Office of the Auditor General of Canada. Practice Review and Internal Audit. Multi-year Plan for the to Fiscal Years

Similar documents
Status Report of the Auditor General of Canada to the House of Commons

Internal Audit Manual

Public Sector Pension Investment Board

Audit of Policy on Internal Controls: Selected Business Processes

Audit of the Test of Design of Entity-Level Controls

Quality Assurance Checklist

Building a Strong Organization CORPORATE GOVERNANCE AND ORGANIZATIONAL STRUCTURE

DRAFT Report on Office of the Superintendent of Financial Report on Institutions Office of the Superintendent of Financial

Department of Audit and Compliance. Quality Self-Assessment

Audit of the Canada Student Loans Program

Social Sciences and Humanities Research Council of Canada

INTERNAL AUDIT REPORT ON THE FINANCIAL MANAGEMENT CONTROL FRAMEWORK FOR INITIATIVES RELATED TO CANADA S ECONOMIC ACTION PLAN (EAP) REPORT.

MISSION VALUES. The guide has been printed by:

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

EXAMINING PUBLIC SPENDING. Estimates Review: A Guide for Parliamentarians

Statement of Management Responsibility Including Internal Control Over Financial Reporting

2007 Follow-Up Report on the Audit of Information Technology January 2005

BUILDING A CROWN CORPORATION DIRECTOR PROFILE

The Compliance Universe

How quality assurance reviews can strengthen the strategic value of internal auditing*

Auditor General of Canada to the House of Commons

How To Manage Risk At Atb Financial

Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting.

Office of the Auditor General of Canada. Internal Audit of Document Management Through PROxI Implementation. July 2014

The National Food Policy Council of Canada

Internal Audit Framework

A Risk-based Approach to Performance Auditing

Audit of the Policy on Internal Control Implementation

J u n e N a t i o n a l R e s e a r c h C o u n c i l C a n a d a. I n t e r n a l A u d i t, N R C. Audit of Risk Management.

Audit of the Management of Projects within Employment and Social Development Canada

Phase II of Compliance to the Policy on Internal Control: Audit of Entity-Level Controls

Five-Year Strategic Plan

Internal Controls and Risk Management Report

OF CPAB INSPECTION FINDINGS

Canada Media Fund/Fonds des médias du Canada

Management Employees Pension Board

Strategic Plan to Building a safer future for Canadians

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Hunter Hall International Limited

PACIFIC ISLANDS FORUM SECRETARIAT FEMM BIENNIAL STOCKTAKE 2012

Annual Assessment of the External Auditor

THE OFFICE OF THE INTERNAL AUDITOR STATUS UPDATE MARCH 11, 2014

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report

CCAF BRIEF FOR CCPAC- CCOLA PANEL DISCUSSION ON AUGUST 11, 2014: OBTAINING STATUS UPDATES/ACTION PLANS ON THE IMPLEMENTATION OF AUDITOR GENERAL

Annual Report to Parliament

Internal Audit of the Sport Canada Hosting Program

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

The Advanced Certificate in Performance Audit for International and Public Affairs Management. Workshop Overview

Audit of Community Futures Program

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

IIROC Priorities

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

How to protect yourself against cyber crime in 7 practical steps

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

Audit of Procurement Practices

COMPLIANCE CHARTER 1

Central bank corporate governance, financial management, and transparency

Aboriginal Affairs and Northern Development Canada. Internal Audit Report

East Carolina University Office of Internal Audit Risk Assessment Preliminary Work

PRUDENTIAL FINANCIAL, INC. CORPORATE GOVERNANCE PRINCIPLES AND PRACTICES

Courts Administration Service (CAS) Audit of Integrated Risk Management

MARKET CONDUCT ASSESSMENT REPORT

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF GLOBAL MEDICAL REIT INC. ADOPTED AS OF JUNE 13, 2016

Performance Measures for Internal Auditing

Office of the Chief Information Officer

STATEMENT OF CORPORATE GOVERNANCE GUIDELINES

enhancing deposit insurance effectiveness and the stability of financial systems worldwide.

AUDIT COMMITTEE MANDATE

BUSINESS PLAN

How To Support The Justice System In Canada

Audit of Occupational Safety and Health (OSH)

CREDIT UNION CENTRAL OF CANADA NNUAL OVERNANCE REPORT

Office of the Executive Council. activity plan

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Management of Negotiation Loans. Prepared by:

Position Description

Implementing an Integrated City-wide Risk Management Framework

MARITIME OPERATOR SAFETY SYSTEM: MARITIME RULE PARTS 19 AND 44

4.01. Auto Insurance Regulatory Oversight. Chapter 4 Section. Background. Follow-up to VFM Section 3.01, 2011 Annual Report

Re: CAPSA Consultation on the Revisions to the Pension Plan Governance Guideline

Background. Audit Quality and Public Interest vs. Cost

Larry Laine, Deputy Land Commissioner and Chief Clerk. Annual Report on the Internal Audit Quality Assurance and Improvement Program

SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT

EDUCATION AND CULTURE - REGULATION OF PRIVATE TRADE SCHOOLS

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

TABLE OF CONTENTS BACKGROUND AND INTRODUCTION... 5 PURPOSE... 5 SCOPE... 6 RISK ASSESSMENT PROCESS... 6

Guide to Intervention for Federally Regulated Life Insurance Companies

Final Report. Audit of the Project Management Framework. December 2014

TransAlta Corporation Energy Trading Compliance Program Assessment

Audit of Financial Reporting Controls

Division of Insurance Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014

IT Infrastructure Audit

Internal Audit Practice Guide

Fraud Risk Assessment FINAL REPORT

Web Version. Information Technology (IT) Security Management Practices

Department of Finance. Strategic Plan A vibrant and self-reliant economy and prosperous people.

Framework for Compliance Audits Under the Employment Equity Act

Charter of the Audit Committee of the Board of Directors

Transcription:

Office of the Auditor General of Canada Practice Review and Internal Audit Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years July 2015

This document presents the Practice Review and Internal Audit Plan for the 2015 16 to 2017 18 fiscal years as reviewed by the Office s Audit Committee and approved by the Auditor General on 9 July 2015. Her Majesty the Queen in Right of Canada, represented by the Minister of Public Works and Government Services, 2015. Cat. No. FA1-16E-PDF ISSN 1925-8488

Table of Contents Introduction 1 Background 2 Practice review plan 2 Internal audit plan 3 Resourcing 4 Appendix Critical risks facing the Office of the Auditor General of Canada 6 Practice Review and Internal Audit iii

Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years July 2015 Introduction The Practice Review and Internal Audit (PRIA) function provides independent and objective information, advice, and assurance to the Auditor General of Canada concerning the extent that the risk management, control, and governance processes of the Office of the Auditor General of Canada (OAG or the Office) are appropriately designed and effectively implemented; engagement leaders are complying with professional standards, Office policies, and applicable legislative and regulatory requirements when conducting their audits; and audit reports are supported and appropriate. This work is conducted under two sets of professional standards. Internal audits are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors. The Treasury Board of Canada Secretariat s Policy on Internal Audit follows the spirit of the Institute s standards, which are implemented in a way that respects the Auditor General s independence as an Officer of Parliament. Practice reviews are conducted in compliance with CSQC 1 (Canadian Standard on Quality Control 1 Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements) issued by the Chartered Professional Accountants of Canada. The PRIA Plan was developed taking into consideration the Office risk review process, leading to the creation of the Office risk register, which was approved by the Executive Committee on 25 February 2015; the risks identified by the Executive Committee as critical following a residual risk analysis (please see the Appendix); and the Office strategic priorities. As well, the PRIA Plan is based on a review of previous PRIA plans and findings of previous internal audits and practice reviews. Practice Review and Internal Audit 1

