E.3 PRIA’s Risk Based Annual Internal Audit Planning

A. The Office’s Integrated Risk Management Framework

  1. The Office of the Auditor General of Canada (Office) audits federal government departments and agencies, most Crown corporations, and many other federal organizations, and reports to Parliament. The Office is also the auditor for the governments of Nunavut, Yukon, and the Northwest Territories, and reports directly to their legislative assemblies. Its Practice Review and Internal Audit (PRIA) team consists of auditors who complete internal audits throughout the organization and practice reviews of engagement leaders. Based on PRIA’s risk assessment, audit activities may be outsourced or co-sourced.

  2. The Office’s Integrated Risk Management Framework encompasses a risk management policy and a risk register. PRIA considers these when developing its own risk assessment for annual internal audit planning. Practice review addresses a fundamental risk to the Office: that audits we perform are not conducted in conformance with audit standards, Office policies, and applicable legislative and regulatory requirements, or that audit reports are not supported. Practice reviews are conducted annually as a part of the PRIA team activities.

  3. The Office Risk Assessment involves a review of the significant risks that could have a detrimental impact on the successful achievement of the Office’s objectives, including its vision, goals, and strategies. Internal auditing, based on a clear understanding of this risk assessment, meets with key senior management to further discuss specific risks, controls, and monitoring responsibilities for each key risk and Office objective.

B. PRIA’s Risk Assessment

  1. The information collected and used during the integrated risk management process is then assessed and analyzed by the PRIA team and forms the basis of the annual internal audit planning process, including: meetings with management, ranking the priority of the components of their auditable inventory, and considering the risks of a similar nature that may be identified in various service areas. To assist with the prioritization, PRIA makes use of an Institute of Internal Auditors (IIA) template for its overall assessment of key risks and considers things such as:

    Risk Factors (Generic)

    • Susceptibility to fraud

    • Reputation/corporate image implications

    • Complexity of operations

    • Results of last audit or other known deficiencies

    • Change in systems, policies, or procedures

    • Level of regulatory/compliance implications

  2. PRIA also assessed whether risk management processes are effective by determining whether:

    1. The Office’s objectives support and align with the OAG’s mission and mandate

      Five-year (Office) Strategic Objectives

      • Be independent, objective, and non-partisan.

      • Report what is working, areas for improvement, and recommendations in a manner that is understandable, timely, fair, and adds value.

      • Contribute to the development and adoption of professional standards and best practices.

      • Build and maintain relationships with parliamentarians and key stakeholders.

      • Be a financially well-managed organization accountable for the use of resources entrusted to it.

      • Ensure selection and continuance of audit products likely to have significant impact and value.

      • Ensure audit products that comply with professional standards and Office policies in an economical manner.

      • Ensure effective and efficient support services.

      • Ensure effective, efficient, and accountable Office governance and management.

      • Ensure a culture of empowerment.

      • Develop and maintain a skilled, engaged, and bilingual workforce.

  3. Once the assessment is complete, it provides a risk ranking and ultimately identifies the potential areas to audit during the upcoming years. The primary focus of audit prioritization is the improvement of governance, risk management, and control processes. Governance could involve promoting ethics, ensuring effective organizational performance, and communicating risk information. Governance does not exist as a separate process but rather in relationship with risk management and internal controls.

  4. In addition, the results of the risk analyses are discussed with strategic planning, the various business owners, and the Audit Committee.

  5. It should be noted that an important part of the overall PRIA risk assessment process involves the various meetings conducted throughout the year by all levels of management, the Audit Committee, and the Auditor General. Because internal auditing is represented at many of the meetings, appropriate consideration is given to these risk discussions when developing and updating the annual internal audit plan.

Last modified:
2018-03-06