G.1 Communication Policy on the Issuance of PRIA Reports

  1. This policy sets out the Practice Review and Internal Audit (PRIA) reporting obligation to management, the Audit Committee and the Auditor General, as well as its philosophy and practices aimed at ensuring high-quality PRIA reports. PRIA reports (except individual practice review reports) are reviewed by the Audit Committee and recommended to the Auditor General for approval.

  2. Practice Review and Internal Audit prepares a multi-year plan, internal audit reports, practice review reports (individual and summary) and administrative reports on performance. PRIA will ensure ongoing communication with concerned parties throughout the process. The standard for management responses will be five working days depending on the complexity and type of report.

  3. Reports that are approved by the Auditor General will be published in both official languages on the Internet and INTRAnet. The Chief Audit Executive (CAE) will inform all employees of the Office of the Auditor General of Canada (Office) about the publication of these reports via corporate email. Various information sessions will be offered to employees by PRIA to discuss observations and recommendations. PRIA will continue to work with the practice leaders and the assistant auditor general (AAG) of the Audit Services to discuss any implications of the reports on the design and implementation of the System of Quality Control (SoQC) matters and related training needs.

PRIA Multi-year Plan

  1. In consultation with the Auditor General, PRIA develops a multi-year plan that is consistent with the Office’s objectives and is based on a risk assessment that considers the input of senior Office management and the Audit Committee. PRIA discusses the proposed plan with the Auditor General, senior management, and the Audit Committee before receiving final approval from the Auditor General.

  2. The CAE shall report periodically on PRIA’s purpose, authority, responsibility, and performance relative to its multi-year plan (the Plan). Reporting should also include significant risk exposures the Office is facing and control issues, items related to management’s process of risk management, control and governance, management’s progress in addressing the issues, any areas where management has accepted a level of residual risk that may be unacceptable to the Office, scheduled and potential audits to be performed during the next fiscal year, and other matters needed or requested by the committee. Among other things, the Plan includes:

    1. internal audit activity goals and objectives;

    2. scheduled practice reviews and internal audits for the upcoming fiscal years;

    3. summary of previously planned practice reviews and internal audits, and a list of those outstanding;

    4. summary of completed audits and the significant results;

    5. risk assessments and changes in risk profiles;

    6. summary of internal and external resources required; and

    7. Audit Committee and management’s input and/or requests.

Internal Audit Reports

  1. Internal audits focus on management processes and administrative services within the Office. PRIA provides assurance to the Auditor General on whether the processes and services are appropriately designed and operating effectively. It also provides the Auditor General with assurance about the extent key risk areas within the Office are being adequately managed.

  2. The internal audits reports follow the Institute of Internal Auditors (IIA) Standards that include

    1. background of the audit;

    2. the audit plan which includes the objectives, scope (including any scope limitations), criteria, approach, covered period, and names of the audit team;

    3. summary of significant results of the engagement and deficiencies disclosed;

    4. an acknowledgement of satisfactory performance;

    5. an overall opinion and the reasons for an unfavorable overall opinion;

    6. recommendations for improving governance, risk management and/or internal controls;

    7. management’s response (improvement actions and timeline).

    8. The use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing" will be used when supported by the results of the Quality Assurance and Improvement Program.

  3. The Chief Audit Executive will communicate the results of the internal audit engagement to the appropriate parties.

  4. Management has the option to

    1. agree with the observation and recommendation, and propose a date for the implementation of the improvement action;

    2. agree with the observation, but propose an alternative solution;

    3. agree with the observation, but choose not to act and to accept the related risk, stating reasons; or

    4. disagree with the observation stating reasons. As a result of our quality control process and detailed discussions with all levels of management, this should be a rare occurrence.

  5. Practice Review and Internal Audit will work actively with management in supporting and advising them on the formulation of their responses to ensure they fully address the recommendation, indicate adequate and timely improvement action, and take credit for actions already in place. Management must also prepare a formal action plan based on the PRIA template.

Practice Review and Practice-wide Reports

  1. Practice review focuses on the Office’s audit products. It provides assurance to the Auditor General that the Office is in compliance with Office policies and professional standards. Practice review is also required by the Chartered Professional Accountants of Canada (CPA).

