PCO Internal Audit Charter
This Internal Audit (IA) Charter (the IA Charter) formally defines the purpose, authority, and responsibility of the Privy Council Office (PCO) Internal Audit function. It establishes the IA function’s position within PCO; describes accountability; provides for independence from line management; and defines the scope of internal audit activities. It is based on the 2012 Treasury Board Internal Audit Policy Suite including the Policy on Internal Audit (the Policy), the Directive on Internal Auditing in the Government of Canada, and the Internal Auditing Standards for the Government of Canada.
Under the Policy, PCO is classified as a small department. The former Clerk exercised discretionary authority to maintain a PCO internal audit function and an independent audit committee. This Charter is built upon provisions in the IA Policy Suite that apply to small departments and agencies that have chosen to maintain their internal audit function and independent audit committee.
PCO’s Audit Committee is responsible to recommend this IA Charter for approval of the Clerk, and to annually review it thereafter.
This IA Charter becomes effective on the date it is approved by the Clerk, replacing all former IA Charter, policy or mandate documents.
Internal Audit in the Government of Canada
Internal audit in the Government of Canada is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. PCO’s IA function provides assurance services that are intended to assist PCO decision-makers in exercising oversight and control and in applying sound risk management.
Assurance refers to an auditor’s professional judgment on the appropriateness of his/her conclusions on risk management, control, and governance1. Accordingly, the level of assurance provided by an auditor is the level of confidence the auditor has in the appropriateness of his/her conclusions. Assurance services are objective examinations of evidence for the purpose of providing an independent assessment on the risk management, control and governance processes within an organization.
To ensure the independence and objectivity of PCO’s IA function, its personnel report to the Chief Audit Executive, who in turn reports directly to the Clerk. To ensure this objectivity and independence are maintained, any audits conducted on functions for which the Chief Audit Executive is responsible (which are PCO’s Internal Audit and Evaluation functions) will be conducted by either an external auditor or by a contracted third party.
The authority of PCO’s IA function flows both from the 2012 IA Policy Suite and from the Clerk’s decision to maintain PCO’s IA function and independent Audit Committee. In this regard, the Clerk will ensure that the Department’s:
- IA resources are sufficient to achieve PCO’s Risk Based Audit Plan (RBAP);
- IA function operates in accordance with the IA Policy Suite; and
- Chief Audit Executive:
- Is not assigned any departmental management or operational responsibilities which may compromise his/her independence and objectivity in respect of the responsibilities of a Chief Audit Executive;
- Has full and free access to PCO’s Audit Committee and its Chair;
- Has unrestricted access to all PCO records, databases, workplaces and employees, and has the authority within the context of carrying out the departmental RBAP or other engagements to obtain information and explanations from PCO employees and contractors; and
- Has unimpaired ability to carry out his/her responsibilities, including reporting findings to the Clerk, to Audit Committee and as appropriate after discussion with the Clerk, to the Comptroller General.
PCO’s Chief Audit Executive, supported by the IA staff, is responsible for:
- Establishing and annually updating a multi-year plan of PCO internal audit engagements that is based on a risk assessment and is focused predominantly on the provision of assurance services;
- Coordinating internal auditing activities and plans with other assurance providers to minimize duplication of effort and demands on PCO management;
- Communicating the RBAP’s engagements and resource requirements for the IA function to the Clerk and Audit Committee, including significant interim changes and the impact of any resource limitations;
- Ensuring that IA resources are appropriate and effectively deployed to achieve the approved RBAP;
- Ensuring the timely completion of internal audit engagements, including internal audits led by the Office of the Comptroller General of Canada;
- Ensuring that internal audit engagement reports are provided to Audit Committee in a timely manner;
- Reporting to Audit Committee on whether management’s action plans have been implemented, including an assessment of the impact of the proposed actions, and whether these actions will address the risks identified;
- Ensuring that internal auditors have appropriate professional qualifications and skills and opportunities to maintain and develop their internal auditing competence. This includes the opportunity to become a Certified Internal Auditor or at minimum a Certified Government Auditing Professional, or to acquire any other relevant auditing certification;
- Developing and maintaining a quality assurance and improvement program covering all aspects of the IA function, and monitoring its effectiveness;
- In consultation with the Clerk and Audit Committee, ensuring that a practice inspection of the internal audit function is conducted at least every five years by a qualified independent reviewer competent in the professional practice of internal auditing and the external assessment process.2 The results of these external assessments with accompanied action plan are to be communicated to the Clerk, to Audit Committee and to the Office of the Comptroller General;
- Ensuring that the “Internal Auditing Standards for the Government of Canada” are followed; and
- Preparing an annual report for the Clerk and Audit Committee that includes information on:
- IA’s independence, proficiency, performance and results relative to the RBAP including resource utilization, lessons learned and influences on future years’ plans;
- The results of the Quality Assurance and Improvement Program including IA’s conformance with the Internal Auditing Standards for the Government of Canada;
- The results of the follow-up on the implementation of Management Action Plans; and
- An overview of the aggregate findings following the execution of the risk-based audit plan including the actions taken by management to address key findings.
Standards of Audit Practice
The internal audit function will meet or exceed requirements of the Treasury Board’s Policy on Internal Audit and its supporting Directive on Internal Auditing in the Government of Canada, and it will ensure its activities conform to the Internal Auditing Standards for the Government of Canada.
The Treasury Board Policy on Internal Audit recognizes the definitions for the terms "risk management", "control" and "governance" included in The International Professional Practices Framework published by the Institute of Internal Auditors. Other definitions of the Policy can be found in the appendix.
- Risk Management - A process or coordinated set of activities to identify risks and opportunities, to assess their implications and impact, and to assist in managing potential events or situations that may affect the organization. The objective is to contain the level of risk facing the organization to an amount that is within the organization’s risk appetite. This is done through measures that aim to affect the likelihood of events or the magnitude of their consequences.
- Control - Any action taken by management, the Clerk, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
- Governance - The policies, procedures and structures used to direct an organization’s activities to provide reasonable assurance that objectives are met and that operations are carried out in an ethical and accountable manner.
- Definitions of risk management, control, and governance are found at the back of this Charter.
- Practice Inspection of the PCO IA function was conducted from June - September 2013. All recommendations from the Practice Inspection were implemented by April, 2014.
- Date Modified: