Practice Review and Internal Audit—Risk-Based Plan for the 2018–19 to 2020–21 Fiscal Years
Table of Contents
- Foreword
- Introduction
- The Office of the Auditor General of Canada
- Practice Review and Internal Audit
- Status of the 2017–18 PRIA Risk-Based Plan
- Internal Audit Plan for the 2018–19 to 2020–21 Fiscal Years
- Practice Review Plan for the 2018–19 Fiscal Year
- Resourcing
- Appendix A—Internal Audit Project Descriptions
This document presents the Practice Review and Internal Audit Risk-Based Plan for the 2018–19 to 2020–21 fiscal years as reviewed by the Office’s Audit Committee and approved by the Auditor General on 13 April 2018.
Foreword
The Practice Review and Internal Audit (PRIA) function of the Office of the Auditor General of Canada developed the Risk-Based Plan for 2018–19 to 2020–21. The purpose of this plan is to ensure that PRIA’s planned internal audit activities, engagements, and practice reviews meet the Office’s assurance needs.
This document contains
- details about the PRIA team’s role;
- an overview of the planned internal audit engagements and practice reviews for the next three fiscal years; and
- information about PRIA’s resources and capacity for the 2018–19 fiscal year, the first year of delivering the activities described in the Risk-Based Plan.
In establishing its practice review and internal audit priorities, PRIA conducts environmental scans, risk assessments, and consultations. For this current update to the Risk-Based Plan, PRIA consulted with the Office’s senior management and staff. PRIA also reviewed the Office’s plans and priorities, and the results of its latest integrated risk management process. PRIA updates the Risk-Based Plan annually, according to organizational priorities, the availability of resources, and evolving risk-assessment needs.
I would like to thank the Office’s senior management, staff, and the members of the Audit Committee for their cooperation and assistance with the development of this plan. Their input will allow PRIA to assess the adequacy and effectiveness of governance, risk management, and internal control processes in the Office.
Louise Bertrand
Chief Audit Executive
Office of the Auditor General of Canada
April 2018
Introduction
As an agent of Parliament, the Office of the Auditor General of Canada is independent from government and reports directly to the Parliament of Canada. Given its mandate, the Office is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the Office’s internal oversight mechanisms are of significant importance to ensuring that adequate management practices are in place. Practice Review and Internal Audit (PRIA) is one of these oversight mechanisms, as it provides assurance to management through internal audits and practice reviews.
This document presents PRIA’s Risk-Based Plan for the 2018–19 to 2020–21 fiscal years for the Office. PRIA has updated the plan to consider the latest results of the Office’s integrated risk management process and the detailed work and analysis completed by PRIA in 2017–18. The plan combines proposed internal audit engagements and practice reviews to be completed over the next three fiscal years. In determining its planned activities, PRIA sought to allocate its resources to the Office’s areas of significant risk.
The Office of the Auditor General of Canada
Mandate
The Auditor General of Canada is an Officer of Parliament, reporting directly to the Parliament of Canada. The Auditor General is independent of the government in the execution of his work and responsibilities. The Office of the Auditor General of Canada’s mandate and the Auditor General’s responsibilities are set out in the Auditor General Act, the Financial Administration Act, and other acts and orders-in-council.
The Commissioner of the Environment and Sustainable Development carries out the Auditor General’s mandate related to the environment and sustainable development.
The Office is the legislative audit office for the federal government and for the three territorial governments (Nunavut, Yukon, and the Northwest Territories).
The Office conducts independent audits and studies that provide objective information, advice, and assurance to Parliament, territorial legislatures, governments, and Canadians. The Office conducts audits according to professional auditing standards and Office policies.
The Office’s strategic outcome for the 2018–19 fiscal year continues to be to contribute to better-managed government programs and better accountability to Parliament through legislative auditing.
Strategic priorities
The Office identified the following three strategic objectives for the 2018–19 fiscal year:
- Ensure effective, efficient, and accountable Office governance and management.
- Be a financially well-managed organization accountable for the use of resources entrusted to it.
- Develop and maintain a skilled, engaged, and bilingual workforce.
