E.4 Practice Review and Internal Audit (PRIA)—Policy Ongoing Risk Assessment Process

  1. This policy outlines PRIA’s ongoing approach to monitoring, identifying and tracking risks at the Office of the Auditor General of Canada (OAG or the Office) as part of the PRIA risk assessment, and allows the PRIA team to determine the potential impact of those risks on our original work plan.

Current annual risk assessment performed by PRIA

  1. The PRIA team conducts an annual risk assessment to identify risk areas to pursue for internal audit. The risk-based audit plan is developed using the following approach:

    • PRIA develops the audit plan by identifying auditable activities, then organizing the audit universe by the Office’s core businesses (all practice and service areas) to ensure completeness. For each component identified in the audit universe, we review the risks identified using the component’s respective risk register. The Office’s corporate, practice, and service risk registers identify key risks that must be monitored and managed to ensure the Office meets its commitments and achieves its objectives. The Office framework assesses risks and assigns them to strategic, compliance, and operations categories.

    • Team members attend the service and practice leader sessions with the risk management team in order to observe, assess and seek clarification as needed.

    • PRIA classifies the risks as low or high, and considers the mitigation activities in place, by practice and service areas. Risks identified as being reported to the Office’s Executive Committee for ongoing monitoring are classified as low risk for our purposes and are excluded from further review, since management is taking action on them. We also look at all of the areas together to note similar risks identified across a variety of service areas. We consider such risks to be higher.

  2. In addition to the annual approach, PRIA monitors the changing risk environment within the OAG’s governance, risk management and control environment. PRIA will inform the Auditor General and Audit Committee members on an ongoing basis, as needed.

  3. Current PRIA involvement in committees throughout the Office:

PRIA Member                   Committee affiliation or formally scheduled risk meetings and role   Frequency
Chief Audit Executive (CAE)   Executive Committee (observer)                                       Weekly – 1 hour; monthly – full day
CAE                           Audit Committee (technical resource)                                 At least 4 times per year
CAE                           Performance Audit Management Committee                               Weekly
CAE and Directors             PX/DX Attest forum                                                   Monthly
Director, Annual Attest       Annual Audit Champion Network (observer)                             Approximately every 6 weeks
Director, Direct Engagement   Performance Audit Directors Forum                                    Monthly
Director                      Workplace Health and Safety Committee                                At least 9 per year
Director, Annual Attest       DX attest audit                                                      Every two weeks
CAE                           PX Performance Audit                                                 Bi-weekly
CAE                           PX Attest                                                            Bi-weekly
CAE                           CCOLA – Practice Review                                              Quarterly
CAE                           CAE meetings                                                         As called, but at least annually
CAE                           Performance Audit Practice Oversight Committee                       As required
CAE                           Annual Audit Oversight Committee                                     As required
CAE                           One on one with Auditor General                                      At a minimum quarterly, before the Audit Committee meeting

Ongoing risk assessment approach

  1. To address ongoing risks, the approach outlined above (see Current annual risk assessment performed by PRIA) has been modified to consider factors discussed at committee meetings or through other meetings. Presently the PRIA team meets on a weekly basis to discuss ongoing tasks, projects and the like. Each meeting lasts 1.5 hours.

  2. To better monitor risks, we recently added a recurring agenda item to allow for a risk assessment discussion.

  3. We are using the template developed for our annual risk planning exercise as a discussion starting point. Questions for consideration include:

    • Are any of the risks elevated from their previous assessment?

    • Are any new risks coming to our attention which were previously not considered?

    • Are any of the previously identified critical risks changing, or do we believe that management is taking unnecessary risks with regard to managing those risks?

  4. A positive response to any of the three main areas will initiate a new or changed risk being added to the risk factors analysis for consideration. The relative risk ranking will determine next steps.

  5. For example, the team may need to conduct additional research to determine the nature and extent of the risk, the mitigating activities in place, etc.

  6. After conducting sufficient research, if PRIA believes a serious, unmitigated or under-mitigated risk has been identified, a project may be proposed to further assess the situation. Discussion with the Auditor General and the Audit Committee members will take place. A management letter or internal audit may be the result of the discussion.

Last modified:
2018-02-22