Internal Audit Policy
Prepared by: Chief Audit Executive, CIHR
Recommended by: CIHR Audit Committee, June 1, 2016
Approved by: CIHR Governing Council, June 22, 2016
Table of Contents
- Effective Date
- Policy Statement
- Policy Requirements
1. Effective Date
This Internal Audit Policy takes effect on June 22nd, 2016, replacing the 2014 CIHR Internal Audit Policy and Charter.
This Policy applies to the entire CIHR with the exceptions noted in section 6.2.1.
This policy is issued pursuant to the Treasury Board (TB) of Canada's Policy on Internal Audit effective April 1, 2012. The TB Policy is designed to ensure that, at both departmental and government-wide levels, internal audit provides deputy heads and the Comptroller General, respectively, with added assurance and advice, independent from line management, on risk management, control, and governance processes.
The Canadian Institutes of Health Research Act, which establishes CIHR, mandates the CIHR Governing Council with responsibility for the management of CIHR, including development of its strategic directions, goals, and policies; evaluation of its overall performance, including the achievement of its objectives; and approval of its budget. The Act appoints the CIHR President the Chairperson of the Governing Council as well as the Chief Executive Officer responsible for the day-to-day management and direction of CIHR.
Definitions to be used in the interpretation of this Policy and related directives and standards are included in the Appendix of the Treasury Board Policy on Internal Audit.
5. Policy Statement
The objective of this Policy is to contribute to the improvement of CIHR's management by ensuring a strong, credible, effective and sustainable internal audit function within the agency. Accordingly, CIHR shall comply with the requirements of the TB Policy on Internal Audit.
5.2 Expected Results
The President is effectively supported in their role of accounting officer by a strong, credible internal auditing regime that undertakes the objective examination of evidence for the purpose of providing an independent assessment on the risk management, control, and governance processes of the organization.
6. Policy Requirements
6.1 The CIHR President shall:
6.1.1 Ensure the internal audit resources are sufficient to achieve the risk-based internal audit plan and that the function operates in accordance with the TB Policy on Internal Audit, Directive on Internal Auditing in the Government of Canada and the Internal Auditing Standards for the Government of Canada.
6.1.2 Appoint a qualified CAE at a senior executive level, reporting and accountable directly to the President, to lead and direct the Internal Audit function. The CAE will meet the requirements described in section 6.1.2: Expected Qualifications of the CAE, of the Directive on Internal Auditing in the Government of Canada.
6.1.3 Ensure the Comptroller General, or his or her representative:
- is a member of the selection committee during the CAE's appointment process;
- is advised of the appointment, transfer or departure of the CAE; and
- is consulted on the proposed position description of the CAE.
6.1.4 Ensure the Comptroller General:
- is consulted on the establishment of clear responsibilities and performance expectations for the CAE;
- is consulted on the periodic performance evaluation of the CAE; and
- is consulted on the intention to remove a CAE for reasons relating to the CAE's professional performance.
6.1.5 Ensure that, on a timely basis, the Office of the Comptroller General and its agents, for the purpose of carrying out assigned responsibilities, are provided full access to departmental records, databases, workplaces and employees, and have the right to obtain information and explanations from departmental employees and contractors.
6.2 The CIHR Chief Audit Executive shall:
Independence and Objectivity
6.2.1 Be independent from CIHR line management and operations to allow objective assurance services on all areas of CIHR responsibility. The exceptions to this policy requirement are the CAE's responsibilities for the provision of advice, training, and facilitation services related to Corporate Risk Management, Evaluation, Internal Control, and Planning, Reporting, Measurement and Data. To protect the independence and objectivity of Internal Audit, the following measures shall be taken:
- if independence or objectivity is impaired in fact or appearance, the CAE shall disclose the details of the impairment to appropriate parties, including the CIHR Audit Committee (AC). The AC has approved a process for addressing these situations;
- CIHR Internal Audit shall refrain from assessing specific operations for which it is, or was previously, responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year; and
- assurance engagements for functions over which the CAE has responsibility shall be overseen by a party outside the internal audit activity.
