External Practice Inspection
Table of Contents
- 1.0 EXECUTIVE SUMMARY
- 1.1. Purpose of the Report
- 1.2. Background / Context
- 1.3. Objective and Scope
- 1.4. Methodology
- 1.5. Summary of Findings
- 1.6. Conclusion
1.0 EXECUTIVE SUMMARY
1.1. Purpose of the Report
This document presents the results of an external practice inspection conducted of the Department of Justice Canada's Internal Audit Services (IAS). The practice inspection was conducted to assess conformance with the Treasury Board Policy on Internal Audit and related Directives and Standards as well as the Institute of Internal Auditors' International Professional Practices Framework (IIA Standards).
1.2. Background / Context
The Treasury Board Policy on Internal Audit makes deputy heads responsible for ensuring that an external practice inspection of the internal audit function is conducted at least every five (5) years, by a qualified independent reviewer.
The Government of Canada has adopted the IIA International Professional Practices Framework and Departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the Standards are in conflict with the Treasury Board Policy on Internal Audit or any related Directives or Standards in which case the Policy, Directives or Standards will prevail.
In 2012, an independent firm was contracted to conduct an external validation of the self-assessment conducted by the Internal Audit Branch (IAB) at the Department of Justice Canada.
The primary objectives of the external validation were to verify the assertions made in the self-assessment report concerning:
- Conformity to the requirements of the Treasury Board Internal Audit Policy Suite, as well as the Internal Auditing Standards for the Government of Canada, as stated in the Treasury Board of Canada Secretariat's Internal Audit Practice Inspection Guidebook (June 2010); and
- Conformance with the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing (Standards), and the Code of Ethics.
The overall conclusion of the 2012 external validation was that the IAB at the Department of Justice Canada generally conformed to the Treasury Board Internal Audit Policy Suite, the Internal Auditing Standards for the Government of Canada, the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing (Standards), and the Code of Ethics. The rating of "generally conforms" is the highest rating an internal audit function could receive from a practice inspection.
Four years have now elapsed since the last external practice inspection was conducted. The Chief Audit Executive (CAE) of the Department of Justice Canada contracted the services of Raymond Chabot Grant Thornton Consulting Inc. (RCGT) to conduct an external practice inspection of IAS.
1.3. Objective and Scope
The principal objective of the external practice inspection was to ensure that the Department of Justice Canada's IAS conformed with the Treasury Board's Internal Audit Policy Suite, namely the Policy on Internal Audit, the Directive on Internal Auditing in the Government of Canada, the Internal Auditing Standards for the Government of Canada, the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA), and the Code of Ethics.
The external practice inspection was conducted between April and June 2016. The scope included audit reports that were approved by the Audit Committee during fiscal 2014-15 and 2015-16 (April 1, 2014 – March 31, 2016), as well as, all associated processes in place over that time period.
The audit reports reviewed included:
|Audit Reports Reviewed||Presented to the Departmental Audit Committee|
|Audit of Talent Management||October 2015|
|Audit of the Monitoring of the System of Internal Control Over Financial Reporting||October 2015|
|Audit of Timekeeping Practices||December 2015|
The external practice inspection was conducted using the methodology outlined in the Office of the Comptroller General's (OGC) Practice Inspection Guidebook and included the three main domains: (1) Governance; (2) Professional Practices; and (3) Monitoring and Reporting.
Conformance to the Policy on Internal Audit requirements were evaluated using the following scale:
- Generally Conforms (GC): means there is no material deficiency, although there may be some minor deficiencies;
- Partially Conforms (PC): means there is one material deficiency and there may be some minor deficiencies; and
- Does Not Conform (DNC): means that there is more than one major deficiency in practice that are judged to be so significant as to seriously impair or preclude the internal audit function from performing adequately in all or in significant areas of its responsibilities.
As part of the external practice inspection, the assessor (RCGT):
- Reviewed documentation provided by IAS (e.g. Internal Audit Charter, Departmental Audit Committee (DAC) Charter, CAE Annual Report, DAC Annual Report; Risk-based Audit Plans, DAC Records of Decisions (ROD), reports to DAC, organizational charts and staff competencies, etc.);
- Reviewed IAS's audit processes including the Internal Audit Manual;
- Reviewed the audit file and working papers of three audits completed during the scope period;
- Carried out interviews with Auditors, Senior Auditors, Managers, Directors, the CAE, the DAC, two (2) auditees / clients, as well as, with the Deputy Minister and Associate Deputy Minister;
- Summarized observations and findings, noted best practices, and prepared recommendations for improvement that could assist IAS in continuous improvement;
- Prepared the Conformance Evaluation Summary and the Draft Report; and
- Presented the findings to the CAE and the DAC.
1.5. Summary of Findings
A number of good practices were noted during our practice inspection.
Talent Management Program (Standard 1200):
The CAE has implemented a Talent Management program to develop auditor's soft skills and includes job shadowing opportunities with senior executives to observe the leadership behaviours applied by senior executives and expand knowledge of the department's operations.
Pool of Qualified, Designated Individuals (Standard 1200):
There is currently a good mix of expertise and credentials within the audit team (i.e. Certified Fraud Examiner (CFE), Certified Information Systems Auditor (CISA), Certification in Risk Management Assurance (CRMA), Certified Government Auditing Professional (CGAP), Chartered Professional Accountant (CPA), Certified Internal Auditor (CIA), Certification in Control Self-Assessment (CCSA), etc.) and audit community leadership is provided by multiple levels within IAS.
Balanced Risk Based Audit Plan (Standard 2010) and Performance Measurement (Standard 1300):
The 2016-19 Risk-based Audit Plan includes a balance of corporate and operational audits as well as the use data analytics in helping determine the audits to be selected; there is a well-developed performance measurement framework in place with a dashboard of key performance indicators being presented semi-annually to the Departmental Audit Committee.
Advanced Implementation of TeamMate Audit Management Software (Standard 1300):
IAS is advanced in its' implementation of the TeamMate audit management software. IAS has implemented TeamRisk, Electronic Working Papers (EWP), TeamTec and TeamCentral modules. This advanced implementation has created a number of efficiencies during the life cycle of an audit from the annual risk-based audit planning process, to engagement planning, examination and reporting through to the follow-up on management action plans, client satisfaction surveys and performance reporting.
Quality Assurance and Improvement Program (Standard 1300):
A quality assurance and improvement program has been developed and implement.
Quality assurance reviews were conducted on all audit files reviewed.
Fraud and Wrongdoing Matrix (Standard 2100):
IAS developed a fraud and wrongdoing matrix to establish roles and responsibilities to report potential fraud and/wrongdoing events to DAC.
Although our observations were mainly positive, two opportunities for consideration were noted; 1) working level management awareness of internal audit's mandate and value; and, 2) augmenting documentation of fraud risk consideration during the planning phase of an audit.
The following table provides a summary of the assessment against each area reviewed:
|OCG PI Program No.Footnote 1||Program Title||Applicable IIA Standard||Rating|
|A1||Values and Ethics||1100||GC|
|A3||Departmental Audit Committee||N/A||GC|
|A4||Chief Audit Executive||1100 and 2040||GC|
|A5||Internal Audit Charter||1000||GC|
|B1||B1.1 – Risk-based Audit Plan||2010 / 2020||GC|
|B1.2 – Coordination with / Support of Other Assurance Providers||2050||GC|
|B2||Assurance Services / Audit Roles and Responsibilities||2100||GC|
|B3||B3.1 – Audit Engagement Planning Phase||2200||GC|
|B3.2 – Audit Engagement Examination Phase||2300||GC|
|B3.3 – Audit Engagement Reporting Phase||2400||GC|
|B3.4 – Audit Engagement Follow-up Phase||2500||GC|
|B4||Proficiency and Due Professional Care||1200||GC|
|B5||Quality Assurance and Improvement Program||1300||GC|
|C1||Departmental Audit Committee||N/A||GC|
|C2||CAE Annual Report||N/A||GC|
The conclusion of the external practice inspection is that the Department of Justice Canada's IAS Generally Conforms with the Treasury Board's Internal Audit Policy Suite, the Policy on Internal Audit, the Directive on Internal Auditing in the Government of Canada, the Internal Auditing Standards for the Government of Canada, the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA), and Code of Ethics. The rating of "generally conforms" is the highest rating an internal audit function could receive from a practice inspection.
- Date modified: