D.2 Practice Review and Internal Audit’s Operating Principles

  1. To ensure the Practice Review and Internal Audit (PRIA) activity meets its goal of effectively serving the Office of the Auditor General of Canada (Office), we follow a number of basic operating principles or core concepts.

  2. These operating principles are:

    1. Office Objectives Focus
    2. Value-added Internal Auditing
    3. Risk-based Allocation of Internal Audit Resources
    4. Individual Professionalism
    5. Management's Responsibility for Control
    6. Forward Emphasis
    7. Objectivity
    8. Independence
    9. Confidentiality
    10. Reasonable Error Level
    11. Free Flow of Communication
    12. Continual Staff Development
    13. Completed Staff Work

  3. Understanding these principles is essential for the success of both the individual auditor and the Office. All employees should make it their objective to learn these principles so well that they become "second nature." They should be considered in the planning and execution of every task and assignment.

A. Office Objectives Focus

  1. Practice Review and Internal Audit’s common goal is to provide independent and objective assurance services in order to help the Office attain its objectives. Continual focus on the Office’s strategy and objectives will help to ensure they are closely reflected in internal audit objectives, both at the annual planning stage and in the planning and execution of individual audits. This in turn will enhance the meaningfulness and value of PRIA observations and recommendations for improvement, and increase the stature of the PRIA activity.

B. Value-added Practice Review and Internal Auditing

  1. Value-added auditing seeks to provide management with value‑added services by reporting on activities as well as showing through analytical assessments where improvements can be made. Each individual auditor contributes something different, but all contribute toward a common goal. Their efforts must all pull in the same direction, and their contribution must fit together to produce a whole—without gaps, without friction, and without duplication of effort.

  2. PRIA’s goal is to assist management at all levels in the attainment of their objectives through the control of the operations and assets for which they are responsible. This is done by providing management with evaluations on the adequacy and effectiveness of internal controls over operations, accounting, and administrative functions. The PRIA activity is always to be conducted using the highest standards of business ethics, integrity, and honest dealings in all areas and functions within the Office and with all outside parties.

  3. With the objective of meeting auditing's common goal as stated in the previous paragraph, PRIA develops a comprehensive audit schedule each year, which is submitted to and approved by the Audit Committee and the Auditor General via the multi-year plan.

  4. When internal auditors are assigned to an audit, their challenge is to work with the Chief Audit Executive (CAE) to develop a set of audit objectives that contribute to internal auditing's common goal. Each audit has been allocated a certain amount of time. It is the responsibility of the internal auditors to work with the CAE to develop a plan to best utilize that time to achieve the set of agreed audit objectives.

  5. If the auditors have adequately developed the set of audit objectives and plan, then they and the audit management group will be in agreement regarding

    1. the purpose and objectives of the audit or assignment,
    2. what is to be accomplished,
    3. the areas of audit concentration,
    4. the special points of management concern,
    5. the audit risk areas,
    6. number of audit days to be expended in this audit or assignment,
    7. when the audit report is scheduled for issuance, and
    8. what means will be used to measure the individual auditor's effectiveness in accomplishing the agreed objectives.

C. Risk-based Allocation of Internal Audit Resources

  1. The International Standards for the Professional Practice of Internal Auditing (Standards) state, "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goal." It is important for internal auditors to remember that the Office responsibility for the economical and efficient use of resources also applies to the internal auditors themselves.

  2. Internal auditing manpower is a limited resource and, as such, it is critical that such resource be allocated and utilized in a fashion that results in the greatest benefit to the Office. In order to effectively allocate auditing manpower over all Office assets and operations, PRIA uses an audit risk evaluation approach.

  3. Note: In an organization utilizing an enterprise risk management (ERM) process, the results of this process will be the starting point for internal audit to determine audit risk. (The ERM process will also be part of the internal audit universe.)

  4. Audit risk is deemed principally to be actual or potential expenditures or usage of labour, materials, and other resources, and the custodianship of Office assets. Determination and quantification of such audit risk is made by the PRIA team. This allocation is based on the judgment and past experience of internal audit management.

  5. A budget for each audit is established. Each internal audit director is then faced with the challenge of using those audit days allocated to their audits in the most economic and efficient manner. It is not productive to spend a significant amount of internal audit resources in areas of lower audit risk and lower probability of loss. The economic and efficient use of our internal audit resources dictates that internal auditors should put their emphasis in areas of higher risk and higher probability of loss. In summary: Focus on the important areas and pass by the trivia.

D. Individual Professionalism

  1. Modern internal auditing, with its demands for intelligence, creativity, technical competence, and the ability to deal with people at all levels of the Office, sets high standards for its practitioners. These standards should never be compromised. Therefore, it is far better to be understaffed than to have unprofessional internal auditors who can tear down in one assignment what took years for PRIA to build.

  2. Certain qualities of character are needed to meet the demands made by modern internal auditing. Such qualities include adaptability, understanding, and determination, among others.

  3. Adaptability is needed to cope with the diversity of internal auditing assignments. This includes the ability to accommodate the ever‑changing environment that internal auditors meet in their varied assignments. It also includes the facility to readily absorb the jargon used by the activity being audited, together with the ability to translate what is learned into plain language. The ability to react quickly to new problems, new product lines, new management viewpoints, and new Office objectives is all a part of this quality of adaptability.

  4. Because internal auditors are constantly dealing with people, understanding is needed. This is the ability to grasp what makes the audit customer react favourably or with hostility and the empathy that enables the internal auditor to comprehend audit customer problems. This quality includes the sensitivity to what frustrates audit customers, as well as the perception of how they feel about their jobs, their managers, and the Office. It is also the tact that enables the internal auditor to ask productive questions without raising the hackles of the person being questioned. In performing our responsibilities, we must maintain respect for both the audit customer and other fellow internal auditors. Every attempt should be made to avoid suspicion or accusation in the audit customer's view and to treat all members of the audit customer's department with respect as fellow Office employees.

  5. Determination is needed to deal with difficult problems and to venture into new areas. The resistance to pressures that could sway internal auditors from their goals and the willingness to work as hard and as long as is necessary to establish the facts and to document them so that they will be supportable to management is an important aspect of determination.

  6. The knowledge that audit recommendations are based on facts, and that the facts are placed in their proper perspective, is a key trait of professionalism.

  7. The objective evaluation of the materiality of audit findings with no personal ends to achieve, as well as a reputation for being absolutely trustworthy and completely responsible, cap the characteristics of professionalism.

  8. Internal auditors must have the ability to communicate, both orally and in writing. A strong, positive attitude toward our profession that sells both the auditor and the audit, and the imagination and initiative that find new ways of attacking old problems, contribute to communication. Remember at all times that the internal audit activity is always to be conducted using the highest standards of business ethics, integrity, and honest dealings in all areas and functions within the Office and with all outside parties. In sum, the internal audit activity is to be conducted in a manner consistent with the Standards.

E. Management’s Responsibility for Controls

  1. Internal auditors shall, to the maximum extent possible, have no authority over, or responsibility for, any of the activities audited, and shall not perform accounting or other operational functions outside the Office, which might require a subsequent audit. Therefore, PRIA neither seeks nor accepts responsibility for line or day‑to‑day processing functions. It does not wish to place itself in the position of auditing its own performance. Internal auditing efforts are most effective when they are able to objectively and impartially review, analyze, and interpret information, conditions, procedures, organization, and controls. Objectivity and impartiality are weakened when a staff function assumes direct line responsibility.

  2. The Office’s policy is that the primary responsibility for compliance with prescribed policies and procedures and for identification of needed changes in controls rests with the managers who supervise their daily operations. As a part of its responsibilities for the exercise of control, management requires the maintenance of financial and operating records that fairly reflect the assets, liabilities, and operations of the Office.

  3. A significant aspect of the system of management control is the accounting function. In the Office, the chief financial officer and comptroller have primary responsibility for the design and operation of the overall system for collecting and reporting financial control information. However, the use of this information for administration and operations is the primary responsibility of all levels of management.

  4. Therefore, controls are primarily the responsibility of management. They are charged with the job of devising, establishing, implementing, and assuring the adequacy, effectiveness, and efficiency of controls. Controls should not be implemented simply on an auditor's recommendation. In situations where this is stated as the justification for a control, indications are that the responsible managers have not been effectively convinced that these controls are for their benefit. Controls are instituted to help all levels of management execute their responsibilities in the most effective and efficient manner. The related procedures are nothing more than attempts to make management policy routine. PRIA’s responsibilities are to

    1. review the adequacy and effectiveness of management’s processes for risk management, control, and governance;
    2. review, appraise, test, and evaluate the extent of compliance with established controls and procedures;
    3. determine adequacy, effectiveness, and efficiency of controls and performance of employees responsible for implementing the controls;
    4. share knowledge regarding controls, weaknesses, and problems resulting from audits, research, or ideas;
    5. advise management on the meaning, importance, methodology, techniques, and kinds of controls;
    6. recommend when and where controls are needed and evaluate the risk involved in not having them;
    7. determine that proper risk-based controls exist in all phases of the Office’s activities and that they are effectively administered and implemented; and
    8. help management understand that they are primarily responsible for controls and not to depend on internal auditing for all control ideas and recommendations.