6.2.2 Have unfettered access to the CIHR AC and the Committee Chair.
6.2.3 Have access to all CIHR records, databases, workplaces, and employees, and have the authority within the context of internal audit planning and approved engagements to obtain information and explanations from CIHR employees and contractors.
6.2.4 Have unimpaired ability to carry out his or her responsibilities, including reporting findings to the President, to AC and, as appropriate, to the Comptroller General.
Policy, Plans and Reports
6.2.6 Establish a risk-based audit plan that:
- has a multi-year horizon;
- is based on a risk assessment;
- is updated annually;
- considers areas of high risk and significance within CIHR and government-wide audits led by the Comptroller General;
- focuses predominantly on the provision of assurance services; and
- is reviewed and recommended for approval by AC and approved by the Governing Council.
6.2.7 Coordinate internal auditing activities and plans with other assurance providers to minimize duplication of effort and demands on CIHR management.
6.2.8 Communicate the plan of engagements and resource requirements for the Internal Audit function, including any variances to this plan, and the impact of resource limitations, to the President and AC.
6.2.9 Ensure that internal audit resources are appropriate and effectively deployed to achieve the approved plan.
6.2.10 Ensure the timely completion of internal audit engagements, including internal audits led by the Comptroller General.
6.2.11 Ensure that internal audit engagement reports:
- are provided to the AC in written form, with a minimum of delay;
- clearly state the engagement's objective(s), scope and context by describing the area that has been examined, how it fits into the organization, its importance, and the relevant laws, policies and standards;
- identify the criteria used in the engagement;
- state a conclusion against the objective;
- include a statement of conformance that references the results of the internal audit quality assurance and improvement program and the results of the five-year practice inspection;
- clearly identify risks and opportunities for improvement to be addressed by management, and include a management response that adequately addresses the recommendations and findings arising from the audits;
- upon completion, are made accessible to the public on CIHR's web site in a timely manner, in both official languages, and comply with the Access to Information Act; and
- disclose any nonconformance.
Completed reports are defined as those that have been approved by the AC.
6.2.13 The CAE shall prepare a written report annually to the President and the AC that will include sections on:
- Internal Audit's independence, proficiency, performance and results relative to its plan including resource utilization, lessons learned and influences on future years' plans;
- the results of the Quality Assurance and Improvement Program including internal audit's conformance with the Internal Auditing Standards for the Government of Canada;
- the results of the follow-up on the implementation of management action plans; and
- an overview of the aggregate findings following the execution of the risk-based audit plan including the actions taken by management to address key findings.
Support to the CIHR Audit Committee
6.2.14 Ensure that the AC receives all of the information and documentation necessary to fulfill its responsibilities and provide support to the CIHR AC as requested by the Committee Chair.
6.2.15 Support the CIHR AC's follow-up on the implementation of management action plans laid out in approved reports by reporting to the AC whether management's action plans have been implemented, including an assessment of the impact of the proposed actions and whether these actions will address the risks identified.
Support to the Comptroller General
6.2.16 Ensure that the Comptroller General is provided:
- access to internal auditing staff and their working papers;
- copies of internal audit plans as approved by the Governing Council;
- copies of any management letters resulting from the audits by external assurance providers;
- electronic copies of reports on all completed internal audits before they are posted on the CIHR web site;
- a copy of the CAE's annual report;
- a copy of the annual report from AC including the Committee's assessment of the CIHR Internal Audit function;
- a copy of practice inspection reports; and
- reports or information as requested by the Comptroller General or Treasury Board Secretariat.
6.2.17 After discussion with the President, inform the Comptroller General without delay of any issue of risk, control, or management practice that may be of significance to the government and/or require Treasury Board of Canada Secretariat's involvement.
