Practice Review and Internal Audit—Risk-Based Plan for the 2019–20 to 2021–22 Fiscal Years
Table of Contents
- Foreword
- Introduction
- The Office of the Auditor General of Canada
- Practice Review and Internal Audit
- Status of the 2018–19 PRIA Risk-Based Plan
- Internal Audit Plan for the 2019–20 to 2021–22 Fiscal Years
- Practice Review Plan for the 2019–20 Fiscal Year
- Resourcing
- Appendix A—Performance of PRIA Against Its Measures
- Appendix B—Internal Audit Project Descriptions
This document presents the Practice Review and Internal Audit Risk-Based Plan for the 2019–20 to 2021–22 fiscal years as reviewed by the Office’s Audit Committee and approved by the Interim Auditor General on 24 April 2019.
Foreword
In 2019, the Practice Review and Internal Audit (PRIA) team lost one of its greatest champions. Michael Ferguson, the Office of the Auditor General of Canada’s leader from 2011 to his death, was a strong believer in good governance, accountability, and employee engagement. Recognizing the importance that internal auditing plays in promoting good governance and accountability, Mike supported the mandate of the PRIA team and respected its observations and conclusions, without reservation. He held management accountable for implementing the recommendations made by the team and for acting on its observations in a timely manner. Most importantly, Mike supported and encouraged all members of the team to strive for excellence in their work and to continuously seek to deliver the best value to the organization and to Canadians. He will be dearly missed by all. Thank you, Mike.
The Practice Review and Internal Audit (PRIA) team of the Office of the Auditor General of Canada developed the Risk-Based Plan for the 2019–20 to 2021–22 fiscal years to ensure that PRIA’s planned engagements meet the Office’s assurance needs.
This document contains details about the PRIA team’s role, an overview of the planned engagements for the next three fiscal years, and information about PRIA’s resources and capacity for the 2019–20 fiscal year.
In establishing its practice review and internal audit priorities, PRIA conducts environmental scans, risk assessments, and consultations with senior management and staff. PRIA also reviews the Office’s plans and priorities, and the results of its latest integrated risk management process. PRIA updates the Risk-Based Plan annually, according to organizational priorities, the availability of resources, and evolving risk-assessment needs.
I would like to thank the Office’s senior management, staff, and the members of the Audit Committee for their cooperation and assistance with the development of this plan. Their input will allow PRIA to assess the adequacy and effectiveness of governance, risk management, and internal control processes in the Office.
Louise Bertrand
Chief Audit Executive
Office of the Auditor General of Canada
April 2019
Introduction
As an agent of Parliament, the Office of the Auditor General of Canada is independent from government and reports directly to the Parliament of Canada. Given its mandate, the Office is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the Office’s internal oversight mechanisms are of significant importance to ensuring that adequate management practices are in place. Practice Review and Internal Audit (PRIA) is one of these oversight mechanisms, as it provides assurance to management through internal audits and practice reviews.
This document presents PRIA’s Risk-Based Plan for the 2019–20 to 2021–22 fiscal years for the Office. PRIA has updated the plan to consider the latest results of the Office’s integrated risk management process and the detailed work and analysis completed by PRIA in the 2018–19 fiscal year. The plan combines proposed internal audit engagements and practice reviews to be completed over the next three fiscal years. In determining its planned activities, PRIA sought to allocate its resources to the Office’s areas of significant risk.
The Office of the Auditor General of Canada
Mandate
The Auditor General of Canada is an Officer of Parliament, reporting directly to the Parliament of Canada. The Auditor General is independent of the government in the execution of the position’s work and responsibilities. The Office of the Auditor General of Canada’s mandate and the Auditor General’s responsibilities are set out in the Auditor General Act, the Financial Administration Act, and other acts and orders-in-council.
The Commissioner of the Environment and Sustainable Development carries out the Auditor General’s mandate related to the environment and sustainable development.
The Office is the legislative audit office for the federal government and for the three territorial governments (Nunavut, Yukon, and the Northwest Territories).
The Office conducts independent audits and studies that provide objective information, advice, and assurance to Parliament, territorial legislatures, governments, and Canadians. The Office conducts audits according to professional auditing standards and Office policies.
The Office’s mission is to contribute to a well-managed and accountable government for Canadians.
Strategic objectives
The Office identified the following three strategic objectives for the 2019–20 fiscal year:
- Be a financially well-managed organization accountable for the use of resources entrusted to it.
- Ensure effective, efficient, and accountable Office governance and management.
- Develop and maintain a skilled, engaged, and bilingual workforce.
Practice Review and Internal Audit
Mission
The Office of the Auditor General of Canada’s Practice Review and Internal Audit (PRIA) team’s mission is to enhance and protect the Office’s value by providing risk-based and objective assurance, advice, and insight.
Scope of activities
The PRIA team’s scope of activities serves two separate but related purposes:
- Internal Audit. PRIA’s Internal Audit team has adopted the Institute of Internal Auditors’ Definition of Internal Auditing to help the Office accomplish its organizational vision, mission, and strategic objectives. The team provides independent, objective assurance and consulting activities to add value and improve the Office’s operations. The team brings a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
- Practice Review. PRIA’s Practice Review team helps the Office meet its obligations under the Chartered Professional Accountants of Canada’s Canadian Standard on Quality Control 1 (CSQC 1). It does this work by conducting inspections to determine the extent to which engagement leaders comply with professional standards, Office policies, and applicable legislative and regulatory requirements when conducting their audits. These reviews also ensure that audit reports are supported and appropriate.
PRIA conducts its work in accordance with established professional standards:
- Internal audits are conducted in accordance with the International Professional Practices Framework issued by the Institute of Internal Auditors and with the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit as they apply to the Office.
- Practice reviews are conducted in compliance with the Chartered Professional Accountants of Canada’s CSQC 1, Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements. PRIA also conforms to the Institute of Internal Auditors’ Attribute Standards for independence and objectivity, for proficiency and due professional care, and for the Quality Assurance and Improvement Program.
Reporting relationships
The Office’s Chief Audit Executive reports functionally to the Audit Committee and administratively to the Deputy Auditor General.
The Chief Audit Executive is responsible for developing and updating PRIA’s Risk-Based Plan annually. PRIA presents its Risk-Based Plan to the Audit Committee for review. The Audit Committee recommends the approval of the Risk-Based Plan to the Interim Auditor General. The Interim Auditor General is the final approval authority for PRIA’s Risk-Based Plan.
Objectives of PRIA’s Risk-Based Plan
PRIA’s Risk-Based Plan has two key objectives:
- Identify potential internal engagements on the basis of an assessment of the Office’s risks and risk management procedures and an understanding of the Office’s plans and priorities.
- Identify a practice review schedule that meets the requirements of professional standards and addresses the Office’s intent to continue improving the conduct of its audits.
The PRIA planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the Office’s strategic objectives.
PRIA’s performance measures
In 2018, PRIA developed a set of performance measures to quantify and track its performance. Using a balanced scorecard approach, PRIA developed indicators for four key perspectives:
- financial perspective,
- internal perspective,
- customer perspective, and
- learning and growth perspective.
Appendix A provides details on each perspective and associated performance measure as well as the results for the 2018–19 fiscal year.
Status of the 2018–19 PRIA Risk-Based Plan
In the 2018–19 fiscal year, Practice Review and Internal Audit (PRIA) completed two of five planned activities as described in its Risk-Based Plan for the 2018–19 to 2020–21 fiscal years (Exhibit 1).