July 2015 Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years The PRIA Plan for the 2015 16 to 2017 18 fiscal years has two objectives: Identify desired internal audits based on an assessment of Office risks, risk management procedures, and an understanding of Office plans and priorities. Identify a practice review schedule that meets the requirements of professional standards and addresses the Office s intent to continuously improve the conduct of its audits. Background Risk management is an essential component of good management. The Office monitors potential opportunities and threats that may have an impact on its ability to fulfill its mandate and meet its strategic, compliance, and operational objectives. Office risk register. The Office risk register holds a list of key risks to be monitored and managed to ensure the Office meets its commitments and achieves its objectives. The risk register is organized around the enterprise risk management framework of the Committee of Sponsoring Organizations of the Treadway Commission. This framework places risks into strategic, compliance, and operations categories. Practice review. One of the risks identified by the Executive Committee during the 2014 risk review process is the failure to ensure compliance with professional standards, policies, and legal requirements. Thus, practice reviews should focus on assessing these criteria while supporting engagement leaders exercising their professional judgment. Internal audit. Overall, the Office has systems and processes in place that provide administrative support and effectively manage operational risks. Over the past 10 years, we have conducted eight internal audits that have confirmed the effective functioning of these systems while making a number of recommendations for improvements. We believe that it is important to ensure that we perform at least one internal audit per year for the next three years to assess these systems and processes. External review. In addition to the Office s internal audit and practice review functions, the Office s systems and practices are subject to review by external financial auditors and peer reviewers, provincial professional accounting bodies, and various federal government oversight bodies, such as the Public Service Commission of Canada, the Office of the Commissioner of Official Languages, the Office of the Privacy Commissioner of Canada, and the Canadian Human Rights Commission. Practice review plan CSQC 1 requires that a monitoring process be established that provides reasonable assurance that the policies and procedures relating to quality control are relevant, 2 Practice Review and Internal Audit

Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years July 2015 adequate, and operating effectively. This process must include, on a cyclical basis, an inspection of at least one completed engagement for each engagement leader (Principal), but does not prescribe a defined cycle of review. There are currently 31 engagement leaders in the Office who conduct audits: 16 primarily perform attest engagements, and 15 primarily perform direct report engagements (performance audits and special examinations). We noted that on an exception basis, some directors have assumed the responsibilities of an engagement leader; however, this has not been reflected in the count of engagement leaders. While a practice review focuses on the engagement leader, it is useful to be able to draw conclusions not only on the extent of compliance with standards by individual engagement leaders, but also on the state of compliance for the Office as a whole as a way to meet the objective of continuous improvement. We have designed a sampling approach for the selection of the engagement leaders: We will create two pools of engagement leaders: annual attest and direct report. These pools will support making observations, where appropriate, for each of these two categories of assurance engagements on an annual basis. We will review each engagement leader in each pool at least once every four years. We have established a four-year review cycle for each assurance category, which will allow the review of each engagement leader within a reasonable time frame and manage any predictability in the selection process. We will randomly sample engagement leaders each year. If the engagement leader has more than one audit in a pool, we will randomly sample the audit as well. The value gained by including all engagement leaders in each pool outweighs the impact of multiple reviews of an engagement leader within a cycle. Internal audit plan Under the internal audit plan, we have two responsibilities: provide constructive feedback through internal audit reports to managers on how well they have identified and assessed risk, as well as on the effectiveness, efficiency, and economy of existing measures to manage risk; and provide assurance to the Auditor General about the design and the effectiveness of the Office s risk management, control, and governance processes. Over the past 10 years, eight internal audits were conducted. As previously noted, we have included in the Appendix the critical risks facing the Office as identified by the Executive Committee. We are monitoring management actions on these risks and have taken them into consideration for current and future plans. For the PRIA multi-year plan for the 2015 16 to 2017 18 fiscal years, we are proposing the following internal audits: Practice Review and Internal Audit 3

July 2015 Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years 2015 16 Completion of the internal audit on integrated human resources planning 2015 16 Office costing model for audits 2016 17 Key components of the implementation of the Office s Departmental Security Plan 2017 18 External assessment of the practice review and internal audit function During the 2015 16 fiscal year, we are also planning to develop a follow-up process on all internal audit observations and associated recommendations to provide assurance on management s progress on implementing outstanding recommendations. One of the Chief Audit Executive s responsibilities is to implement processes designed to provide reasonable assurance to the various stakeholders that the practice review and internal audit activities operate effectively and efficiently. These processes include appropriate supervision, periodic internal assessments, ongoing monitoring of quality assurance, and periodic external assessments. In preparation for our initial external assessment of the practice review and internal audit function planned for the 2017 18 fiscal year, we are currently developing our Practice Review and Internal Audit Manual. We will subsequently perform a self-assessment of the practice review and internal audit function prior to requesting the external assessment. Since 1999, our Office has been subject to the International Peer Review (IPR). The purpose is twofold: to assess whether the Office s quality management system is appropriately designed and whether it is being implemented effectively. The expectation is that at a minimum there should be one IPR within an Auditor General s mandate. This means that an IPR should take place before 2021, the end of the current Auditor General s mandate. The PRIA team wants to be proactive in ensuring that the Office is ready. As a starting point, the team would likely participate, as a reviewer, in an IPR of another country to gain a better understanding of the IPR process. That knowledge will help the PRIA team to perform the Office self-assessment exercise, which will lead to management developing a remediation plan. Resourcing To deliver the PRIA Plan, we have a team of three people, who will carry out all the practice reviews: Louise Bertrand, Chief Audit Executive; Heather Miller, Director; and Marc Gauthier, Director. 4 Practice Review and Internal Audit

Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years July 2015 As needed, we might require temporary resources to help us conduct our work. The PRIA team has a budget of 3,750 hours to perform practice reviews and a budget of 1,250 hours for internal audit work. A similar level of activity and effort is expected for the 2016 17 and 2017 18 fiscal years. Practice Review and Internal Audit 5

July 2015 Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years Appendix Critical risks facing the Office of the Auditor General of Canada The following summarizes the 11 critical risks identified for the Office in 2015, the current activities to manage these risks, and the potential internal audits to address these risks. 2015 risk management update critical risks Failure to innovate Failure to ensure selection and continuance of audit products likely to have significant value and impact Failure to access information that unduly limits our work Failure to effectively govern the Office Failure to ensure that audit reports and recommendations are riskbased, understandable, fair, timely and guide corrective action towards the most serious deficiencies reported Failure to effectively manage potential information leaks Risk management activities A proposal on how the Office should explore innovation opportunities is being prepared for the Executive Committee. Practice leaders are reviewing the Office s approach to audit selection. Practice leaders are working with legal services to redress these situations as they arise. In addition, the Office is working with the Privy Council Office to develop a longer-term solution. A review of the Office s governance framework will be completed with the objective to implement one that is better suited to support the new roles and responsibilities, and the operational needs. Product leaders are working with Strategic Planning to develop indicators on measures of audit value. Performance Audit value improvement steps are being defined, and the Attest Practice is developing an annual derivative report highlighting value-added from financial audits. The Office has made substantial investment in its security infrastructure in the last year to strengthen its resilience, and the Office is continually monitoring the environment to mitigate/reduce its exposure to cyber-attacks. A rights management e-solution will control access to various OAG-controlled documents. The solution uses encryption to limit the operations authorized users can perform on them (i.e. forwarding to unauthorized users, printing, copying). Potential internal audits Potential audit on security in the 2016 17 fiscal year 6 Practice Review and Internal Audit

Multi-year Plan for the 2015 16 to 2017 18 Fiscal Years July 2015 2015 risk management update critical risks Failure to effectively plan succession and manage talent Failure to have staff with the competencies to meet job requirements Failure to effectively manage employee engagement Failure to maintain a work environment where employees can work and be supervised in the official language of their choice Failure to effectively manage transition to new roles and responsibilities Risk management activities The Assistant Auditor General, Corporate Services, supported by the Human Resources team, is leading the succession planning and talent management activities. A questionnaire has been sent to the audit community to incorporate, in Retain (audit resource planning tool), the specialized skills, educational background, and work experience for each auditor. This information will be available to audit managers and resource managers. Activities include to action the Learning Performance Index Survey results and update the Office s professional development plan. The Executive Committee approved replacing the term motivated with engaged to better reflect the true nature and scope of the Office s objectives. Motivation is a process that initiates, guides, and maintains goal-oriented behaviours. Engagement is a workplace approach designed to create the conditions in which employees freely and willingly give discretionary effort, not because they are motivated by a specific reward, but as an integral part of their daily activity at work. The Executive Committee has approved a 2015 18 Bilingualism in the Workplace Strategy, which will be implemented in the 2015 16 fiscal year. A group/practice-level action plan will follow. The project management office has been developed to oversee the transition to new senior audit roles and responsibilities. The office s implementation will lead to more streamlined decision making and ensure that decision making can occur at the most appropriate level in the organization. Potential internal audits Practice Review and Internal Audit 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information