Practice Review and Internal Audit
Mission
The Office of the Auditor General of Canada’s Practice Review and Internal Audit (PRIA) team’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
Scope of activities
The PRIA team’s scope of activities serves two separate but related purposes:
- Internal Audit. PRIA’s Internal Audit team has adopted the Institute of Internal Auditors’ Definition of Internal Auditing to help the Office accomplish its organizational vision, mission, and strategic objectives. The team provides independent, objective assurance and consulting activities to add value and improve the Office’s operations. PRIA’s Internal Audit team brings a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
- Practice Review. PRIA’s Practice Review team helps the Office meet its obligations under the Chartered Professional Accountants of Canada’s Canadian Standard on Quality Control 1 (CSQC 1). It does this work by conducting inspections to determine the extent to which engagement leaders comply with professional standards, Office policies, and applicable legislative and regulatory requirements when conducting their audits. These inspections also ensure that audit reports are supported and appropriate.
Operational framework
The Office’s Chief Audit Executive reports functionally to the Audit Committee and administratively to the Auditor General.
The Chief Audit Executive is responsible for developing and updating PRIA’s Risk-Based Plan annually. PRIA presents its Risk-Based Plan to the Audit Committee for its review. The Audit Committee recommends the approval of the Risk-Based Plan to the Auditor General. The Auditor General is the final approval authority for PRIA’s Risk-Based Plan.
PRIA conducts its work in accordance with established professional standards:
- Internal audits are conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. PRIA also conducts internal audits in compliance with the Treasury Board’s Policy on Internal Audit and the related directives as they apply to the Office.
- Practice reviews are conducted in compliance with the Chartered Professional Accountants of Canada’s CSQC 1, Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements.
Objectives of PRIA’s Risk-Based Plan
The PRIA Risk-Based Plan has two key objectives:
- Identify potential internal engagements based on an assessment of the Office’s risks and risk management procedures and an understanding of the Office’s plans and priorities.
- Identify a practice review schedule that meets the requirements of professional standards and addresses the Office’s intent to continue improving the conduct of its audits.
The PRIA planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the Office’s strategic objectives.
Status of the 2017–18 PRIA Risk-Based Plan
At the end of the fiscal year, Practice Review and Internal Audit (PRIA) completed six of its eight planned activities for 2017–18 as described in its Risk-Based Plan for the 2017–18 to 2019–20 fiscal years. One activity was deferred and one other is in progress (Exhibit 1).
Exhibit 1 Status of PRIA’s Risk-Based Plan for the 2017–18 fiscal year
Engagement | Audit title or task | Description | Status |
---|---|---|---|
Internal audit | The Office’s Framework for Employee Learning, Training, and Development | The audit examines whether the Office has an adequate and effective management framework for learning and development to ensure that employees receive the training and development they need, when they need it, to carry out their duties. The team is currently in the examination phase of the audit. The internal audit will be reported in fall 2018. | In progress |
Business process review | External review of PRIA’s internal audit activity | A consultant has been selected to conduct an external validation of PRIA’s conformance with the International Standards for the Professional Practice of Internal Auditing and the Institute of Internal Auditors Code of Ethics. The external validator’s report was prepared in March 2018. | Completed |
Assessment of internal controls | Strategy to review internal controls | In March 2018, PRIA finalized the strategy it had developed for assessing core internal controls. | Completed |
Business process review | Assessment of internal controls to manage fraud risks | In 2017, the Office approved a new fraud prevention policy and fraud risk management framework. As a result, the team determined it would be premature to conduct this review as this new policy is currently being implemented. Once the Office’s policy is fully implemented, PRIA will re-assess the need to conduct an assessment of internal controls to manage fraud risks. In the interim, to address fraud risk, PRIA is implementing the requirements of the Institute of Internal Auditors Standard 2210.A2 during the planning of internal audit engagements and of assessments of internal controls. | Deferred |
Review | Ethics | PRIA reviewed the ethics-related policies, programs, and activities of the Office to assess the need for an internal audit in this area. The team held meetings with internal stakeholders to provide high-level survey observations. PRIA considered ethics for internal audit as part of the current risk-based planning exercise. | Completed |
Project management support | International peer review | PRIA coordinated the substantiation of management action in light of the 2010 peer review recommendations and observations. | Completed |
Practice reviews | Summary report for financial audits completed in the 2016–17 fiscal year | The Audit Committee recommended that the Auditor General approve the report at its January 2018 meeting. The report was subsequently approved by the Auditor General. | Completed |
Practice reviews | Summary report for direct engagement audits completed in the 2016–17 fiscal year | In March 2018, the draft summary report was discussed with the assistant auditors general and the principals responsible for the audit practices. PRIA will present the report to the Audit Committee at its April 2018 meeting. | Completed |
Additional work completed by PRIA in 2017–18
In 2017–18, PRIA undertook the following work related to practice review and internal audit:
- Completed Canadian Council of Legislative Auditors peer reviews of
- a performance audit file from the Office of the Auditor General of Newfoundland and Labrador, and
- an attest file from the Office of the Auditor General of Manitoba.
