinations

Under subsections 138(1) and (2) of the FAA, a special examination of the financial and management control and information systems and management practices of each Crown corporation, including any wholly-owned subsidiaries, is carried out by the Auditor General solely or jointly with a private sector auditor, at least every 10 years. Special examinations can be carried out more frequently, if required by the Governor in Council, the appropriate minister, the board of directors of the corporation or the Auditor General.^{Footnote 4} There are two exceptions to this requirement: the Bank of Canada and the Canada Pension Plan Investment Board, which have unique requirements.^{Footnote 5}

A special examination is an important accountability mechanism for Crown corporations. Its purpose, as set out in the FAA, is to provide an independent opinion on whether there is reasonable assurance that a Crown corporation has systems and practices in place to ensure that:

• Assets are safeguarded and controlled;
• Financial, human, and physical resources are managed economically and efficiently; and
• The operations of the corporation and any wholly-owned subsidiaries are carried out effectively.

The audit committee plays a key role in these examinations by reviewing, and advising the board of directors on, the special examination plan and reports.

Under the FAA, before starting a special examination of a Crown corporation, the Office of the Auditor General of Canada is required to survey the systems and practices of the corporation and to submit to the audit committee a plan for the examination, including a statement of the criteria to be applied.

The examination team will then meet with the audit committee to discuss the following:

• The objectives of the special examination;
• The criteria against which the corporation’s systems and practices will be measured;
• The expected timing of key communications and phases of the special examination; and
• Any questions the audit committee may have concerning the draft special examination plan.

The audit committee typically makes a resolution to accept the plan. If there are subsequent changes to the special examination plan, the examination team will resubmit the plan or submit an addendum to the audit committee and will meet again with the committee, as appropriate.^{Footnote 6}

If the audit committee and the Auditor General disagree on the special examination plan, the responsible Minister can resolve issues related to the plan for a parent Crown corporation, and the board of directors can resolve issues related to the plan for its wholly-owned subsidiaries.

Present and former directors, officers, employees or agents of the corporation are required to provide the special examiner with any requested information, explanations and records related to the corporation and its subsidiaries. The special examiner can also rely on internal audits conducted by the corporation.

The Office of the Auditor General of Canada’s policy requires that the Auditor General give the Crown corporation an opportunity to review the draft special examination report in order to confirm and validate the facts it contains, and to make comments, before the report is finalized. The examination team will then seek management’s views on the validity and completeness of the observations, the conclusions, the recommendations, and the statement of opinion.

Once it receives management’s responses to its recommendations, the examination team will provide the draft report, including the responses, to the audit committee. The Office of the Auditor General of Canada encourages the audit committee to play an active role in reviewing and assessing the adequacy of management’s responses and in providing feedback.

After considering the feedback and making any changes it deems appropriate, the special examination team submits its final report to the corporation’s board of directors.

The board of directors then provides the Minister and the President of the Treasury Board with a copy of the special examination report within 30 days of receipt of the report and makes it available to the public within 60 days.

To ensure the effective and timely implementation of any agreed-upon management actions, the Audit Committee should receive periodic follow-up reports from internal audit or management.

For more information, see Appendix A - “Questions to Consider-Special Examination”.

Standards of Integrity and Behaviour

Crown corporations are expected to demonstrate a strong commitment to ethical and lawful behaviour. Through their actions and words, senior management and the board of directors are responsible for creating an environment of integrity-the cornerstone of effective corporate governance.

Some boards of directors retain responsibility for standards of integrity and behaviour directly for themselves, often with the understanding that the board’s main committees will include the oversight responsibility for standards of ethics and behaviour as a component of their other responsibilities.

Because audit committees play an oversight role in key aspects of the corporation, they are in a good position to assist their boards of directors in obtaining assurance that management is operating the corporation in an ethical manner.

An audit committee that has been delegated responsibility for overseeing standards of integrity and behaviour should request that management report periodically on how its processes encourage and maintain high ethical standards. The report could cover topics such as the following:

• Employee relations, customer and supplier relations;
• Compliance with laws and regulations;
• Reports of examinations by regulatory agencies;
• Current and pending litigation claims;
• Security of company assets and records;
• Sanctions imposed and planned changes; and
• Sensitive information such as information on employment “perks,” expense accounts and out-of-pocket expenses for officers and directors.

