Practice Review and Internal Audit—Multi-year Plan for the 2015–16 to 2017–18 Fiscal Years
Practice Review and Internal Audit—Multi-year Plan for the 2015–16 to 2017–18 Fiscal Years
This document presents the Practice Review and Internal Audit Plan for the 2015–16 to 2017–18 fiscal years as reviewed by the Office’s Audit Committee and approved by the Auditor General on 9 July 2015.
Introduction
The Practice Review and Internal Audit (PRIA) function provides independent and objective information, advice, and assurance to the Auditor General of Canada concerning the extent that
- the risk management, control, and governance processes of the Office of the Auditor General of Canada (OAG or the Office) are appropriately designed and effectively implemented;
- engagement leaders are complying with professional standards, Office policies, and applicable legislative and regulatory requirements when conducting their audits; and
- audit reports are supported and appropriate.
This work is conducted under two sets of professional standards. Internal audits are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors. The Treasury Board of Canada Secretariat’s Policy on Internal Audit follows the spirit of the Institute’s standards, which are implemented in a way that respects the Auditor General’s independence as an Officer of Parliament.
Practice reviews are conducted in compliance with CSQC 1 (Canadian Standard on Quality Control 1—Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements) issued by the Chartered Professional Accountants of Canada.
The PRIA Plan was developed taking into consideration the Office risk review process, leading to the creation of
- the Office risk register, which was approved by the Executive Committee on 25 February 2015;
- the risks identified by the Executive Committee as critical following a residual risk analysis (please see the Appendix); and
- the Office strategic priorities.
As well, the PRIA Plan is based on a review of previous PRIA plans and findings of previous internal audits and practice reviews.
The PRIA Plan for the 2015–16 to 2017–18 fiscal years has two objectives:
- Identify desired internal audits based on an assessment of Office risks, risk management procedures, and an understanding of Office plans and priorities.
- Identify a practice review schedule that meets the requirements of professional standards and addresses the Office’s intent to continuously improve the conduct of its audits.
Background
Risk management is an essential component of good management. The Office monitors potential opportunities and threats that may have an impact on its ability to fulfill its mandate and meet its strategic, compliance, and operational objectives.
Office risk register. The Office risk register holds a list of key risks to be monitored and managed to ensure the Office meets its commitments and achieves its objectives. The risk register is organized around the enterprise risk management framework of the Committee of Sponsoring Organizations of the Treadway Commission. This framework places risks into strategic, compliance, and operations categories.
Practice review. One of the risks identified by the Executive Committee during the 2014 risk review process is the failure to ensure compliance with professional standards, policies, and legal requirements. Thus, practice reviews should focus on assessing these criteria while supporting engagement leaders exercising their professional judgment.
Internal audit. Overall, the Office has systems and processes in place that provide administrative support and effectively manage operational risks. Over the past 10 years, we have conducted eight internal audits that have confirmed the effective functioning of these systems while making a number of recommendations for improvements. We believe that it is important to ensure that we perform at least one internal audit per year for the next three years to assess these systems and processes.
External review. In addition to the Office’s internal audit and practice review functions, the Office’s systems and practices are subject to review by external financial auditors and peer reviewers, provincial professional accounting bodies, and various federal government oversight bodies, such as the Public Service Commission of Canada, the Office of the Commissioner of Official Languages, the Office of the Privacy Commissioner of Canada, and the Canadian Human Rights Commission.
Practice review plan
CSQC 1 requires that a monitoring process be established that provides reasonable assurance that the policies and procedures relating to quality control are relevant, adequate, and operating effectively. This process must include, on a cyclical basis, an inspection of at least one completed engagement for each engagement leader (Principal), but does not prescribe a defined cycle of review.
There are currently 31 engagement leaders in the Office who conduct audits: 16 primarily perform attest engagements, and 15 primarily perform direct report engagements (performance audits and special examinations). We noted that on an exception basis, some directors have assumed the responsibilities of an engagement leader; however, this has not been reflected in the count of engagement leaders. While a practice review focuses on the engagement leader, it is useful to be able to draw conclusions not only on the extent of compliance with standards by individual engagement leaders, but also on the state of compliance for the Office as a whole as a way to meet the objective of continuous improvement.
We have designed a sampling approach for the selection of the engagement leaders:
- We will create two pools of engagement leaders: annual attest and direct report. These pools will support making observations, where appropriate, for each of these two categories of assurance engagements on an annual basis.
- We will review each engagement leader in each pool at least once every four years. We have established a four‑year review cycle for each assurance category, which will allow the review of each engagement leader within a reasonable time frame and manage any predictability in the selection process.
- We will randomly sample engagement leaders each year. If the engagement leader has more than one audit in a pool, we will randomly sample the audit as well. The value gained by including all engagement leaders in each pool outweighs the impact of multiple reviews of an engagement leader within a cycle.
Internal audit plan
Under the internal audit plan, we have two responsibilities:
- provide constructive feedback through internal audit reports to managers on how well they have identified and assessed risk, as well as on the effectiveness, efficiency, and economy of existing measures to manage risk; and
- provide assurance to the Auditor General about the design and the effectiveness of the Office’s risk management, control, and governance processes.
