Internal Audit Manual

Date: April 2008

Acknowledgements

The Institute of Internal Auditors (IIA) has kindly permitted the IIA International Standards for the Professional Practice of Internal Auditing (including elements of the glossary of terms) to be reprinted in this guide.



1.0 Introduction

1.1 Preface

The Treasury Board of Canada's (TB) Policy on Internal Audit is designed to ensure that internal audit provides the Deputy Minister with added assurance, independent from line management, on risk management, control, and governance processes.

The Treasury Board of Canada's (TB) April 1, 2006 Policy on Internal Audit (the TB Policy) is designed to ensure that internal audit and audit committees provide deputy heads and the Comptroller General with added assurance, independent from line management, on risk management, control, and governance processes.

Under the TB Policy, the Deputy Minister of Indian and Northern Affairs Canada is responsible for establishing an internal audit function that is appropriately resourced and that operates in accordance with the Policy and professional internal auditing standards and for establishing an independent audit committee that includes a majority of external members who are not currently in the federal public service.

The Institute of Internal Auditors (the world-wide professional organization for internal auditing) (the IIA) defines the internal audit activity as "A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." 1

While the IIA definition includes consulting services, TB Policy does not extend the definition of internal audit to include consulting services.

1.2 Purpose and Scope

This Internal Audit Manual is intended to provide members of the Indian and Northern Affairs Canada's (INAC) Audit and Evaluation Sector (AES) with practical guidance, tools and information for managing the internal audit activity and for planning, conducting and reporting on internal auditing assurance engagements.

Users of this Manual are assumed to possess at least basic knowledge and understanding of management frameworks and controls and to be capable of exercising sound professional judgment. The Manual brings to the attention of users major items that should be considered when managing the internal audit activity, when identifying internal auditing engagements that will strengthen INAC's management control framework, and when planning, conducting and reporting upon internal auditing engagements.

Users of the Manual are expected to draw upon the information provided to form their own judgments on the most suitable approaches to fulfilling the specific responsibilities that they have been assigned in the context of continuously striving for the most effective internal audit activity possible. If users encounter situations where they believe that the guidance provided in the Manual is in conflict with what they believe to be the most effective approach, they should consult with more senior AES officers.

While the Audit and Evaluation Sector is also responsible for providing evaluation services, this Manual is intended to facilitate the performance of internal auditing engagements with the rigour and professional due care necessary for the provision of assurance (as envisioned in the TB Policy on Internal Audit and related directives and in the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (the IIA Standards)). Only engagements conducted with due care and rigour in accordance with professional standards and the process described herein provide the foundation for the provision of assurance services.

To demonstrate links with the TB Policy or the IIA Standards, related references are cited at the beginning of certain sections.

1.3 Organization of the Manual

This Manual is divided into nine sections:

| Section | Description |
| --- | --- |
| 1.0 Introduction | Describes the purpose and expected users of the Manual. |
| 2.0 The Role and Context of Internal Audit at INAC | Establishes the rationale, context, and role for the internal audit activity in general, i.e. at the global and the federal government levels, and in particular at INAC. |
| 3.0 Managing the Internal Audit Function at INAC | Identifies the organizational structure of AES, assigns generic responsibilities for the fulfillment of the tasks necessary to an effective internal audit activity, identifies the competencies required to fulfill those tasks, and establishes resourcing strategies to ensure that those competencies are available. |
| 4.0 Strategic, Risk-based Audit Planning and Reporting at INAC | Outlines the processes that are followed to identify the most appropriate internal audit engagements to be undertaken and to report upon the results of those engagements. |
| 5.0 Conducting Internal Audit Engagements at INAC | Describes the steps that are normally to be followed in planning, conducting and reporting upon an individual internal auditing engagement. |
| 6.0 Applying Internal Audit Tools and Techniques | Provides brief descriptions of the most commonly used tools and techniques and of the circumstances under which each is most appropriate. |
| 7.0 Quality Assurance and Improvement | Summarizes expectations and activities for quality assurance during the performance of individual internal auditing engagements and at periodic intervals with respect to the overall internal audit activity. |
| Appendices | Expand upon the guidance provided in this Manual. |

1.4 Conventions and Key Definitions

To supplement the descriptions and explanations in this Manual, a Glossary of Terms is provided in Appendix C.



2.0 The Role and Context of Internal Audit at INAC

2.1 Definition and Description of Internal Audit

The IIA Standards describe assurance services as an objective examination of evidence for the purpose of providing an independent assessment on:
  • risk management
  • control
  • governance

As noted above, the TB Policy on Internal Audit is designed to ensure that internal audit provides deputy heads with added assurance, independent from line management, on risk management, control, and governance processes. The IIA's International Standards for the Professional Practice of Internal Auditing (adopted as the Internal Auditing Standards for the Government of Canada in the absence of specific direction) describes assurance services as "An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence requirements."2

According to IIA Standard 2100, "the internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach."

Specifically, per standards:

  • 2110 on Risk Management, "the internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management control systems."
  • 2120 on Control, "the internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement."
  • 2130 on Governance, "the internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
    • Promoting appropriate ethics and values within the organization
    • Ensuring effective organizational performance management and accountability
    • Effectively communicating risk and control information to appropriate areas of the organization
    • Effectively coordinating the activities of and communicating information among the board (of directors), external and internal auditors and management."

2.2 The Federal Government Context for Internal Audit

The internal audit activity at INAC operates within a challenging, yet supportive, federal government environment consisting of:

  • The Federal Accountability Act (FAA) (2006) designated Deputy Ministers as accounting officers. Deputy Ministers are now accountable before the appropriate Committee of Parliament, and are required to establish appropriate internal audit capacity and audit committees.
  • The Treasury Board of Canada's Policy on Internal Audit
  • The Treasury Board of Canada's Internal Auditing Standards for the Government of Canada
  • The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing
  • The Treasury Board of Canada's Policy on Transfer Payments
  • The Treasury Board of Canada's Policy on Integrated Risk Management
  • The Treasury Board of Canada's Policy on Active Monitoring
  • The Treasury Board of Canada's Management Accountability Framework

2.2.1 Treasury Board Policy on Internal Audit

The Treasury Board Policy on Internal Audit strengthens public sector accountability, risk management, resource stewardship and good governance by reorganizing and bolstering internal audit on a government-wide basis.

The objective of the April 2006 Treasury Board Policy on Internal Audit is to strengthen public sector accountability, risk management, resource stewardship and good governance by reorganizing and bolstering internal audit on a government-wide basis.

The TB Policy positions Internal Audit to provide its important contribution by making it mandatory for departments and agencies to:

  • Establish an internal audit function that is appropriately resourced and that operates in accordance with the Policy and professional internal auditing standards
  • Establish an independent departmental audit committee that includes a majority of external members who are not currently in the federal public service
  • Approve a departmental internal audit plan that addresses all areas of higher risk and significance and that is designed to support an annual opinion from the chief audit executive on departmental risk management, control, and governance processes
  • Ensure that management action plans are prepared that adequately address the recommendations and findings arising from internal audits and that the action plans have been effectively implemented.
  • Ensure that completed audit reports are issued in a timely manner and made accessible to the public with minimal formality.

2.2.2 Treasury Board Internal Auditing Standards for the Government of Canada

Internal Auditing Standards for the Government of Canada is a directive included in the TB Policy suite of direction and guidance. It indicates that the Government of Canada has adopted the Institute of Internal Auditors' Professional Practices Framework (a full range of internal audit guidance including a code of ethics, standards, and practice advisories) and that departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the Standards are in conflict with the Treasury Board Policy on Internal Audit or any related directives or guidelines provided by the Comptroller General or Treasury Board.

Specific standards included in the Internal Auditing Standards for the Government of Canada primarily relate to the reporting activity, specifically that:

  • Communication of results of internal auditing engagements shall be in written reports
  • Reports on internal auditing engagements must provide sufficient context and must clearly identify risks and opportunities
  • Reports on assurance engagements must identify the criteria used, include a statement of assurance, and include a management action plan
  • Internal audit functions are expected to provide a holistic opinion on the effectiveness and adequacy of risk management, control and governance processes.

2.2.3 Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing

The Professional Practices Framework, developed and maintained by The IIA, offers practitioners a full range of internal audit guidance. The core elements of this Framework are the Code of Ethics and a set of professional standards.

The Code of Ethics

The purpose of the IIA's Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The Institute's Code of Ethics extends beyond the definition of internal auditing to include two essential components:

  1. Principles that are relevant to the profession and practice of internal auditing
  2. Rules of Conduct that describe behaviour norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

The Standards

The International Standards for the Professional Practice of Internal Auditing (the IIA Standards) provide guidance for the conduct of internal auditing at both the organizational and individual auditor levels. They are the result of careful study, consultation, and deliberation about the basic principles for providing internal audit services. The Standards were recently updated with relatively minor changes taking effect in January 2007.

Practice Advisories

The IIA also issues occasional Practice Advisories related to specific standards when it wishes to provide clarification on particular issues. The Practice Advisories deal with most aspects of planning, conducting and reporting the internal auditing engagement, as well as with governance and management aspects of the internal audit activity.

To ensure that the most recent versions of the standards and practice advisories are available to the internal auditing community, they can be accessed electronically through the IIA.

2.2.4 Treasury Board Policy on Transfer Payments

Treasury Board's Policy on Transfer Payments sets out a number of key requirements for the management of Transfer Payments. Considering that over 90% of INAC's budget is transferred in the form of grants and contributions, it is critical that internal auditing focus on providing assurance that the management control framework governing those transfers is effective and efficient and that transfer payment programs are managed and delivered in compliance with the Policy.

2.2.5 Treasury Board Policy on Integrated Risk Management

Under Treasury Board's Integrated Risk Management Framework, an expectation is created that departments and agencies will establish practices to continuously, proactively, and systematically assess and manage risks on an organization-wide basis.

A primary goal of internal audit, per the TB Policy, is to provide sufficient and timely assurance services on risk management. It is important, therefore, that the internal auditing activity in INAC be familiar with the expectations of the Policy and the Department's initiatives and progress in instituting a rigorous and integrated framework for management of risk.

2.2.6 Treasury Board Policy on Active Monitoring

Under the Treasury Board's Active Monitoring Policy, "…departments must actively monitor their management practices and controls using a risk-based approach". Managers are responsible for conducting active monitoring and for warning senior management of INAC and the Treasury Board Secretariat of potential issues of public interest.

It is important that the internal auditing activity be familiar with the requirements of the Policy in order to respect it should the activity identify issues of public interest that should be communicated to senior management of INAC and the Treasury Board Secretariat.

2.2.7 Management Accountability Framework

Aligned to the vision of Results for Canadians, the Management Accountability Framework (MAF) is a set of 10 statements summarizing the Treasury Board of Canada Secretariat's (TBS) expectations for modern public service management. It was developed to provide public service managers with a clear list of management expectations within an overall framework for high organizational performance.

The ten statements of expectations are set out in the model below.

[Figure: Management Accountability Framework (MAF)]

As these expectations constitute critical standards for the success of INAC, the internal auditing activity must take them into consideration when determining annual and longer-term internal audit (and evaluation) plans and when conducting specific engagements.

2.3 The INAC Context for Internal Audit

IIA Standard 1000 – Purpose, Authority, and Responsibility - The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

IIA Standard 1000.A1 - The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.

IIA Standard 1100 – Independence and Objectivity – The internal audit activity should be independent, and internal auditors should be objective in performing their work.

Within INAC, the internal audit activity is solidly founded upon an Internal Audit Charter and an Audit and Evaluation Committee Terms of Reference.

2.3.1 INAC Internal Audit Charter

The INAC Internal Audit Charter (April 2008), Appendix A, defines the roles and responsibilities of the Deputy Minister, the Audit and Evaluation Committee, the Chief Audit and Evaluation Executive, the INAC Management and the Comptroller General of Canada for establishing an internal audit function that is appropriately resourced and managed in accordance with this policy and professional internal auditing standards. The INAC Internal Audit Charter also addresses the objectivity and independence of the internal audit function and its authority to access departmental records and employees.

2.3.2 Audit and Evaluation Committee Terms of Reference

The Audit and Evaluation Committee Terms of Reference (June 2007), Appendix B, defines the role, mandate, composition, and accountability of the Audit and Evaluation Committee and prescribes the requirements for the convening and conduct of meetings.

The Audit and Evaluation Committee Terms of Reference (June 2007) defines the role, mandate, composition, and accountability of the INAC Audit and Evaluation Committee.

The Terms of Reference specifically assigns a number of responsibilities to the Committee with respect to the internal audit function:

  • Approve and monitor progress against the annual and multi-year audit and evaluation plans
  • Provide advice on the objectives identified in specific audit or evaluation terms of reference when the Chief Audit and Evaluation Executive deems such guidance to be appropriate to better serve the needs of senior management
  • Approve internal audit and evaluation reports and the management action plans developed to address the recommendations made in these reports, including reviews, reports and studies undertaken by sectors and branches themselves
  • Direct the communication of broad corporate themes and issues arising from audits, evaluation activities and reviews to Indian and Northern Affairs Canada senior management for their attention and corrective action to ensure effective management
  • Review and comment on the plans and reports of external agencies (including the Auditor General and the Treasury Board Secretariat) and any proposed actions to be taken by Indian and Northern Affairs Canada.


3.0 Managing the Internal Audit Function at INAC

Standards

IIA Standard 1210 – Proficiency – Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills and other competencies to perform its responsibilities.

IIA Standard 2000 – Managing the Internal Audit Activity - The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

IIA Standard 2030 – Resource Management - The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

IIA Standard 1230 – Continuing Professional Development - Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

3.1 Organizational Structure for the Internal Audit Activity

The Chief Audit and Evaluation Executive (CAEE) for INAC reports to the Deputy Minister. The Director, Audit and Assurance Services reports to the CAEE. Reporting to the Director, Audit and Assurance Services are an FI-04 and a number of AS-07 positions. The FI-04 and AS-07s will normally have FI and AS subordinate positions reporting to them.

In terms of generic responsibilities, the positions of FI-04 and AS-07 will normally function as audit managers while the positions of FI-03, AS-06, AS-05, AS-04, AS-03, AS-01 will function as team leaders, auditors or team members. Specific positions or individuals may be assigned additional responsibilities related to the management of the internal audit activity and may be requested from time to time to assume generic responsibilities branch-wide, e.g. quality assurance, not normally associated with their position. For example, an audit manager may be assigned to work as an audit team member on a particularly urgent or sensitive engagement.

Specific roles and responsibilities of the CAEE and the Director, Audit and Assurance Services and generic roles and responsibilities of the audit manager, team leader, and auditor are described below.

3.2 Roles and Responsibilities

3.2.1 CAEE

As Chief Audit and Evaluation Executive, per the INAC Internal Audit Charter (April 2008), the CAEE is responsible for:

  • establishing appropriate policies and procedures to guide the internal audit function
  • establishing risk-based audit plans to set out the priorities of the internal audit function
  • coordinating internal audit plans and activities with other internal and external providers of assurance activities
  • communicating the internal audit plan of engagements and the related resource requirements (including the impact of resource limitations) to the Deputy Minister and the Audit and Evaluation Committee
  • ensuring that internal audit resources are appropriate (i.e. professional qualifications and skills), sufficient and effectively deployed to achieve the approved plan
  • ensuring the timely completion of and reporting on individual internal audit engagements in accordance with professional standards
  • supporting and conducting horizontal and sectoral audits requested by the Office of the Comptroller General and any internal audits requested by other central agencies, Cabinet or Parliament
  • reporting periodically to the Audit and Evaluation Committee on whether management's action plans have been implemented and whether the actions taken have been effective
  • maintaining a quality assurance and improvement program that covers all aspects of the internal audit function
  • reporting annually to the Audit and Evaluation Committee on the internal audit function's conformance with professional internal auditing standards
  • providing annually a holistic opinion to the Deputy Minister and the Audit and Evaluation Committee on the effectiveness and adequacy of INAC's risk management, control, and governance processes
  • maintaining unfettered access to the Audit and Evaluation Committee and to the Committee Vice-Chair
  • informing the Comptroller General without delay, but after discussion with the Deputy Minister, of any issue of risk, control or management practice that may be of significance to the government or require Treasury Board Secretariat's involvement.

3.2.2 The Director, Audit and Assurance Services

Through the delegation of authority and accountability, the Director, Audit and Assurance Services, holds responsibilities very similar to those of the CAEE.

The Director's primary responsibilities include:

  • evaluating the risk management, control, and governance processes regarding all departmental activities and resources
  • evaluating the effectiveness and efficiency of internal controls
  • reviewing the reliability, integrity, and utility of financial and operational information
  • appraising the economy and efficiency with which departmental resources are employed
  • ascertaining whether programs or services are being implemented as intended
  • assessing compliance with laws, regulations, authorities and policies
  • supporting the Chief Audit and Evaluation Executive and the Deputy Minister in fulfilling their responsibilities for the internal audit function
  • being the point of contact with the Office of the Comptroller General, the Office of the Auditor General, the Commissioner for the Environment and Sustainable Development, the Public Service Commissioner, and other agencies involved in conducting audits that include INAC, with respect to the subject matter or content of their plans and their findings.

3.2.3 Audit Managers

Audit managers are responsible for implementing a set of assigned engagements over the course of a year.

Engagements are assigned taking into consideration the need to match the knowledge, skill and experience requirements of the engagement to the demonstrated competencies of the individual audit manager. Audit managers are normally responsible for the planning of each engagement and for ensuring the effective and efficient conduct and reporting of each engagement. The audit manager is responsible for the preparation and approval of the planning document and for the identification and presentation of key audit findings. The audit manager will often prepare but, at a minimum, will approve audit programs.

The audit manager is responsible for all phases of project management, including the preparation of the Statement of Work, the selection of the contractor, the oversight of the contractor, and the finalization and presentation of audit findings, including debriefings and reports.

3.2.4 Team Leaders

Team leaders are assigned to supervise a team of auditors in the performance of the audit engagement in one or more locations, following the approved audit program. Team leaders may be involved in the planning phase and may be involved in developing the audit program. Team leaders are primarily responsible for ensuring the performance of the audit in accordance with the audit program and budget and professional standards. This includes the coordination of team member efforts and the assurance that audit files support the findings and conclusions. Team leaders may lead the debriefing of auditees at the end of on site fieldwork.

3.2.5 Auditors

Teams of auditors are formed to complete audit engagements. Auditors are assigned to complete portions of the audit program under the guidance of the team leader. Auditors are responsible for completing all work according to professional standards and for communicating any critical or potentially significant findings to Team Leaders on a timely basis.

Auditors may on occasion be invited to work alongside contracted auditors or audit teams as a means to further their professional development or contribute expertise to a particular engagement.

3.3 Training and Development

As professionals, internal auditors must demonstrate proficiency in terms of the key knowledge, skills and abilities required to effectively conduct internal audit assurance engagements. In addition, they must stay abreast of recent developments in their profession.

To ensure that it collectively possesses the required skills and abilities to provide superior service, AES prepares an annual Human Resources Plan.

AES fully supports the training and development of staff members. Training is provided, either formally or on-the-job, when a need or opportunity is identified to acquire additional skills or knowledge that can be applied directly to the conduct of internal audit engagements or to the performance of supporting activities, e.g. risk assessment, audit planning. Development opportunities are provided to meet the interests of employees, e.g. acquisition of additional skills or knowledge towards promotion, and to meet the future needs of the organization, e.g. acquisition of knowledge of a new auditing tool or technique.

In addition, AES fully encourages and supports staff members to increase their professionalism and credibility through the acquisition of professional certifications. Among those supported are the Certified Internal Auditor (CIA), the Certified Government Auditing Professional (CGAP), the Certification in Control Self Assessment (CCSA), the Certified Financial Services Auditor (CFSA), the Certified Information Systems Auditor (CISA) and the Certified Fraud Examiner (CFE). The CIA, CGAP, CCSA and CFSA certifications are offered through the Institute of Internal Auditors and further information can be found at their website. The continuing education requirements associated with these certifications are fully supported by AES.

3.4 Audit and Evaluation Sector Code of Ethics Report

As a means of formally attesting to their objectivity and independence in the performance of their duties, all members of the Audit and Assurance Services Branch are required to annually sign an Audit and Evaluation Sector Code of Ethics Report that confirms that they will respect the Code of Ethics of the Institute of Internal Auditors and that they have no potential conflicts of interest. The Report is attached as illustration 3.4.1.

3.4.1 Audit and Evaluation Sector Code of Ethics Report

Audit and Assurance Services Branch
Internal Auditor Code of Ethics Report

I, ___________________________ , declare that I have read and will observe the Code of Ethics of the Institute of Internal Auditors and abide by the following components:

  • The principles that are relevant to the profession and practice of internal auditing and
  • Rules of Conduct that describe behaviour norms expected of internal auditors.

Printed Name: ___________________________

Signature: ___________________________

Date: ___________________________



4.0 Strategic, Risk-based Audit Planning and Reporting at INAC

Standards

IIA Standard 2010 – Planning - The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

IIA Standard 2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

IIA Standard 2110 – Risk Management - The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

IIA Standard 2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

IIA Standard 2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.

IIA Standard 2120 – Control - The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

IIA Standard 2060 – Reporting to the Board and Senior Management - The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

The TB Policy on Internal Audit states that annual internal audit plans should "…summarize an annual assessment of the overall materiality and risks associated with the departmental risk management strategy and practices, management control frameworks and practices, and financial and performance information, and identify and schedule planned audit engagements or other services to be provided by the internal audit function during the period of the plan."

4.1 The AES Risk-based Audit Planning Process

To be consistent with the TB Policy on Internal Audit and IIA Standards, AES undertakes an annual risk-based planning process to determine the internal audit priorities for the upcoming year and, notionally, for an additional two years. The following sections describe the steps in the planning process and identify some of the key factors that must be taken into consideration in developing effective plans.

4.2 Overview of the Risk-based Audit Planning Process

The annual planning process in the AES employs a collaborative and consultative risk-based approach relying heavily on the internal audit group's professional judgment and experience to identify areas of greatest audit priority.

Strategic, risk-based plans are designed to ensure that audit resources are allocated to areas that will help achieve strategic outcomes and reduce the possibility that the department will be exposed to significant risks.

The model below illustrates the principal components of the AES risk-based audit planning methodology.

Risk-based Audit Planning Process

4.2.1 Identification of the Audit Universe

All mandates, authorities, programs, corporate functions, organizational units, systems, assets, resources and processes of INAC are identified that are within the potential scope of internal audit.

4.2.2 Grouping of Universe into Manageable Auditable Units

All the potential universe entities and elements are grouped into units that would likely produce meaningful findings for senior departmental management and that would be of such size and scope that an audit engagement could be practically conducted within a reasonable timeframe or cycle of coverage.

4.2.3 Risk Assessment of Manageable Auditable Units

Each auditable unit is assessed, using a scale of 1 to 5 where 1 is low and 5 is high, in terms of risk related to its significance to achievement of INAC objectives, its complexity in terms of ensuring that intended outcomes are achieved, and its sensitivity in terms of the public or the intended beneficiaries.

4.2.4 Selection of Significant Audit Engagements

Audit projects are proposed that would be most appropriate to address the highest risk areas of the manageable audit units on a priority basis.

4.2.5 The Three Year Audit Plan

The annual plan outlines a prioritized list of proposed engagements including the initial objectives and scope for each engagement, an estimate of required resources and an identification of the most suitable timing for specific engagements. Appendix E provides a checklist for the desired qualities of the Annual Audit Plan.

4.3 The Internal Audit Annual Report

To fulfill the requirements of the Treasury Board Policy on Internal Audit, including that for an annual holistic opinion, AES prepares an annual report. The annual report describes the audit activities planned and undertaken for the fiscal year, identifies major findings of interest to INAC senior management, and offers a holistic opinion on controls, governance and risk management.



5.0 Conducting Internal Audit Engagements at INAC

Standards

IIA Standard 1200 – Proficiency and Due Professional Care - Engagements should be performed with proficiency and due professional care.

IIA Standard 1220 - Due Professional Care – Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

IIA Standard 1220.A1 - The internal auditor should exercise due professional care by considering the:

  • Extent of work needed to achieve the engagement's objectives.
  • Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
  • Adequacy and effectiveness of risk management, control, and governance processes.
  • Probability of significant errors, irregularities, or noncompliance.
  • Cost of assurance in relation to potential benefits.

IIA Standard 2200 – Engagement Planning - Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

IIA Standard 2201 - Planning Considerations - In planning the engagement, internal auditors should consider:

  • The objectives of the activity being reviewed and the means by which the activity controls its performance.
  • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
  • The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
  • The opportunities for making significant improvements to the activity's risk management and control systems.

IIA Standard 2210 – Engagement Objectives - Objectives should be established for each engagement.

IIA Standard 2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.

IIA Standard 2220 – Engagement Scope - The established scope should be sufficient to satisfy the objectives of the engagement.

IIA Standard 2240 – Engagement Work Program - Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

IIA Standard 2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

IIA Standard 2300 – Performing the Engagement - Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

IIA Standard 2320 – Analysis and Evaluation - Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

IIA Standard 2330 – Recording Information - Internal auditors should record relevant information to support the conclusions and engagement results.

IIA Standard 2400 – Communicating Results - Internal auditors should communicate the engagement results.

IIA Standard 2420 – Quality of Communications - Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

Treasury Board Internal Auditing Standards for the Government of Canada 4.2.1.1 – Communication of results of internal auditing engagements shall be communicated in written reports.

Treasury Board Internal Auditing Standards for the Government of Canada 4.2.1.4 – Reports on internal auditing engagements are to be presented to, and reviewed by, the audit committee with minimum delay; completed reports are those that have been reviewed by the audit committee and approved by the deputy head.

