D.1 Practice Review and Internal Audit’s Operating Policy

Organization

  1. The Chief Audit Executive reports functionally to the Audit Committee and administratively to the Auditor General, thereby ensuring the degree of independence essential to the effectiveness of Practice Review and Internal Audit (PRIA). PRIA directors report to the Chief Audit Executive (CAE) and staff members report to their respective director, unless indicated otherwise. The PRIA staff shall normally be located at the head office of the Office of the Auditor General of Canada (Office); however, individual auditors or groups of auditors may be located at other regional offices.

PRIA Personnel

  1. The team will be primarily staffed with Office audit employees on a rotational basis as required. PRIA team members’ departures should be staggered so that there is continuity within the team. Staff members may consist of individuals recruited externally, if deemed necessary. PRIA members must have the necessary knowledge, skills, and core competencies to complete the assigned work. Persons having a special expertise may on occasion be obtained on a loan basis from other functions within the organization to assist on a project basis.

  2. In some cases, to address independence issues, PRIA personnel may be assisted by senior auditors (normally at the PX and DX levels) or external agents who have sufficient and appropriate experience and influence and who are independent of the engagement under review or area under audit. PRIA team members, including the Chief Audit Executive, shall complete and sign a PRIA report on independence for each review or audit they are involved in.

PRIA Objectives and Responsibilities

  1. PRIA is responsible for reviewing management’s processes and controls over compliance with the Values and Ethics Code for the Public Sector, the Office’s Code of Values, Ethics and Professional Conduct, the System of Quality Control, Treasury Board policies, and the Institute of Internal Auditors (IIA) standards to ensure they are adequately designed and operating effectively. This will be carried out by a combination of planned compliance audits especially designed to review and test processes related to specific laws or regulations, and by including review and testing of compliance with applicable laws and regulations in the scope of operational, financial, consulting, and other audits. Compliance with applicable standards, policies, laws, and regulations should be given consideration in all practice reviews and internal audits.

  2. PRIA is concerned with any phase of Office activities in which it can be of service to management, the Audit Committee, and the Auditor General. Therefore, it shall

    1. review and appraise the adequacy, soundness, and application of accounting, financial, management reporting, and other operating controls, and make recommendations for improved practices and techniques where appropriate;

    2. determine that policies and procedures are being interpreted properly and carried out as established, and are adequate and effective, and make recommendations for revision where changes in operating conditions have made them cumbersome, redundant, obsolete, or inadequate;

    3. determine the reliability, effectiveness, and efficiency of procedures designed to ensure that the Office is compliant with applicable standards, laws, and regulations;

    4. determine whether appropriate procedures exist within operations for self-assessment and continuous improvements;

    5. determine whether Office audits, reports, and other Office products are in conformance with practice review criteria;

    6. develop, maintain, and monitor a quality assurance and improvement program that covers all aspects of PRIA; and

    7. develop the guidance and tools to carry out reviews and audits.

  3. In carrying out these objectives, PRIA’s work should be performed with proficiency (Standard 1210) and due professional care (Standard 1220).

  4. Proficiency – “Internal auditors should possess the knowledge, skills, and competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and competencies needed to perform its responsibilities” (Standard 1210).

    1. “The chief audit executive should obtain competent advice and assistance if the individual internal audit staff lacks the knowledge, skills, or competencies needed to perform all or part of an engagement” (Standard 1210.A1).

    2. “The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud” (Standard 1210.A2).

    3. “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing” (Standard 1210.A3).

    4. “The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement” (Standard 1210.C1).

  5. Due Professional Care – “Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility” (Standard 1220).

    1. “The internal auditor should exercise due professional care by considering the:

      1. Extent of work needed to achieve the engagement objectives.

      2. Relative complexity, materiality, or significance of matters to which assurance procedures are applied.

      3. Adequacy and effectiveness of risk management, control, and governance processes.

      4. Probability of significant errors, irregularities, or noncompliance.

      5. Cost of assurance in relation to potential benefits” (Standard 1220.A1).

    2. “In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques” (Standard 1220.A2).

    3. “The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified” (Standard 1220.A3).

    4. “Internal auditors must exercise due professional care during a consulting engagement by considering the:

      1. Needs and expectations of clients, including the nature, timing, and communication of engagement results.

      2. Relative complexity and extent of work needed to achieve the engagement's objectives.

      3. Cost of the consulting engagement in relation to potential benefits” (Standard 1220.C1).

  6. Continuing Professional Development – “Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development” (Standard 1230).

  7. All activities of PRIA shall be carefully planned by the Chief Audit Executive and internal auditors, in consultation with the Auditor General, to ensure consistency with the PRIA charter and procedures, and with the goals of the Office.

