Internal Audit Charter

June 2011

Mandate

The Treasury Board (TB) of Canada's Policy on Internal Audit, effective July 1, 2009, positions Internal Audit as a key underpinning of governance within departments and agencies. Internal audit in the Government of Canada is a professional, independent appraisal function that provides objective, substantiated conclusions as to how well the organization's risk management, control, and governance processes are designed and working. The focus of internal audit is on all management systems, processes and practices, including the integrity of financial and non-financial information.

Internal audit adds value by assessing and making recommendations on the effectiveness of mechanisms in place to ensure that the organization achieves its objectives and in a way that demonstrates informed, accountable decision-making with regard to ethics, compliance, risk, economy, and efficiency.

For the internal audit profession, the above-described role is referred to as providing assurance. It is intended to contribute to the basis by which decision-makers achieve oversight and control of their organizations, apply sound risk management, target their attention to areas in need of improvement, and demonstrate accountability. Accordingly, internal audit takes a disciplined, evidence-based approach to determining whether or not assurance can be provided that key systems and processes are appropriately designed and are functioning as intended.

To this end, as mandated by the CIHR Internal Audit Policy, the primary purpose of Internal Audit in CIHR is to provide assurance services designed to add value and improve CIHR's operations. Other services will be provided on an exception-basis only.

Accountability

In the discharge of his/her duties, the CIHR Chief Audit Executive (CAE) shall be directly accountable to the CIHR President, who is mandated by the TB Policy with responsibility for the adequacy of internal audit coverage at CIHR. The CAE reports administratively to the CIHR Executive Vice-President.

Responsibility and Scope of Work

CIHR management is primarily responsible and accountable to the CIHR Governing Council for establishing and maintaining adequate, effective, and efficient risk management, control, and governance processes for CIHR. These responsibilities include the prevention of fraud.

CIHR Internal Audit is responsible for determining whether CIHR's risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure that:  

  • risks are appropriately identified and managed;
  • significant financial, managerial, and operating information is accurate, reliable, and timely; 
  • employees' actions are in compliance with applicable laws, regulations, policies, standards, and procedures;
  • resources are acquired economically, used efficiently, and adequately protected;
  • programs, plans, and objectives are achieved;
  • quality and continuous improvement are fostered in CIHR's control processes;
  • significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately; and 
  • interaction with governance and management committees at CIHR occurs as needed. 

Internal Audit shall communicate to management the opportunities for improving control and operational efficiency identified during audits.

Internal Audit shall have sufficient knowledge to identify the indicators of fraud, but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

As required by the CIHR Internal Audit Policy, the CAE shall:

  • report at least annually to the CIHR Audit Committee (AC) on Internal Audit's conformance with professional standards;
  • inform the Comptroller General of Canada without delay, after discussion with the President, of any issue of risk, control, or management practice that may be of significance to the government and, or, require the Treasury Board of Canada Secretariat's involvement; and
  • provide annually to the President and AC an annual assurance report on the adequacy and effectiveness of CIHR's risk management, control, and governance processes.

Other Responsibilities of the CAE

In addition to Internal Audit, the CAE is responsible for:

  • the provision of advice, training, and facilitation services related to CIHR Corporate Risk Management (CRM), and
  • the Evaluation function.

Corporate Risk Management

  • The CAE's responsibilities for Corporate Risk Management are restricted to:
    • Facilitating the identification, assessment, and treatment of risks;
    • Developing and facilitating corporate training on risk management processes and products; and
    • Providing quality assurance on risk management processes and products.
  • Management remains accountable for:
    • Articulating and communicating the objectives of the organization;
    • Establishing an appropriate internal control environment, including a risk management framework;
    • Identifying potential threats to the achievement of the objectives;
    • Assessing the risks (i.e., the impact and likelihood of the threats occurring);
    • Determining the risk tolerance levels of the organization;
    • Selecting and implementing risk mitigation;
    • Communicating information on risks in a consistent manner at all levels in the organization; and
    • Providing management's assurance that risks are being managed cost-effectively

Evaluation

  • The CAE is responsible for managing an efficient and effective evaluation unit that ensures evaluations are conducted in a neutral, cost-effective manner.

To protect the independence and objectivity of Internal Audit, the following measures are taken:

  • If independence or objectivity is impaired in fact or appearance, the CAE shall disclose the details of the impairment to appropriate parties, including the CIHR Audit Committee.
  • Internal Audit shall refrain from assessing specific operations for which it is, or was previously, responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
  • Assurance engagements for functions over which the CAE has responsibility shall be overseen by a party outside the internal audit activity.

Authority

In accordance with the CIHR Internal Audit Policy, the CAE, staff of Internal Audit, and external resources mandated by the CAE, are authorized to: 

  • have unrestricted access to all functions, records, property, personnel, and contractors in CIHR as required for internal auditing purposes;     
  • allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives;      
  • obtain the necessary assistance of personnel in units of CIHR where audits are performed, as well as other specialized services from within or outside the organization; and
  • have full and free access to AC.      

The CAE and his/her staff are not authorized to perform any duties that place them in a conflict of interest and impair their independence or objectivity in fact or appearance. Therefore, Internal Audit shall not perform any management or staff duties related to CIHR's operations and programs, with the exceptions noted below.

Standards and Code of Conduct for Internal Auditing

The TB Policy on Internal Audit establishes the standards to be followed by Internal Audit in carrying out its mandate in the Government of Canada. These standards include the Professional Practices Framework of The Institute of Internal Auditors (IIA). As reflected in the CIHR Internal Audit Policy, CIHR Internal Audit shall abide by the TB Policy and its attendant standards. Furthermore, CIHR Internal Audit shall adopt the Code of Ethics contained in the Framework, in addition to the Values and Ethics Code for the Public Service of Canada.

CIHR's conformance with TB Policy is reflected in the CIHR Internal Audit Policy. Professional standards require the application of care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

Related Policies and References

Prepared by: Chief Audit Executive, CIHR
Recommended by: CIHR Audit Committee, March 16, 2011
Approved by: CIHR Governing Council, June 23, 2011