Internal Audit Policy
March 2025
Prepared by: Chief Audit Executive, CIHR
Recommended by: CIHR Audit Committee, April 8, 2025
Approved by: CIHR Governing Council, July 22-23, 2025
Table of Contents
- Effective Date
- Authorities
- Objective and expected results
- Requirements
- Application
- Consequences of non-compliance
- Review
- References
- Enquiries
1. Effective Date
1.1 This Internal Audit Policy takes effect on June 15, 2023.
1.2 This Policy replaces the CIHR Internal Audit Policy - 2022.
2. Authorities
2.1 This Policy is issued pursuant to the Treasury Board (TB) of Canada's Policy on Internal Audit effective June 15, 2023 and pursuant to sections 7 and 11.1 of the Financial Administration Act. The TB Policy is designed to ensure that, at both departmental and government-wide levels, internal audit provides deputy heads and the Comptroller General, respectively, with added assurance and advice, independent from line management, on risk management, control, and governance processes.
2.2 The Canadian Institutes of Health Research Act, which establishes CIHR, mandates the CIHR Governing Council with responsibility for the management of CIHR, including development of its strategic directions, goals, and policies; evaluation of its overall performance, including the achievement of its objectives; and approval of its budget. The Act appoints the CIHR president as the Chief Executive Officer responsible for the day-to-day management and direction of CIHR.
3. Objective and expected results
3.1 The objective of this Policy is to ensure that the oversight of public resources throughout CIHR is informed by a professional and objective internal audit function that is independent of management. This function provides assurance as to whether CIHR's activities are managed in a way that demonstrates responsible stewardship to Canadians. Accordingly, CIHR shall comply with the requirements of the TB Policy on Internal Audit.
3.2 The expected results of this Policy are:
3.2.1 The President is supported in their role of accounting officer as defined in section 16.4 (1) and 16.4 (2) of the Financial Administration Act, by an internal auditing function that contributes directly and proactively to improving risk management, control, and governance.
3.2.2 The President receives advice from the Audit Committee (AC) and assurance from the internal audit function to inform decision making at CIHR.
4. Requirements
4.1 The President is responsible for the following:
4.1.1 Ensure the internal audit resources and capacity are sufficient to achieve the Risk-Based Internal Audit Plan (RBAP) and are appropriate to the needs of CIHR.
4.1.2 Ensure, through the oversight of the Chief Audit Executive (CAE) and internal audit activities, that the function operates in accordance with the TB Policy on Internal Audit, Directive on Internal Audit and the mandatory elements of the Institute of Internal Auditors' International Professional Practices Framework (IPPF), which include the Global Internal Audit Standards and Topical Requirements. If the framework is in conflict with the Treasury Board Policy or its related Directive, then the Policy and Directive will prevail.
4.1.2.1 The Office of the Comptroller General of Canada has provided guidance that, for the purposes of the IPPF which assigns various responsibilities to "the board", the Deputy Head of a department shall be considered "the Board". For CIHR, this means that these roles and responsibilities are assigned to the President. The President is supported in this role by the Audit Committee as set out in its Terms of Reference.
4.1.3 Brief the appropriate minister on matters arising from the work of internal audit which merit their attention.
4.1.4 Inform the Comptroller General of Canada, without delay, of any risk, control or governance issues that may require the involvement of the Treasury Board of Canada Secretariat.
4.1.5 Ensure that a formal response is provided to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely manner [Footnote 1].
4.1.6 Ensure that completed internal audit reports are released on platforms as prescribed by the Treasury Board of Canada Secretariat and within the timeframe prescribed by the Comptroller General of Canada.
4.1.7 Ensure that the Comptroller General of Canada is provided with full and timely access to all information, documentation or explanations required or requested by the Comptroller General of Canada in order to carry out his or her responsibilities.
4.1.8 Investigate and act when significant issues regarding policy compliance arise and ensure that appropriate remedial action is taken to address these issues within CIHR.
4.1.9 Ensure the Comptroller General of Canada is consulted when appointing a new CAE to manage the internal audit function.
4.1.10 Ensure the CAE meets the requirements described in section 4.2.1 of the Treasury Board Policy on Internal Audit.
4.1.11 Ensure the Comptroller General is informed when a new CAE position is created, and prior to the appointment, deployment, replacement or departure of a CAE.
4.2 The President will ensure that the CAE:
4.2.1 Report directly to the President of CIHR.
4.2.2 Be independent from CIHR line management and operations to allow objective assurance services in all areas of CIHR responsibility. The Head of Evaluation and the Evaluation function report to the CAE. Evaluation is the systemic and neutral collection of evidence to assess the value and merit of programs and policies. To protect the independence and objectivity of the Office of Internal Audit, the following measures shall be taken:
- if independence or objectivity is impaired in fact or appearance, the CAE shall disclose the details of the impairment to the President and appropriate parties, including the CIHR AC. The AC has approved a process for addressing these situations;
- CIHR's Office of Internal Audit shall refrain from assessing specific operations for which it is, or was previously, responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year; and
- assurance engagements for functions over which the CAE has responsibility shall be overseen by a party outside the internal audit activity.
4.2.3 Have unrestricted access to the CIHR AC and the Committee Chair.
4.2.4 Have unrestricted access to all CIHR records, databases, workplaces, and employees, and have the authority within the context of internal audit planning and approved engagements to obtain information and explanations from CIHR employees and contractors.
4.2.5 Have unimpaired ability to carry out his or her responsibilities, including reporting issues to the President, Governing Council, AC and, as appropriate, to the Comptroller General of Canada.
4.2.6 Establish a RBAP that spans multiple years and considers the following:
- CIHR's areas of high risk and significance;
- Planned audits led by internal and external assurance providers [Footnote 2] and other departments as appropriate;
- Other oversight engagements;
- The appropriate balance between assurance and advisory [Footnote 3] engagements as part of a full suite of services in light of the organization's strategy, objectives, and risks; and,
- Is reviewed and recommended for approval by AC and approved by the Governing Council.
4.2.7 Submit the approved RBAP to the Comptroller General of Canada in the time and manner prescribed by that office.
4.2.8 Ensure that the results of internal audit engagements result in a written report that includes:
- A statement of conformance with the current IIA standards including a disclosure of any nonconformance with these standards;
- The engagement's objective(s), scope, criteria, and context; and
- Risks, opportunities for improvement identified, and recommendations made as a result of the engagement.
Reports are considered completed when they have been reviewed and recommended for approval by the Audit Committee, and are approved by the President. Advisory services, which may not result in a published report, are addressed in section 4.3.
4.2.9 Ensure that the internal audit function has appropriate professional qualifications, knowledge, and skills to deliver against its plan, applies due professional care in its duties, and that staff members have opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtain the Certified Internal Auditor (CIA) or Certified Government Audit Professional (CGAP) certification.
4.2.10 Ensure AC is aware of the resource requirements for the internal audit function and the impact of resource decisions.
4.2.11 Ensure the timely completion of all internal audit engagements, including internal audits of programs or services that are identified by the Comptroller General of Canada or the Secretary of the Treasury Board.
4.2.12 Ensure public reporting requirements prescribed by the Office of the Comptroller General and Treasury Board of Canada Secretariat are met by posting results on prescribed platforms, including:
- Annual performance results; and
- Planned audit engagements for upcoming fiscal years [Footnote 4].
4.2.13 Ensure that all members of CIHR's AC receive all of the information and documentation necessary to perform their duties and provide support to the CIHR AC as requested by the Committee Chair.
4.2.14 Report at least annually to AC whether the actions scheduled by management in response to audit recommendations, both internal and external, have been implemented, including an assessment of the impact of the proposed actions and whether these actions will address the risks identified.
4.3 Sections 4.1 and 4.2 of the policy apply to the provision of assurance services, as defined in the Policy on Internal Audit. The internal audit function may also provide advisory services within their sphere of expertise, principally as an adjunct to their assurance role.
Advisory services, also known as consulting services, are client service activities, the nature, scope, and administration of which are agreed upon with the client (principally senior management). These services are intended to add value and improve an organization's risk management, control, and governance processes. Advisory services do not include a statement of assurance. Examples of these services include advice, facilitation, and training. Advisory engagements are a means of adding value to CIHR operations, not a means of circumventing, or of allowing others to circumvent, requirements that would normally apply to an assurance engagement. The following requirements apply to advisory engagements at CIHR:
4.3.1 Internal auditors may not assume management responsibility as part of any advisory activities.
4.3.2 Issues of significance identified as a result of advisory engagements must be communicated to the CIHR's executive-level management committee and AC.
4.3.3 The following issues must be determined through discussion between the CAE and the client beforehand, ideally as part of the annual RBAP:
- Potential impairments to independence or objectivity [Footnote 5];
- Project scope, objectives, and the role of internal audit; and
- The nature and extent of the reporting and follow-up process.
5. Application
This Policy applies to CIHR.
6. Consequences of non-compliance
6.1 For an outline of the consequences of non-compliance, refer to the Framework for the Management of Compliance (Appendix C: Consequences for Institutions and Appendix D: Consequences for Individuals).
7. Review
This policy will be reviewed at a minimum every three years or if one or more of the following occur:
- Treasury Board updates the Policy on Internal Audit or the Directive on Internal Audit.
- Changes to legal, regulatory, or standards requirements.
- Significant organizational changes at CIHR.
- A review is requested by the Audit Committee or Governing Council.
8. References
Relevant Legislation and Policy
- CIHR Act
- AC Terms of Reference
- Federal Accountability Act
- Financial Administration Act
- Access to Information Act
- Privacy Act
- Treasury Board of Canada Policy on Internal Audit
- Treasury Board of Canada Directive on Internal Audit
- Foundation Framework for Treasury Board Policies
- Policy on Communications and Federal Identity
Related Publications
- Institute of Internal Auditors (IIA): The International Professional Practices Framework
- Chartered Professional Accountants of Canada Standards and Guidance
- Treasury Board of Canada Secretariat Management Accountability Framework
- Treasury Board of Canada Secretariat Framework for the Management of Risk
9. Enquiries
9.1 Please address questions about this policy to: Chief Audit Executive, Office of Internal Audit, Canadian Institutes of Health Research
Appendix: Definitions
Definitions to be used in the interpretation of this Policy and related directives and standards are included in the Appendix of the Treasury Board Policy on Internal Audit.