Practice Review and Internal Audit—Risk-Based Plan for the 2021–22 to 2023–24 Fiscal Years

ISSN 1925-8488

Message from the Chief Audit Executive

I am pleased to present the Practice Review and Internal Audit (PRIA) Risk-Based Plan for the 2021–22 to 2023–24 fiscal years. The PRIA team developed this plan to ensure that PRIA’s planned engagements meet the Office of the Auditor General of Canada’s (OAG’s) assurance needs.

While the development of a multi-year plan always involves dealing with some unknowns, the past year has been like no other. The coronavirus disease (COVID‑19) pandemic has caused uncertainty in many aspects of our personal and work lives and has required us to adapt as well as possible. Because of this ongoing uncertainty, risks and opportunities have presented and will continue to present themselves. For PRIA, it is crucial that we continue to identify and address emerging and high-risk areas while adapting to new realities as they evolve. It also means that while we have developed a list of anticipated projects for the next 3 years, this list is subject to change on the basis of emerging events and evolving OAG priorities.

This document contains details about the PRIA team’s role, an overview of the planned engagements, and information about PRIA’s resources and capacity for the 2021–22 fiscal year. To establish its practice review and internal audit priorities, PRIA conducts environmental scans, risk assessments, and consultations with senior management and staff. PRIA also reviews the OAG’s plans and priorities and the results of the OAG’s latest integrated risk management process. PRIA will review this plan periodically to reassess and refine the timing, objective, and scope of engagements on the basis of organizational priorities and evolving risk areas to ensure that we continue to deliver value.

I would like to thank the OAG’s senior management, staff, and Audit Committee members for their cooperation and assistance in developing this plan. Their input will allow PRIA to assess the adequacy and effectiveness of governance, risk management, and internal control processes at the OAG.

Louise Bertrand
Chief Audit Executive
Office of the Auditor General of Canada

March 2021

PRIA at the OAG

Oversight

As an officer of Parliament, the OAG is independent from government and reports directly to the Parliament of Canada. Given its mandate, the OAG is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the OAG’s internal oversight mechanisms are of particular importance for ensuring that adequate management practices are in place. PRIA’s work is one of these oversight mechanisms, providing assurance to management through internal audits and practice reviews.

Reporting relationships

The Chief Audit Executive leads the OAG’s PRIA team and reports functionally to the OAG’s Audit Committee and administratively to the Auditor General.

The Chief Audit Executive is responsible for developing and updating PRIA’s risk‑based plan annually and presenting the plan to the Audit Committee for review. The Audit Committee recommends the approval of the plan to the Auditor General. The Auditor General is the final approval authority for the plan.

Scope and purpose

Exhibit 1 shows the scope and purpose of the activities conducted by the PRIA team.

Exhibit 1—Activities and the professional standards and other guidance used

This flowchart shows the activities of the Practice Review and Internal Audit team, the purpose of those activities, and the professional standards and other guidance used.

There are 2 activities conducted by the Practice Review and Internal Audit team: internal audits and practice reviews.

One purpose of internal audits is to provide the Auditor General with independent, objective assurance and consulting activities to add value and improve the Office of the Auditor General of Canada’s, or the OAG’s, operations. A second purpose of the internal audits is to bring a systematic and disciplined approach to evaluate and improve the effectiveness of the OAG’s risk management, control, and governance processes.

For internal audits, 2 professional standards and other guidance are used: the International Professional Practices Framework issued by the Institute of Internal Auditors and the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit as they apply to the OAG.

One purpose of practice reviews is to determine whether engagement leaders are complying with professional standards, OAG policies, and applicable legislative and regulatory requirements when conducting their audits. A second purpose is to ensure that audit reports are supported and appropriate.

For practice reviews, 2 professional standards and other guidance are used: the Canadian Professional Accountants of Canada’s Canadian Standard on Quality Control 1, and the Institute of Internal Auditors’ Attribute Standards for independence, objectivity, proficiency, and due professional care.

Measuring performance

The PRIA team has developed a set of performance measures to quantify and track its performance. PRIA developed indicators (objectives) for 4 key perspectives (Exhibit 2).

Exhibit 2—Key perspectives for measuring performance

This graphic shows 4 key perspectives for measuring performance: Financial, Learning and growth, Internal, and Customer. The 4 perspectives are part of a cycle that repeats itself, with the financial perspective for measuring performance leading to the learning and growth perspective, which leads to the internal perspective, and then to the customer perspective. The cycle continues with the customer perspective leading to the financial perspective, and so on.