F. Forward Emphasis

  1. In appraising and testing internal controls conceived and implemented by management, auditing is more concerned with future implications than with the historical record. It is only through placing FORWARD EMPHASIS on findings that PRIA can be effective in assisting and improving the future performance of the Office.

  2. It is necessary, therefore, for auditors to interpret their findings with this theory in mind. It is imperative that auditing does not present an attitude of judgment. When auditors present the number of times items were wrong or did not comply with existing procedure, it is done only as a basis for interpreting recommendations for improvement of future performance. Errors are merely examples of an underlying condition. Internal auditors are more interested in correcting the problem and improving the process than focusing on the specific errors.

G. Objectivity and Independence

  1. In view of the nature of internal auditing's role as an independent appraisal activity that functions as a service to management, internal auditors continually strive to be as objective as possible in carrying out responsibilities, and base findings and recommendations on facts rather than impressions.

  2. For all engagements that PRIA performs, PRIA employees shall adhere to

    1. the IIA's Code of Ethics;
    2. the Office’s Code of Values, Ethics and Professional Conduct; and
    3. the rules of professional conduct and/or code of ethics applicable to the employee by virtue of his or her personal professional standing or membership in a professional body in Canada.

  3. Internal auditors must be particularly careful to maintain their independence given that they are auditing an organization that they work for. They shall promptly communicate identified threats and breaches of relevant ethical requirements to the Chief Audit Executive for resolution.

H. Confidentiality

  1. The very nature of PRIA, the relationship established between auditor and audit customer, and the type of information frequently provided or uncovered make it IMPERATIVE that PRIA continually consider the confidentiality of such information and sources and limit dissemination to a "need‑to‑know" basis. One indiscretion can compromise PRIA's credibility and undermine its overall effectiveness.

I. Reasonable Error Level

  1. Any normal public organization system is not error free. Therefore, a certain level of error may be expected. Only when the error level becomes unreasonably high, develops a trend toward significant increase, has a material risk, or has a material financial effect, should internal auditors consider the errors a critical matter and induce management to devote more of their resources to error detection and prevention. Very low error levels could indicate an excessive investment in control and represent an opportunity for process improvement.

Free Flow of Communications

  1. In light of the frequently unstructured, dynamic, and demanding assignments performed by the staff, a team relationship is essential to overall effectiveness. Establishment and maintenance of this team relationship calls for a free flow of both formal and informal communications upward and downward as well as between members of the internal auditing staff.

J. Continual Staff Development

  1. While individual development is essentially self‑developing, the process is sped up by

    1. creating an environment in which it thrives;
    2. offering sufficient challenge, demand, variety, and participation to maintain interest at the highest possible level;
    3. providing for quick results in terms of productivity and effectiveness on the job;
    4. requiring a professional approach to the performance of responsibilities;
    5. promoting high performance standards, competitive spirit, and pride in the Office; and
    6. encouraging participation in development activities both inside and outside the Office.

K. Completed Staff Work

  1. When a project has been assigned, internal auditors must do the job on their own initiative, putting themselves in the position of responsibility and turning over a complete package that facilitates maximum management action with a minimum input of effort on the part of the in‑charge auditor and audit manager.

  2. The operating principle of completed staff work requires that every person within PRIA perform every task in the above method. This represents the most effective use of staff while rapidly developing their capability to carry out ever-increasing responsibilities. For the operating principle of completed staff work to function effectively, the following must be carefully observed:

    1. Know what is wanted or needed (PURPOSE, OBJECTIVE, and SCOPE).
    2. Tackle the assignment as a whole and accept responsibility for the whole assignment.
    3. Coordinate plans with all concerned.
    4. Keep the Chief Audit Executive informed.
    5. Present a finished package so that the Chief Audit Executive need only approve it to be completed.

  3. The final test of completed staff work is this: If you were the supervisor, would you be willing to sign the work you prepared and stake your professional reputation on it being correct? If the answer is no, the task is not complete.

Last modified: 2018-03-01