Criteria

  1. Individual practice reviews

    1. Criteria used in the practice reviews are based on selected aspects of the System of Quality Control (SoQC) and professional standards.

    2. Little or no discussion is required with management on the acceptance of criteria.

    3. Practice review programs are prepared for each type of engagement and updated annually for new standards and Office policies and procedures as necessary. The Chief Audit Executive, after consultation with the Audit Services Group, will review the programs, which will be made available to the Office staff.

  2. Internal audits and practice-wide practice reviews

    1. Internal audits shall have suitable criteria against which PRIA will assess evidence, in order to develop observations and draw conclusions with respect to the objectives, related to the Office’s governance, risk management and internal control practices. Internal auditors shall disclose the sources of criteria in audit reports.

    2. Criteria are shared, discussed with, and agreed to by the responsible assistant auditor general (AAG) and the manager at the beginning of the internal audit.

    3. When practice-wide practice reviews are conducted, criteria are similarly selected from professional standards, selected elements of the SoQC, or best practices. Criteria will be discussed with the AAGs of the practice, the AAG of the Audit Services Group, and others as deemed necessary by the CAE.

  3. Process of conducting practice reviews and internal audits

    1. File management

      1. Internal audits and practice reviews will be documented in TeamMate.

      2. Consulting files will be documented in Proxi.

    2. Individual practice reviews
      PRIA staff will notify engagement leaders of their selection for practice review at the beginning of the cycle. All audits must be closed prior to PRIA notification. Normally, a practice review will be carried out over a six-week period, from when the launch meeting is held to when the draft report to the engagement leader is completed. The process is as follows:

      1. A sample of engagement leaders and their audit files is drawn each year to determine which practice reviews will be performed. The number of reviews is based on Office methodology to ensure that each engagement leader is reviewed at least once every four years. As well, the number of reviews is in line with the PRIA Multi-year Plan. For more information on the sampling of engagement leaders, see PROxI document #757748 — Revised approach to Practitioner Selection for Practice Reviews.

      2. As they receive notification of a practice review, teams are expected to provide prompt access to all audit files (electronic and paper), usually within one week of the notification.

      3. File review is usually conducted by the responsible PRIA director within a reasonable timeframe (usually over a two-week period).

      4. Ongoing discussion between the practice reviewers and the team being reviewed should occur throughout the practice review process, so the reviewed engagement leader is aware of the matters to be discussed at the final debriefing. The CAE should be aware of and agree with the disposition of the observations made by the practice reviewers.

      5. After completing the review, the reviewers and the CAE will verbally brief the engagement leader and the responsible AAG, if required, on the findings of the review.

      6. A draft report to the engagement leader is usually issued within two weeks of the verbal briefing.

      7. The reviewed engagement leader is expected to provide comments on the factual accuracy of the findings (if any) and to prepare responses to recommendations (if any) within five working days of receiving the draft report to the engagement leader.

      8. The reviewer aims to obtain the agreement of the engagement leader on any findings. When this is not possible, any disagreements should be documented in the report.

      9. In exceptional cases, where the results of the review indicate that an engagement report may be inappropriate or that significant procedures were omitted during the performance of the engagement, the CAE is responsible for determining the further action needed to comply with professional standards and regulatory and legal requirements. The Audit Services Group and the AAGs responsible for the practice may be consulted to determine the best course of action. The engagement leader is accountable for ensuring these actions are taken. The Auditor General will be informed and consulted as needed.

      10. The final report to the engagement leader will be distributed to the engagement leader and the Assistant Auditor General. This report will be signed off by the engagement leader, the CAE, and the practice reviewer.

      11. Once all the practice reviews are completed, PRIA will draft a summary report per product line. At this point, the process follows what is indicated below for internal audit, starting at item 5 in the section “Internal audit and practice-wide practice reviews”.

    3. Internal audit and practice-wide practice reviews

      1. Depending on the scope of the internal audit and the practice-wide practice reviews, and availability of reviewers, the period during which the work is conducted may vary. The estimated period is communicated to management and is subject to PRIA review at the beginning of the audit/review.

      2. As management receives notification of an audit/review, they are expected to provide prompt access to all documentation (electronic and paper), usually within one week of the notification.

      3. Staffing is done on a case-by-case basis.

      4. When the field work is complete, the responsible AAG and manager will be verbally briefed by the Chief Audit Executive on the findings.

      5. A draft report is issued after a discussion on finding blocks of the internal audit. It is PRIA’s policy to reach agreement with management under review or audit concerning the correctness of the facts surrounding the audit findings prior to distribution of the final report. Where appropriate, recommendations and management responses will be included in the report. Wherever possible, internal audit staff should work with management to seek the best improvement solution.