The Appendix at the end of this document provides details on each perspective and associated performance measure.

Three-Year Risk-Based Plan

Objectives

The PRIA team’s risk-based plan has 2 key objectives (Exhibit 3).

Exhibit 3—Key objectives of the risk-based plan

Key objectives

Identify potential internal audits and engagements through an assessment of the Office of the Auditor General of Canada’s (OAG’s) risks and risk management procedures and an understanding of the OAG’s plans and priorities.

Identify a practice review schedule that meets the requirements of professional standards and addresses the OAG’s intent to continue improving the conduct of its audits.

PRIA’s planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the OAG’s strategic objectives. As a result, the PRIA risk-based plan is adjusted as required.

Internal audit plan for the 2021–22 to 2023–24 fiscal years

Internal audit planning and prioritization process

To establish its internal audit plan, PRIA follows 5 steps (Exhibit 4).

Exhibit 4—Steps for establishing the internal audit plan

Graphic showing 5 steps for establishing the internal audit plan. Details of the first 4 steps are in the table that follows.

Environmental scan

External scan
  • Scan for changes in the external environment that could affect the Office of the Auditor General of Canada’s (OAG’s) strategic objectives or Practice Review and Internal Audit’s (PRIA’s) internal audit mandate.
  • Scan for changes in professional standards that could affect PRIA’s internal policies and procedures.
Internal scan
  • Scan for changes in the OAG’s internal environment, such as the introduction of new policies, procedures, and activities.
  • Scan for previous internal audit and practice review plans and findings.

Risk assessment

  • Review results of the OAG’s integrated risk management exercise, including the risk registers for each of the audit practices and audit services.
  • Participate on multiple OAG committees to increase the team’s knowledge of the business and help it validate the completeness of the risks identified by management.
  • Review government-wide risks identified by the Office of the Comptroller General of Canada and in other government departments and agencies’ plans that may be relevant to the OAG.

Consultations

  • Seek clarification, if required, from management to better understand its assessment of risk.
  • Seek input from senior management as part of PRIA’s annual risk-based audit planning process.

Prioritization

  • Assess all identified significant risks considering the OAG’s strategic objectives and specific risk factors.
  • Identify and prioritize audit projects in relation to these risks on the basis of their importance and timing.

Key considerations for this year’s planning exercise

The OAG continued to undergo significant changes to its executive team over the last year. Following the appointment of the new Auditor General in June 2020, and the retirement of an Assistant Auditor General, 2 individuals were promoted from within the OAG to the position of Assistant Auditor General. In addition, a new Commissioner of the Environment and Sustainable Development was appointed in February 2021 for a 7‑year term. When planning new engagements, PRIA will consider the need to assess governance at the operational level and the risks associated with leadership changes, including the impact on internal controls during transition periods.

The COVID‑19 pandemic continues to have a profound impact on how the OAG operates. While we have adapted to remote working, the demands that these arrangements have placed on both OAG staff and the entities that we audit have strained all sectors of the OAG. We have also had to develop and implement new processes and tools to adapt to remote working arrangements. The risks associated with the pandemic are an important component of our risk assessment and are reflected in a few of the projects we plan to carry out, in addition to the internal audit on the OAG’s preparedness and response to the pandemic, including information technology (IT) security, that is already underway.

The OAG received a significant increase in its base funding prior to year‑end, with an additional increase expected for the 2021–22 fiscal year. This increase was necessary to build the capacity required to deliver on the COVID‑19 audits that Parliament has requested and to proceed with the modernization of the OAG’s approaches, tools, and products. This expected growth in many areas of the OAG presents a risk for people management and project management, which we have incorporated into our plan.

The Institute of Internal Auditors requires that an assessment of conformance with International Standards for the Professional Practice of Internal Auditing be conducted every 5 years. The next external assessment is to be conducted in the 2022–23 fiscal year. In response to this upcoming review, PRIA plans to conduct a self-assessment in the 2021–22 fiscal year of its internal audit practices against these standards and implement an action plan to address any gaps. Efficiencies will be gained if the external reviewers can rely on the self-assessment we perform.

