Internal Audit Policy

June 2011

Prepared by: Chief Audit Executive, CIHR
Recommended by: CIHR Audit Committee, March 16, 2011
Approved by: CIHR Governing Council, June 23, 2011

Table of Contents

1. Effective Date
2. Application
3. Context
4. Policy Statement
5. Policy Requirements
6. Consequences
7. References
8. Enquiries

---

1. Effective Date

This Internal Audit Policy takes effect on June 23, 2011, replacing the 2009 CIHR Internal Audit Policy.

2. Application

This Policy applies to the entire CIHR without exception.

3. Context

This policy is issued pursuant to the Treasury Board (TB) of Canada's Policy on Internal Audit effective July 1, 2009. The TB Policy is designed to ensure that, at both departmental and government-wide levels, internal audit provides deputy heads and the Comptroller General, respectively, with added assurance and advice, independent from line management, on risk management, control, and governance processes.

The Canadian Institutes of Health Research Act, which establishes CIHR, mandates the CIHR Governing Council with responsibility for the management of CIHR, including development of its strategic directions, goals, and policies; evaluation of its overall performance, including the achievement of its objectives; and approval of its budget. The Act appoints the CIHR President the Chairperson of the Governing Council as well as the Chief Executive Officer responsible for the day-to-day management and direction of CIHR.

4. Policy Statement

The objective of the CIHR Internal Audit Policy is to strengthen accountability, risk management, resource stewardship, and good governance by positioning Internal Audit as a key underpinning of governance within CIHR. Accordingly, CIHR shall comply with the requirements of the TB Policy on Internal Audit.

5. Policy Requirements

Overall Requirements

1. The CIHR President shall:

1. Establish an Internal Audit function that is appropriately resourced and that operates in accordance with the TB Policy and professional internal auditing standards.
2. Appoint a qualified Chief Audit Executive (CAE) at a senior executive level, reporting directly to the President, to lead and direct the Internal Audit function.
3. Consult with the Comptroller General:
   • prior to the initiation of recruitment and, or, selection processes for the CAE;
   • for feedback, in instances where the performance of the CAE is judged to be exceptional or, alternatively, falls short of expectations; and
   • along with the Employer Representation Group, Labour Relation and Compensation Operations Sector of the Treasury Board Secretariat (in accordance with the Treasury Board Guidelines for Discipline), prior to any action being taken to discipline or terminate the employment of the CAE.

Internal Audit

2. The CIHR Chief Audit Executive shall:

Independence and Objectivity

1. Be independent from CIHR line management and operations to allow objective assurance services on all areas of CIHR responsibility. The exceptions to this policy requirement are the CAE's responsibilities for the provision of advice, training, and facilitation services related to Corporate Risk Management (CRM) and for Evaluation as defined in the CIHR Internal Audit Charter. To protect the independence and objectivity of Internal Audit, the following measures shall be taken:

   • If independence or objectivity is impaired in fact or appearance, the CAE shall disclose the details of the impairment to appropriate parties, including the CIHR Audit Committee.
   • Internal Audit shall refrain from assessing specific operations for which it is, or was previously, responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
   • Assurance engagements for functions over which the CAE has responsibility shall be overseen by a party outside the internal audit activity.

   Corporate Risk Management

   To maintain separation between the roles of risk management and internal audit, the CAE is responsible for only those tasks related to provision of advice, training, and facilitation services. Internal audit is not charged with making substantive decisions related to setting the organization's risk tolerance, identifying or assessing the magnitude of risks affecting the organization, or choosing or implementing the risk mitigation strategies. This enables internal audit to independently examine and draw objective conclusions about the effectiveness of mitigation strategies and controls put in place by management to address identified risks.

   Evaluation

   The CAE is responsible for managing an efficient and effective evaluation unit that ensures evaluations are conducted in a neutral, cost-effective manner.

2. Have unfettered access to the CIHR Audit Committee (AC) and the Committee Chair.
3. Have access to all CIHR records, databases, workplaces, and employees, and have the authority within the context of internal audit planning and approved engagements to obtain information and explanations from CIHR employees and contractors, subject to applicable legislation.
4. Have unimpaired ability to carry out his or her responsibilities, including reporting findings to the President, to AC and, as appropriate, to the Comptroller General.