5.1 Overview

While different internal audit organizations may identify a number of steps using a variety of terminology, the internal auditing process is essentially comprised of three main phases, namely:

  • Planning
  • Conduct and
  • Reporting.

At the most fundamental level, the audit manager must establish what is going to be audited (planning), ensure that the approved plan is implemented (conduct), and communicate the results achieved (reporting).

Once the engagement has been identified in the Risk-based Audit Plan, it must be effectively planned in order to determine the specific objectives, scope, audit criteria, and methodology.

At the outset of the planning phase, the audit engagement is usually defined in very broad terms. Since it is neither practical nor cost-effective to audit everything, the audit manager must identify the risks associated with the audit entity, formulate meaningful objectives and establish an appropriate scope. In so doing, the audit manager can ensure that audit resources and effort are devoted to a relatively few key areas that can have a significant impact on the performance and results of the program or activity being audited.

At the end of the planning phase, the audit manager will be able to clearly articulate what will be audited, why it will be audited, and how it will be audited.

5.2 Initiating the Engagement

5.2.1 Notifying the Auditee

Before any work formally commences on an audit, AES informs the auditee in writing, normally via a bilingual e-mail message with terms of reference attached. The auditee is normally the most senior manager directly responsible or accountable for the program, activity, organization or initiative. In some cases, there may be a shared accountability or an intersection of line and functional authority, e.g. national programs delivered at the regional level. In these cases, more than one auditee will be identified and informed of the audit. The individuals identified in regions as the Audit and Evaluation Coordinators should be copied on the communication.

The initial communication with the auditee is normally drafted by the audit manager and issued by the Director, Audit and Assurance Services. In the event of highly sensitive audit engagements the CAEE may be called upon to issue the announcement. The communication specifies information known at the outset of the engagement such as the initial objectives and scope, any specific considerations or concerns, and the names of the auditors assigned to the audit. The communication could request the scheduling of an opening meeting and the identification of a primary contact to facilitate the coordination of the audit work if an Audit and Evaluation Coordinator has not been identified to do so.

Shortly after the formal communication has been issued, the audit manager or Director should follow up by telephone, if necessary, to ensure that the auditee has received the notification and taken the appropriate steps to schedule the opening meeting or otherwise facilitate the audit commencement. The audit manager can also address any questions that the auditee may have concerning the audit.

5.2.2 Holding an Opening Meeting

During an opening meeting, the audit manager should clarify with the auditee the known details of the program, activity or organization to be audited, e.g. mandate, resources, structure, and should explain the auditee's responsibilities in the process. The audit manager can request copies of documents deemed to be important to acquiring a good understanding of the auditee's activities.

If the auditee has any suggestions for the audit objectives or scope, or has raised any concerns that the audit might address, these can be discussed at this time.

5.3 The Planning Phase

The planning phase normally consists of three distinct, but often overlapping, activities, i.e. gaining an understanding of the nature of the program, activity, organization or initiative being audited, determining and assessing risks, and determining the most appropriate audit objectives, scope and criteria to be employed.

5.3.1 Understanding the Audit Entity

The audit manager needs to develop a sound understanding of the program, activity, organization or initiative being audited, including its management practices, business processes, policies and procedures, and external and internal environments.

Specifically, to be compliant with the TB Policy on Internal Audit, the audit manager needs to be focused on all important aspects of risk management, control, and governance processes for the program, activity, organization or initiative being audited.

5.3.2 Information Sources

Some of the key documents and information that the audit manager can use to gain a good understanding include:

  • Acts and related legislation or regulations
  • Policy, procedures and standards manuals and directives
  • Results of previous audits or evaluations by the AES or by the Office of the Auditor General
  • Organization charts
  • Job descriptions and delegation instruments
  • Listings of key personnel
  • Process and system maps or flowcharts
  • Operational and financial data and reports
  • Planning and performance reports (i.e. the INAC Performance Report, the INAC Report on Plans and Priorities)
  • Management meeting reports or minutes
  • Management control frameworks, e.g. results-based management and accountability frameworks (RMAFs), risk-based audit frameworks (RBAFs)
  • Risk assessments
  • Management studies or reports

In addition to reviewing documentation and analyzing financial and non-financial performance information, the audit manager may also want to consider visiting sites and observing operations, interviewing management, field staff, central agency representatives or subject matter experts, and reviewing any available internal controls documentation.

To consolidate and confirm the understanding acquired, the audit manager should prepare a summary of the program, activity, organization or initiative in the form of an auditable unit or auditee profile. Such a profile should be reviewed with the auditee in order to confirm the audit manager's understanding of the auditee's business. Appendix F provides a Template for an Auditable Unit Profile.

5.3.3 Assessing Risks

The risk assessment process provides a structured means of evaluating information and applying professional judgment as to the most important areas for audit examination.

A detailed risk assessment is undertaken during the planning phase of the engagement to confirm that the lines of enquiry and the initial objectives have indeed focused on the most important risks associated with the program or activity being audited.

The objective statements for the audit, as outlined in the Risk-based Audit Plan, may need to be amended if the more detailed risk assessment reveals additional risks or assigns higher or lower risk scores to those risks already identified.

The steps involved in performing a detailed risk assessment are:

  • Identify the risks associated with the achievement of the auditee's objectives and expected results
  • Assess the relative significance of the risks in terms of the likelihood of each risk occurring and the impact should it occur
  • Determine on a preliminary basis whether management's assertions on controls are likely to prevent or mitigate the occurrence of the risks of greatest concern and
  • Plan to focus audit objectives and scope on testing the existence or adequacy and effectiveness of key controls over areas of greatest risk. Appendix G provides a Template for Documenting Engagement Risk Assessment.

The Risk Based Audit Frameworks (RBAFs) that must be prepared to obtain Treasury Board approval of transfer payment programs can provide valuable insight to the internal auditor in overall audit planning or in engagement planning. They show the risks that program management identifies as being relevant to the program and the control mechanisms that program management has put in place, or is intending to put in place, to manage those risks, including the auditing of recipients. For example, if a program has had to recently complete a Risk-Based Audit Framework for a Treasury Board submission, the audit manager may be able to rely upon the completed risk assessment, although the audit manager must be satisfied that the process was as complete and impartial as possible and that the results can be relied upon.

The audit manager may complete the risk assessment alone or with the participation of auditee representatives. (See Section 6.2.2 for a brief description of Risk Self-Assessment.)

Whether the risk assessment is developed alone by the audit manager or with the participation of the auditee, the audit manager will want to ensure that the auditee understands the significance of the completed product as the audit manager employs it in developing the audit plan.

The audit manager must be sensitive to situations where management may have undertaken a risk assessment and made decisions with which the audit manager may not be comfortable. Since management can choose to accept, transfer, eliminate, reduce or mitigate risks, the audit manager may encounter situations where the auditee does not view a given risk with the same degree of concern that the audit manager might. For example, if the auditee has chosen to accept the risks associated with not developing and implementing a recipient audit plan, the audit manager may need to express, and be prepared to defend, an opinion that that course of action is inappropriate. In other situations, the audit manager may need to proceed with testing to demonstrate that a chosen course of action to address a risk may be insufficient or unnecessary. In the event that serious disagreements arise with the auditee, the audit manager may need to seek assistance from the Director, Audit and Assurance Services or the CAEE in pursuing discussions with the auditee and their more senior management.

5.3.4 Assessing Internal Control

Simply stated, control is making sure that what happens is what is supposed to happen and that, to the extent practical, undesirable results do not occur. A control is any action taken by INAC management or staff to enhance the likelihood that established goals and objectives will be achieved while eliminating or mitigating the impacts of risks and protecting assets, including money, reputation, physical property, and human resources.

Controls are commonly thought of as being of two types, either preventive or detective. As implied by the name, preventive controls are intended to prevent unintended consequences (e.g. overpayment of salary, a contribution to an ineligible recipient) from occurring, i.e. they are intended to function during an activity or transaction. Preventive controls are intended to trigger an obstacle that prevents the routine processing of a particular transaction, e.g. a limit built into a payroll system, a certification of recipient eligibility. Some examples of preventive controls are providing (and reinforcing) training of employees on how to do the job correctly, segregating duties to reduce the opportunity for intentional wrongdoing, creating physical deterrents such as locks, alarms and building passes to deter theft, and convening peer review committees or expert panels to review project proposals and recommend funding. Preventive controls may also be thought of as application controls in the sense that they are embedded in the intended transaction, process, or activity.

Detective controls are intended to detect unintended consequences after they have occurred. Some examples of detective controls are reports which detail the information accessed by an employee from a department or agency's systems, reconciliation of an inventory listing to the actual physical materiel, and monitoring (or auditing) contribution recipients to ensure that funds have been used for the purposes intended. Detective controls may also be thought of as monitoring controls in the sense that they operate above or outside of routine processes or activities and their preventive controls.

Many models of internal control will prescribe specific criteria against which the internal control framework, and its components, can be assessed. In that sense, the models serve as criteria against which internal control frameworks and individual controls can be assessed.

The audit manager who has gained an understanding of the auditee's objectives and control environment and has identified the key risks to the achievement of objectives is now in a position to identify and assess the related controls and their likely effectiveness in mitigating risks. In essence, the audit manager will document the process or activity for which the control is intended, evaluate the expected effectiveness, efficiency and cost effectiveness of the control, and test whether it is working as intended. In testing controls, the audit manager will pay particular attention to the extent to which it might be possible to rely upon detective, or monitoring, controls, as these may reduce the necessity for extensive testing of preventive controls. For example, a manager may have established a quality review team to review a sample of files or transactions on a regular basis. If this activity is reliable as a control, it may eliminate the necessity for the audit to test as many original files or transactions.

5.3.5 Determining Audit Objectives, Scope, Criteria and Approaches

5.3.5.1 Audit Objectives

Once an understanding of the program or activity has been acquired and the assessment of risks has been completed, including any limited testing of controls, the audit manager recommends the specific objectives and scope for the audit.

The audit objective is often thought of as the question(s) that the audit seeks to answer. Objectives should be carefully considered and clearly stated in such a way that a conclusion with respect to each is possible.

Objectives may be focused on key generic internal auditing outcomes, e.g. assurance on risk management, on controls, or on governance, or may be focused on specific high-risk issues or concerns identified during the planning phase.

5.3.5.2 Scope

The scope statement clearly describes the areas, processes, activities, or systems that will be the subject of the audit and to which the conclusions will apply. If there are numerical or geographic limitations to the scope of the audit, these should be specified, e.g. "Tests will be conducted on a random sample of 20 transaction files at each of five representative regional offices." The audit scope should describe any areas, processes, activities or systems which might normally be associated with the program or activity but which are excluded.

The scope will also describe the time period covered by the audit, for example, the period or fiscal year during which files or transactions to be examined were originally prepared.

5.3.5.3 Audit Criteria

Audit criteria are reasonable and attainable standards of performance and control against which compliance, the adequacy of systems and practices, and the economy, efficiency and cost effectiveness of operations can be evaluated and assessed. Audit criteria provide a basis for developing audit observations and formulating conclusions.

Criteria suitable for audit purposes must be appropriate to the nature of the audit. The failure to identify and obtain acceptance by the auditee or by the Audit and Evaluation Committee of criteria suitable to the audit may result in inappropriate, or highly contested, conclusions being drawn by the internal auditor.

Good audit criteria statements should be relevant, reliable, neutral, and complete.

In identifying relevant and reliable criteria, AES can usually rely upon acts and regulations, policy, guidelines or standards, and recognized experts. In the absence of such criteria, the audit manager can draw upon a wide variety of potential sources for audit criteria, e.g. professional associations' standards, generally recognized industry norms, accepted good practice, generic management control frameworks, and the auditee's own standards.

The Audit and Evaluation Sector has developed a specific set of expected controls for INAC's grants and contributions programs in the form of a publication entitled Grants and Contributions Audit Criteria.

The audit manager must review and discuss the proposed audit criteria with the auditee, particularly when there are no generally accepted criteria, to obtain an acknowledgement that the criteria are suitable for the audit. If agreement on the audit criteria cannot be reached, this should be reflected in the planning documentation, with an explanation as to why the audit manager believes the criteria remain appropriate. If necessary to the successful completion of the audit, the Director may need to seek approval of the criteria by the AEC. Appendix H provides a Checklist for Reviewing Audit Objectives and Criteria Statements.

5.3.5.4 Approach

Once the audit objectives, scope and criteria have been clearly established, the audit manager needs to design an approach to carrying out the audit that will provide the most meaningful result in the most cost-effective manner.

The purpose of articulating the audit approach is to ensure that sufficient, appropriate audit evidence is collected to enable the drawing of a conclusion with respect to each of the audit objectives.

Using professional judgment, the audit manager develops the approach and methodology based on the nature and extent of evidence needed to reach a conclusion with a high degree of assurance and the most appropriate and cost-effective mix of audit tests and procedures to gather that evidence.

  • An effective approach will normally incorporate a variety of auditing tools and techniques. Different tools and techniques have various strengths and weaknesses. For example, one may require a high degree of technical skill while another a high degree of interpersonal skill; one may be expensive but reliable, another inexpensive but less reliable.

5.3.5 Preparing Planning Stage Output Documents

At the end of the planning phase, the audit manager will prepare a Preliminary Survey Report or Terms of Reference to document the results.

The purpose of the document is to demonstrate and communicate the following decisions:

  • Significant audit issues and the reasons for pursuing them further (e.g. the results of the risk assessment)
  • Audit objectives
  • Audit scope, i.e. the areas, activities, systems, or processes to be examined, together with the rationale for not pursuing any related ones
  • Audit criteria against which assessments will be made
  • Approach or methodology that will be used for the engagement
  • The process for communicating audit findings
  • The projected timeline for the audit and
  • Resource requirements.

Once approved by the Director, Audit and Assurance Services or, if necessary, by the Audit and Evaluation Committee, the document serves as the basis for conducting the audit. Appendix I provides, in the form of a Template for an Audit and Engagement Plan, a checklist of the key elements to be addressed in the document detailing the results of the planning phase.

5.3.6 Suspending Audit Activity

On occasion, the planning phase may result in a recommendation to suspend additional audit activity. For example, if there is an absence of even basic controls and the auditee accepts the need for immediate improvement action, AES may recommend the auditee seek assistance to establish the basic elements of a management control framework. Alternatively, the planning phase, including limited testing of controls, may reveal that there are no significant risks that are not apparently well mitigated by established control processes.

In these circumstances, the audit manager should prepare for the CAEE a recommendation to defer or cancel the engagement, or to revisit the objectives, so that the necessary senior management approval may be obtained administratively or via a formal recommendation to the AEC.

5.3.7 Developing the Audit Program

The audit program specifies who is doing what, why it is being done, how it is to be done, when it is to be done and where it is to be done, while allowing some flexibility for the use of initiative and sound judgment in deviating from prescribed procedures or extending the audit work where warranted.

Audit programs document and detail the audit tests and procedures that the audit manager has designed as the approach to collect and analyze audit evidence in the most cost-effective manner while ensuring objectivity, independence and uniformity. The purpose of the audit program is to provide:

  • A guide for conducting and coordinating the audit work to be done
  • A framework for assigning audit work
  • A framework for effectively supervising work and assessing the cost and the quality of the work performed and
  • A vehicle to document the exercise of due care and compliance with professional standards and policies.

Once the objectives and scope have been determined, the efficiency and effectiveness of an audit depend largely on how well the audit program has been designed and executed. The key component of an effective audit program is the tests and procedures (Section 6.0) to be followed in gathering and analyzing audit evidence. The tests and procedures should be structured and described so that it is clear to which criterion and to which audit objective each procedure is directly linked. The format should also include a provision for recording cross-references to working papers. Appendix J provides a Template for Presenting an Audit Program, Appendix K, a Checklist for Reviewing an Audit Program (e.g. by a quality assurance reviewer or by an audit manager), and Appendix L, an Engagement Planning Checklist to ensure all required steps have been completed.

5.4 Conducting the Engagement

The purpose of the conduct phase of the audit is to gather sufficient, appropriate audit evidence to reach a conclusion on each of the objectives identified in the planning phase. Fieldwork is generally regarded as the beginning of the conduct phase and is interpreted as the point at which the audit team is implementing the audit program, usually on site with the auditee.

5.4.1 Hold an Initial Meeting with the Auditee

An entrance meeting will normally be held on the first day of fieldwork with the audit team and the manager and supervisors directly responsible for the program, activity or organization being audited. Where practical, the Director, Audit and Assurance Services will attend the meeting, especially if the meeting includes executive heads responsible for the program, activity, or organization being audited.

The agenda for the entrance meeting will normally include:

  • Introductions - members of the audit team and their areas of responsibility as well as key auditee staff and their areas of responsibility
  • The audit objectives and scope - including any limitations or exclusions
  • The audit process - the approach or methodology to be followed, the schedule, and the locations to be included
  • Expectations - those the internal auditor has for auditee cooperation and involvement and those the auditee has in terms of professional conduct and respect of the auditee's environment
  • Debriefing and reporting - activities and products

After the entrance meeting, audit team members will normally meet individually with the supervisor responsible for the activity, organization or program that they have been assigned. This meeting can be used to gain an understanding of how the supervisor's responsibilities are carried out, to obtain access to required documentation, and to meet other staff.

5.4.2 Complete the Audit Program

Once the entrance meeting has been held, the team members proceed to carry out their assigned parts of the audit program. As activities are completed there will be ongoing processes of analyzing and evaluating evidence (Section 6.1 provides guidance on audit evidence) and formulating, discussing, presenting and refining observations and findings. Appendix M provides a Sample Audit Observation Worksheet to aid in ensuring that each observation is well developed.

5.5 Reporting the Engagement

As outlined in the TB Policy on Internal Audit, internal audit is to "provide …added assurance…on risk management, control and governance processes."3 In order to accomplish this objective, AES must effectively communicate its audit conclusions and recommendations.

Throughout the audit, the team leader will have discussions with the auditee to review and discuss observations and findings and potential recommendations. This helps ensure that all pertinent information has been considered in developing conclusions and provides an opportunity for the audit team and the auditee to work to develop effective solutions to identified deficiencies. At the end of the audit this informal communication process is formalized through closing or exit meetings and written reports.

The reporting phase of the audit includes debriefing the auditee, drafting the report, issuing initial and subsequent drafts, reviewing management action plans, preparing the report for the Audit and Evaluation Committee, and distributing the final audit report.

5.5.1 Debrief the Auditee

The team leader or audit manager should formally discuss all significant audit findings and conclusions with auditee management (normally at the Director General or above level) before the report is drafted. This formal debriefing helps ensure that:

  • There are no "surprises" with respect to reporting results.
  • There have been no misunderstandings or misinterpretations.
  • The internal auditor is aware of all relevant evidence and any corrective action already taken.

In addition, this process will help ensure there is buy-in and feedback on proposed recommendations.

A debriefing meeting may also be used to discuss points that are of interest but are not significant enough for the written audit report. These findings of lesser significance may be addressed in a management letter to the auditee. Appendix N provides a Checklist for Conducting the Engagement.

5.5.2 Prepare the Draft Report

The purpose of the written report is to communicate. The messages must be clear and precise to ensure that the reader will understand what the report is trying to achieve. The report should be fair and balanced and presented in an unbiased tone, noting where management has taken actions to correct deficiencies and pointing out exemplary performance.

Only matters of significance should be included in the report – thus not all observations and recommendations recorded during the conduct of the audit will be brought forward to the report. Reports are normally more effective when related observations can be aggregated and addressed with higher-level recommendations, e.g. to improve controls.

The TB Policy on Internal Audit, Section 5.5.5 states that Deputy Heads are responsible for ensuring that completed audit reports are:

  • issued in a timely manner and made accessible to the public with minimal formality and
  • posted on departmental web sites in a timely manner, in both official languages.

In addition, the Internal Auditing Standards for the Government of Canada, section 4.2.1.2, states that reports on internal auditing engagements must:

  • Provide sufficient context by describing the area that has been examined, how it fits into the organization, its importance, and the relevant laws, policies and standards and
  • Clearly identify risks and opportunities for improvement to be addressed by management.

Section 4.2.1.3 requires that reports on assurance engagements must:

  • Identify the criteria used in the engagement
  • Include a statement of assurance which describes the level of assurance the auditor is providing and
  • Include a management action plan that clearly identifies actions to be taken by management to address recommendations and findings, the timing of such actions, and who is responsible for their implementation.

To achieve this standard, AES has adopted the following standard report outline:

Outline for AES Internal Audit Reports

Executive Summary

1.0  Statement of Assurance

2.0  Objectives

3.0  Scope

4.0  Approach or Methodology

5.0  Conclusions

6.0  Observations and Recommendations

7.0  Management Action Plan

Executive Summary

(May not be required when reports can be kept short)
The executive summary should reiterate the objectives and scope of the engagement and include brief descriptions of the audit entity, the rationale for the audit, and the criteria and approach employed, including references to professional standards. A conclusion is required for each objective, and a summative conclusion may be provided. A statement of assurance should be included or referenced if it is located in the conclusions section or provided in a covering memorandum. Key recommendations and management responses may also be included. Above all, management should be able to readily focus on and understand the important issues being reported.

Statement of Assurance

The Statement of Assurance section is a fundamentally new component of audit reports that came into effect with the change in the definition of internal audit as an "assurance" service, as explained in Section 2.1.

The Statement of Assurance provides a conclusion, relative to the audit objective(s), that conveys to management a clear understanding of what was assessed, the criteria against which the assessment was made, and the level of assurance supporting the conclusion. The conclusion must be put in context in the Statement of Assurance by including the following:

  • the professional auditing standards (IIA, TBS) in accordance with which the audit was conducted
  • the objectives of the audit
  • a description of what the audit did and did not examine (scope)
  • the time periods during which the audit was conducted and represented by any transactions examined or tests conducted
  • the criteria on which the conclusion is based
  • a statement that sufficient and appropriate audit procedures were followed and evidence gathered.

Objectives

  • Reason for the engagement and the specific objectives

Scope

  • Context of the subject matter (e.g. a description of the program, activity, issue, organization, or system examined, its place within the department, and its importance or a description of exclusions)
  • Timing (the period covered by the evidence examined)

Approach or Methodology

  • Criteria (against which the observations and assessments were made and conclusions were drawn)
  • Work conducted
  • Standards used (any professional standards, e.g. IIA, governing how the work was done)
  • Timing (the period during which the work was done)

Conclusions

  • Conclusions on objectives and any qualifications
  • Compliance with relevant laws, regulations, policies, and standards
  • A summative conclusion may be desirable
  • A statement of assurance may be included or may be referenced if it is addressed in a covering memorandum
  • Other higher level results relative to engagement objectives

Observations and Recommendations

For each area of observation:

  • (A topic sentence may be employed to introduce the essence of the observation)
  • Condition
  • Criteria
  • Cause
  • Impact and Exposure to Risk
  • Recommendation (action required and responsibility)

Management Action Plan

  • Action to be taken for each recommendation
  • Timing

Appendix O provides a Checklist for Reviewing Audit Reports.

Discuss with Auditee

Once the first draft has been completed and reviewed by the Director, Audit and Assurance Services, the audit manager shares a copy with the auditee so that they may review it to correct possible errors, misinterpretations, or omissions, e.g. it may be desirable to have more context provided. If observations and recommendations have been shared with the auditee throughout the audit, this process should flow relatively smoothly.

In the event that the auditee significantly disagrees with the audit report and the audit manager cannot resolve those disagreements by sharing findings and evidence with the auditee and by considering the auditee's perspective, the audit manager may need to be prepared to seek resolution at more senior levels. Normally this would involve discussions with the Director, Audit and Assurance Services and the CAEE to ensure that they would draw the same conclusions and formulate the same recommendations based on the evidence collected and analyzed.

In some cases, the Director may decide to seek additional evidence and this would be communicated to the auditee. In other cases, it may be determined that evidence is sufficient and the conclusions are appropriate; the issues would then be discussed with a more senior level of management responsible for the auditee, e.g. ADM level. If the issues cannot be resolved through this means, the CAEE will issue the report, request the management response and then table the report with the AEC for approval.

5.5.3 Issue Draft Report and Request Management Action Plan

Once the auditee has had the opportunity to suggest corrections, the Director, Audit and Assurance Services issues the report with a request for formal response and inclusion of a management action plan. The auditee should be given reasonable and sufficient time to properly review the report and provide a formal response and action plan, bearing in mind the desirability of finalizing the report in a timely fashion. If observations and recommendations have been discussed throughout the process, the auditee may be well advanced in developing their action plan before the formal draft report is issued.

5.5.4 Review the Management Action Plan

As required by the TB Policy on Internal Audit, the Deputy Minister is responsible for ensuring that management action plans are prepared that adequately address the recommendations and findings arising from internal audits. Normally, the action plan should indicate where there is:

  • Agreement with the recommendation and a commitment to undertake corrective action or
  • Agreement with the recommendation and an explanation as to why corrective action cannot be taken at this time or
  • Disagreement with the recommendation together with an explanation.

Although AES will not normally comment on management responses in the audit report, the audit manager should review the action plan to determine whether it adequately addresses the recommendations, since the action plan is expected to be a key element of the report that goes forward to the Audit and Evaluation Committee. In particular, the audit manager should ensure that:

  • The proposed action will fix the underlying problem(s) and will produce concrete results at a reasonable cost
  • The auditee has the capacity and authority to complete the actions and
  • It is clear who is responsible for doing what and within which timeframe.

The review of the action plan will allow the auditor to assess whether there is any undue risk in the action plan proposed.

The review of the action plan will also help the audit manager determine the most appropriate follow-up action, e.g. regular status reports or a scheduled formal follow-up activity.