Internal audit schedule for the 2021–22 to 2023–24 fiscal years

In addition to prioritizing its projects, PRIA considers what type of audit approach will deliver the best value. As a result, PRIA intends to pilot an “agile” internal audit in the 2021–22 fiscal year. Initial adoption of an agile methodology will require an investment of time and resources, including obtaining expert external advice and guidance. However, this methodology has the potential to result in more timely and valuable insights from PRIA’s work. It will also require buy‑in from senior management, as it will involve close collaboration with management through each step of the process. We are confident that the current growth mindset being embraced by the organization will lend itself well to this trial. We have categorized the rest of the planned projects as either internal audits or internal reviews for the purposes of this year’s plan.

PRIA is also committed to investigating how to use new audit tools in its work to help gain efficiencies and insights. This will involve drawing on the expertise that is available within the OAG to assist in such areas as data analytics and visualization.

PRIA plans to conduct the following internal audits and engagements over the next 3 fiscal years (Exhibit 5).

Exhibit 5—Planned projects for the next 3 fiscal years (revised October 2021)

Planned projects for the next 3 fiscal years

| Project | Estimated hours | 2021–22 fiscal year | 2022–23 fiscal year | 2023–24 fiscal year |
| --- | --- | --- | --- | --- |
| Internal audit: Resourcing the audit practices (finalize) | 300 | | | |
| Internal review: Office of the Auditor General of Canada’s preparedness and response to the COVID‑19 pandemic, including IT risks (finalize) | 150 | | | |
| Internal audit: Protection of personal information | 2,000 | | | |
| Independent reviews of OAG projects, including OAG Flex, Caseware and Digital Transformation Outsourcing | 1,000 | | | |
| Internal review (agile methodology): Adaptability to change Part 1—Budget management (Note *) | 600 | | | |
| Self-assessment: Practice Review and Internal Audit’s self-assessment of its internal audit activity | 400 | | | |
| Internal review: Approach to enterprise architecture, including modernization | 1,500 | | | |
| Internal audit: Diversity and inclusion | 1,500 | | | |
| External review: External assessment of Practice Review and Internal Audit’s internal audit function | 250 | | | |
| Internal audit: Selection and scoping of performance audits | 2,000 | | | |
| Internal audit: Health and safety | 1,500 | | | |

While the scope of the planned projects is still to be determined, we expect that they will all involve some aspects of governance, risk management, and internal controls.

Practice Review Plan for the 2021–22 Fiscal Year

Context for performing practice reviews

The PRIA team conducts practice reviews in accordance with the Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1 standard (Exhibit 6).

Exhibit 6—Responsibility and procedures when conducting practice reviews

Responsibility and procedures when conducting practice reviews

Authority: Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1

Standard requirement:

  • Establish a monitoring process that provides reasonable assurance that policies and procedures for quality control are relevant, adequate, and operate effectively.
  • Cyclical inspection of at least 1 completed engagement for each engagement leader.

Practice Review and Internal Audit responsibility: Cyclical inspections at the engagement level to provide the Auditor General of Canada with assurance that

  • audits comply with professional standards and Office of the Auditor General of Canada policies
  • reports are supported and appropriate

Practice Review and Internal Audit procedures: Annually conduct systematic practice reviews of completed assurance engagement files that cover all engagement leaders over a 4‑year period.

Approach to engagement selection

To select engagement leaders for practice reviews, PRIA uses a random sampling approach among those who completed an audit during the audit period under review. PRIA ensures that the sample selected for practice review includes the following considerations:

Practice reviews planned for the 2021–22 fiscal year

As of February 2021, there are 30 engagement leaders in the audit practices, consisting of 17 from the financial audit practice and 13 from the performance audit practice.

There are 12 practice reviews planned for the 2021–22 fiscal year (Exhibit 7).

Exhibit 7—Number of practice reviews planned for the 2021–22 fiscal year

| | Financial audits | Direct engagements | Total |
| --- | --- | --- | --- |
| Number of practice reviews planned | 6 | 6 | 12 |

Other planned activities

In addition to performing internal audits and practice reviews, the PRIA team plans to

Resources

Team

The team to carry out PRIA’s risk-based plan consists of 5 members:

PRIA may engage temporary resources as needed. Specifically, external expertise will be necessary to guide and train existing team members through the adoption of agile internal audit methodology, as well as subject matter experts in the specific fields that are under audit. In addition, with forecasted growth in all areas of the OAG in order to build audit capacity and modernize operations, we expect that there will also be an increased demand on the services provided by PRIA, which could require a more permanent expansion of the team at certain levels.

