Practice Review and Internal Audit Charter

Introduction

  1. The Practice Review and Internal Audit (PRIA) Charter defines the vision, mission, functions, core principles, authority, independence, objectivity, responsibilities, core values, and scope of work of the PRIA team. The PRIA Charter was approved by the Auditor General of Canada and the Audit Committee of the Office of the Auditor General of Canada.

Functions

  1. The PRIA team serves two separate but related functions:
    • Internal Audit. The Internal Audit function has adopted the definition of internal auditing by the Institute of Internal Auditors (IIA) to help the Office accomplish its organizational vision, mission, and strategic objectives. The Internal Audit function provides independent, objective assurance and consulting activities designed to add value and improve the Office’s operations, by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. This is done by reviewing processes for governance, risk management, and internal controls, and by providing analyses of, assessments of, recommendations for, counsel on, and pertinent comments on the activities reviewed. The Internal Audit function follows the International Professional Practices Framework issued by the IIA.
    • Practice Review. The Practice Review function helps the Office meet its obligations under the Chartered Professional Accountants of Canada’s Canadian Standard of Quality Control 1 (CSQC 1). The PRIA team helps the Office meet this obligation by providing the Auditor General with assurance that practice reviews comply with CSQC 1, Office policies, and applicable legislative and regulatory requirements, and that reports are appropriate and supported by evidence found in audit files. In its conduct of practice reviews, the PRIA team conforms to the IIA’s Attribute Standards on independence and objectivity, on proficiency and due professional care, and on the Quality Assurance and Improvement Program, as well as to the IIA’s Code of Ethics and the Core Principles of the IIA’s International Professional Practices Framework.
  1. The Treasury Board’s revised Policy on Internal Audit came into effect on 1 April 2017. The policy and the Treasury Board’s Directive on Internal Audit provide the Auditor General with the authority to deviate from specific requirements as deemed appropriate, in light of the governance arrangements and statutory mandate of the Office.

Core Principles for the Professional Practice of the Practice Review and Internal Audit Team

  1. The core principles, taken as a whole, articulate the PRIA team’s effectiveness. For the PRIA team to be considered effective, all of the following core principles should be present and operating effectively:
    1. Demonstrates integrity.
    2. Demonstrates competence and due professional care.
    3. Is objective and free from undue influence (independent).
    4. Aligns with the strategies, objectives, and risks of the organization.
    5. Is appropriately positioned within the organization and adequately resourced.
    6. Demonstrates quality and continuous improvement.
    7. Communicates effectively.
    8. Provides risk-based assurance.
    9. Is insightful, proactive, and future-focused.
    10. Promotes organizational improvement.
  1. Annually, the Chief Audit Executive (CAE) will confirm the following with the Audit Committee:
    1. The PRIA team conforms to the PRIA Charter.
    2. The CAE is independent and objective, and the associated risks and safeguards are in place specifically in relation to the Practice Review function assigned to the CAE.
  1. The PRIA team will be periodically subject to independent reviews of the quality and effectiveness of its Internal Audit function, including its compliance with the IIA’s International Standards for the Professional Practice of Internal Auditing as well as with relevant Office and Treasury Board policies, procedures, and standards. The findings of all independent reviews will be presented to the Audit Committee.

Authority

  1. The PRIA team has unrestricted access to all records, properties, functions, and personnel necessary to effectively carry out its responsibilities. All Office employees are expected to cooperate fully with PRIA staff and staff assigned to conduct their work under the direction of the PRIA team. The team also has full and independent access to the Audit Committee. All Office operations may be subject to periodic audits by the PRIA team.

Independence

  1. The PRIA team has complete independence with respect to the subject matter and teams under audit and, consequently, the scope of the PRIA team’s work is not subject to any restriction imposed by Office management. PRIA plans are submitted to the Audit Committee for review. The Auditor General approves the scope of work and coverage of the plans, taking into account the Audit Committee’s advice. The Auditor General may require the PRIA team to carry out special reviews or audits.
  1. The authority and responsibilities of the PRIA team are established by the Auditor General in consultation with the Audit Committee. The CAE reports functionally to the Audit Committee and administratively to the Auditor General. The approval of the Auditor General, in consultation with the Audit Committee, is required for the recruitment, appointment, or other actions intended to discipline or terminate the CAE’s employment. The CAE will not have any Office management or operational responsibilities that may compromise the independence and objectivity required for the position.
  1. The CAE will be available for an in-camera session with the Audit Committee, whenever needed. The CAE will also meet regularly with the Auditor General outside the Audit Committee. As well, the CAE has direct access to the Chair of the Audit Committee.
  1. The PRIA team is responsible for informing and advising the Auditor General and the Audit Committee about significant deficiencies or other substantive issues noted in the course of its activities.

