Practice Review and Internal Audit—Multi-year Plan for the 2013–14 to 2015–16 Fiscal Years
This document presents the Practice Review and Internal Audit Plan for the 2013–14 to 2015–16 fiscal years as reviewed by the Office’s Audit Committee and approved by the Auditor General.
Introduction
The Practice Review and Internal Audit (PRIA) function provides independent and objective assurance, information, and advice to the Auditor General concerning
- the extent that Office administrative processes and practices are appropriately designed and effectively implemented; and
- the extent that audit practitioners are complying with professional standards, legal requirements, and Office policies when conducting their audits and issuing audit reports.
This work is conducted under two sets of professional standards. Internal audits are conducted in accordance with the International Standards for the Profession of Internal Auditing established by the Institute of Internal Auditors. They follow the spirit of the Treasury Board Policy on Internal Audit and are implemented in a way that respects the Auditor General’s independence as an Officer of Parliament. Practice reviews are conducted in compliance with CSQC 1 (Canadian Standard on Quality Control—quality control for firms that perform audits and reviews of financial statements and other assurance engagements) issued by The Canadian Institute of Chartered Accountants (CICA).
The PRIA Plan is based on interviews with all product and service leader assistant auditors general and a sample of audit practitioners. It takes into account input from the Office’s Audit Committee. As well, it is based on a review of previous PRIA plans, the research conducted to prepare them, and the findings of previous internal audits and practice reviews.
The PRIA Plan for the 2013–14 to 2015–16 fiscal years has two objectives:
- Identify desired internal audits based on an assessment of Office risks, risk management procedures, and an understanding of Office plans and priorities.
- Identify a practice review schedule that meets the requirements of professional standards and addresses the Office’s intent to continuously improve the conduct of its audits.
Background
The Office faces risks because of the nature of its work. The major risks facing the Office are in its audit operations, not its administrative functions.
Practice review. The number one risk identified by the Office’s Executive Committee during its latest comprehensive review of the Office’s risk management framework in 2011 is the need to support auditors when exercising their professional judgment. The risk of failing to comply with professional standards was ranked third. (For a complete list of risks, please see Appendix 2 at the end of this report.) During the renewal of the Office’s strategic plan in 2012, one of three learning and growth objectives identified was to ensure a culture of empowerment. Thus, practice reviews should focus on assessing compliance with professional standards, legal requirements, and Office policies while supporting practitioners exercising their professional judgment.
Internal audit. Overall, the Office has mature management systems and processes that provide administrative support to the Office and effectively manage operational risks. None of the seven critical risks identified in the Office’s risk management framework in 2011 relates to administrative systems or practices.
Over the past 10 years, we have conducted 12 internal audits that have confirmed the effective functioning of these systems, while making a number of recommendations for improvements. Some of the most important observations addressing significant risks faced by the Office were in the 2008 assessment of the design of the Office’s Quality Management System for audits. In 2012, a follow-up was conducted of all past internal audit recommendations. The follow-up found that of the 46 recommendations made to management, 41 were implemented and 5 were outstanding, but had made satisfactory progress.
External review. In addition to the Office’s internal audit and practice review functions, the Office’s systems and practices are subject to review by external financial auditors and peer reviewers, provincial professional accounting bodies, and various federal government oversight bodies, such as the Public Service Commission, the Commissioner of Official Languages, the Privacy Commissioner, and the Canadian Human Rights Commission.
Practice review plan
CSQC 1 requires that a monitoring process be established that provides reasonable assurance that the policies and procedures relating to quality control are relevant, adequate, and operating effectively. This process must include, on a cyclical basis, inspection of at least one completed engagement for each engagement partner (Principal), but does not prescribe a defined cycle of review.
There are currently 38 audit practitioners in the Office: 24 are essentially financial auditors, 4 of whom have conducted special examinations; 20 are essentially performance auditors, a couple of whom have conducted special exams; and a small number work in all three product lines.
While a practice review focuses on the practitioner, it is useful to be able to draw conclusions not only on the extent of compliance with standards by individual practitioners, but also on the state of compliance for the Office as a whole as a way to meet the objective of continuous improvement of the Office’s audit practices. Although we have three product lines, these fall into two categories of assurance: financial audits that are attest engagements, and performance audits and special examinations that are direct report engagements conducted under the professional standards contained in General Assurance and Auditing Section 5025 of the CICA Handbook.
Under the practice review plan, we will do the following:
- Create two pools of practitioners: attest practitioners and direct report practitioners. These pools will support making observations, where appropriate, for each of these two categories of assurance engagements.
- Employ a random sampling program to identify practitioners to be reviewed in each pool. This will manage any potential bias in the selection process and support the extrapolation of results from individual practice reviews across the relevant assurance category. A number of practitioners who have been promoted within the last two to three years have not yet had a practice review. In the 2013–14 fiscal year, the results of the random sampling may be modified to address this situation.
- Review each practitioner in each pool. This will support making observations, where appropriate, for each of the two categories of assurance engagement based on the results of reviews of all practitioners who conduct each type of engagement. While this will mean some practitioners will be reviewed twice within a cycle, the value gained by including all practitioners in each pool outweighs the impact of multiple reviews of a practitioner within a cycle.
- Establish a four-year review cycle for each assurance category. This will allow reviewing each practitioner within a reasonable time frame and manage any predictability in the selection process.
Because the number of financial audit practitioners and financial audits has decreased, the extrapolation period for attest audits is being increased from two to three years. This will allow us to make practice-wide observations beginning in the 2014–15 fiscal year, one year later than planned. Having conducted nine practice reviews in 2012, we are planning to conduct six in each of the next three years. This will allow us to review all practitioners within four years as planned, with a 15 percent chance of reviewing a practitioner more than once in the cycle.
The extrapolation period for direct report audits is three years. This means that practice-wide observations will be made for the direct report practices in the 2014–15 fiscal year as originally planned. Having conducted seven practice reviews in 2012, we are planning for five in the coming year and likely six in each of the following two years. This will allow us to review all practitioners within the four years as planned, with a 10 percent chance of reviewing a practitioner more than once in the cycle.
In addition to the randomly selected practitioners, additional practice reviews may be conducted in any given year to address situations where it is desirable to accelerate the review of a given practitioner, due to the results of past reviews, or to address other Office concerns or specific practice risks.
Practice reviews of attest practitioners will continue to be conducted in the fall. Practice reviews of direct reporting practitioners will continue to be conducted in the fall and winter.
Internal audit plan
Under the internal audit plan, we have three responsibilities:
- auditing the implementation of the Office’s risk management policy;
- providing constructive feedback through internal audit reports to managers on how well they have identified and assessed risk, as well as on the effectiveness, efficiency, and economy of existing measures to manage risk; and
- providing assurance to the Auditor General about the effectiveness of the Office’s risk management practices.
Over the past 10 years, the 12 internal audits conducted have covered mostly low- and medium-risk areas. The current internal audit plan has identified two higher-risk areas. We are proposing the following internal audits to address these risk areas, as well as the internal audit function itself:
- 2014—Implementation of information management practices
- 2015—Implementation of the Office’s Departmental Security Plan
- 2016—External assessment of the internal audit function
Other major functions, such as Office governance and performance management, are currently under review as part of the Office’s strategic plan renewal. The Office’s communications function, where a 2005 benchmarking report assessed spending as significantly higher than in comparable organizations in certain areas, is a function where no internal audits have been conducted in the past 10 years. Thus, it will be high on our list of considerations for future internal audits.
While those we interviewed in preparing this plan identified some areas where they believed improvements could be made in managing the Office, in most of these cases, an internal audit would not be the best approach. An internal audit could be useful in some other cases; however, the Office’s current comprehensive review of strategic planning and performance management provides an excellent opportunity for the Office to identify and consider potential improvements in its management and administration. The next update of this internal audit plan will consider the results of the strategic planning review.
In addition to our work on higher-risk areas, we will be conducting an internal audit each year of an administrative function to provide assurance that administrative procedures within the Office are sufficient, appropriate, and functioning as intended.
Resourcing
To deliver the PRIA plan, we require temporary resources to help us conduct practice reviews. As in the past, we will continue counting on senior management to provide people at the principal and director levels. All practice reviews will be carried out internally.
The PRIA team has 4,500 hours available. We will need additional resources (equivalent to 3,800 hours) to be provided by other internal groups to complete our planned activities for the year.
External resources will be used in areas of special expertise and for internal audits. The internal audit on the implementation of information management practices scheduled for the 2013–14 fiscal year will require outside expertise. We have budgeted $25,000 of contract funds for this audit.
A similar level of activity and effort is expected for the 2014–15 and 2015–16 fiscal years.
Appendix 1—Major functions, systems, and processes
We have reviewed the major functions, systems and processes of the Office, noted recent internal audits in each area, made an assessment of the risk inherent in each area, and proposed internal audits to address the highest risk areas.