Over the past 10 years, eight internal audits were conducted. As previously noted, we have included in the Appendix the critical risks facing the Office as identified by the Executive Committee. We are monitoring management actions on these risks and have taken them into consideration for current and future plans. For the PRIA multi‑year plan for the 2015–16 to 2017–18 fiscal years, we are proposing the following internal audits:
- 2015–16—Completion of the internal audit on integrated human resources planning
- 2015–16—Office costing model for audits
- 2016–17—Key components of the implementation of the Office’s Departmental Security Plan
- 2017–18—External assessment of the practice review and internal audit function
During the 2015–16 fiscal year, we are also planning to develop a follow‑up process on all internal audit observations and associated recommendations to provide assurance on management’s progress on implementing outstanding recommendations.
One of the Chief Audit Executive’s responsibilities is to implement processes designed to provide reasonable assurance to the various stakeholders that the practice review and internal audit activities operate effectively and efficiently. These processes include appropriate supervision, periodic internal assessments, ongoing monitoring of quality assurance, and periodic external assessments. In preparation for our initial external assessment of the practice review and internal audit function planned for the 2017–18 fiscal year, we are currently developing our Practice Review and Internal Audit Manual. We will subsequently perform a self-assessment of the practice review and internal audit function prior to requesting the external assessment.
Since 1999, our Office has been subject to the International Peer Review (IPR). The purpose is twofold: to assess whether the Office’s quality management system is appropriately designed and whether it is being implemented effectively. The expectation is that at a minimum there should be one IPR within an Auditor General’s mandate. This means that an IPR should take place before 2021, the end of the current Auditor General’s mandate. The PRIA team wants to be proactive in ensuring that the Office is ready. As a starting point, the team would likely participate, as a reviewer, in an IPR of another country to gain a better understanding of the IPR process. That knowledge will help the PRIA team to perform the Office self-assessment exercise, which will lead to management developing a remediation plan.
Resourcing
To deliver the PRIA Plan, we have a team of three people, who will carry out all the practice reviews:
- Louise Bertrand, Chief Audit Executive;
- Heather Miller, Director; and
- Marc Gauthier, Director.
As needed, we might require temporary resources to help us conduct our work.
The PRIA team has a budget of 3,750 hours to perform practice reviews and a budget of 1,250 hours for internal audit work.
A similar level of activity and effort is expected for the 2016–17 and 2017–18 fiscal years.
Appendix—Critical risks facing the Office of the Auditor General of Canada
The following summarizes the 11 critical risks identified for the Office in 2015, the current activities to manage these risks, and the potential internal audits to address these risks.
| 2015 risk management update—critical risks | Risk management activities | Potential internal audits |
|---|---|---|
|
Failure to innovate |
A proposal on how the Office should explore innovation opportunities is being prepared for the Executive Committee. |
None proposed |
|
Failure to ensure selection and continuance of audit products likely to have significant value and impact |
Practice leaders are reviewing the Office’s approach to audit selection. |
None proposed |
|
Failure to access information that unduly limits our work |
Practice leaders are working with legal services to redress these situations as they arise. In addition, the Office is working with the Privy Council Office to develop a longer-term solution. |
None proposed |
|
Failure to effectively govern the Office |
A review of the Office’s governance framework will be completed with the objective to implement one that is better suited to support the new roles and responsibilities, and the operational needs. |
None proposed |
|
Failure to ensure that audit reports and recommendations are risk-based, understandable, fair, timely and guide corrective action towards the most serious deficiencies reported |
Product leaders are working with Strategic Planning to develop indicators on measures of audit value. Performance Audit value improvement steps are being defined, and the Attest Practice is developing an annual derivative report highlighting value-added from financial audits. |
None proposed |
|
Failure to effectively manage potential information leaks |
The Office has made substantial investment in its security infrastructure in the last year to strengthen its resilience, and the Office is continually monitoring the environment to mitigate/reduce its exposure to cyber-attacks. A rights management e-solution will control access to various OAG-controlled documents. The solution uses encryption to limit the operations authorized users can perform on them (i.e. forwarding to unauthorized users, printing, copying). |
Potential audit on security in the 2016–17 fiscal year |
|
Failure to effectively plan succession and manage talent |
The Assistant Auditor General, Corporate Services, supported by the Human Resources team, is leading the succession planning and talent management activities. A questionnaire has been sent to the audit community to incorporate, in Retain (audit resource planning tool), the specialized skills, educational background, and work experience for each auditor. This information will be available to audit managers and resource managers. |
None proposed |
|
Failure to have staff with the competencies to meet job requirements |
Activities include to action the Learning Performance Index Survey results and update the Office’s professional development plan. |
None proposed |
|
Failure to effectively manage employee engagement |
The Executive Committee approved replacing the term “motivated” with “engaged” to better reflect the true nature and scope of the Office’s objectives. Motivation is a process that initiates, guides, and maintains goal-oriented behaviours. Engagement is a workplace approach designed to create the conditions in which employees freely and willingly give discretionary effort, not because they are motivated by a specific reward, but as an integral part of their daily activity at work. |
None proposed |
|
Failure to maintain a work environment where employees can work and be supervised in the official language of their choice |
The Executive Committee has approved a 2015–18 Bilingualism in the Workplace Strategy, which will be implemented in the 2015–16 fiscal year. A group/practice-level action plan will follow. |
None proposed |
|
Failure to effectively manage transition to new roles and responsibilities |
The project management office has been developed to oversee the transition to new senior audit roles and responsibilities. The office’s implementation will lead to more streamlined decision making and ensure that decision making can occur at the most appropriate level in the organization. |
None proposed |