Audit committees themselves can take steps to ensure their own integrity and behaviour, for example, they can establish practices for dealing with conflicts of interest, develop a code of conduct and create a process for members to make annual declarations related to the code.^{Footnote 8}

For more information, see Appendix A - “Questions to Consider - Corporation’s Standards of Integrity and Behaviour”.

Risk Management

Risk-the uncertainty that surrounds future events and outcomes-is an integral part of each Crown corporation’s business and operational reality. Identifying and assessing the likelihood of an event and its potential to impact the achievement of a corporation’s objectives is a key step in formulating a corporation’s plans and in developing its controls.

Because every Crown corporation has a unique set of risks, opportunities and challenges, boards of directors, audit committees, management and auditors all need to understand the principal risks facing the corporation.

Management must identify and assess the corporation’s risks in order to manage them and to ensure that they are considered in decision making, strategic planning, and designing the corporation’s information and control systems. Since business risk is inextricably linked to the understanding of financial reporting risk, risk assessment procedures are included in the generally accepted bases for planning audits.

In addition to acquiring an understanding of the major risks facing the corporation, the audit committee often plays a key role in ensuring that management monitors and controls those risks. The audit committee should therefore review the nature and frequency of the risk reports that management provides, paying particular attention to how financial risks and the risk of unethical behaviour, including fraud, are controlled.

Managing financial risk means striking a balance that accepts a reasonable level of risk and contains financial exposure within the levels established by the government.

For more information, see Appendix A - “Questions to Consider-Risk Management”.

Management Control Practices

Management control frameworks include a broad array of policies, practices, internal control systems, processes and structures. These frameworks support the management team in:

• Formulating and achieving the corporation to the committee by the Learning and adapting to change;
• Managing risks; and
• Recognizing and acting on opportunities.

Management must establish and maintain adequate control systems and practices. To do that, it must periodically assess the effectiveness of the internal control structure and procedures.

The audit committee should review these control systems and practices to ensure that they are functioning effectively. A poorly functioning framework can have a negative effect on the corporation’s performance, its financial reports, and its standards of integrity and ethical behaviour. The committee should seek the views of the auditors (internal, external and special examiner) on the adequacy of the control systems and on management’s assessment of their effectiveness. It should discuss with management and the auditors ways to improve the effectiveness of the internal controls, including the corporation’s system for monitoring and managing business and financial risk, as well as legal and ethical compliance.

For more information, see Appendix A - “Questions to Consider-Management Control Practices”.

Quarterly Financial Reports

Under section 131.1 of the FAA, most Crown corporations must prepare a quarterly financial report for each of the first three quarters of the fiscal year and to make them public within 60 days after the end of the quarter to which they relate.^{Footnote 9} These reports do not have to be audited.

In addition to a financial statement for the quarter and for the period from the start of the fiscal year to the end of that quarter and comparative financial information for the preceding fiscal year, the quarterly financial report must include the following:

• A discussion of financial results and cash flow for the reporting period and for the year to date, as well as the financial position at the end of the period;
• An explanation of significant differences between the actual financial results and those anticipated in the corporation’s corporate plan; and
• If changes are made to the goals, objectives or financial results, the rationale for the changes, as well as actual performance relative to the revised goals, objectives or targets for the remainder of the year.

The audit committee’s approach to overseeing quarterly financial reports will depend on the unique circumstances of the corporation. In determining the extent and nature of their due diligence in relation to these reports, the board and audit committee may want to consider the following:

• The impact of the information;
• The time required to review it within the 60-day window; and
• Their assessment of management’s processes to produce and review this information before its release.

For more information, see the Appendix A - “Questions to Consider - Quarterly Financial Reports”.

Corporate Plans, Operating and Capital Budgets

Under sections 122 to 124 of the FAA, most Crown corporations are required to submit an annual corporate plan, operating budget and capital budget to the responsible Minister, for Treasury Board approval.^{Footnote 10} These documents must encompass all of the businesses and activities of the Crown corporation and its wholly-owned subsidiaries. The board of directors must approve the corporate plans and budgets before they are submitted for approval by the Governor in Council (in the case of the corporate plan) or by the Treasury Board (in the case of the capital and operating budgets).

The audit committee is often asked to undertake a more thorough review of the financial forecasts and the risks associated with the proposed plan, as well as the viability and practicality of the proposed operating and capital budgets before they are submitted to the board for review and approval.

For more information, see Appendix A - “Questions to Consider-Corporate Plans and Operating and Capital Budgets”.

Accounting Policies, Standards and Practices

• Are the corporation’s accounting policies and practices consistent with generally accepted accounting principles? If not, why not?
• In migrating to a new accounting standard:
  • Is there a clear project plan that includes key timelines and that is approved by senior management?
  • How is the implementation of this plan being monitored?
  • What process is in place to identify and resolve any negative impacts that the migration to the new accounting standard might have on the financial statements?
  • What other impacts are envisioned as a result of adopting the new standard (e.g., information technology, non-financial performance)?
• What is the process for obtaining advice on the appropriate accounting treatment when significant accounting issues arise (e.g., consultation with the Treasury Board of Canada Secretariat, the Auditor General or other external auditor)?
• Do the financial statements disclose the corporation’s significant accounting policies, and do they include changes in the accounting policies from the previous year?
• Does the audit committee understand management’s processes for controlling fraud and error? Does management keep the committee up to date on cases of fraud and error?

Capacity and Resources

• Does the team responsible for financial reporting have sufficient resources (personnel and funds) to carry out its responsibilities?
• Does the team have the necessary complement of skills and experience? If not, what is the plan to acquire them?
• Is the corporation’s finance unit able to access specialist skills where and when required?

Presentation of Financial Statements

• Do the financial statements comply with generally accepted accounting principles? If not, why not?
• Are there significant legal matters, contingencies, claims or assessments that could have a material impact on the corporation’s financial statements? If so, how have they been reflected in the financial statements?
• What are the significant accounting accruals, reserves and other estimated liabilities in the financial statements? What processes are in place to properly account for these items in the corporation’s financial statements?
• What analysis supports any significant valuations, assumptions or judgments that are reflected in the financial statements?
• How have financial instruments been accounted for in the financial statements, including the notes?
• Do the financial statements reflect any significant, unusual transactions that occurred during the year? Are they adequately explained and fairly presented?
• What risk factors, if any, has management, the internal auditor or the Auditor General identified and assessed with respect to potential fraudulent financial reporting?
• Have significant variances from the budget and from the previous year’s financial statements been satisfactorily explained?

Review and Sign-off

• Although it is not mandatory, is there a process in place for a timely review of the financial statements by the chief financial officer and management?
• What is the process for informing senior management and the audit committee throughout the year of significant issues that could impact the corporation’s financial statements?
• If there is a certification regime in place, has the chief financial officer signed-off on the financial statements, including on certification of the internal controls over financial reporting?
  • If not, why not?
  • If so, what procedures, systems, resources and tasks are in place to allow management and users of financial statements to have reasonable assurance that:
    • Records that fairly reflect all financial transactions are maintained;
    • The recording of financial transactions permits the preparation of internal and external financial information, reports and statements in accordance with policies, directives and standards; and
    • Revenues received and expenditures made are in accordance with delegated authorities, and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or are detected in a timely manner. This includes providing reasonable assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.

Annual Report

• Does the annual report include the following, as required under subsection 150(3) of the FAA:
  • The financial statements;
  • The auditor’s report;
  • A statement of the extent to which the corporation has met its financial objectives for the year;
  • Relevant quantitative information with respect to the financial performance of the corporation in relation to its objectives; and
  • Any other information that is required under the FAA or under another Act of Parliament, or by the responsible Minister, the President of the Treasury Board or the Minister of Finance.
• How have all the material facts necessary for understanding the corporation’s financial performance been reflected in the management discussion and analysis (MD&A)?
• What processes and procedures are in place for ensuring that the financial information reflected in the MD&A is complete, accurate and consistent with the financial statements?
• What processes and procedures are in place for ensuring the completeness and accuracy of other quantitative information related to financial matters reflected in the annual report?
• Has the Auditor General (and, if applicable, another external auditor) reviewed the corporation’s annual report? If so, to what extent? If not, why not?