- Coordinated Canadian Council of Legislative Auditors reviews of
- a performance audit file by the Office of the Auditor General of Quebec, and
- an attest audit file by the Office of the Auditor General of Manitoba.
- Completed an objective review of two sections of the Office’s 2017 Monitoring of the System of Quality Control.
- Coordinated provincial practice reviews required by the Chartered Professional Accountants (CPA); reviews were completed by CPA British Columbia, CPA Alberta, and CPA Ontario.
- Conducted an evaluation of key internal controls related to the Office’s Comptroller’s Services management of travel and hospitality expenses.
- Monitored follow-up on PRIA recommendations by Office management.
- Conducted annual and multi-year planning for PRIA engagements.
- Attended conferences and professional development training related to our work.
The internal audit report on Managing Information Technology Security, originally planned for completion in the 2016–17 fiscal year, took longer than anticipated to finalize. The report was completed in the 2017–18 fiscal year.
PRIA team participation in Office committees
In 2017–18, PRIA team members participated in a number of Office committees. This participation helped them increase their knowledge of the Office’s business and identify risks. In 2017–18, the team observed at the following committees:
- Executive Committee
- Annual Audit Principal (PX) Committee
- Annual Audit Principal/Director (PX/DX) Forum
- Annual Audit Champion Network Committee
- Bi-weekly Financial Directors’ Meeting
- Performance Audit Practice Management Committee
- Performance Audit Practice Operations Committee
- Principals’ Forum
Internal Audit Plan for the 2018–19 to 2020–21 Fiscal Years
Context for performing internal audits
The Office of the Auditor General of Canada complies, as required, with the Treasury Board’s Policy on Internal Audit and the related directive, and Practice Review and Internal Audit (PRIA) adheres to the Institute of Internal Auditors’ Standards when conducting its internal audit work.
In 2015, the Office began to use the Committee of Sponsoring Organizations of the Treadway Commission’s model as a benchmark to assess its internal control framework. The Committee’s internal control framework (control environment, risk assessment, control activities, information and communication, and monitoring) serves to mitigate risks that could result in the organization’s failure to achieve its strategic, operational, reporting, and compliance objectives.
In developing its Risk-Based Plan, PRIA considers the requirements of the Institute of Internal Auditors’ Standards. When planning its internal audits and assessments of internal controls, PRIA seeks to validate the effectiveness of the Office’s implementation of its internal control framework.
Internal audit planning and prioritization process
PRIA has developed a comprehensive strategy for establishing its risk-based internal audit plan, which includes environmental scanning, risk assessments, and extensive consultations.
Environmental scanning
PRIA performs internal and external environmental scans.
The external environmental scans look for changes in the environment that could affect the Office’s strategic objectives or PRIA’s internal audit mandate. PRIA monitors the external environment to ensure that its internal policies and procedures regarding internal audit comply with requirements. PRIA also considers the work of the Office of the Comptroller General of Canada and other government departments and agencies that may be relevant to the Office.
The internal scan also looks for changes in the Office’s internal environment, such as the introduction of new policies, procedures, and programs. It also includes a review of previous PRIA plans and the findings of previous internal audits and practice reviews.
Risk assessments
PRIA’s Risk-Based Plan is based on an assessment of risk affecting audit services and audit practices. The Office uses its Integrated Risk Management Framework to assess risks and assign them to strategic, compliance, and operations categories. The key risks identified by leaders of the services and of the audit practices must be monitored and managed to ensure the Office meets its commitments and achieves its objectives. PRIA reviews the risks the Office faces using the results of the Office’s integrated risk management exercise, including the risk registries for the audit practices and audit services. The main activities and processes of the Office’s corporate, practice, and service risk registers form the basis for PRIA’s audit universe.
For planning purposes, PRIA classifies risks from low to high by considering the risk mitigation activities presented by the leaders of the practice and service areas. PRIA also looks for risks that affect more than one service area and considers such risks higher.
Consultations
The PRIA team seeks clarification, if required, with senior management to better understand management’s assessment of risk and discuss other management activities undertaken to better document controls or mitigate risks.
