Internal Audit Policy

June 2016

Prepared by: Chief Audit Executive, CIHR
Recommended by: CIHR Audit Committee, June 1, 2016
Approved by: CIHR Governing Council, June 22, 2016

Table of Contents

  1. Effective Date
  2. Application
  3. Context
  4. Definitions
  5. Policy Statement
  6. Policy Requirements
  7. Consequences
  8. References
  9. Enquiries

1. Effective Date

This Internal Audit Policy takes effect on June 22nd, 2016, replacing the 2014 CIHR Internal Audit Policy and Charter.

2. Application

This Policy applies to the entire CIHR with the exceptions noted in section 6.2.1.

3. Context

This policy is issued pursuant to the Treasury Board (TB) of Canada's Policy on Internal Audit effective April 1, 2012. The TB Policy is designed to ensure that, at both departmental and government-wide levels, internal audit provides deputy heads and the Comptroller General, respectively, with added assurance and advice, independent from line management, on risk management, control, and governance processes.

The Canadian Institutes of Health Research Act, which establishes CIHR, mandates the CIHR Governing Council with responsibility for the management of CIHR, including development of its strategic directions, goals, and policies; evaluation of its overall performance, including the achievement of its objectives; and approval of its budget. The Act appoints the CIHR President the Chairperson of the Governing Council as well as the Chief Executive Officer responsible for the day-to-day management and direction of CIHR.

4. Definitions

Definitions to be used in the interpretation of this Policy and related directives and standards are included in the Appendix of the Treasury Board Policy on Internal Audit.

5. Policy Statement

5.1 Objective

The objective of this Policy is to contribute to the improvement of CIHR's management by ensuring a strong, credible, effective and sustainable internal audit function within the agency. Accordingly, CIHR shall comply with the requirements of the TB Policy on Internal Audit.

5.2 Expected Results

The President is effectively supported in their role of accounting officer by a strong, credible internal auditing regime that undertakes the objective examination of evidence for the purpose of providing an independent assessment on the risk management, control, and governance processes of the organization.

6. Policy Requirements

Overall Requirements

6.1 The CIHR President shall:

6.1.1 Ensure the internal audit resources are sufficient to achieve the risk-based internal audit plan and that the function operates in accordance with the TB Policy on Internal Audit, Directive on Internal Auditing in the Government of Canada and the Internal Auditing Standards for the Government of Canada.

6.1.2 Appoint a qualified CAE at a senior executive level, reporting and accountable directly to the President, to lead and direct the Internal Audit function [Footnote 1]. The CAE will meet the requirements described in section 6.1.2: Expected Qualifications of the CAE, of the Directive on Internal Auditing in the Government of Canada.

6.1.3 Ensure the Comptroller General, or his or her representative:

6.1.4 Ensure the Comptroller General:

6.1.5 Ensure that, on a timely basis, the Office of the Comptroller General and its agents, for the purpose of carrying out assigned responsibilities, are provided full access to departmental records, databases, workplaces and employees, and have the right to obtain information and explanations from departmental employees and contractors.

Internal Audit

6.2 The CIHR Chief Audit Executive shall:

Independence and Objectivity

6.2.1 Be independent from CIHR line management and operations to allow objective assurance services on all areas of CIHR responsibility. The exceptions to this policy requirement are the CAE's responsibilities for the provision of advice, training, and facilitation services related to Corporate Risk Management, Evaluation, Internal Control, and Planning, Reporting, Measurement and Data. To protect the independence and objectivity of Internal Audit, the following measures shall be taken:

6.2.2 Have unfettered access to the CIHR AC and the Committee Chair.

6.2.3 Have access to all CIHR records, databases, workplaces, and employees, and have the authority within the context of internal audit planning and approved engagements to obtain information and explanations from CIHR employees and contractors.

6.2.4 Have unimpaired ability to carry out his or her responsibilities, including reporting findings to the President, to AC and, as appropriate, to the Comptroller General.

Policy, Plans and Reports

6.2.6 Establish a risk-based audit plan that:

6.2.7 Coordinate internal auditing activities and plans with other assurance providers to minimize duplication of effort and demands on CIHR management.