      6. Draft management responses and comments are provided by the responsible manager and AAG or by the Office’s delegates in charge of providing comments on behalf of management (for example, the AAGs of the practice, the AAG of the Audit Services Group, or another individual appointed by the parties subject to internal audit or practice review). Usually, these responses and comments are provided to PRIA within two weeks of the draft report being issued.

      7. If there are recommendations, management will prepare a detailed action plan addressing those. This action plan will be provided to the Audit Committee with the final report and be updated on a regular basis.

      8. The reviewer aims to obtain the agreement of the engagement leader on any findings. When this is not possible, any disagreements should be documented in the report.

      9. The final report is provided within two weeks of management responses and comments being received. It is then presented at the next Audit Committee meeting for review and its recommendation to the Auditor General for his approval. Management will be present at the Audit Committee meeting to discuss the report. The Executive Committee will receive the approved report for information purposes only, before it is posted on the Internet and INTRAnet in both official languages.

  4. It is the policy of PRIA to conduct internal audits in a constructive manner. Whenever possible, the assistance of division personnel will be solicited in the planning and performance of the assignment and the development of improvement actions. A spirit of collaborative teamwork between the auditor and those audited will be adhered to. This attitude shall not alter the fact that internal auditing personnel have full access to all records, personnel, properties, and any other sources of information needed in the performance of an audit. When necessary, special arrangements will be made for the examination of confidential or classified information.

  5. Prior to the start of each audit, management will be advised concerning the tentative time schedule and general scope of the audit via the Internal Audit Plan Summary document. A confirming memo, prepared by PRIA, shall be sent to appropriate management for signature, who in turn are responsible for conveying the audit schedule to persons affected.

  6. The Audit Committee oversees the work of both the internal and external auditors. Given that the Office and PRIA are small organizations, there is no regular reliance on the work of internal audit by the external auditor. However, the CAE will be present at the Audit Committee meetings when the external auditor presents the audit plan, updates, and audit results. Accordingly, the CAE will be informed by the external auditor of any control issues, which may include significant control weaknesses, errors and irregularities, illegal acts, management judgments and accounting estimates, significant audit arrangements, disagreements with management, or difficulties encountered in performing audits.

  7. If required, coordination of internal audit activities with the external auditor would involve checking and working with each other to ensure that (1) optimum audit coverage is obtained, (2) there is an exchange of information, (3) there is a minimum duplication of effort and expense, and (4) there is cost-effective reliance on the work of the internal auditors.

  8. Internal audit work product sharing is subject to the chief audit executive’s authorization. Internal or external audit work product sharing is carefully performed to ensure proper safeguarding, confidentiality, and interpretation of audit results. Supplemental discussion is conducted as needed. The chief audit executive receives copies of all external audit management letters in order to use them in the annual audit plan risk analysis input and as a preliminary survey reference item.

  9. From time to time, members of the internal audit staff may, upon request, be assigned to work directly for other Office departments on special projects that are in no way connected with internal audit. This may be done to provide needed expertise to the other area or to gain experience for the internal auditor. During such assignments, the auditor will report to the requesting organization concerning the work assignment; however, in other administrative matters, the auditor will look to the chief audit executive for direction.

  10. After completion of the special assignment, the internal auditor will be ineligible to take part in any audit in the area of the assignment for a period of two years in order to prevent any actual or perceived impedance of objectivity.

  11. Periodically, PRIA asks management about the actions it has taken on previous outstanding PRIA recommendations.

    1. For internal audit follow-ups. Prior to an Audit Committee meeting, the responsible manager is expected to update the management action plan. Those responding on behalf of management are expected to consult on the development and acceptance of the management responses as required. PRIA may assess the progress made by management on the recommendations and the status on the action plan. The CAE will provide a status report on management actions in response to PRIA’s internal audit recommendations to the Audit Committee for information.

    2. For external audit follow-ups. For matters reported by the external auditors, operating management will prepare an action plan, which will be presented to the Audit Committee. The CAE will assess progress made by the Office in addressing these items.

    3. For practice review follow-ups. Prior to an Audit Committee meeting, the AAG of Audit Services Group, or the AAGs responsible for the practice, are responsible for providing a status report on the recommendations and actions taken. PRIA may assess the progress made on the recommendations. The CAE will provide a status report on management actions in response to PRIA’s internal audit recommendations

  12. Once operating management has asserted that corrective action is complete, PRIA will validate the design and operating effectiveness. If effective, they will recommend to the Audit Committee that the matter may be closed. The Auditor General will approve the recommendations for closure.

Last modified: 2018-03-01