F.1 Practice Review and Internal Audit Programs

  1. Although every internal audit program is developed specifically to cover risks in a particular audit, practice review has a program developed for each product line, which is updated annually.

Practice Review

  1. A review program is developed for each product line. The reviewer should begin by taking the previous year’s program and modifying it to reflect changes in the Office of the Auditor General of Canada (Office) policies, procedures, and professional standards. As well, modifications may be made to identify previously identified areas of concern.

  2. All engagement leaders selected are subject to the same review program based on their product line.

  3. Paragraphs 10 and 11, which discuss internal audit, apply conceptually to practice review as well.

Internal Audit

  1. The audit program should be prepared after the completion of the preliminary survey. It is a detailed internal audit program for the work to be performed during the audit. A well-constructed program considers the Office’s strategies, objectives, and risks relevant to the engagement and assists in completing the audit project in an efficient manner.

  2. The audit program should include the audit scope, objectives, criteria, timing and resource requirements.

  3. The scope of the internal audit engagement must be sufficient to achieve the objectives of the engagement and include consideration of relevant systems, records, personnel, and physical properties, including those under the control of a third party.

  4. The audit program is intended to guide, among other actions, tests to

    1. confirm the adequacy of the indicated design of controls,

    2. confirm the continued effectiveness of the operation of controls,

    3. evaluate the effects or potential effects of inadequately designed or missing controls in order to develop recommendations for improvement, and

    4. gather missing information needed to evaluate risks and their related controls and the overall control environment.

  5. The audit program guides the internal audit by documenting detailed audit procedures to be performed during the audit. The procedures should be designed to gather evidence upon which the internal auditor can draw conclusions or make recommendations. The procedures are steps the internal auditor needs to take to meet the audit objectives within the scope of the audit project. The program should be designed to answer the following questions, among others:

    1. What is to be done?

    2. Why is it to be done (the audit objective)?

    3. How is it to be done (including guidance on sample selection)?

    4. Where is it to be done?

    5. Who will do it?

    6. How long should it take?

    7. When is it to be complete?

  6. A well-constructed program provides

    1. a systematic plan for each phase of the work that can be communicated to all audit personnel concerned;

    2. a means of self-control for the audit staff assigned;

    3. a means by which the audit supervisor can review and compare performance with approved plans;

    4. assistance in training inexperienced staff members and acquainting them with the scope, objectives, and work steps of an audit;

    5. the basis for a summary record of work actually performed;

    6. an aid to the supervisor/manager making possible a reduction in the amount of direct supervisory effort needed; and

    7. assistance in familiarizing successive audit staff with the nature of the work previously carried out.

  7. The program consists of specific directions for carrying out the assignment. It should contain a statement of the objectives of the operation being reviewed. For each segment of the audit, the program should

    1. list the risks that must be covered in that segment;

    2. show for each risk the controls that exist or that are needed to protect against the indicated risk;

    3. show for each of the listed controls the work steps required to test the effectiveness of those controls, or set forth the recommendations that will be required to install needed controls; and

    4. once approved and included as individual steps in TeamMate, the results area will be used to document the auditor completing the audit step, reference to the related audit working papers, and brief comments.

  8. A risk and control matrix may be developed to summarize the above information.

  9. When using a prior audit program as a reference document in developing a program, adapting an audit program from another similar audit, or using a “canned” audit program, the internal auditor is cautioned to follow all the above steps in reassessing and customizing his or her program. Using the same program without diligent reconsideration risks missing changes that have occurred in the operations/controls and missing opportunities to improve the internal audit process.

  10. Internal audit and review programs must be approved by the Chief Audit Executive (CAE) prior to their implementation. Any adjustment to these programs must be approved by the CAE prior to implementation.

Last modified:
2018-02-23