Office of the Information Commissioner of Canada
Internal Audit Charter
The following constitutes the Internal Audit Charter of the Office of the Information Commissioner (OIC) and is based on the Joint Agreement between Agents of Parliament and the Treasury Board Secretariat (TBS), the 2017 Treasury Board Policy on Internal Audit and the Institute of Internal Auditors’ International (IIA) Standards for the Professional Practice of Internal Auditing.
This Internal Audit Charter replaces the previous version adopted in 2009 by the Audit and Evaluation Committee.
2. Purpose of the Internal Audit and the Internal Audit Function
By definition, an internal audit is an independent and objective assurance activity designed to add value and improve the OIC’s operations. Internal audit helps to improve the OIC’s operations and targeted objectives by bringing a systematic, disciplined approach to evaluate and add value to the processes of:
- Effective and efficient risk management;
- Control frameworks and their systems monitoring; and
- Governance and oversight.
Assurance refers to an auditor’s professional judgment about the appropriateness of his or her conclusions on risk management, control, and governance. Accordingly, the level of assurance is the level of confidence that auditors have in the appropriateness of their conclusions. As indicated in IIA standard 1000.A1, "the nature of assurance services provided to the organization must be defined in the internal audit charter."
3. Mission and Scope of Internal Audit Function
The mission of the internal audit function is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight to the OIC, and to ensure that it is meeting its objectives by improving the effectiveness of governance, risk management, and the control processes.
The scope of work of the internal audit function encompasses, but is not limited to, determining whether the OIC’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and achieves its intended objectives. The OIC’s network should function in a manner that ensures the following:
- Risks are appropriately identified and managed;
- Significant financial, managerial and operating information is accurate, reliable and timely;
- Activities and actions are in compliance with policies, standards, procedures and applicable acts and regulations;
- Resources are acquired economically, used efficiently and protected adequately;
- Programs, plans and objectives are achieved;
- Quality and continuous improvement are fostered in the department’s control process; and
- Significant legislative or regulatory issues impacting the department are recognized and addressed properly.
When opportunities for improving management control, sound resource stewardship, and the OIC’s image are identified during audits, they will be communicated to the Audit and Evaluation Committee (AEC).
Please refer to the OIC Audit Committee Charter for responsibilities of the AEC.
The Chief Audit Executive (CAE)
The CAE, in the discharge of his or her duties, is accountable to the Commissioner for:
- Preparing a report annually for the Commissioner and the AEC addressing internal audit’s independence, proficiency, performance and results relative to its plan including resource utilization, lessons learned and influences on future years’ plans;
- Reporting significant issues related to the processes for controlling the OIC’s activities, including potential improvements to those processes, and providing information concerning such issues through resolution;
- Providing information periodically on the status and results of the annual audit plan and the sufficiency of internal audit resources; and
- Coordinating with and providing oversight of other assurance control and monitoring functions (risk management, evaluation, compliance, security, legal, ethics, environmental and external audit).
5. Independence and Objectivity
To provide for the independence of the internal audit function, its personnel report to the CAE, who reports directly to the Commissioner. To ensure objectivity and independence, any audits of functions for which the CAE has responsibility (such as evaluation, ethics, etc.) will be performed by either an external auditor or by a contracted third party. For further details, consult the IIA Standard on independence and objectivity (IIA Standard 1100 – Independence and Objectivity).
The CAE is responsible for developing a flexible annual audit plan using appropriate risk-based methodology. The plan is to incorporate any risks or control concerns identified by management or external auditors.
The Commissioner shall ensure that the CAE is authorized to:
- Have unrestricted access to all records, databases, workplaces and employees to carry out the risk-based audit plan or other engagements and have the authority to obtain related information and explanations from individuals employed by the OIC and contractors;
- Attend the meetings or have full and free access to the departmental audit committee and to the committee chair and other external members;
- Obtain the necessary assistance of personnel in units of the OIC where they perform audits; and
- Have unimpaired ability to carry out their responsibilities, including reporting findings to the Commissioner, to the AEC and, as appropriate, to the Comptroller General.
The CAE is not authorized to be responsible for the investigation of wrongdoing and the identification of potential fraud activities.
The Commissioner is responsible for all aspects of internal audit in the OIC, including:
- Ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework unless the framework is in conflict with this policy or its related directive; if there is a conflict, the policy or directive will prevail;
- Informing the Comptroller General of Canada, without delay, of any risk, control or governance issues that may require the involvement of the Treasury Board of Canada Secretariat;
- Ensuring that a formal response is provided to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely manner;
- Investigating and acting when significant issues regarding policy compliance arise and ensuring that appropriate remedial action is taken to address these issues within the OIC;
- Approving reports on the results of internal audit engagements;
- Supporting the professional development and certification of internal auditors at the OIC;
- Establishing an independent AEC that includes a majority of external members who are not currently in the federal public service;
- Appointing a Chief Audit Executive (CAE), reporting to the Commissioner, to lead and direct Internal Audit;
- Approving the OIC’s Risk Based Audit and Evaluation Plan that addresses all areas of higher risk and significance. The plan should also include individual internal audit engagements and be designed to support separate annual assurance overview reporting by the CAE on risk management, control and governance processes;
- Ensuring that the AEC receives all of the information and documentation needed or requested to fulfill its responsibilities, subject to applicable legislation; and
- Ensuring that the IIA Function and their agents, for the purposes of carrying out assigned responsibilities, are given full access to OIC’s records, databases, workplaces and employees, and have the right to obtain information and explanations from OIC’s employees, subject to applicable legislation.
Approved on January 11, 2018, by:
Information Commissioner of Canada
Chair, Audit and Evaluation Committee