If the audit manager is not satisfied with the response or the action plan (e.g. too much risk in not correcting the deficiency) a meeting should be scheduled with the auditee to present the concerns and suggest means by which the action plan might be improved. In the event that direct discussion with the auditee does not lead to a more acceptable plan, the audit manager should raise the issue with the Director, Audit and Assurance Services and may wish to express concerns when the report is presented to the AEC, as long as the intention to do so has been communicated to the auditee.

5.5.5 Prepare the Report for Audit Committee Approval

The AEC is responsible for approving all internal audit reports. To provide the Committee with a fair and complete picture, the management action plan should be integrated into the audit report. This integration should be done in such a way as to clearly identify, for each recommendation provided in the report, the action to be taken, the position or person responsible, and the related timing.

In any situation where a management action plan is not forthcoming within a reasonable period of time, the internal audit report should be presented to the AEC for timely approval as a completed report without the management action plan.

Audit reports and management action plans should be tabled, in both official languages, at the next scheduled AEC meeting. In exceptional circumstances, e.g. TBS requires a final report to release program funds, final reports can be approved administratively.

5.5.6 Finalize and Make the Report Available

Once the AEC has approved the final audit report, there are a number of additional steps required, including:

  • The Communications Branch receives a copy of the approved report in order to develop and execute the necessary communication plan in conjunction with the responsible auditee (e.g. Questions and Answers, media lines)
  • The Access to Information and Privacy Coordinator receives a copy to ensure that there are no passages which should be excluded from publication.
  • Consistent with the TB Policy on Internal Audit, a copy of the final report is forwarded to TBS in both official languages
  • The final report is posted on the INAC website in both official languages.

5.6.7 Close the Audit

Once the final report has been issued, the following steps are taken to close the audit:

  • Finalize and archive working papers (see Section 6.3).
  • Complete project performance discussions
  • Provide input to future audit plans, e.g. update the auditable unit profile, recommend follow-up activity, or identify potential risk areas for consideration for audit.


6.0 Applying Internal Audit Tools and Techniques

Standards

IIA Standard 1200 – Proficiency and Due Professional Care - Engagements should be performed with proficiency and due professional care.

IIA Standard 1220 - Due Professional Care - Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

IIA Standard 2100 – Nature of Work - The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

IIA Standard 2300 – Performing the Engagement - Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

IIA Standard 2310 – Identifying Information - Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

IIA Standard 2320 – Analysis and Evaluation - Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

IIA Standard 2330 – Recording Information - Internal auditors should record relevant information to support the conclusions and engagement results.

6.1 Audit Evidence

As discussed above, audit evidence is collected to enable the drawing of conclusions with respect to each of the engagement objectives.

Audit evidence is the information collected, analyzed and evaluated to support an audit finding or conclusion. The decisions on which type of evidence to seek and on how much evidence is enough require professional judgment. To support the exercise of that judgment, knowledge of the concepts underlying evidence is necessary.

6.1.1 Concepts

There are a number of attributes that are normally associated with good audit evidence, i.e.:

  • Sufficiency - the measure of the quantity of evidence – enough evidence should be collected and evaluated so that a reasonably informed unbiased person would agree with the auditor's findings and conclusions
  • Reliability – the measure of the appropriateness and trustworthiness of sources and techniques – generally evidence is more reliable if from a credible independent source than from the auditee, if obtained through direct physical examination, observation, computation and inspection than indirectly, documentary rather than oral, and confirmed rather than sole source
  • Relevance – the measure of the pertinence of the evidence - evidence shall have a logical relationship to what it purports to prove.

When considering the adequacy of evidence, the internal auditor should keep in mind:

  • The audit is seeking reasonable, but not absolute, conclusions
  • Incomplete data may result in the inability to reach reasonable conclusions
  • Examination of extensive evidence may be uneconomical, inefficient and ineffective

Evidence shall be reasonably representative of the population being reviewed or addressed.

6.1.2 Types of Audit Evidence

Evidence used to support audit conclusions may be categorized into different types:

  • Physical – consists of direct observation and inspection of people, property and events.
  • Testimonial – is provided in statements of auditee personnel and others. Examples of testimonial evidence include letters in response to audit enquiries and interview notes. If possible, testimonial evidence should be supported by documentary evidence.
  • Documentary – is that which exists in some permanent form such as records, purchase orders, invoices, memoranda, and procedure manuals.
  • Analytical – stems from analysis, verification, and assessment of compliance-non-compliance, consistency-inconsistency, or cause-effect relationships. The sources of such evidence are computations, comparisons with prescribed standards, past operations, similar operations, or laws or regulations, and reasoning.

In general, evidence accumulated from different sources and of different types is strongest. The determination of when it is necessary to gather corroborating evidence from different sources or of a different nature is a matter of professional judgment. Factors that may be taken into consideration when deciding whether or not to seek additional evidence include:

  • Is there a high degree of consistency among the evidence already collected (i.e. the lack of contradictory evidence)? If so, the need for additional evidence is decreased; if not, the need is increased.
  • Is there a high degree of risk, significance or sensitivity associated with the matter to be reported? If so, additional evidence may reinforce the internal auditor's conclusion; if not, existing evidence may be sufficient to gain acceptance of the conclusion.
  • Is the cost of obtaining additional evidence worth the benefits to be obtained in terms of supporting the finding? If not, don't bother; if so, proceed.

6.1.3 Methods of Obtaining

An effective approach to gathering audit evidence will normally incorporate a variety of auditing tools and techniques. Different tools and techniques have various strengths and weaknesses. For example, one may require a high degree of technical skill while another a high degree of interpersonal skill; one may be expensive but reliable, another inexpensive but less reliable.

The following sections describe some common methods of creating or gathering audit evidence.

6.1.3.1 Interviews

Interviewing is a frequently used technique to gather evidence and opinions. Interviews can help to define the issues, furnish evidence to support audit findings, and clarify positions between the auditor and the auditee on audit observations and recommendations. Interviews can also be used to solicit the opinions and experiences of stakeholders or recipients of the auditee's products or services. Adequate preparation and good skills are needed to use interviews effectively in building or confirming audit evidence.

6.1.3.2 Audit Tests

Testing implies placing selected activities or transactions "on trial" to reveal inherent qualities or characteristics.

Audit tests are developed and conducted for either compliance or substantive verification purposes. Compliance oriented tests are designed to assess the adequacy and effectiveness of controls, e.g. if a transaction exceeding a set limit is submitted into a system or process, will it be pulled out for special consideration, or, if a funded project has a risk score warranting a special monitoring plan, will it be implemented? Substantive test procedures include the detailed examination of selected transactions, e.g. a sample of pay transactions could be reviewed against collective agreements to ensure correct processing or a sample of contribution files could be examined to ensure terms and conditions have been respected.

In practice, many tests fall into the category of "dual purpose" tests. The checking of calculations may show that an internal control checking function is being properly executed (compliance) and may provide assurance as to the accuracy of the amount recorded in the system (substantive).

Many tests may include the re-performance or mathematical checking of source documents and other records.

Once the appropriate test has been selected, it is important to determine how it will be applied, either as a:

  • Specific Item (or "judgmental") Test where individual items are selected for examination because of their size or other characteristic and reliable conclusions can only be drawn relative to the items tested; or
  • Representative Item Test where the objective is to examine a random selection of items, usually accomplished through statistical sampling techniques, to support the formulation of conclusions with respect to the entire population based on the sample examined.

6.1.3.3 Sampling

Sampling is the process of selecting part of a population to determine parameters and characteristics of the whole population. The objective of sampling is to gather data on a limited number of observations (people, things, processes, documents, etc.) that represent the larger group about which more descriptive, normative, or cause-and-effect statements need to be made. Since it is rarely feasible to study an entire population (i.e. do a census), sampling must suffice. Unless the sample represents the population, however, sampling accomplishes little.

Sampling may be random or purposeful. The major difference between the two is that random sampling is more confirmatory while purposeful sampling is more exploratory. In the context of testing, specific item tests would more likely be applied on the basis of purpose whereas representative item tests would be applied on a random basis. Both types of sampling may be applied to attributes, to reach a conclusion about a population in terms of the proportion, percentage, or total number of items that possess some characteristic (attribute) or fall into some defined classification, or to variables, to draw conclusions about a population in terms of numbers, such as dollar amounts.

6.1.3.4 Surveys

Surveys are structured approaches to gathering information from a large population. Examples of survey use would include efforts to obtain input from all the members of the auditee on the perceived opportunities for training and development or to obtain opinions from recipients of services (either internal or external) on the quality and timeliness of services provided. Whether the survey is administered in person, by telephone, by Internet, or by mail, the key element is the existence of a structured, tested questionnaire.

6.1.3.5 Inspection

Inspection consists of confirming the existence or status of records, documents or physical assets. Inspection of physical assets provides highly reliable evidence of their existence or condition. Inspection of records could confirm the existence of source documents for data entry, e.g. program participant questionnaires or evaluations.

6.1.3.6 Flowcharting

Flowcharting is the graphic representation of a process or system and provides a means for analyzing complex operations, e.g. key control points, redundant activities. A system flowchart would provide an overall view of the inputs, processes and outputs while a document flowchart would depict value adding activities and critical controls.

6.1.3.7 Modeling

Modeling includes the field of quantitative techniques, often referred to as operations research. It makes use of mathematical and statistical models designed to simulate real processes and help in decision-making. Models are identified in terms of their intended uses, i.e. descriptive, which classify variables and explain their relationships; predictive, which forecast on the basis of variable relationships how the variables will behave if one or more of them are changed; and planning, which decide the best way of combining or changing relationships to achieve some result.

6.1.3.8 Observation

Similar to inspection, observation entails personally verifying or attesting to a process or procedure, e.g. the application of controls by members of the auditee's staff or the manner in which clients are treated. Many service transactions and internal control routines can only be evaluated by seeing the auditee perform them.

Whenever possible, two or more auditors should be present to make observations in order to provide additional support to the observations.

6.1.3.9 Confirmation

Confirmation involves a request, usually provided in writing, seeking corroboration of information obtained from the auditee's records or from other less reliable sources, e.g. anecdotal information from a client of the auditee.

6.1.3.10 Analysis

Analysis consists of examining information obtained and using it to corroborate other findings or to compare auditee performance against performance indicators and policies, past operations, similar operations in other organizations, and legislation.

6.2 Control and Risk Self-Assessments

Facilitated processes are a relatively recent addition to the auditor's tool kit. During the downsizing of the 1990s in both the public and private sectors, many internal audit organizations had to make do with fewer resources. As a result, leading organizations often turned to the use of facilitated group sessions with auditees as a means to more efficiently identify potential risks or control weaknesses. Common to any facilitated process is a facilitator, a person who is not necessarily an expert on a specific issue (but can be) but who is an expert on process. A facilitator is trained and effective in communication (verbal and non-verbal), working with people, resistance, group dynamics, effective meetings, decision-making, workshop design and implementation, and dealing with crises.

6.2.1 Control Self-Assessment

Control self-assessment is normally focused on having the members of a working group identify and assess the controls that govern their activities. The process is usually an iterative one wherein an effort is made to identify all controls and then focus on the ones that are most important or may be questionable in terms of their effectiveness. In many instances, the process of control self-assessment can be a learning opportunity for the group and can lead to the taking of immediate action by management to address the identified areas of concern.

In terms of the conduct of an audit, control self-assessment can be a very efficient and helpful process during the planning phase of the audit by identifying potential control weaknesses. The auditor cannot rely upon the self-assessment alone but must always conduct sufficient testing to provide assurance as to whether a control is working as intended or not.

6.2.2 Risk Self Assessment

Risk self-assessment is similar to control self-assessment in terms of the process but may often be focused on having peer groups or knowledgeable stakeholders identify the risks associated with one or a group of programs, activities, or initiatives. For example, senior management may participate in risk self-assessment to identify the key risks facing the organization while a group of regional program officers may come together to identify the risks associated with a new program initiative.

Risk self-assessment is frequently employed when a new program or initiative is required to prepare a Risk-Based Audit Framework for submission to Treasury Board.

In terms of the conduct of an audit, risk self-assessment can be a valuable tool to identify potential risks but the auditor must be satisfied that the process has been as complete and independent as possible. The auditor must ensure that all potential risks have been identified and evaluated. The auditor cannot abdicate that responsibility.

6.3 Methods of Documenting Audit Evidence – Working Papers

Working papers are the supporting documentation for the entire audit – they are the repository for the accumulated audit evidence. Working papers provide a complete audit trail and demonstrate, in detail, how the engagement was performed. They contain the evidence to support the report and any related products, such as management letters that are frequently used to report matters outside of the scope of the audit or of less significance. More specifically, working papers provide a demonstrable link between reports issued and the work performed, and support the findings, conclusions and recommendations. Working papers can also be used to:

  • Justify and provide proof of work carried out
  • Help auditors respond to questions about coverage or results
  • Facilitate supervisory quality assurance reviews and
  • Provide supporting evidence when external auditors or other reviewers want to rely on the results.

A completed set of working papers is normally prepared in the form of either paper or computer files; however, the set may be later stored in the form of tapes, diskettes, films or other media. The organization, design and content of a set of internal audit working papers will depend on the nature of the audit; however, the set should document all aspects of the audit process, including all meetings and discussions with the auditee, and should be consistently and efficiently prepared to facilitate review and control.