Policy, Plans, and Reports

5. Establish appropriate policy and procedures to guide the Internal Audit function.
6. Establish risk-based audit plans to set out the priorities of the Internal Audit function, consistent with organizational objectives. The plan shall:
   • have a multi-year horizon;
   • be updated through a risk assessment done at least annually;
   • consider the input of senior management, AC, and Treasury Board of Canada Secretariat;
   • ensure appropriate internal audit coverage for all entities within CIHR and under CIHR control;
   • address risks and internal audits identified by the Comptroller General as part of government-wide coverage;
   • be designed to provide assurance services on all significant aspects of risk management, control, and governance processes. Other services shall be provided on an exception basis only;
   • be designed to support annual assurance reporting on the overall adequacy and effectiveness of CIHR's risk management, control, and governance processes; and
   • be reviewed by AC and approved by the Governing Council.
7. Coordinate internal auditing activities and plans with the Office of the Auditor General (OAG), the Office of the Comptroller General (OCG), and any other provider of assurance and consulting activities to ensure proper coverage and minimize duplication of effort.
8. Communicate the plan of engagements and resource requirements for the Internal Audit function, including significant interim changes and the impact of resource limitations, to the President and AC.
9. Ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
10. Ensure the timely completion of internal auditing engagements.
11. Ensure that reports on internal auditing engagements are provided to AC with a minimum of delay, along with management action plans that adequately address the recommendations and findings arising from the audits.
12. Ensure that completed audit reports are:
    • issued in a timely manner and made accessible to the public with minimal formality; and
    • posted on the CIHR web site in a timely manner, in both official languages. Reports posted on the web site must respect the Access to Information Act and the Privacy Act.

    Completed reports are those that have been reviewed and approved by AC.

13. Provide an annual assurance report to the President and AC on the adequacy and effectiveness of CIHR's risk management, control, and governance processes.

Support to the CIHR Audit Committee

14. Provide support to the CIHR Audit Committee as requested by the Committee Chair.

Support to the Comptroller General

15. Ensure that the Comptroller General is provided:
    • copies of internal audit plans approved by the Governing Council;
    • copies of any management letters resulting from the audits of the Office of the Auditor General, after review by AC;
    • electronic copies of reports on all completed internal audits before they are posted on the CIHR web site;
    • copy of the annual assurance report;
    • access to internal auditing staff and their working papers;
    • copy of the annual report from AC including the Committee's assessment of the CIHR Internal Audit function; and
    • copy of practice inspection reports.
16. After discussion with the President, inform the Comptroller General without delay of any issue of risk, control, or management practice that may be of significance to the government and, or, require Treasury Board of Canada Secretariat's involvement.

Proficiency and Due Professional Care

17. Ensure that internal auditors have appropriate professional qualifications and skills, and opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtain the Certified Internal Auditor (CIA) certification.
18. Develop and maintain a quality assurance and improvement program that covers all aspects of the Internal Audit function, and continuously monitor its effectiveness.
19. Ensure that professional internal auditing standards are followed.
20. Report at least annually to AC on the Internal Audit function's conformance with professional internal auditing standards.
21. Ensure that an external review of the Internal Audit function is conducted at least every five years and that the results of this external assessment are communicated to the President, AC, and the Comptroller General.

Internal Auditing Standards

22. Ensure that CIHR Internal Audit shall:
    • Comply with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors' (IIA) Professional Practices Framework.¹
    • Communicate results of internal auditing engagements in written reports. Reports on internal auditing engagements must:
      • provide sufficient context by describing the area that has been examined, how it fits into the organization, its importance, and the relevant laws, policies, and standards; and
      • clearly identify risks and opportunities for improvement to be addressed by management.

      Furthermore, reports on assurance engagements must:

      • identify the criteria used in the engagement;
      • include a statement of assurance which describes the level of assurance the auditor is providing. The purpose of this statement is to inform the users of the report of the auditor's own judgement about the confidence that may be placed on the auditor's opinion or conclusions; and
      • include a management action plan that clearly identifies actions to be taken by management to address findings and recommendations, the timing of such actions, and who is responsible for their implementation.

6. Consequences

In the case of a department's or agency's non-compliance with the TB Policy, which is the basis of the CIHR Internal Audit Policy, consequences that are applicable to all Treasury Board policies, and as set out in the Financial Administration Act, will apply.

7. References

1. Relevant Legislation and Policy
   • CIHR Act
   • CIHR Internal Audit Charter
   • AC Terms of Reference
   • Federal Accountability Act
   • Financial Administration Act
   • Access to Information Act
   • Privacy Act
   • Treasury Board of Canada Policy on Internal Audit
2. Related Publications
   • Institute of Internal Auditors (IIA): The Professional Practices Framework
   • Canadian Institute of Chartered Accountants (CICA) Handbook
   • Results for Canadians: A Management Framework for the Government of Canada
   • Treasury Board of Canada Secretariat Management Accountability Framework
   • Treasury Board of Canada Secretariat Framework for the Management of Risk

8. Enquiries

Please address questions about this policy to:

Chief Audit Executive
CIHR
613-941-3557
martin.rubenstein@cihr-irsc.gc.ca

---

1. The IIA Professional Practices Framework contains the International Standards for the Professional Practice of Internal Auditing. Departments and agencies are required by TB Policy to meet IIA Standards in undertaking their internal auditing responsibilities, unless the Standards are in conflict with the Policy or any related directives or guidelines provided by the Comptroller General or Treasury Board.