6.2.18 Ensure that the OCG and its agents are provided representations from management pertinent to supporting the planning, conduct, reporting and follow-up of internal audits led by the Comptroller General.
Proficiency and Due Professional Care
6.2.19 Ensure that the internal audit function has appropriate professional qualifications, knowledge, and skills to deliver against its plan, applies due professional care in its duties, and that staff members have opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtain the Certified Internal Auditor (CIA) or Certified Government Audit Professional (CGAP) certification.
6.2.20 Develop and maintain a quality assurance and improvement program that covers all aspects of the Internal Audit function, and continuously monitor its effectiveness.
6.2.21 Ensure that an external review of the Internal Audit function is conducted at least every five years by a qualified independent reviewer and that the results of this external assessment are communicated to the President, AC, and the Comptroller General.
6.2.22 Ensure that CIHR Internal Audit complies with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors' (IIA) International Professional Practices Framework. In cases where the Standards found in the IIA Framework are in conflict with the Treasury Board Policy on Internal Audit or any related directives or standards, the Treasury Board Policy, directives or standards will prevail.
6.2.23 Ensure that the internal audit function, as a whole and during the conduct of its duties, includes consideration of the potential for, and the prevention and detection of, fraud.
6.2.24 CIHR Internal Audit shall adopt the Code of Ethics contained in the IIA Framework, in addition to the Values and Ethics Code for the Public Sector.
6.3 Consulting Services
Sections 6.1 and 6.2 of the policy apply to the provision of assurance services, as defined in the Policy on Internal Audit. The internal audit function may also provide consulting services within their sphere of expertise, principally as an adjunct to their assurance role.
Consulting services are client service activities, the nature, scope, and administration of which are agreed with the client. These services are intended to add value and improve an organization's risk management, control, and governance processes. Consulting services do not include a statement of assurance. Examples of these services include advice, facilitation, and training. Consulting engagements are a means of adding value to CIHR operations, not a means of circumventing, or allowing others to circumvent, requirements that would normally apply to an assurance engagement. The following requirements apply to consulting engagements at CIHR:
6.3.1 Internal auditors may not assume management responsibility as part of any consulting activities.
6.3.2 Issues of significance identified as a result of consulting engagements must be communicated to the Executive Management Committee and AC.
6.3.3 The following issues must be determined through discussion between the CAE and the client beforehand, ideally as part of the annual Risk-Based Audit Plan:
- Potential impairments to independence or objectivity;
- Project scope, objectives, and the role of internal audit; and
- The nature and extent of the reporting and follow-up process.
6.3.4 The CIHR Executive Management Committee must approve reports on consulting engagements prior to their submission to the AC.
The President is responsible for investigating and acting when significant issues arise with respect to compliance with the Treasury Board Policy on Internal Audit. The President is also responsible for ensuring that appropriate remedial actions are taken to address the issues within CIHR. Failure to comply with the requirements of the policy may result in the consequences described in section 7, Consequences, of the Treasury Board Policy on Internal Audit.
- Relevant Legislation and Policy
- CIHR Act
- AC Terms of Reference
- Federal Accountability Act
- Financial Administration Act
- Access to Information Act
- Privacy Act
- Treasury Board of Canada Policy on Internal Audit
- Treasury Board of Canada Directive on Internal Auditing in the Government of Canada
- Treasury Board of Canada Internal Auditing Standards for the Government of Canada
- Related Publications
- Institute of Internal Auditors (IIA): The Professional Practices Framework
- Chartered Professional Accountants of Canada Standards and Guidance
- Results for Canadians: A Management Framework for the Government of Canada
- Treasury Board of Canada Secretariat Management Accountability Framework
- Treasury Board of Canada Secretariat Framework for the Management of Risk
- OCG Guidance on Consulting Engagements (GCPedia draft document)
Please address questions about this policy to: Chief Audit and Evaluation Executive & Director General Performance and Accountability
Canadian Institutes of Health Research