Internal Audit Policy or Charter

Does the corporation have an internal audit policy or charter? If so:

• Does it reflect the purpose, authority and responsibility of the internal audit activity?
• Has it been reviewed and approved by the audit committee or by the president and chief executive officer?
• Is it periodically reviewed and revised?

Independence and Objectivity

• Is the internal audit function free from interference in determining the scope of its work, in performing the work and in communicating the results?
• Does the internal audit function have unencumbered access to all of the corporation’s information, records and locations as required?

Internal Audit Planning

• Does the internal audit function have sufficient resources to carry out its mandate?
• Does the corporation have an internal audit plan? If not, why not? If so:
  • What is the process for developing the annual internal audit plan?
  • How does it link with the corporation’s areas of highest risk, including financial risks?
  • How were the proposed internal audit projects determined and prioritized?
  • Does the plan outline the scope, timing and resource requirements for the proposed internal audit projects?
  • Have there been any disagreements between management and internal audit in developing this plan? If so, have they been appropriately resolved or addressed?
• Is a method in place for measuring the efficiency and effectiveness of the internal audit function?

Internal Audit Delivery

• What is the corporation’s internal audit service delivery model (e.g., centralized, decentralized, outsourced, co-sourced), and does it meet the corporation’s needs?
• If internal audit service delivery is outsourced, what process is in place to ensure compliance with the universally accepted internal audit standards outlined in the Institute of Internal Auditors’ International Professional Practices Framework?
• In carrying out internal audits, did the auditors have unencumbered access to the required records and management of the corporation?
• To what extent has the internal auditor assessed the corporation’s legal and ethics compliance program or practices? What were the findings of these assessments?
• To what extent has the internal auditor assessed the risk of fraud?

Internal Audit Reports

• Are the internal audit reports clear and concise and do they satisfactorily address the audit objectives?
• Are the internal audit reports issued on a timely basis (i.e., How much time is there between the start of the engagement and the issuing of the final report)?
• Are the recommendations relevant and practical?
• Do audit reports include management’s response and an action plan to address all agreed upon actions? If not, why not? If so,
  • Do these responses or plans appear to effectively respond to the problems and issues outlined in the report?
  • Is a senior manager assigned responsibility for the implementation of the required management actions?

Internal Audit Follow-up on Management Responses and Action Plans

• What process and procedures are in place for monitoring the implementation of management action plans?
• What methodology and process is in place to follow up on whether the actions taken by management have been effective?
• How is management follow-up reported to the audit committee (i.e., verbal, written report)? Does the report:
  • Reflect the extent to which management action plans are being implemented within the specified time frame? Are delays explained effectively?
  • Indicate the extent to which implemented actions effectively address the problems outlined in the report? If not, why not?

Audit General Management Letter

Did the external auditor issue a management letter as part of its audit of the financial statements? If so:

• What is the nature of the issues noted?
• What steps is management taking to address those issues?

Leadership and Support

• How does the corporation ensure effective coordination and support for the special examination?
• When was the last special examination carried out? What is the status of any required management actions stemming from that examination?
• When is the next special examination expected to take place?
• What steps has management taken, or does it plan to take, to prepare for this examination?
• What work has the internal audit function undertaken, or does it plan to undertake, to support the Auditor General in this examination?

Planning

• Has the audit committee discussed the special examination plan with the special examiner?
• Has the audit committee received a copy of the special examination plan? If so, does the plan outline the criteria to be applied in the examination?
• What questions or concerns does management have about the planned criteria for the special examination?
• What questions or concerns does the board have about the planned criteria for the special examination?

Delivery

In carrying out the special examination, did the Auditor General have unencumbered access to the required records and management of the corporation? If so, to what extent? If not, why not?