A completed set of working papers should be neat and uniform in size and appearance and include:

  • An index to contents
  • A legend of symbols and abbreviations used
  • A statement of the purpose of the working papers
  • Evidence of the application of the audit program
  • The results of the audit, e.g. debriefings, reports, action plans

Within the set of working papers, each page should include a descriptive heading (e.g. Interview Summary, Test Result, Document Examined), the auditor's name or initials and dates of preparation, appropriate cross-references and evidence of supervisory review and comments.

  • Each audit working paper file should have an indexing system to assist future users to easily consult the information it contains. Although there is no set format for the indexing system, common practice is an alphanumeric system whereby alpha identifies the section within the working paper file and numeric identifies the items within a section.
  • As previously noted, working papers should be properly cross-referenced. Cross-references should stand out clearly and provide direct and prompt access to information so that a reviewer can trace conclusions back to the original audit tests and the evidence gathered and vice versa. Cross-referencing of documents should follow the system established for the working paper file index. The extent of cross-referencing required may vary depending on the engagement; good practice indicates, however, that, at a minimum, the following items should be cross-referenced:
      • Specific items in the audit report to the pertinent audit observation worksheet
      • Audit observation worksheets to the supporting evidence
      • Evidence that relates to other evidence and
      • Audit program steps to the supporting evidence.

All audit working papers should be reviewed to ensure that all information contained is relevant and supports the report and that all necessary auditing procedures have been performed. Evidence of supervisory review (i.e. review of the working papers by at least one more senior member of AES) should consist of the reviewer's initialling and dating each working paper after it has been reviewed.

Working papers are formal records belonging to INAC and their retention follows INAC's records retention policy. Appendix P provides a Checklist for Reviewing Audit Observations Worksheets and Supporting Evidence and Appendix O provides a specific Checklist for Reviewing Working Papers.

6.3.1 Access to Information and Privacy Acts

The Access to Information and Privacy Acts (ATIP) apply to all internal audit reports, records, working papers, and files. As a consequence, care has to be taken by the AES to ensure that protected information is not inadvertently disclosed.

All members of AES have to be aware of the possibility that their work products, including working papers, e-mail and any other documentation, may be subject to an access to information request.

In AES, formal requests for access to internal auditing related information are channeled through the CAEE to the Director who is responsible, in consultation with the AES ATIP coordinator and Departmental ATIP specialists, to ensure that a timely response is provided and that protected information is not inadvertently disclosed.

7.0 Quality Assurance and Improvement

Standards

IIA Standard 1300 – Quality Assurance and Improvement Program - The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

IIA Standard 1310 – Quality Program Assessments - The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

IIA Standard 1311 – Internal Assessments – Internal assessments should include:

  • Ongoing reviews of the performance of the internal audit activity; and
  • Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

IIA Standard 1312 – External Assessments – External assessments should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

IIA Standard 2340 – Engagement Supervision - Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

7.1 Quality Assurance

An effective quality assurance and continuous improvement program helps internal audit groups achieve quality internal audits that effectively and consistently result in a value-added product for senior management.

The first and most important level of quality assurance is the due professional care exercised by the internal auditor and the supervisory review conducted of the internal auditor's work throughout all phases of the engagement by more senior members of the internal audit group. The supervisory review must encompass the planning, conduct, and reporting phases. To support these reviews, a number of checklists, referenced throughout this guide at the appropriate step for their use, are provided in the appendices.

For example, the management review certificate in Appendix D is to be employed by the Partner of a firm to which an entire audit engagement has been contracted, or by the Director, Audit and Assurance Services, in the case of AES-led engagements, to provide assurance that there has been adequate supervision and management at all points in the engagement.

The second level of quality assurance in the Audit and Assurance Services Branch is an independent internal review to assess the quality and adequacy of the work performed, in accordance with TBS, IIA and department or agency policies and standards. These reviews comprise an examination of the working papers and the resultant audit report by a professional member of the Audit and Assurance Services Branch who has not participated in conducting the audit. These quality assurance reviews are performed either prior to reports being finalized or at any time after they have been finalized and are based upon the use of standardized questionnaires and checklists.

The purpose of these quality assurance reviews is twofold, i.e. to ensure performance of work in accordance with professional standards and to identify opportunities for improvement. From time to time, internal quality assurance reviews may be expanded to include other elements of the functioning of the Audit and Assurance Services Branch, e.g. annual risk-based audit planning.

Queries and deficiencies identified during the quality assurance review process are documented, and an action plan is developed to address significant deficiencies.

A report is provided to the Director, Audit and Assurance Services, at the completion of each quality assurance review. The report indicates the degree of compliance with standards and the level of audit effectiveness (i.e. whether the audit objectives were met) and provides recommendations for improvement. Appendix R provides a Checklist for Quality Assurance Review and Appendix S provides a Quality Assurance Review Observation Worksheet.

The third level of quality assurance is intended to comply with the IIA requirement that internal audit groups undergo a formal comprehensive review of effectiveness and compliance with relevant standards every five years. The external quality assurance review addresses all aspects of the work of the internal audit group and is performed by qualified external reviewers who are independent of the internal audit group being reviewed. The IIA has developed a number of standard tools and work instruments, such as questionnaires to gauge senior management perspectives, that can be employed in the external review process.

The IIA also permits a variation on the external quality assurance review that allows for internal review with external validation. As implied, the internal audit group can undertake its own review and have it recognized as meeting the standard, subject to validation by an external reviewer.



Appendices

TB IA Policy  

A – The Internal Audit Charter

Indian and Northern Affairs Canada

Internal Audit Charter

1. Purpose and Application

1.1  The purpose of this document is to establish the mandate of Indian and Northern Affairs Canada's (INAC) internal audit function and to assign the responsibilities and identify the standards according to which it will be implemented.

1.2  This Charter is effective as of the date of signature.

2. Role

2.1 In accordance with the Treasury Board Policy on Internal Audit, the role of the Departmental internal audit function, in conjunction with the Audit and Evaluation Committee, is to ensure that the Deputy Minister of Indian and Northern Affairs, and the Comptroller General, are provided with added assurance, independent from line management, on the department's risk management, control and accountability processes.

2.2 The internal audit function fulfills this role by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the department's risk management, control, and governance processes.

3. Scope of Work

The scope of work of the internal audit function is to determine whether INAC's network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

  • Risks are appropriately identified and managed
  • Significant financial, managerial, and operating information is accurate, reliable, and timely
  • Activities and actions are in compliance with policies, standards, procedures, and applicable laws and regulations
  • Resources are acquired economically, used efficiently, and adequately protected
  • Programs, plans, and objectives are achieved
  • Quality and continuous improvement are fostered in the department's control processes and
  • Significant legislative or regulatory issues impacting the department are recognized and addressed properly.

When opportunities for improving management control, governance, or resource stewardship are identified during audits, they will be communicated to the appropriate level of management.

4. Accountabilities

4.1 The Deputy Minister is responsible for:

  • establishing an internal audit function that is appropriately resourced and that operates in accordance with the Treasury Board Policy on Internal Audit and its related directives
  • establishing an independent audit committee and ensuring that it receives all the information needed to fulfill its responsibilities
  • appointing a qualified Chief Audit and Evaluation Executive, reporting to the Deputy Minister, to lead and direct the internal audit function, independent from departmental management and operations
  • approving a departmental internal audit plan that addresses all areas of higher risk and significance
  • putting in place effective procedures to ensure systematic review of control and accountability processes
  • taking into account the results of internal audits conducted by the Comptroller General
  • ensuring that management action plans are prepared that adequately address the recommendations and findings arising from internal audits, and that action plans have been effectively implemented
  • ensuring that completed audit reports are issued in a timely manner and made accessible to the public with minimal formality and posted on the INAC website in a timely manner, in both official languages and
  • ensuring that the Minister of Indian Affairs is briefed periodically on significant items arising from the work of internal audit and the Audit and Evaluation Committee.

4.2 The INAC Audit and Evaluation Committee is responsible for:

  • ensuring, in accordance with the INAC Audit and Evaluation Committee Terms of Reference, that the Deputy Minister has independent, objective advice, guidance and assurance on the adequacy of INAC's risk management, control and accountability processes and
  • preparing an annual report to the Deputy Minister on their activities, including an assessment of the internal audit function.

4.3 The Chief Audit and Evaluation Executive is responsible for:

  • establishing appropriate policies and procedures to guide the internal audit function
  • establishing risk-based audit plans to set out the priorities of the internal audit function
  • coordinating internal audit plans and activities with other internal and external providers of assurance activities
  • communicating the internal audit plan of engagements and the related resource requirements (including the impact of resource limitations) to the Deputy Minister and the Audit and Evaluation Committee
  • ensuring that internal audit resources are appropriate (i.e. professional qualifications and skills), sufficient and effectively deployed to achieve the approved plan
  • ensuring the timely completion of and reporting on individual internal audit engagements in accordance with professional standards
  • supporting and conducting horizontal and sectoral audits requested by the Office of the Comptroller General and any internal audits requested by other central agencies, Cabinet or Parliament
  • being the point of contact with the Office of the Comptroller General, the Office of the Auditor General, the Commissioner for the Environment and Sustainable Development, the Public Service Commission, and other agencies involved in conducting audits that include INAC
  • reporting periodically to the Audit and Evaluation Committee on whether management's action plans have been implemented and whether the actions taken have been effective
  • maintaining a quality assurance and improvement program that covers all aspects of the internal audit function
  • reporting annually to the Audit and Evaluation Committee on the internal audit function's conformance with professional internal auditing standards
  • providing annually a holistic opinion to the Deputy Minister and the Audit and Evaluation Committee on the effectiveness and adequacy of INAC's risk management, control, and governance processes
  • maintaining unfettered access to the Audit and Evaluation Committee and to the Committee Vice-Chair and
  • informing the Comptroller General without delay, but after discussion with the Deputy Minister, of any issue of risk, control or management practice that may be of significance to the government or require Treasury Board Secretariat's involvement.

4.4 INAC Management (including Associate and Assistant Deputy Ministers, Regional and Headquarters Directors General, Directors, and Managers) is responsible for:

  • ensuring the adequacy and effectiveness of risk management, control and governance processes
  • providing full and timely support and cooperation to the staff of the internal audit function in carrying out their approved engagements and
  • preparing and implementing corrective action plans with respect to approved audit recommendations.

4.5 The Comptroller General of Canada is responsible for directing horizontal audits and for focused, sustained functional leadership of internal audit across government in order to build and develop capacity, ensure adequate levels of professionally qualified resources, and ensure adherence to professional standards and rigorous methodology in the delivery of internal audits.

5. Authority

5.1 The internal audit function, as led by the Chief Audit and Evaluation Executive and implemented by the Audit and Assurance Services Branch, has access to all departmental records, databases, workplaces and employees and has the right to obtain information and explanations from departmental employees and contractors, subject to applicable legislation. Access to certain confidential personnel records is to be limited exclusively to such information as may be required in the conduct of a particular audit.

5.2 The staff performing the internal audit function must be independent of and objective towards the activities that they review. They do not have any direct authority over the activities of INAC managers or staff.

5.3 The internal audit staff will perform audits with the proficiency and due care expected of reasonably prudent and competent audit professionals.

6. Standards

6.1 The internal audit function will be conducted in accordance with the Internal Auditing Standards for the Government of Canada, the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Audit, and the INAC Internal Audit Manual. In the event of conflict with the International Standards for the Professional Practice of Internal Audit, the Internal Auditing Standards for the Government of Canada will prevail.

___________________________________
Deputy Minister

___________________________________
Date

B – Audit and Evaluation Committee Terms of Reference

Audit and Evaluation Committee
Terms of Reference

1. ROLE

In order to maintain accountability (including responsibilities under the government's policies on Internal Audit and Program Evaluation), the Deputy Minister, through the Audit and Evaluation Committee at Indian and Northern Affairs Canada, involves senior management and external members in planning and establishing audit, evaluation and review priorities; examining the results of audit and evaluation studies and reviews, including assessment of related actions taken; and promoting effective management and performance monitoring of departmental programs, services and operations.

2. AUTHORITY

The Audit and Evaluation Committee has authority to:

  • address issues and initiatives relating to the review, audit, evaluation and performance measurement of departmental programs, services, policies and management systems;
  • enquire into the management of any or all of the department's human, financial, physical or data resources, subject to statutory confidentiality requirements;
  • satisfy itself as to the existence of and satisfactory performance and use of systems for establishing managerial accountability, management plans, financial and operational processes, performance monitoring approaches and information systems;
  • evaluate and review departmental programs, policies, services and management systems to determine their effectiveness in meeting departmental and government objectives and the efficiency and economy with which they are being administered; and
  • approve evaluation and audit plans, and management action plans intended to address audit and evaluation recommendations

3. COMPOSITION

The committee is chaired by the Deputy Minister. Other members are:

  • two Associate Deputy Ministers;
  • two Senior Assistant Deputy Ministers;
  • two designated independent members, with at least one more designated in future;
  • the Chief Audit and Evaluation Executive acts as the Secretary to the AEC;
  • the Chief Financial Officer and the Senior General Counsel of Legal Services serve as ex-officio members

4. SPECIAL ATTENDANCE AT MEETINGS

In addition to members of the committee, the following may be invited to attend:

  • functional specialists from organizations such as the Human Resources Branch and sector Assistant Deputy Ministers for agenda items where their expertise or reporting may be required and where they may be required to report on their management action plans or follow-up to audits, evaluations or reviews.