Exhibit 1 Status of PRIA’s Risk-Based Plan for the 2018–19 fiscal year
Engagement | Name | Description | Status |
---|---|---|---|
Internal audit | The effectiveness of the Office’s management control framework for learning and development | The audit examined whether the Office had an adequate and effective management framework for learning, training, and development to ensure that employees received the training and development they needed, when they needed it, to carry out their duties. | Completed |
Assessment of internal controls | Assessment of internal controls for the management of contracts | The objective of the review is to provide moderate assurance that the Office’s internal controls for contract management are working as intended and support the Office’s compliance with relevant legislation, regulations, and Treasury Board and Office policies. | Examination phase |
Assessment of internal controls | Financial reporting—Review and re-performance of payroll | The objective of the review is to provide moderate assurance that the work that the Office’s Internal Control over Financial Reporting (ICFR) team performed on internal controls for payroll was properly planned and executed. The review examines whether key controls are in place, are working as intended, and are supporting the Office’s compliance with relevant legislation, regulations, and Treasury Board and Office policies. | Examination phase |
Practice reviews | Summary report for financial audits completed in the 2017–18 fiscal year | The Audit Committee recommended that the Auditor General approve the report at its October 2018 meeting. The report was subsequently approved by the Auditor General. | Completed |
Practice reviews | Summary report for direct engagement audits completed in the 2017–18 fiscal year | Four out of seven practice reviews have been completed. The summary report is expected to be completed by July 2019. | In progress |
Additional work completed by PRIA in 2018–19
PRIA undertook the following additional activities in the 2018–19 fiscal year:
- Completed Canadian Council of Legislative Auditors peer reviews of
  - the Office of the Auditor General of Quebec’s performance audit file,
  - the Office of the Auditor General of British Columbia’s performance audit file,
  - the Office of the Auditor General of Nova Scotia’s attest audit file, and
  - the Office of the Auditor General of New Brunswick’s attest audit file.
- Reviewed the implementation of the project to replace the human resources management information system of the Office of the Auditor General of Canada.
- Helped coordinate a provincial practice inspection required by the Chartered Professional Accountants of Canada (CPA Canada); a review was completed by CPA Quebec.
- Monitored Office management’s follow-up on PRIA recommendations.
- Acted as an independent observer of the international peer review process.
- Conducted annual and multi-year planning for PRIA engagements.
- Attended conferences and professional development training related to PRIA’s work.
PRIA team participation in Office committees
In the 2018–19 fiscal year, PRIA team members participated on a number of Office committees. This participation helped members to increase their knowledge of business and identify risks. In 2018–19, the team observed at the following committees:
- Executive Committee
- Annual Audit Principal/Director (PX/DX) Steering Committee
- Annual Audit PX/DX Forum
- Annual Audit Champion Network
- Biweekly Financial Directors’ Meeting
- Performance Audit Practice Management Committee
- Performance Audit Practice Operations Committee
- PX Forum
Internal Audit Plan for the 2019–20 to 2021–22 Fiscal Years
Context for performing internal audits
The Office of the Auditor General of Canada complies, as required, with the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit. Practice Review and Internal Audit (PRIA) adheres to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards) when conducting its internal audit work.
In developing its Risk-Based Plan, PRIA considers the requirements of the Institute’s Standards. When planning its internal audits and assessments of internal controls, PRIA seeks to validate the effectiveness of the Office’s implementation of its internal control framework.
Internal audit planning and prioritization process
PRIA has developed a comprehensive strategy for establishing its risk-based internal audit plan, which includes environmental scanning, risk assessments, and extensive consultations.
Environmental scanning
PRIA performs internal and external environmental scans.
The external environmental scans look for changes in the environment that could affect the Office’s strategic objectives or PRIA’s internal audit mandate. PRIA monitors the external environment to ensure that its internal policies and procedures regarding internal audits comply with requirements. PRIA also considers the work of the Office of the Comptroller General of Canada and other government departments and agencies that may be relevant to the Office.
The internal scan looks for changes in the Office’s internal environment, such as the introduction of new policies, procedures, and programs. It also includes a review of previous PRIA plans and the findings of previous internal audits and practice reviews.
Risk assessments
PRIA’s Risk-Based Plan is based on an assessment of risk affecting audit services and audit practices. The Office uses its Integrated Risk Management Framework to assess risks and assign them to “strategic,” “compliance,” and “operations” categories. The key risks identified by leaders of the services and of the audit practices must be monitored and managed to ensure that the Office meets its commitments and achieves its objectives. PRIA reviews the risks the Office faces using the results of the Office’s integrated risk management exercise, including the risk registries for the audit practices and audit services. The main activities and processes of the Office’s corporate, practice, and service risk registers form the basis for PRIA’s audit universe.
For planning purposes, PRIA classifies risks from low to high by considering the risk mitigation activities presented by the leaders of the practice and service areas. PRIA also looks for risks that affect more than one service area and considers such risks higher.
In the 2018–19 fiscal year, the Office underwent significant changes to its senior management ranks. The recent passing of the Auditor General in February 2019 resulted in the appointment of an interim auditor general and a new chief financial officer. In addition, five new assistant auditors general were appointed to lead the audit practices and audit services in anticipation of upcoming retirements at this executive level. Also, the Commissioner of the Environment and Sustainable Development plans to retire in summer 2019. Management has taken actions to manage the risks that may result from these leadership changes. As a result, when planning new engagements and in developing its framework to assess governance at the Office, PRIA will consider the risks associated with this change in management and processes put in place by management.
Consultations
The PRIA team seeks clarification, if required, with senior management to better understand management’s assessment of risk. It also discusses other management activities undertaken to better document controls or mitigate risks.
PRIA uses these activities to establish a list of auditable activities.
Prioritization
To prioritize auditable activities and other types of work, PRIA prepares a template and considers how the issues identified link with risk factors and Office strategies.
PRIA defines risk factors as
- susceptibility to fraud;
- implications for reputation and corporate image;
- complexity of operations;
- results of the last audit or other known deficiencies;
- changes to systems, policies, or procedures; and
- implications for legal, regulatory, or policy compliance.
PRIA uses a rating scale of one to five to rank the impact of the auditable activity with the risk factors on the Office’s 11 strategic objectives, with one meaning low impact and five meaning high impact.
Prioritizing the auditable activities results in identifying new engagements and may also affect the scheduling of previously planned engagements.
New internal audit engagements
As a result of PRIA’s 2018 risk assessment and of the Office’s 2018 integrated risk management exercise, PRIA plans to conduct two new internal audits (Exhibit 2).
Exhibit 2 PRIA’s planned new internal audit engagement
Engagement | Name | Objective | Planned fiscal year |
---|---|---|---|
Internal audit | Protection of Personal Information | To determine whether an effective Office framework is in place for ensuring compliance with the Privacy Act, including controls for the safeguarding, collection, accuracy, use, disclosure, retention, and disposal of personal information. | 2020–21 |
Internal audit | Strategic Planning for Performance Audits | To determine whether an effective strategic audit planning system is in place for ensuring that the Office identifies audits that focus on areas of significance and relevance to Parliament and Canadians. | 2021–22 |
2018–19 to 2020–21 Risk-Based Plan—Scheduling updates
A few engagements noted in PRIA’s 2018–19 to 2020–21 Risk-Based Plan have been deferred as a result of PRIA’s most recent risk assessment exercise, stakeholder feedback, and PRIA’s capacity to deliver planned products (Exhibit 3).
Exhibit 3 Deferred engagements
Engagement | Name | Planned fiscal year | Scheduled fiscal year |
---|---|---|---|
Internal review | Compliance Project | 2020–21 | 2021–22 |
Internal control assessment | Access to Information—Acts and Regulations | 2019–20 | To be determined |
Internal audit | Departmental Security Plan | 2020–21 | To be determined |
Internal control assessment | Material Management—Specific Treasury Board Policy Requirements | 2020–21 | To be determined |
Internal audit plan for the 2019–20 to 2021–22 fiscal years
For the 2019–20 to 2021–22 fiscal years, PRIA plans to conduct several internal audits and engagements (Exhibit 4).