Function, system, or process | Internal audit work performed | Current assessment | Planned internal audits |
---|---|---|---|
Governance. Roles and responsibilities, delegation of authority, reporting relationships, accountabilities, organizational structures, committee structure, decision-making structure | None | Risk: low to moderate. Governance has been identified in the strategic plan renewal as one of four change agenda areas. The Executive Committee will be addressing this area in the coming months. | None planned at this time. |
Corporate Office. Strategic planning, performance management, risk management, stewardship reporting, internal audit, legal services | None | Risk: low. Performance management is being reviewed as part of the strategic plan renewal; RPP and DPR reporting practices are sound; legal services practices are well established; risk management practices should be reviewed as part of strategic plan renewal. | External assessment of the internal audit function should be undertaken within three years. (2016) |
Human Resources. Management of the function: capacity analysis, strategic planning, retention strategy, succession planning, policies, information systems. Staff relations: Collective bargaining, employee relations, employee survey. Other: Classification and compensation, staffing/recruiting, official languages, performance management, training and development, mentoring, awards, recognition, employment equity | Classification and compensation (2004); management of Human Resources and Professional Development functions (2006); staffing (2008) | Risk: low to moderate. The Office is able to attract and retain staff to meet its needs; an office-wide capacity review is completed annually and individual audits are assessed for quantity and expertise of staff assigned. There are no major staff relations issues (the pay equity dispute was recently settled). | Succession planning |
Comptroller's Group. Internal control, resourcing and process management (budgeting, funding, salary management, resource allocation), general accounting and financial controls and reporting, financial systems, contracting and administration services, time reporting system | Professional services contracting (2001); travel (2004); hospitality expenses (2005, 2010); controls over financial transactions (2009); financial management and budgeting (2012) | Risk: low. Financial statements are subject to external audit, an annual review of internal controls is conducted. Travel and hospitality have mature policies in place including public disclosure of senior management expenditures. | None proposed at this time. |
Information Technology and Knowledge Management. Management of function: Treasury Board compliance, strategic planning, advisory role, awareness training; management of government information; Access to Information and Privacy; information and records management; knowledge transfer, management and audit support; Web administration; hardware/software acquisitions, project management, maintenance, licence management, user support; telecom | None | Risk: moderate to high. Enterprise electronic document and records management system deployed in 2009. TeamMate R10 conversion completed in 2012—such major conversions pose significant risks related to adoption in practice. Library and Archives Canada review completed in 2012 assessed systems as being in “mature” state according to Treasury Board Secretariat Recordkeeping Compliance Maturity Model. Acquisitions by Information Technology are subject to good oversight; project management has not been assessed. | Internal audit of implementation of information management practices. |
Security. Physical and personnel | Security at headquarters (2003); security at regional offices (2004) | Risk: high. The Office does not have a Departmental Security Plan (DSP) to comply with Treasury Board Secretariat requirements. | The Office is preparing a DSP. An internal audit of its implementation is proposed for 2015. |
Professional Practices. Methodology development and deployment; professional development and training; audit advisory services | Assessment of the design of the Office’s quality management system¹ (2008) | Risk: low to moderate. The Office has recently completed the renewal of audit methodology (RAM) project; hence, low risk. It is renewing its curriculum, the key vehicle for training staff on the Office’s audit methodology and professional standards; hence, moderate risk. | An audit of curriculum design and deployment could be undertaken. |
Communications. Internal communication; external reports publication, translation, editing, graphics. Other: audio-visual, media, public enquiries | None | Risk: low to moderate. The 2005 corporate services benchmarking report identified communication services as one of two areas where the Office spends proportionally more than comparable organizations—Knowledge and Information management is the other. | None proposed at this time. |
Parliamentary Liaison. Liaison with members of Parliament and parliamentary committees; audit practices support | None | Risk: low. While the impact of the function is high on the Office’s reputation and effectiveness, its work is overseen at the highest levels of the organization. | None proposed at this time. |

¹ This has since been renamed the System of Quality Control.
Appendix 2—Critical risks facing the Office of the Auditor General
The following summarizes the seven critical risks identified for the Office in 2011, the current activities to manage these risks, and the potential internal audits to address these risks.
2011 Risk management update—critical risks | Risk management activities | Potential internal audit |
---|---|---|
Failure to empower our people to exercise their professional judgment. | “Empowering our people” is a key objective of the Office’s strategic plan. Specific actions have not yet been identified. | No work planned pending completion of Office’s strategic plan. |
Failure to establish/maintain effective relationships with all of our stakeholders. | Establishing a stakeholder relations plan with key activities and objectives is on the strategic plan project list. | No work planned pending articulation of the stakeholder relations plan. |
Failure to comply with professional standards. | “Ensuring compliance with professional standards in an economical manner” is a key objective of the Office’s strategic plan. Specific actions have not yet been identified. | Addressed through regular practice reviews. Additional work to be considered following completion of the Office’s strategic plan. |
Failure to maintain resource levels sufficient to sustain our capacity to fulfill our mandate (including effectively and efficiently managing resources in a time of restraint). | An office-wide capacity review is completed annually that analyzes needs based on the planned audits going forward. For each audit, professional auditing standards require a review by the responsible Principal on the number and expertise of staff assigned to the audit. | Internal audit of recruitment and succession planning. |
Failure to effectively respond to a changing Parliament. | The Office recognizes that maintaining an effective working relationship with Parliament—especially given the number of new parliamentarians—will help facilitate an understanding of its legislative mandate and ensure that its audits continue to have an impact. | No work planned pending articulation of the stakeholder relations plan. |
Failure to be relevant to Parliament and territorial legislatures. | Select parliamentarians will be interviewed in 2013 as part of the renewal of the Office’s strategic plan. | No potential internal audit proposed. |
Failure to innovate. | Continuous improvement is one of the key objectives in the Office’s strategic plan. Specific actions have not yet been identified. | No potential internal audit proposed. |