5. FREQUENCY OF MEETINGS

Normally, the committee will meet four times per year, in March, June, September and December.

6. RESULTS STATEMENTS

The committee will assist the Deputy Minister to fulfil his management responsibilities by:

  • ensuring that the Deputy Minister is able to discharge his responsibilities to the government and to Parliament for the administrative performance of the department. This result includes the establishment of an adequate assessment framework for evaluating risks to and the effectiveness of programs, policies, services and management systems in achieving departmental objectives;
  • ensuring the accountability of managers for the effective control and good management of public resources. The focus of the Audit and Evaluation Committee is to identify problems and ensure that sectors effectively resolve them;
  • encouraging and recommending improved management practices and controls, including performance measurement approaches, and sharing best practices;
  • improving communications among senior management, the internal audit and program evaluation functions, the Auditor General and the central agencies;
  • monitoring and reporting on the implementation of recommendations resulting from audit and evaluation studies and their subsequent impacts on the department. The committee looks to management for action plans that address opportunities for improvement.

7. RESPONSIBILITIES

The Audit and Evaluation Committee is responsible for:

  • approving annual and multi-year audit and evaluation plans;
  • monitoring progress against the annual and multi-year audit and evaluation plans;
  • providing advice on the objectives identified in specific audit or evaluation terms of reference when the Chief Audit and Evaluation Executive deems such guidance to be appropriate to better serve the needs of senior management;
  • approving internal audit and evaluation reports and the management action plans developed to address the recommendations made in these reports, including reviews, reports and studies undertaken by sectors and branches themselves;
  • directing the communication of broad corporate themes and issues arising from audits, evaluation activities and reviews to Indian and Northern Affairs Canada senior management for their attention and corrective action to ensure effective management; and
  • reviewing and commenting on the plans and reports of external agencies (including the Auditor General and the Treasury Board Secretariat) and any proposed actions to be taken by Indian and Northern Affairs Canada.

All internal audit and evaluation project reports shall be presented for final approval to the Audit and Evaluation Committee by the Chief Audit and Evaluation Executive or the Directors. The management action plans shall be presented by the sector Assistant Deputy Minister. In those instances where the Audit and Evaluation Sector did not manage the evaluation, an assessment of the conclusions and recommendations will be presented by the Chief Audit and Evaluation Executive. The committee is responsible for approving and recommending any changes or making suggestions concerning proposed management actions.

Once the reports and the management action plans are approved by the committee, and consistent with Treasury Board Policy, all completed Audit and Evaluation Sector reports will be made accessible to the public within 90 days.

Following final approval, the committee is responsible for reviewing the progress made by the department in implementing recommendations for change arising from audits, evaluations and reviews.

8. LINKAGE TO THE SENIOR EXECUTIVE COMMITTEE

As appropriate and for information purposes, the Audit and Evaluation Committee may direct that presentations be made to the Senior Executive Committee with respect to audit and evaluation findings of a department-wide nature.

Presented for approval to the June 15, 2007 meeting of the newly constituted Audit and Evaluation Committee.

_____________________
Secretary
Chief Audit and Evaluation Executive

C – Glossary of Terms

Accountability
The obligation to answer for a responsibility that has been conferred. It presumes the existence of at least two parties: one who allocates responsibility and one who accepts it with the undertaking to report upon the manner in which it has been discharged. (Manual on Value-for-Money Audit, Office of the Auditor General. Ottawa, December 2003.)
Add value
Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services. (IIA International Standards for the Professional Practice of Internal Auditing. Altamonte Springs, Florida, December 2003.)
Adequacy
The quality or state of being adequate (i.e. sufficient for a specific requirement). (Webster's New Collegiate Dictionary. Thomas Allen and Son Ltd. Toronto, Ontario, 1977.)
Assurance services
An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements. (IIA International Standards for the Professional Practice of Internal Auditing)
Board
A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non profit organization, or any other designated body of the organization, including the audit committee, to whom the chief audit executive may functionally report. (IIA International Standards for the Professional Practice of Internal Auditing)
Chief Audit Executive
Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. (IIA International Standards for the Professional Practice of Internal Auditing)
Compliance
Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements. (IIA International Standards for the Professional Practice of Internal Auditing)
Consulting services
Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training. (IIA International Standards for the Professional Practice of Internal Auditing)
Control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. (IIA International Standards for the Professional Practice of Internal Auditing)
Control environment
The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
  • Integrity and Ethical Values
  • Management's philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
  • Competence of personnel.
(IIA International Standards for the Professional Practice of Internal Auditing)
Control processes
The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. (IIA International Standards for the Professional Practice of Internal Auditing)
Economy
Thrifty and efficient use of material resources: frugality in expenditures. (Webster's New Collegiate Dictionary)
Effectiveness
Production of a decided, decisive or desired effect. (Webster's New Collegiate Dictionary)
Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-Assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives. (IIA International Standards for the Professional Practice of Internal Auditing)
Engagement objectives
Broad statements developed by internal auditors that define intended engagement accomplishments. (IIA International Standards for the Professional Practice of Internal Auditing)
Engagement work program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan. (IIA International Standards for the Professional Practice of Internal Auditing)
Evidence
Something that is intended to prove or to provide support for some belief. (Dictionary definition from Sawyer, Internal Audit Techniques and Practices, p. 139)
Finding
In auditing, it is used to describe the result of comparison between a criterion and an actual situation, control or circumstance to which this criterion was applied. (Manual on Value-for-Money Audit)
Governance
The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives. (IIA International Standards for the Professional Practice of Internal Auditing)
Independence
The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels. (IIA International Standards for the Professional Practice of Internal Auditing)
Internal audit activity
A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (IIA International Standards for the Professional Practice of Internal Auditing)
Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. (IIA International Standards for the Professional Practice of Internal Auditing)
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (IIA International Standards for the Professional Practice of Internal Auditing)
Risk management
A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization's objectives. (IIA International Standards for the Professional Practice of Internal Auditing)


D – Management Review Certificate

Engagement name: ________________________________________________

________________________________________________

Based on my review of the draft audit report, the working papers, and other relevant documentation, I hereby certify that

  1. I regularly monitored progress throughout the engagement to assess the quality of work performed, to challenge emerging observations, and to ensure that the work carried out was appropriate and in accordance with professional standards;
  2. the working papers have been reviewed, that they are logically organized and appropriately indexed, and that they adequately reflect the work performed;
  3. observations and findings are well supported and material and that appropriate conclusions have been drawn;
  4. the audit team possessed sufficient knowledge of the subject matter being audited and completed the engagement with due professional care;
  5. the report is in compliance with TBS and Audit and Evaluation Sector internal policies and standards;
  6. the auditee has been debriefed at the appropriate stages within the process;
  7. the engagement has been performed in accordance with the audit objectives and the engagement plan (and any approved amendments); and
  8. throughout the course of the engagement, I have directed matters to the attention of the head of the internal audit group that, in my opinion, are of special importance.

Date: _______________________
Title:________________________
Name:_______________________   Signature:____________________

E – Annual Audit Plan Preparation Checklist

Desired Qualities
  • The annual audit plan is prepared and available for approval prior to the start of the fiscal year in which it will be implemented.
  • An updated audit universe/multi-year plan is desirable to demonstrate, in conjunction with the annual plan, sufficient internal audit coverage of all significant auditable units.
  • The annual plan demonstrates that the planned work is consistent with government and department or agency goals and priorities and is based upon an assessment of risk.
  • The plan clearly describes how the basic requirement of the Policy on Internal Audit is to be met (i.e. sufficient and timely assurance services provided on risk management, control and governance).
  • The annual plan describes the planning process undertaken and the extent of consultation with senior management.
  • The annual plan identifies and schedules (an indication of the activity by quarter of the fiscal year is usually sufficient) the engagements to be undertaken by the internal audit group during the period of the plan.
  • The expected outcomes for assurance engagements are clearly identified and, where possible, the criteria to be employed in reaching conclusions or opinions should be referenced.
  • The annual plan notionally allocates resources to engagements.
  • The annual plan allocates resources to ensure that there is a systematic monitoring and effective implementation of management action plans arising from earlier audit activities.
  • The annual plan includes summaries of the resources required to implement the plan and demonstrates how shortfalls in resources may affect the implementation of the plan.
  • The annual plan identifies known work of the Office of the Auditor General and other central agencies with review mandates and places it in the context of the internal audit effort.
  • The annual plan, or covering document, references the audit committee's approval and describes the circumstances under which any significant changes to the plan may be made and the levels of approval required.
  • Senior management is fully aware of the approved audit plan.
  • The approved annual plan and any subsequent significant changes are submitted to the TBS, in accordance with the Policy on Internal Audit.

F – Template for an Auditable Unit Profile

Background: The auditable unit and its structure, its goals, its products or services, its environment, and its stakeholders.

Objectives: The auditable unit's expected accomplishments or contributions.

Activities: The principal tasks that the auditable unit performs or administers to accomplish its objectives.

Outputs: The products, goods, or services that are produced or directly controlled by the auditable unit and distributed inside and outside the department.

Expected Results: The intended accomplishments or longer term outcomes of the auditable unit, expressed in quantitative or qualitative terms.

Resources: The authorized operating, capital, transfer payment and salary dollars devoted to the auditable unit.

Systems: The major system(s) used by the auditable unit in support of its key inputs, processes, and outputs.

Previous audits or reviews: The summarized results, including follow-up action taken, of any previous internal audits or reviews conducted on the auditable unit.

Major Changes: The significant changes, made in prior years or anticipated, that have affected, or may affect, the auditable unit.

Other Factors: The constraints or other considerations that may have an influence on the outputs of the auditable unit or on the way it operates.

Risk ranking: The results of the internal audit activity's assessment of the auditable unit's risks.

G – Template for Documenting Engagement Risk Assessment

Audit entity objectives: The key objectives of the audit entity, including those that may not be specifically stated but address the entity's obligations to account for results achieved and for the efficient and effective use of resources.

Key risks: The events or circumstances that could significantly prevent the audit entity from achieving each objective.

Effect: Each risk is evaluated as to whether the effect on achievement of objectives would be low, medium, or high should it occur.

Likelihood: Each risk is evaluated as to whether the likelihood that it will occur is low, medium, or high.

Risk exposure: The audit will normally focus on the risks with a combined effect and likelihood assessment in the medium or high exposure range.

Summary of key control considerations: From the engagement planning, the known control processes associated with the risks with a medium or high exposure are documented. A preliminary assessment or opinion may be provided as to whether or not the control appears to adequately mitigate the risk. This assessment will guide the extent of testing to be undertaken. (A reference to the documentation supporting the identification and assessment may be included.)

Inclusion in audit: An indication as to whether or not the risk should (and can) be addressed in the objectives and scope of the audit.

Engagement objectives and scope: Considering the audit entity objectives, the identified medium to high risks, and the availability of resources, the recommended audit objectives and scope.

H – Checklist for Reviewing Audit Objectives and Criteria Statements

Considerations re: Objectives Statements

  1. Does the audit objective address one or more key generic audit areas, e.g. risk, control, information for decision making? If not, is an important area of coverage being neglected?
  2. Does the objective clearly address at least one high-risk area or issue identified during engagement planning?
  3. Are any high-risk areas or issues not addressed by an audit objective?
  4. Does each audit objective clearly describe what is to be accomplished by the engagement, e.g. a conclusion or opinion with respect to assurance?

Considerations re: Audit Criteria Statements

  1. Are the criteria relevant, i.e. appropriate to the audit entity, and are they from a clearly reliable source (e.g. an industry association or an approved management control framework) or are they generally accepted, i.e. would reasonable people say that they suit the subject matter to be audited?
  2. Are the criteria consistent with those used for similar audits?
  3. Are the criteria reliable? (Would they result in the same conclusions or opinions when used by different auditors in the same circumstances?)
  4. Are the criteria neutral? (Are they free from any bias that could lead to misinterpretation?)
  5. Are the criteria complete? (Does the set of criteria cover all significant aspects required to reach a clear opinion or conclusion on the audit objective?)
  6. Will the criteria lead to findings and conclusions that directly address the related audit objective?
  7. Are all the criteria related to an audit objective necessary? (Are there too many? Is there overlap or duplication?)
  8. Can audit evidence be reasonably (e.g. practical, cost-effective) gathered in support of each criterion?
  9. Has the auditee accepted the criteria?

I – Template for an Audit Engagement Plan

Background: An overview of the audit entity, including its main goals, objectives, and desired results and their linkage to the department or agency; its size (e.g. number of employees, budget); its structure and delivery or service points (e.g. local or regional offices); recent or pending changes of significance; and significant issues.