  2. Individual practice reviews

    1. Individual practice review findings are addressed to the engagement leaders and are also shared with the responsible AAG if any significant observation(s) is/are raised. Engagement leaders are encouraged to share the results of the review with their audit team.

    2. Significant observations of non-conformance from individual practice reviews are communicated to the Auditor General and the Assistant Auditor Generals responsible for the audit practices, in addition to practice-wide and methodological observations and recommendations. The Assistant Auditor Generals responsible for the audit practices, are to consider the impact, if any, on the Engagement Leader’s annual performance evaluation.

    3. The reporting of findings is confidential and, therefore, does not identify the specific engagement leaders concerned. In exceptional cases, the Auditor General may request additional details.

  3. Practice-wide practice review

    1. A practice-wide practice review can be conducted to address a particular risk. The review can be conducted including the individual practice reviews already scheduled and/or an additional sample may be taken. Files selected from the additional sample will only be reviewed for that particular risk.

    2. The timing and nature of the additional sample practice reviews will dictate the reporting approach; i.e. separate report or integrated into the summary report.

  4. Summary annual report of practice review findings by product line

    1. For each type of assurance engagement (attest and direct report), a summary annual report is prepared that focuses on matters that are significant from a practice-wide or methodological perspective. Reviews of engagements help determine whether the Office’s system of quality control is operating effectively and is appropriately designed. In this respect, the preparation of an annual summary report on those activities is useful for objectively identifying shortcomings and improvements required, and identifying suitable corrective measures.

    2. The summary annual report of practice review findings by product line is based on a compilation of information from all practice reviews completed in that cycle. The reports contain:

      1. Practice review objective, scope, and approach

      2. Rating system

      3. Compliance with the System of Quality Control

      4. Description of the review procedures performed

      5. Results of the reviews

      6. Recommendations

      7. Management’s response to recommendation(s)

    3. The relevant practice leader is advised of practice-wide observations and the AAG of Audit Services is advised of methodological observations through the annual summary report and verbal briefings as necessary to provide timely feedback.

    4. When recommendations are included, the summary report is responded to by the appropriate practice leader or the AAG of Audit Services, who are usually given five working days to provide management responses. Those responding on behalf of management are expected to consult on the development and acceptance of the management responses, as required. When recommendations are not directed to a practice leader, the CAE may request their feedback within five working days.

Follow-up on recommendations

  1. PRIA provides assurance to the Auditor General and to the Audit Committee on management’s progress on implementing the outstanding recommendations issued by PRIA on practice reviews and internal audits, or by an independent public accountant. When the reported findings have not been corrected, they are reported until the issues are resolved. PRIA can obtain this assurance through confirming the status of the formal action plan with management or by completing a follow up audit. The follow-up audit report would include the following:

    1. Internal audit objective, scope, and approach (of the original audit)

    2. Status and assessment of management’s improvement actions

    3. Summary of the completed and outstanding recommendations

    4. Overall opinion

    5. Management’s response

Errors and Omissions

  1. If a final communication contains a significant error or omission, the Chief Audit Executive will communicate corrected information to all parties who received the original communication.

Disclosure of non-conformance

  1. Nonconformance with the IIA’s Code of Ethic and Standards that has had an impact on an engagement will be disclosed by the CAE and include the following information:

    1. Principle(s) or rule(s) of conduct of the Code of Ethics or the Standard(s) with which full conformance was not achieved.

    2. Reason(s) for non-conformance.

    3. Impact of non-conformance on the engagement and the communicated engagement results.

Administrative Information

  1. The CAE must also report to the Audit Committee and the Auditor General on the following:

Audit Costs (hours)

  1. Actual costs (hours) compared to plan

  2. Summary of internal and external audit costs

Practice Review and Internal Audit Personnel

  1. Internal audit department staffing and qualifications

  2. Training and development activities

Practice Review and Internal Audit Administration

  1. PRIA Charter review/update

  2. Quality assurance results

  3. Key performance measures

  1. The CAE will be responsible for

    1. providing the means to accumulate data needed for reports,

    2. ensuring that the PRIA reports are submitted to the Audit Committee and Auditor General in a timely manner, and

    3. reviewing periodically the contents of the reports with the Auditor General and the Audit Committee to see if the reports are meeting their needs.

Last modified:
2019-02-14