Special Examination Report

• Will the audit committee have an opportunity to discuss the draft report with the special examiner?
• Does the report contain a statement as to whether, in the examiner’s opinion, with respect to the established criteria for the special examination, there is reasonable assurance that there are no significant deficiencies in the systems and practices examined?
• Does the report contain a statement of the extent to which the examiner relied on internal audits?
• Does the report indicate any significant deficiencies?
• Does the Auditor General intend to inform the Minister of the report as required under section 140 of the FAA?
• Does the report include management’s response and action plan to address all agreed-upon recommendations? If so,
  • Do these responses and plans appear to respond effectively to the problems and issues outlined in the report?
  • Is a senior manager assigned responsibility for the implementation of the required management actions?
• Was there an opportunity to discuss the draft report with the special examination team?
• What process is in place to ensure that a copy of the special examination report is provided to the Minister and to the President of the Treasury Board within 30 days of the board of directors receiving the report?
• What process is in place to ensure that the report is made available to the public within 60 days of the board receiving the report? The normal practice would be to post it on the corporation’s website.

Special Examination-Follow-up on Management Responses and Action Plans

• What process is in place for monitoring the implementation of management action plans?
• What process is in place to follow up on whether the actions taken by management have been effective?
• How is management follow-up reported to the audit committee (e.g., verbally, in a written report)? Does the reporting:
  • Reflect the extent to which management action plans are being implemented within the specified time frame? Are delays explained effectively?
  • Indicate the extent to which actions implemented are effective? If not, why not?

Leadership

What support does the president / chief executive officer provide to set the tone for integrity and ethical behaviour throughout the corporation?

Policies and Guidelines

• Does the corporation have a code of conduct or an ethics policy that covers employees as well as members of the board of directors?
  • If so, is the code of conduct or the ethics policy at least as stringent as the Values and Ethics Code for the Public Sector? Does it clearly state acceptable and unacceptable behaviour, particularly in areas of significant ethical risk (e.g., executives’ and officers’ expenses, use of corporate assets)? Is it tailored to the specific risks the corporation faces?
  • If not, what mechanisms are in place to ensure that there are clear expectations and standards for integrity and ethical behaviour, as well as for legal compliance?
• What protection mechanisms does the corporation have in place to manage disclosures (whistle-blowing) by employees, in accordance with the requirements of the Public Servants Disclosure Protection Act? Does the corporation’s code of conduct or ethics policy reflect the provisions of the Act regarding the management of disclosures?

Monitoring and Reporting

• How does the corporation identify, assess and manage ethical risks?
• Are there any significant legal or regulatory matters that could affect compliance with laws and financial viability? If so, what are they?
• What procedures does management have in place to monitor compliance with the law and with the corporation’s code of conduct and ethics policy? For example, do employees know to whom to report suspected cases of wrongdoing? How are such cases reported to senior management? Are they reported in a consistent and timely manner?
• Do employees periodically attest to their understanding of and adherence to the corporation’s code of conduct?
• To what extent have the internal or external auditors assessed the risk of fraud?
• How does management report the indication or detection of fraud, as well as the corrective action to be taken, to the president / chief executive officer? What were the circumstances under which fraud was suspected or reported?
• Have regulatory agencies, including tax authorities, conducted assessments of the corporation? If so, to what extent and what were the results of the assessments?
• How are potentially unlawful activities reported in the corporation and to whom?

Risk Management Leadership

• Does the corporation have a risk champion and if so, is this individual a member of the corporation’s executive team?
• How is the risk champion held to account for his or her risk management responsibilities?
• How are the corporation’s executives held to account for managing and mitigating risks in their programs, functions or areas?