6.2.8 Communicate the plan of engagements and resource requirements for the Internal Audit function, including any variances to this plan, and the impact of resource limitations, to the President and AC.

6.2.9 Ensure that internal audit resources are appropriate and effectively deployed to achieve the approved plan.

6.2.10 Ensure the timely completion of internal audit engagements, including internal audits led by the Comptroller General.

6.2.11 Ensure that internal audit engagement reports:

Completed reports are defined as those that have been approved by the AC.

6.2.13 The CAE shall prepare a written report annually to the President and the AC that will include sections on:

Support to the CIHR Audit Committee

6.2.14 Ensure that the AC receives all of the information and documentation necessary to fulfill its responsibilities and provide support to the CIHR AC as requested by the Committee Chair.

6.2.15 Support the CIHR AC's follow-up on the implementation of management action plans laid out in approved reports by reporting to the AC whether management's action plans have been implemented, including an assessment of the impact of the proposed actions and whether these actions will address the risks identified.

Support to the Comptroller General

6.2.16 Ensure that the Comptroller General is provided:

6.2.17 After discussion with the President, inform the Comptroller General without delay of any issue of risk, control, or management practice that may be of significance to the government and/or require Treasury Board of Canada Secretariat's involvement.

6.2.18 Ensure that the OCG and its agents are provided representations from management pertinent to supporting the planning, conduct, reporting and follow-up of internal audits led by the Comptroller General.

Proficiency and Due Professional Care

6.2.19 Ensure that the internal audit function has appropriate professional qualifications, knowledge, and skills to deliver against its plan, applies due professional care in its duties, and that staff members have opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtain the Certified Internal Auditor (CIA) or Certified Government Audit Professional (CGAP) certification.

6.2.20 Develop and maintain a quality assurance and improvement program that covers all aspects of the Internal Audit function, and continuously monitor its effectiveness.

6.2.21 Ensure that an external review of the Internal Audit function is conducted at least every five years by a qualified independent reviewer and that the results of this external assessment are communicated to the President, AC, and the Comptroller General.

6.2.22 Ensure that CIHR Internal Audit shall comply with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors' (IIA) International Professional Practices Framework. In cases where the Standards found in the IIA Framework are in conflict with the Treasury Board Policy on Internal Audit or any related directives or standards, the Treasury Board Policy, directives or standards will prevail.

6.2.23 Ensure that the internal audit function as a whole, and during the conduct of their duties, include consideration of the potential, prevention, and detection of fraud [Footnote 4].

6.2.24 CIHR Internal Audit shall adopt the Code of Ethics contained in the IIA Framework, in addition to the Values and Ethics Code for the Public Sector.

6.3 Consulting Services

Sections 6.1 and 6.2 of the policy apply to the provision of assurance services, as defined in the Policy on Internal Audit. The internal audit function may also provide consulting services within their sphere of expertise, principally as an adjunct to their assurance role.

Consulting services are client service activities, the nature, scope, and administration of which are agreed with the client. These services are intended to add value and improve an organization's risk management, control, and governance processes. Consulting services do not include a statement of assurance. Examples of these services include advice, facilitation, and training. Consulting engagements are a means of adding value to CIHR operations, not a means of circumventing, or of allowing others to circumvent, requirements that would normally apply to an assurance engagement. The following requirements apply to consulting engagements at CIHR:

6.3.1 Internal auditors may not assume management responsibility as part of any consulting activities.

6.3.2 Issues of significance identified as a result of consulting engagements must be communicated to the Executive Management Committee and AC.

6.3.3 The following issues must be determined through discussion between the CAE and the client beforehand, ideally as part of the annual Risk-Based Audit Plan:

6.3.4 The CIHR Executive Management Committee must approve reports on consulting engagements prior to their submission to the AC.

7. Consequences

The President is responsible for investigating and acting when significant issues arise with respect to compliance with the Treasury Board Policy on Internal Audit. The President is also responsible for ensuring that appropriate remedial actions are taken to address the issues within CIHR. Failure to comply with the requirements of the policy may result in the consequences described in Section 7, Consequences, of the Treasury Board Policy on Internal Audit.

8. References

9. Enquiries

Please address questions about this policy to:

Chief Audit and Evaluation Executive & Director General Performance and Accountability
Canadian Institutes of Health Research