Exhibit 4 PRIA’s planned activities for the next three fiscal years
Fiscal year | Activity | Name | Governance | Risk management | Internal controls |
---|---|---|---|---|---|
2019–20 | Internal audit | Resourcing for Audit Practices | Yes | Yes | Yes |
2019–20 | Assessment of internal controls | Financial Reporting—Review and Re-performance of Executive Travel and Hospitality | N/A | Yes | Yes |
2020–21 | Internal audit | Protection of Personal Information | Yes | Yes | Yes |
2020–21 | Assessment of internal controls | Financial Reporting—Review and Re-performance of Operating Expenses and Executive Compensation | N/A | Yes | Yes |
2021–22 | Internal audit | Strategic Planning for Performance Audits | Yes | Yes | Yes |
2021–22 | Internal review | Compliance Project Review | Yes | Yes | Yes |
Details of the internal audits and internal review can be found in Appendix B.
Other planned projects
In addition, PRIA will conduct the following activities in the 2019–20 fiscal year:
- Follow up on management’s action plan in response to the Internal Audit Report—Managing Information Technology Security.
- Develop a framework to assess the Office’s governance practices.
- Develop a framework to use data analytics.
Practice Review Plan for the 2019–20 Fiscal Year
Context for performing practice reviews
The Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1 (CSQC 1), Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements requires the Office of the Auditor General of Canada to establish a monitoring process that provides reasonable assurance that the policies and procedures for quality control are relevant, adequate, and operate effectively. The process must include, on a cyclical basis, an inspection of at least one completed engagement for each engagement leader (principal).
PRIA is responsible for conducting inspections at the engagement level by assessing the design and implementation of the Office’s System of Quality Control in accordance with CSQC 1 for all product lines to ensure its operational effectiveness. To do so, PRIA periodically assesses the design of the System of Quality Control and annually conducts systematic and rigorous practice reviews that cover all senior practitioners over a multi-year cycle.
PRIA’s approach to engagement selection
As of April 2019, there are 30 engagement leaders in the Office who conduct audits: 17 primarily lead financial engagements (including 3 who also perform special examinations), 12 primarily lead performance audits, and 1 who only leads special examinations. PRIA used a random sampling approach to select engagement leaders for practice reviews. To randomly select engagement leaders for review, PRIA created two pools of engagement leaders: one for financial audits and the other for direct engagements (performance audits and special examinations). Creating these pools allowed PRIA to make pertinent observations and recommendations for each engagement leader within their respective audit practices, where appropriate.
Engagement leader review
PRIA reviews the audit work of engagement leaders in each pool at least once every four years. If an engagement leader has more than one audit in a pool, PRIA selects the audit through random sampling. PRIA’s four-year review cycle for each assurance category allows for the review of each engagement leader within a reasonable period.
Practice reviews planned for the 2019–20 fiscal year
In the 2019–20 fiscal year, PRIA expects to perform up to six practice reviews of financial audit engagement leaders and up to seven reviews of direct engagement leaders. PRIA may conduct additional practice reviews, given the results of past reviews or to address other concerns or specific audit practice risks.
Resourcing
To deliver the Practice Review and Internal Audit (PRIA) Risk-Based Plan, a team of five people will carry out all the practice reviews and internal audits:
- Louise Bertrand, Chief Audit Executive;
- Lori-Lee Flanagan, Director;
- Marc Gauthier, Director;
- Patrick Polan, Director; and
- Karen Webber, Administrative Assistant.
Budget
PRIA has a total budget of approximately 7,400 hours available to perform all its work in the 2019–20 fiscal year (Exhibit 5).
Exhibit 5 PRIA’s budget allocation for the 2019–20 fiscal year
Activities | Estimated hours |
---|---|
Internal audit engagements, assessments of internal controls, consulting engagements, projects, the Quality Assurance and Improvement Program, and risk-based planning | 3,050 |
Practice reviews—financial audit and direct engagement audit practices | 2,500 |
Audit Committee and follow-up of recommendations | 600 |
Administration and team management | 1,000 |
External inspections | 250 |
Total | 7,400 |
PRIA may engage temporary resources as needed.
Appendix A—Performance of PRIA Against Its Measures
In the 2018–19 fiscal year, Practice Review and Internal Audit (PRIA) developed its balanced scorecard of performance measures and began to track its performance against these measures.