PRIA uses these activities to establish a list of auditable activities.
Prioritization
To prioritize auditable activities and other types of work, PRIA prepares a template and considers how the issues identified link with risk factors and Office strategies.
PRIA defines risk factors as
- susceptibility to fraud;
- implications for reputation and corporate image;
- complexity of operations;
- results of the last audit or other known deficiencies;
- changes to systems, policies, or procedures; and
- implications for the level of regulatory or compliance requirements.
PRIA uses a rating scale of one to five to rank the impact of the auditable activity with the risk factors on the Office’s 11 strategic objectives, with one meaning low impact and five meaning high impact.
The result of the audit activity prioritization is the identification of new engagements. Audit activity prioritization may also affect the scheduling of previously planned engagements.
New internal audit engagement
As a result of PRIA’s 2017 risk assessment and the Office’s 2017 integrated risk management exercise, PRIA plans to conduct the following new internal audit engagement (Exhibit 2).
Exhibit 2 PRIA’s planned new internal audit engagement
Engagement | Name | Objective | Planned fiscal year |
---|---|---|---|
Internal audit | Departmental Security Plan | Determine whether the Office has an adequate Security Plan and whether it has been effectively implemented. | 2020–21 |
Updates to the 2017–18 Risk-Based Plan—Scheduling changes
Two internal audits noted in PRIA’s 2017–18 Risk-Based Plan have been rescheduled as a result of PRIA’s most recent risk assessment exercise (Exhibit 3).
Exhibit 3 Scheduling changes for internal audits
Engagement | Name | Planned fiscal year | Scheduled fiscal year |
---|---|---|---|
Business process review | Performance Audit Reporting and Redesign Project (PARRP)—External Review | 2018–19 | To be determined |
Internal audit | Compliance Project | 2019–20 | 2020–21 |
Performance Audit Reporting and Redesign Project—PRIA has decided to remove this engagement from its list of potential engagements. In early 2018, PRIA consulted the co-leads of the project to obtain a status update. They advised that the project had facilitated many changes in the performance audit process; however, a number of recommendations remained outstanding. The Direct Engagement Practice Team’s recent Efficiency Project has also introduced recommendations that aim to achieve the same goal as the Performance Audit Reporting and Redesign Project. The performance audit practice will have to decide which of these recommendations to implement. For this reason, PRIA decided to remove the Performance Audit Reporting and Redesign Project from the list of planned business process reviews, since this review has essentially been amalgamated into the Direct Engagement Practice Team’s Efficiency Project. PRIA will reassess whether a business practice review of the performance audit process is needed during next year’s update to the PRIA Risk-Based Plan.
Compliance Project—PRIA has deferred this internal audit engagement from the 2019–20 fiscal year to the 2020–21 fiscal year. The objective of this internal audit will be to determine whether an appropriate management control framework is in place to ensure that the Office remains compliant with relevant legislation and Treasury Board policies and directives.
Overall internal audit plan for the 2018–19 to 2020–21 fiscal years
For the 2018–19 to 2020–21 fiscal years, PRIA plans to conduct the following internal audits and projects (Exhibit 4).
Exhibit 4 Planned activities for three fiscal years
Fiscal year | Activity | Name | Governance | Risk management | Internal controls |
---|---|---|---|---|---|
2018–19 | Assessment of internal controls | Assessment of internal controls for the management of contracts | N/A | Yes | Yes |
2018–19 (Note 1) | Internal audit | The effectiveness of the Office’s management controls framework for learning and development | Yes | Yes | Yes |
2018–19 | Assessment of internal controls | Financial reporting—Review and re-performance of payroll | N/A | Yes | Yes |
2019–20 | Internal audit | Resourcing for audit practices | Yes | Yes | Yes |
2019–20 | Assessment of internal controls | Access to information—Acts and regulations | Yes | Yes | Yes |
2019–20 | Assessment of internal controls | Financial reporting—Review and re-performance of executive travel and hospitality | N/A | Yes | Yes |
2020–21 | Internal audit | Compliance project | Yes | Yes | Yes |
2020–21 | Assessment of internal controls | Financial reporting—Review and re-performance of operating expenses and executive compensation | Yes | Yes | Yes |
2020–21 | Internal audit | Departmental security plan | Yes | Yes | Yes |
2020–21 | Assessment of internal controls | Material management—Specific Treasury Board policy requirements | Yes | Yes | Yes |
In addition to the work shown in the table above, in 2018–19, the PRIA team will closely follow up on management’s action plan for the Internal Audit on Managing Information Technology (IT) Security, including randomly selecting scripts and performing tests to see whether the PRIA team reaches conclusions similar to management’s. Also in 2018–19, PRIA will be an independent observer of the International Peer Review process that is expected to begin during the fiscal year.
Details of internal audit engagements can be found in Appendix A.
Practice Review Plan for the 2018–19 Fiscal Year
Context for performing practice reviews
The Chartered Professional Accountants of Canada’s Canadian Standard on Quality Control 1 (CSQC 1), Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements, requires the Office of the Auditor General of Canada to establish a monitoring process that provides reasonable assurance that the policies and procedures for quality control are relevant, adequate, and operate effectively. The process must include, on a cyclical basis, an inspection of at least one completed engagement for each engagement leader (Principal).
PRIA is responsible for conducting inspections at the engagement level by assessing the design and implementation of the Office’s System of Quality Control in accordance with the CSQC 1 for all product lines to ensure its operational effectiveness. To do so, PRIA periodically assesses the design of the system of quality control and annually conducts systematic and rigorous practice reviews that cover all senior practitioners over a multi-year cycle.
PRIA’s approach to engagement selection
There are 34 engagement leaders in the Office who conduct audits: 19 primarily lead financial engagements (including 3 who also perform special examinations), and 15 primarily lead performance audits. PRIA used a random sampling approach to select engagement leaders for practice reviews. To randomly select engagement leaders for review, PRIA created two pools of engagement leaders: one for financial attest and the other for direct report (performance audits and special examinations). Creating these pools allowed PRIA to make pertinent observations and recommendations for each engagement leader within their respective audit practices, where appropriate.
Engagement leader review
PRIA reviews the audit work of engagement leaders in each pool at least once every four years. If an engagement leader has more than one audit in a pool, PRIA selects the audit through random sampling. PRIA’s four-year review cycle for each assurance category allows for the review of each engagement leader within a reasonable period.
Practice reviews planned for the 2018–19 fiscal year
In the 2018–19 fiscal year, PRIA expects to perform up to six practice reviews of financial attest engagement leaders and up to seven reviews of direct report engagement leaders. In addition to the random selection of engagement leaders, PRIA may conduct additional practice reviews to review a given engagement leader due to the results of past reviews or to address other concerns or specific audit practice risks.
Resourcing
To deliver the Practice Review and Internal Audit (PRIA) Risk-Based Plan, a team of five people will carry out all the practice reviews and internal audits:
- Louise Bertrand, Chief Audit Executive;
- Lori-Lee Flanagan, Director;
- Marc Gauthier, Director;
- Kari Swarbrick, Director; and
- Sylvie Joly, Administrative Assistant.
Budget
PRIA has a total budget of approximately 7,400 hours available to perform all its work in the 2018–19 fiscal year. Of this, the team has budgeted the following:
- 2,470 hours for practice reviews (including preparing summary reports)
- 1,780 hours for internal audit work (including completing engagements and conducting follow-up on recommendations)
- 780 hours for general administration and small projects (including PRIA team support, project to develop PRIA performance indicators, Institute of Internal Auditors Awareness Month activities at the Office, and meeting external reporting requirements; that is, PRIA’s contribution to the Office’s Departmental Results Reports)
- 710 hours for multi-year planning and ongoing risk assessment
- 510 hours for external practice reviews (including Canadian Council of Legislative Auditors work and provincial and international inspections)
- 500 hours for quality assurance and improvement program (including quality assurance review of internal audits, update to internal audit manual, and action plan resulting from External Validation of Quality Assurance Review)
- 400 hours for audit committee
- 250 hours for team meetings
PRIA may engage temporary resources as needed.
Appendix A—Internal Audit Project Descriptions
Proposed title: Resourcing for Audit Practices
- Timing: 2019–20 fiscal year
- Budget: 1,200 hours
- Areas: Audit Practices, Corporate Services
- Type of engagement: Assurance (internal audit)
Audit coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for 2017–20?
Yes. This internal audit was scheduled to be completed in the 2018–19 fiscal year. Resourcing at the Office has recently undergone significant changes, and PRIA feels resourcing needs to normalize before it conducts an internal audit in this area. For example, the Office has taken action to address elevated employee stress by determining a minimum number of direct engagements to be performed during a calendar year. In addition, the Office is refining the roles and responsibilities for resource decisions. The scope of this engagement will include audit practices, as the Office allocates the largest percentage of resources to the Annual Audit and Direct Engagement Audit Practices.