Objectivity

  1. In performing its activities, the PRIA team shall have no direct responsibility or authority over any of the operations reviewed. It shall not design and install procedures, prepare records, or engage in any other activity that it would normally review and assess and that could reasonably be construed to compromise its independence and objectivity. The PRIA team holds an advisory function and, therefore, does not exercise authority over non-PRIA employees.

Responsibilities

  1. The PRIA team has the following reporting responsibilities:
    1. Provide individual audit results of significance to appropriate management on a timely basis.
    2. Provide PRIA summary reports to the Audit Committee, management, the engagement leaders, and the Auditor General using predetermined reporting criteria.
    3. Provide periodic updates to the Audit Committee on the PRIA team’s quality assurance and improvement program, including
      • the results of the CAE’s annual review and self-assessment of the PRIA team’s independence and objectivity with respect to the team’s role in conducting practice reviews; and
      • the results of the CAE’s periodic self-assessments of non-engagement activities, which include assessing whether the PRIA team conforms to the PRIA Charter, the IIA’s Code of Ethics, and all the IIA Standards.
    4. Advise the Audit Committee and Executive Committee on the progress that the Office is making in addressing previously reported matters.
    5. Submit internal audit risk assessments and internal audit plans for the Audit Committee’s input and approval.
    6. Report periodically to the Audit Committee on the Internal Audit function and its authority, responsibility, and performance relative to its plan and on its compliance with the IIA’s Code of Ethics and the IIA’s International Standards for the Professional Practice of Internal Auditing. Reporting will also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management or the Audit Committee, or both.
    7. Inform the Audit Committee of work products that do not result in a report to the Committee and of all matters of significance arising from such work.
  1. The PRIA team will periodically review the PRIA Charter and obtain the Audit Committee’s recommendation for the Auditor General’s approval.

Core Values

  1. The PRIA team follows the Values and Ethics Code for the Public Sector and the Office’s Code of Values, Ethics, and Professional Conduct. The Office’s Code is intended to be consistent with those of professional associations, and in some cases may be more specific or demanding.
  1. The Auditor General and the CAE will ensure that individuals involved in internal audits and practice reviews are sufficiently qualified and independent of the activities under examination.

Scope of Work

Internal audit

  1. The PRIA team follows the IIA’s standards in conducting internal audits. Once the PRIA team is IIA-certified, its audit reports will disclose the adherence to the IIA’s standards.
  1. The authorized scope of the PRIA team’s activities encompasses the evaluation and improvement of the design, adequacy, and effectiveness of the Office’s risk management, internal controls, and governance processes, and the quality of performance in carrying out assigned responsibilities. This can include the following core responsibilities:
    1. evaluating the design, implementation, and effectiveness of the Office’s ethics-related objectives, programs, and activities;
    2. assessing the governance related to the management of information technology in terms of supporting the Office’s strategies and objectives;
    3. reviewing and assessing the soundness of the Office’s management of risk through active, continuous support and involvement in the risk management process, such as participation in oversight committees, monitoring activities, and status reporting;
    4. evaluating the potential for the occurrence of fraud and how the organization manages fraud risk;
    5. reviewing and assessing the soundness of internal controls, and the reliability and integrity of financial, managerial, and operating data;
    6. reviewing and assessing compliance with the Office’s policies and procedures;
    7. reviewing and assessing compliance with Treasury Board policies;
    8. reviewing and assessing asset safeguards and accountability;
    9. evaluating the economy and efficiency with which resources are employed;
    10. reviewing operations or programs to assess whether they are being carried out as planned and whether results are consistent with established Office objectives; and
    11. providing advice or counsel, such as consulting services, in order to add value and improve the Office’s governance, risk management, and control processes, recognizing that management responsibility rests with the Office’s senior management.

Practice review

  1. The PRIA team will review a selection of completed audits on a cyclical basis, which will include at least one engagement by product line for each engagement leader over a four-year monitoring cycle. Engagement leaders and engagements are randomly selected or selected after a risk assessment by the CAE without prior notification to management. All audit engagements are subject to practice review, including:
    1. performance audits of departments and agencies;
    2. audits of the financial statements of the Government of Canada, of Crown corporations, of territorial governments and corporations, and of other entities, including departmental financial statements;
    3. special examinations of Crown corporations; and
    4. forensic audits.

Approved by

Karen Hogan, CPA, CA
Auditor General of Canada
Office of the Auditor General of Canada

Bruce Joyce, FCPA, FCA (Ontario)
Chair of the Audit Committee
Office of the Auditor General of Canada

Louise Bertrand, CPA, CA, CIA
Chief Audit Executive
Office of the Auditor General of Canada

Date: 26 October 2021

Last modified: 2021-12-31