Vision
The PRIA team is recognized and respected for the quality of its work and for its value-added contribution to the Office of the Auditor General of Canada.
Mission
The PRIA team’s mission is to enhance and protect the Office’s value by providing risk-based and objective assurance, advice, and insight.
Financial perspective
Be a financially well-managed organization accountable for the use of resources entrusted to it
Measure | Target | Result | Comment |
---|---|---|---|
Percentage of PRIA contracts that are in compliance with Office policies | 100% | 100% | |
Percentage of PRIA products that are delivered within the established operational budget | 100% | 100% | PRIA delivered its products within the established budget. |
Internal perspective
Ensure selection and continuance of audit products likely to have significant impact and value
Measure | Target | Result | Comment |
---|---|---|---|
The Audit Committee recommends the approval of PRIA’s Risk-Based Plan to the Auditor General (AG). | AG Approval | Met | |
Ensure internal audits comply with professional standards in an economical manner
Measure | Target | Result | Comment |
---|---|---|---|
External reviews find the PRIA team does comply with professional standards in the conduct of internal audits. | Highest level of Institute of Internal Audit Standards | Met | |
Ensure effective, efficient, and accountable Office governance and management
Measure | Target | Result | Comment |
---|---|---|---|
Percentage of PRIA objectives achieved according to the Risk-Based Plan | At least 80% | Met | |
Audit Committee finds the PRIA team is carrying out its activities as expected | Meets at least 80% of expectations | Met | |
Customer perspective
Be independent, objective, and non-partisan
Measure | Target | Result | Comment |
---|---|---|---|
Percentage of PRIA employees who comply with professional standards and are independent. | 100% | Met | |
Client Satisfaction Survey results indicate that the PRIA team staff demonstrated independence, objectivity, and non-partisanship | Achieved | Measure met for “independence.” Two surveys were received. With respect to objectivity and non-partisanship, one survey respondent indicated neither agreement nor disagreement. | |
Report what is working, areas for improvement, and recommendations in a manner that is understandable, timely, fair, and adds value
Measure | Target | Result | Comment |
---|---|---|---|
Percentage of internal audit and practice review recommendations addressed by management within the planned timeline | At least 90% | Met | |
Learning and growth perspective
Develop and maintain a skilled, engaged, and bilingual workforce
Measure | Target | Result | Comment |
---|---|---|---|
Percentage of PRIA employees who complete mandatory training within the allotted time frame | 100% | Met | |
The Chief Audit Executive (CAE) is a Certified Internal Auditor (CIA) | Achieved | Met | |
Percentage of PRIA employees who are certified (CIA, Chartered Professional Accountant (CPA)) | At least 50% | Met | |
Percentage of PRIA employees who meet the language requirements of their positions | 100% | Met | |
Appendix B—Internal Audit Project Descriptions
Proposed title: Resourcing for Audit Practices
- Timing: 2019–20 fiscal year
- Budget: 1,500 hours
- Areas: Audit practices and Corporate Services
- Type of engagement: Assurance (internal audit)
Audit coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for the 2018–19 to 2020–21 fiscal years?
Yes. This internal audit was scheduled to be completed in the 2019–20 fiscal year. Resourcing at the Office has recently undergone significant changes with the introduction of new management roles and responsibilities, budget pressures, and staff turnover. The scope of this engagement will include the audit practices, as the Office allocates the largest percentage of resources to the financial audit and direct engagement audit practices.
What does PRIA hope to accomplish with this internal audit?
The objective of this internal audit is to determine whether an effective management control framework is in place for ensuring that the Office has sufficient resources in its audit practices to carry out its planned audit work. PRIA will examine how the audit practices prioritize the allocation of resources at the practice and engagement levels. PRIA will also examine how the practices use relevant, timely, accurate, and complete information to support decisions about resource allocations.
The internal audit will also include a review of how the Office forecasts its audit resource allocation. The review will assess the completeness of this forecasting process, and whether it is flexible enough to respond to unexpected events or changing priorities. PRIA will also look at the information that the audit practices collect to support the Office’s human resource strategies.
What will the internal audit examine and exclude?
The internal audit will look at the control environment; the risk identification, assessment, and mitigation strategies; and the control activities supporting audit resource planning and allocation.
The internal audit will exclude resource planning and allocation for Corporate Services.
Are there any significant risks for the Office related to this work?
There could be a reputational risk to the Office if the internal audit finds that the management control framework is ineffective in ensuring that sufficient resources are allocated to planned audits in the audit practices. There is also a risk that the Office may fail to deliver what it intended to do, or that it may be unable to respond to unexpected events or changing priorities.
Proposed title: Protection of Personal Information
- Timing: 2020–21 fiscal year
- Budget: 1,000 hours
- Areas: Audit practices and Corporate Services
- Type of engagement: Assurance (internal audit)
Audit coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for the 2018–19 to 2020–21 fiscal years?
No. This internal audit was identified during PRIA’s risk-based planning process for 2018.
What does PRIA hope to accomplish with this internal audit?
The objective of the internal audit is to determine whether an effective framework is in place at the Office for ensuring compliance with the Privacy Act, including controls for the safeguarding, collection, accuracy, use, disclosure, retention, and disposal of personal information.
What will the internal audit examine and exclude?
The scope of this internal audit will include the collective suite of processes for the management of personal information that are in place, including threat and risk assessments and procedures in place to respond to requests under the Privacy Act.
Are there any significant risks for the Office related to this work?
The results of this audit could demonstrate that the Office does not manage the personal information it collects for administrative and audit purposes or respond effectively to requests for personal information. Both situations pose a reputational risk to the organization.
Proposed title: Strategic Planning for Performance Audits
- Timing: 2021–22 fiscal year
- Budget: 700 hours
- Areas: Audit practices
- Type of engagement: Assurance (internal audit)
Audit coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for the 2018–19 to 2020–21 fiscal years?
No. This internal audit was identified during PRIA’s risk-based planning process for 2018.
What does PRIA hope to accomplish with this internal audit?
The objective of the internal audit is to determine whether an effective strategic audit planning system is in place for ensuring that the Office identifies audits focused on areas of significance and relevance to Parliament and Canadians.
What will the internal audit examine and exclude?
PRIA will closely examine the key components of the existing process, including the level of effort deployed, the internal and external consultations conducted, the identification of potential audit topics, and the selection process of specific audits.
Are there any significant risks for the Office related to this work?
The results of this audit could demonstrate that audit selection is not always based on risks.
Proposed title: Compliance Project Review
- Timing: 2021–22 fiscal year
- Budget: 750 hours
- Areas: Legal Services and Office-wide
- Type of engagement: Internal review
Review coverage
Governance | Risk | Internal controls |
---|---|---|
Yes | Yes | Yes |
Was this engagement included in the PRIA Risk-Based Plan for the 2018–19 to 2020–21 fiscal years?
Yes. This engagement was scheduled for the 2019–20 fiscal year but was deferred to the 2021–22 fiscal year as the Compliance Project was still being implemented.
What does PRIA hope to accomplish with this review?
The objective of the internal review is to determine whether an appropriate policy control framework is in place to ensure that the Office remains compliant with relevant legislation and Treasury Board policies and directives. The Office recently reviewed its policies and practices to ensure that it complies with relevant legislation and Treasury Board policies. This review, known as the Compliance Project, included three key activities: creating an inventory, determining responsibility for each instrument, and assessing the Office’s compliance with each instrument.
PRIA wants to examine whether the Office has met the Compliance Project’s outcomes and whether management has appropriate controls to ensure that the Office remains compliant.
What will the review examine and exclude?
PRIA will examine plans, activities, and outcomes related to the Office’s Compliance Project to assess whether they provide sufficient control to ensure that the Office will remain compliant with relevant compliance requirements.
Are there any significant risks for the Office related to this work?
This is a sensitive topic; the review might identify areas of non-compliance or vulnerability due to weak controls. A negative conclusion could affect the Office’s reputation with the public and the entities it audits.