Auditee concerns: Management's issues or concerns raised during planning.

Risk assessment: A brief description of the risk assessment process used to determine the objectives and scope of the audit. If a risk assessment process was not used, the rationale for not doing so should be explained, e.g. special request audit.

Audit objectives: The statements developed by the internal auditor to define intended engagement accomplishments, e.g. a conclusion or opinion with respect to assurance.

Audit criteria: For each audit objective, the standards of performance and control against which the audit entity and its activities will be assessed.

Scope: A rationale for, and description of, the issues, programs, activities, transactions, or systems to be examined and a rationale for related activities excluded from examination. The period of time represented by the activities to be examined, e.g. transactions between April 1 and September 30.

Audit methodology: A general description of the audit work (nature and extent) that will be undertaken to gather and analyze sufficient, appropriate audit evidence. Reference may be made to the detailed audit program.

Time frames and reporting: The reporting process and target dates for completing work, e.g. oral debriefings, distribution and review of reports, audit committee tabling.

Budget and resource requirements: The anticipated staff and funding requirements to complete the work, e.g. travel, training, contracts.

Audit entity contact persons: The key audit entity contacts and their responsibilities with respect to the audit.

Audit responsibilities: To ensure team members have a clear understanding of expectations, the responsibilities of each internal audit group member.

Signature blocks: The required approval(s) by the senior member(s) of the internal audit group.



J – Template for Presenting an Audit Program

Engagement name:

1.0 Objective: The audit objective that is being addressed in this section of the program should be reprinted verbatim from the audit engagement plan.

| Criterion | Sub-Criteria | Approach | Results | W/P Reference |
|---|---|---|---|---|
| 1. | 1.1, 1.2, 1.3, etc. | 1.1.1, 1.1.2, 1.1.3, etc.; 1.2.1, 1.2.2, 1.2.3, etc.; 1.3.1, 1.3.2, 1.3.3, etc. | 1.1.1, etc.; 1.2.1, etc.; 1.3.1, etc. | |
| 2. | 2.1, 2.2, 2.3, etc. | 2.1.1, 2.1.2, 2.1.3, etc. | 2.1.1, etc. | |
| 3. | 3.1, 3.2, 3.3, etc. | 3.1.1, 3.1.2, 3.1.3, etc. | 3.1.1, etc. | |

Criterion: The first criterion related to the objective would be reprinted verbatim in this column.

Sub-Criteria: If a further breakdown of a criterion is useful to guide the audit approach, each element would be identified, e.g. if transactions are to be processed efficiently and effectively, there may be different audit tests designed to assess efficiency and effectiveness.

Approach: The approach, e.g. interview, testing of a sample of transactions, documentation review, that will be used to produce meaningful audit evidence with respect to the first (and each subsequent) criterion (or sub-criterion) would be described here in sufficient detail for any reasonably informed internal auditor to apply.

Results: The results of the approach could be summarized here, once known.

W/P Reference: Reference to the evidence generated as a result of the approach would be included here, once obtained.

K – Checklist for Reviewing an Audit Program

Considerations
  • Is it clear which audit objective and which related criteria each section of the audit program is intended to address?
  • Does the audit program cover all the audit objectives and all the criteria related to each audit objective?
  • Is the nature of evidence to be sought clear and appropriate for the expected audit accomplishments, e.g. to provide an assurance opinion or conclusion?
  • Is the evidence to be sought available?
  • Have the methods to be used to gather, analyze, and evaluate the evidence been clearly identified and are they appropriate, e.g. cost-effective, relevant, to generate sufficient reliable evidence?
  • Can the methods be completed in the allocated time frames, and is there sufficient flexibility built in to allow for unexpected opportunities or issues?
  • Does the internal audit group have the capability to gather, analyze, and evaluate the evidence sought?
  • Can the evidence to be gathered support coming to conclusions on other criteria, either related to the same objective or to another objective?

L – Engagement Planning Checklist

| Audit Planning Step | Date Completed | W/P Ref. |
|---|---|---|
| The project is assigned to a lead internal auditor within the internal audit group. | | |
| The auditee is notified in writing that the engagement has commenced. | | |
| An initial meeting is held with the auditee to explain the initial audit objectives and scope as well as the process to be followed during the engagement. | | |
| A sound understanding of the audit entity is developed, including its objectives and their linkage to those of the department or agency and any significant pending changes. | | |
| An assessment of the audit entity's risks is conducted to focus further planning work into areas of potentially higher relative risk. | | |
| A study or limited testing of controls in higher risk areas is completed. | | |
| Engagement objectives are formulated based upon the results of the risk assessment and the study or limited testing of controls. | | |
| Criteria suitable for drawing conclusions with respect to the objectives are established. | | |
| An engagement plan, including time and resource requirement estimates, is approved at the appropriate level. | | |
| The auditee understands the engagement plan. | | |
| An audit program is developed to document the procedures for identifying, generating, analyzing, evaluating, and recording information during the engagement. | | |

M – Sample Audit Observation Worksheet

Audit name:
Audit objective:
Activity or function examined:
Audit criterion:
Audit observation:
Supporting evidence:
Cause:
Effect:
Potential recommendations:
Management comments:
Prepared by:
Date:
Approved by:
Date:

N – Checklist for Conducting the Engagement

| Audit Step | Date Completed |
|---|---|
| The auditee is provided with a copy of the approved plan for the engagement before the fieldwork is begun. | |
| An initial meeting is conducted at the commencement of fieldwork. | |
| The audit program is completed. | |
| The evidence gathered is consistent with the objectives and criteria and meets professional standards. | |
| Findings are developed and recorded on audit observation worksheets. | |
| Working papers are prepared and retained to support findings. | |
| The auditee is debriefed on observations as they develop and is provided an opportunity to comment on the observations and to provide input on recommendations. | |


O – Checklist for Reviewing Audit Reports

The Substance of the Report

The body of the report:

  • Sufficient background information on the audit entity is provided to understand the context and significance of the audit report.
  • The audit objectives and the related criteria used to arrive at observations and conclusions are stated.
  • The audit scope states what was and was not included in the examination and specifies the period of time represented by the activities examined.
  • The timing of the audit, the methodology employed, and the professional standards followed are described. If appropriate, disclosure is made if any parts of the engagement were affected by non-compliance with professional standards.
  • Detailed audit observations relate to the stated objectives and criteria and logically support overall opinions and conclusions.
  • Each observation contains a statement of the condition (the situation supported by audit evidence), the criterion, the cause, the effect, and a recommendation.
  • Convincing or persuasive evidence is presented in support of each audit observation.
  • The impact of negative observations is quantified where possible but otherwise presented in a compelling argument, including an analysis of potential risks.
  • Recommendations flow logically from observations and causes, are specific and cost-effective, and are directed to specific positions or individuals with the authority to act upon them.
  • A conclusion, or a statement of inability to conclude, is provided for each audit objective and is supported by convincing evidence and analysis.
  • As appropriate, a statement of assurance is provided.
  • Positive observations and conclusions are provided where warranted.
  • Appendices included in the report add value in understanding the engagement results.

The executive summary:

  • The executive summary provides a brief overview of the audit entity, reiterates the audit purpose, objective, and scope, references the audit criteria and methodology, and repeats the opinions or conclusions with respect to each objective and with respect to the overall engagement, if provided.
  • The statement of assurance is referenced or reiterated, as appropriate.

The Style of the Report

  • The table of contents establishes the layout and structure of the report and correctly represents headings and page numbers in the body of the report.
  • Headings and text styles (e.g. italics, boldface, font size) are used effectively and consistently to draw the reader's attention, e.g. topic or lead sentences, highlighted recommendations.
  • Charts and other exhibits are referenced in the report and appropriately labelled.
  • Paragraph and sentence structure support understanding, e.g. single topic or issue, concise, logical.
  • Initialisms and acronyms are explained or defined upon their first use.
  • Language usage and terminology are appropriate to the intended audience(s), e.g. the active voice is used and jargon and overly technical terminology are avoided or clearly explained.
  • A balanced tone is maintained.
  • Grammar and spelling are correct.
  • Appendices are presented in a uniform format and are referenced in the body of the report.
  • Overall, the report is clear and concise - the important findings, recommendations, and conclusions are evident.

P – Checklist for Reviewing Audit Observation Worksheets and Supporting Evidence

Key Considerations: Audit Observation Worksheets

  • Is the observation clear, i.e. does it provide sufficient information in a logical order to encourage positive management reaction?
  • Does the observation clearly address a criterion (and its related objective) of the engagement?
  • Is the cause of the problem or situation clearly defined?
  • Is the impact or significance (effect) of the situation clear, and does it justify remedial action?
  • If the recommendation were implemented, would the situation causing the observation be resolved?
  • Is the recommendation within the auditee's capacity or capability to implement?
  • Can the recommendation be implemented cost-effectively?
  • Is the individual (or position) to whom the recommendation is addressed clear, and does the individual have the necessary authority to implement it?

Key Considerations: Evidence

  • Is the evidence supportive of the observation, and is it sufficient to lead to an opinion or conclusion on assurance?
  • Are observation sheets cross-referenced appropriately to the supporting evidence, e.g. cause-effect analysis, impact analysis?
  • Does the cross-referenced documentation demonstrate that the internal auditor has identified, analyzed, and evaluated sufficient information to achieve the engagement objectives, e.g. every program step has been completed or reasons for omission are clearly documented and appropriately approved?
  • Is it evident that management has been orally debriefed on the observation and has had the opportunity to be involved in developing the recommendation?

Q – Checklist for Reviewing Working Papers

| Key Considerations: Mechanics | W/P Reference | Review Notes |
|---|---|---|
| Does the file contain a table of contents? | | |
| Are the working papers arranged in a logical fashion? | | |
| Is the file indexed consistently and appropriately? | | |
| Do all working papers include proper heading and reference numbers, dates prepared, preparer's initials, and an indication of supervisory review? | | |
| Do the working papers contain any extraneous or unnecessary pages or documentation? | | |
| Is the draft copy of the audit report cross-referenced to the applicable audit observation worksheets? | | |

| Key Considerations: Content | W/P Reference | Review Notes |
|---|---|---|
| Does the file contain all information required as per any internal audit group standard working paper index? | | |
| Does the file contain copies of the audit programs and evidence that they were executed completely? | | |
| Are key management interviews documented? | | |
| Are the subsequent analysis of the results of carrying out the audit programs and the development of observations and conclusions clearly documented? | | |
| Are discussions with supervisory staff or management on the initial observations adequately documented? | | |
| Is the disposition of all of the audit observations and the logic behind those dispositions clearly documented? | | |
| Have all ongoing and final review notes been addressed? | | |

R – Checklist for Quality Assurance Review

Engagement name: ___________________________________

  • The planning process undertaken is well documented in the working papers, e.g. initial audit objectives and scope specified as per annual plan, background program information researched, formal notification provided to auditee, interview notes recorded, risk assessments completed, and resource requirements and scheduling estimated and approved.
  • Final audit objectives and scope are clearly stated and supported by the planning undertaken, e.g. consistent with the key risks identified and the audit criteria are appropriate for the achievement of objectives.
  • Understanding of the plan for the engagement by the auditee is documented. (If necessary, approval by the audit committee is also recorded.)
  • The audit program is appropriate to achievement of the objectives and is approved by an appropriate senior level in the internal audit group.
  • The working papers demonstrate that the audit program has been completed as intended (or as modified with appropriate approval) and comprise information collected and analyses undertaken on all matters related to the audit objectives and the scope of the work.
  • Observations and conclusions are based on evidence that is contained in the working papers and that is appropriate (e.g. sufficient, reliable, and relevant).
  • Conclusions and recommendations are discussed at appropriate levels of auditee management before issuance of the draft report.
  • The draft report includes the audit objectives, scope, criteria, methodology, and results of the engagement, including findings, conclusions, and recommendations for improvement.
  • The findings documented in the draft report are cross-referenced to the supporting documentation in the working papers and provide relevant analysis and explanation of the exposure to risks for any significant problems.
  • Conclusions are consistent with the objectives defined in the plan for the engagement and with the detailed findings. An appropriate statement of assurance is provided.
  • The draft report is objective, balanced, clear, concise, constructive, and timely.
  • Management responses and action plans address the recommendations.
  • Significant issues raised in the report, particularly where there is disagreement, are discussed with appropriate senior officials.
  • There is evidence of appropriate supervisory review while the engagement is being conducted and of management review before closing the file, e.g. completion of a management review certificate.

S – Checklist for Reviewing an Audit Program

Engagement name: ____________________

The following observations have been raised during the quality assurance review of the engagement. Please review the observations and provide an appropriate response, or explanation, in the space provided and return to the undersigned.

| W/P Ref. | Observation | Response | Cleared/Signed off |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |

Quality Assurance Reviewer: __________________________

Date: _______________

1. IIA The Professional Practices Framework, Glossary, July 2007

2. The IIA Standards