Risk Management Policy or Framework

• Does the corporation have a risk management policy or framework?
• If so, does the policy or framework:
  • Have the approval of the board of directors?
  • Outline the process for identifying, measuring, monitoring, controlling and reporting all risks to which the corporation is exposed?
  • Establish an approach for integrating risk management into the corporation’s decision-making processes?
  • Tie in with the corporation’s strategic documents (e.g., corporate plan, annual report)?
  • Tie in with the corporation’s internal and/or external audit plans?
  • Reflect key roles and responsibilities for identifying, measuring, monitoring, controlling and reporting risks?
  • Outline the process by which management informs the audit committee in writing of its adherence to the corporation’s risk management policy or framework?
• What are the key elements of the corporation’s approach to risk management (e.g., annual risk assessment; business continuity planning; disaster recovery planning; risk assessment for all significant corporate changes, projects, programs, etc.)? How are these elements coordinated?

Integrated Risk Management

• How are risk management practices integrated into the management of programs and activities across the corporation? For example, have risk management plans been developed and implemented?
• How is risk management integrated into the corporation’s key business planning and decision-making processes?
• How is it ascertained that the corporation is functioning in accordance with its approved business plan and within the established risk tolerance limits?

Risk Management Reporting and Monitoring

• Are risks or control failures followed up on in the corporation (e.g., risk and incident reporting and tracking)? If so, to whom, through what mechanisms and how quickly? If not, why not?
• What risk management reports or information does the president / chief executive officer receive from management throughout the year?
• Does management provide the audit committee with timely and accurate reports on risks, the procedures and controls in place to manage these risks, and the overall effectiveness of risk management policies?
• What role does internal audit play in providing assurance on risk management practices, on key risks and on controls for mitigating the highest inherent risks?
• Does the corporation report publicly, at least once a year, the existence of its risk management guidelines, including those for financial risks (e.g., through the annual report)?
• What reports does the corporation’s finance team provide to management to aid in the monitoring of operating and capital budgets throughout the year? For example, does it provide budget variance reports and do those reports describe the reasons for any significant variances between budgeted and actual expenditures, as well as any resulting changes in forecasted expenditures to year end?
• What processes are in place to ensure that the corporation does not exceed its approved operating or capital budget for the year?
• What reports or information does the audit committee receive from management throughout the year to aid in its oversight of the operating and capital budgets?

Management Controls—Roles and Responsibilities

• Is it clearly articulated and understood that the president / chief executive officer has overall responsibility for the corporation’s systems of internal control?
• Are delegations of authority and responsibility documented, properly approved, communicated and kept up to date?

Control Framework and Departmental Systems

• Does the corporation have a control framework that does the following:
  • Outlines the corporation’s key controls to ensure sound management and reporting practices?
  • Identifies other controls that help mitigate the corporation’s major strategic and business risks?
  • Identifies roles and responsibilities for developing, reviewing, implementing and sustaining key controls?
  • Includes reporting and monitoring requirements to ensure compliance with the framework?
• If not, what is the corporation’s strategy for developing one?
• How does management identify and implement controls required to mitigate or manage new or emerging risks?

Control Certifications

• Although it is not mandatory that they do so, do the chief executive officer and the chief financial officer provide an annual certification for financial controls and internal controls over financial reporting?
• If so, what evidence underpins this certification?
• What other internal control certifications are provided and what evidence underpins them?

Reporting and Monitoring of Controls

• Are risks or control failures followed up on in the corporation?
• How are required changes to the design or implementation of key controls identified and implemented and are they implemented in a timely manner?
• What performance information (i.e., actual performance vs. budget and performance targets), does each level of management receive? How often does management receive that information?
• In addition to the control certifications, what arrangements are in place to periodically assess the effectiveness of the corporation’s control framework (e.g., internal audits, management review and sign offs)?
• How does management ensure that internal or external audit findings on control weaknesses are addressed in a timely manner?

Accounting Policies, Standards and Practice

Have any changes in the accounting policies been implemented since the most recently audited annual financial statements? How have these been disclosed in this report to ensure that the corporation’s significant accounting policies are consistent with the previous annual report?

Presentation of Quarterly Financial Reports

• Are there any significant legal matters, contingencies, claims or assessments that could have a material impact on the corporation’s quarterly financial report? If so, have they been reflected in this report and how?
• What are the significant accounting accruals, reserves and other estimated liabilities in the quarterly financial report? What processes are in place to properly account for these items in the report?
• Is there support for significant assumptions or judgments? If so, is it reflected in the report?
• Does the quarterly financial report reflect any significant, unusual transactions that occurred during the quarter? If so, how have they been accounted for?
• Have significant variances from the budget and from the corresponding quarter in the preceding year been satisfactorily explained?
• Does the report explain any significant changes to goals, objectives or financial targets set out in the corporate plan that may impact the current and future quarters?

Review and Sign off

• Have the chief financial officer and president / chief executive officer signed-off on the statement of management responsibility for the quarterly financial report?
• What processes are in place to ensure that:
  • The quarterly financial reports fairly present, in all material respects, the financial results as of the date and for the periods presented;
  • Internal controls, as management determines are necessary, enable the preparation of (consolidated) quarterly financial statements that contain no material misstatements, whether due to fraud or to error; and
  • Significant variances in total revenues and expenses from the same period (quarter and year-to-date) in the previous fiscal year have been identified and explained?

Production and Distribution

• What issues, if any, have been identified that may impede the timely production of quarterly financial report? Are these being managed effectively? If so, how? If not, what needs to be improved?
• What process has management put in place to ensure that the quarterly financial report will be made available to the public, to the Minister and to the Comptroller General of Canada within 60 days of the end of the quarter?

Leadership

Who has the lead role for developing and overseeing the corporation’s operating and capital budgets?

Process and Timing

• What process is in place for preparing the operating and capital budgets?
• How can the audit committee assist the board of directors in the processes leading up to the board’s approval of the corporate plan and, where applicable, the preparation and submission of the summaries of the approved corporate plan and budgets for tabling in Parliament?
• How does management ensure that the budgets are consistent with the goals and objectives set out in the corporate plan?

Presentation

• Are the operating and capital budgets presented in compliance with the most recent accounting standard?
• Do the operating and capital budgets encompass all of the corporation’s major businesses or activities?
• How has historical data been used in the development of the operating and capital budgets?
• Do the operating and capital budgets reflect the resources available to the corporation?

Review and Sign off

Did the chief financial officer and the president / chief executive officer review and sign-off on these budgets before they were submitted to the audit committee?

General duties

• Act as an advisor and support person to the chairperson, as requested by the chairperson.
• Become familiar with the work of the board of directors and with that of the audit committee, as well as with its mandate, objectives and issues.
• Assist the audit committee, particularly the chairperson, in developing its annual work plan.
• Help identify relevant issues for the committee through discussions with the chairperson, the senior managers involved and others.
• Assist the committee in its formal review of its committee charter, the review of the charter by the corporate governance committee (if applicable) and its annual approval by the board of directors.
• Help document the progress in implementing the committee’s work plan.
• Help the committee perform its annual self-assessment.

Introducing new committee members

• Prepare an introductory briefing package for new audit committee members that includes items such as the following:
  • The audit committee’s charter;
  • The Guidelines for Audit Committees in Crown Corporations and Other Public Enterprises
  • The names of the committee members;
  • The relevant legislation to which the corporation is subject;
  • The minutes from the two previous committee meetings;
  • The approved corporate plan and budgets; and
  • Background reading material on any current committee business.
• Offer an opportunity for a personal briefing to ask any questions.
• Arrange meetings for the new member with selected members of the management team and representatives of the auditors.

Audit committee meetings

• Prepare draft meeting agendas, in consultation with the chairperson.
• Prepare and collect meeting materials.
• Prepare a briefing note outlining the issues to be discussed at the upcoming meeting.
• Take notes during meetings.
• Prepare a summary of the discussion immediately after meetings for the use of the committee chairperson at the subsequent meeting of the board of directors.
• Prepare meeting minutes for consideration by the committee’s chairperson.
• Initiate follow-up, where appropriate, by seeking relevant information and by preparing any subsequent studies, reviews or business for the chairperson.
• Liaise with senior management.
• With the approval of the chairperson, inform management, at appropriate times, about the issues the audit committee is considering and about its views and preferences in relation to those issues.
• Seek advice from senior managers about issues that should be, or are being, addressed by the committee.