What does PRIA hope to accomplish with this internal audit?
The objective of this internal audit is to determine whether an effective management control framework is in place for ensuring the Office has sufficient resources in its audit practices to carry out its planned audit work. PRIA will examine how the audit practices prioritize the allocation of resources at the practice and engagement levels. PRIA will also examine how the practices use relevant, timely, accurate, and complete information to support decisions about resource allocations.
The internal audit will also include a review of how the Office forecasts its audit resource allocation. The review will assess the completeness of this forecasting process, and whether it is flexible enough to respond to unexpected events or changing priorities. PRIA will also look at the information that the audit practices collect to support the Office’s human resource strategies.
What will the internal audit examine and exclude?
The internal audit will look at the control environment; the risk identification, assessment, and mitigation strategies; and the control activities supporting audit resource planning and allocation.
The internal audit will exclude resource planning and allocation for Corporate Services.
Are there any significant risks for the Office related to this work?
There could be a reputational risk to the Office if the internal audit finds that the management control framework is ineffective in ensuring that sufficient resources are allocated to planned audits in the audit practices. There is also a risk that the Office may fail to deliver what it intended to do, or it may be unable to respond to unexpected events or changing priorities.
Proposed title: Compliance project
- Timing: 2020–21 fiscal year
- Budget: 750 hours
- Areas: Legal Services and Office-wide
- Type of engagement: Assurance (internal audit)
Audit coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for 2017–20?
Yes. This engagement was included in the PRIA Risk-Based Internal Audit Plan for 2017–20. Proposed as an internal audit in PRIA’s 2017–18 Risk-Based Plan, this engagement was to take place in 2019–20. As a result of the most recent risk-based planning exercise, this internal audit engagement will now be deferred to 2020–21.
What does PRIA hope to accomplish with this internal audit?
The objective of this internal audit is to determine whether an appropriate management control framework is in place to ensure that the Office remains compliant with relevant legislation and Treasury Board policies and directives. The Office recently reviewed its policies and practices to ensure that it complied with relevant legislation and Treasury Board policies. This review, known as the Compliance Project, included three key activities: creating an inventory, determining responsibility for each instrument, and assessing the Office’s compliance with each instrument.
PRIA wants to examine whether the Office has met the Compliance Project’s objectives and whether management has appropriate controls to ensure that the Office remains compliant.
What will the internal audit examine and exclude?
PRIA will examine plans, activities, and outcomes related to the Office’s Compliance Project to assess whether they provide sufficient control to ensure that the Office remains compliant with relevant compliance requirements.
Are there any significant risks for the Office related to this work?
This is a sensitive topic; the audit might identify areas of non-compliance or vulnerability due to weak controls. A negative conclusion could affect the Office’s reputation with the public and the entities it audits.
Proposed title: Implementation of the Office’s Departmental Security Plan
- Timing: 2020–21 fiscal year
- Budget: 1,200 hours
- Areas: Office-wide with a focus on the Office’s Security team
- Type of engagement: Assurance (internal audit)
Audit coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for 2017–20?
No. In its 2017 Risk-Based Plan, PRIA deferred this engagement, and requested that it be considered again in this current plan.
What does PRIA hope to accomplish with this internal audit?
The objective of the internal audit is to determine whether the Office has an adequate Security Plan and whether it has been effectively implemented.
What will the internal audit examine and exclude?
The audit will examine whether the Office’s Security Plan complies with Treasury Board policies and guidelines, and other relevant legislative requirements.
PRIA will assess the effectiveness of the Office’s management controls and procedures related to the implementation of the Security Plan. Specifically, the team will assess whether the plan includes the following items:
- Individual security screening
- Security contracting
- Security awareness and training
- Business continuity plan
- Incident management
- Physical security
- IT security
- Information management
The team will also assess the efficiency and effectiveness of governance and communication structures, mechanisms, and resources in place to ensure the effective management of security.
This internal audit will exclude IT security, since this aspect has been assessed in depth in the recent audit on Managing Information Technology Security.
Are there any significant risks for the Office related to this work?
This is a particularly sensitive topic; the audit could conclude that the Office does not have an adequate security plan and that there are potential weaknesses with the plan. A negative conclusion could affect the Office’s reputation with the public and the entities it audits.