Budget

PRIA will require a total budget of approximately 10,000 hours to perform its planned work in the 2021–22 fiscal year (Exhibit 8).

Exhibit 8—Budget allocation for the 2021–22 fiscal year

Budget allocation for the 2021–22 fiscal year

| Activities | Estimated hours |
| --- | --- |
| Internal audit engagements | 3,450 |
| Practice reviews—Financial audit and direct engagement audit practices | 1,800 |
| Self-assessment of internal audit activities (in preparation for external review next year) | 400 |
| Knowledge of business, assessments of internal controls, consulting engagements, projects, the Quality Assurance and Improvement Program, and risk-based planning | 1,500 |
| Audit Committee and follow‑up of recommendations | 1,500 |
| Administration and team management | 1,500 |
| Total | 10,150 |

Appendix—Results for the 2020–21 Fiscal Year

Status of the 2020–21 risk-based plan

The PRIA team completed most of its planned activities for the 2020–21 fiscal year as described in its Risk-Based Plan for the 2020–21 to 2022–23 Fiscal Years. The following is the status of the most significant projects and activities:

Performance against measures

Exhibit 9 shows PRIA’s performance measures and projected results for the 2020–21 fiscal year.

Exhibit 9—2020–21 performance according to 4 key perspectives

Customer perspective

Objective: Be independent, objective, and non‑partisan

2020–21 performance according to customer perspective

| Measure | Target | Result |
| --- | --- | --- |
| Percentage of Practice Review and Internal Audit (PRIA) employees who comply with professional standards and are independent. | 100% | 100% |
| Percentage of returned Client Satisfaction Survey results that indicate that PRIA staff demonstrated independence, objectivity, and non‑partisanship. | 100% | 100% |

Objective: Report what is working, areas for improvement, and recommendations in a manner that is understandable, timely, fair, and adds value

2020–21 performance according to customer perspective

| Measure | Target | Result |
| --- | --- | --- |
| Percentage of internal audit and practice review recommendations that are addressed by management within the planned timeline provided in management’s action plan (as monitored by PRIA). | At least 90% | 85% |
| Percentage of internal audit and practice review recommendations that are agreed to by management. | At least 90% | 100% |

Financial perspective

Objective: Be a financially well-managed organization accountable for the use of resources entrusted to it

2020–21 performance according to financial perspective

| Measure | Target | Result |
| --- | --- | --- |
| Percentage of PRIA contracts that are in compliance with Office of the Auditor General of Canada (OAG) policies. | 100% | 100% |
| PRIA’s activities are delivered within its operational budget of hours. | Within 15% of budget | Within 5% of budget |

Internal perspective

Objective: Ensure selection and continuance of audit products likely to have significant impact and value

2020–21 performance according to internal perspective

| Measure | Target | Result |
| --- | --- | --- |
| The Audit Committee recommended the approval of PRIA’s risk‑based plan to the Auditor General. | Compliance | Met |

Objective: Ensure internal audits comply with professional standards

2020–21 performance according to internal perspective

| Measure | Target | Result |
| --- | --- | --- |
| External reviews find the PRIA team complies with the highest Institute of Internal Auditors professional standards in the conduct of internal audits. | Compliance | Met (Last conducted in 2017–18) |

Objective: Ensure effective, efficient, and accountable OAG governance and management

2020–21 performance according to internal perspective

| Measure | Target | Result |
| --- | --- | --- |
| Percentage of PRIA activities completed in the 2020–21 fiscal year as planned in its 2020–21 risk‑based plan. | At least 80% | 87.5% |
| Audit Committee finds the PRIA team is carrying out its activities as expected. | Compliance | Met |

Learning and growth perspective

Objective: Develop and maintain a skilled, engaged, and bilingual workforce

2020–21 performance according to learning and growth perspective

| Measure | Target | Result |
| --- | --- | --- |
| Percentage of PRIA employees who complete mandatory training within the allotted time frame. | 100% | 100% |
| The Chief Audit Executive is a Certified Internal Auditor (CIA). | Compliance | Met |
| Percentage of PRIA management who are certified (CIA, Chartered Professional Accountant (CPA)). | At least 50% | 75% |
| Percentage of PRIA employees who meet the language requirements of their positions. | 100% | 100% |