This policy takes effect on April 1, 2017.This policy replaces the Treasury Board Policy on Internal Audit dated April 1, 2012.This policy is issued pursuant to sections 7 and 11.1 of the Financial Administration Act.The Treasury Board has delegated to the President of the Treasury Board the authority to: Amend directives,including mandatory procedures and other appendices related to this policy; andDirect a department that has a reference level of less than $300 million to establish an internal audit function.The objective of this policy is to ensure that the oversight of public resources throughout the federal public administration is informed by a professional and objective internal audit function that is independent of departmental management. This function provides assurance as to whether government activities are managed in a way that demonstrates responsible stewardship to Canadians.The expected results of this policy are as follows: Deputy heads are supported in their role as accounting officer, as defined in section 16.4 (1) and 16.4 (2) of the Financial Administration Act , by an internal audit function that contributes directly and proactively to improving risk management, control and governance;Deputy heads receive assurance and advice from their departmental audit committees and internal audit function to inform decision making in their departments;The Comptroller General of Canada receives assurance and advice from audit committees and internal audit functions to inform decision making in a broader government context; andInternal audit in the federal public administration is supported and assessed by the Comptroller General of Canada in order to build and sustain the capacity of a professional and qualified internal audit community and to ensure adherence to professional standards and rigour in internal auditing.Deputy heads of all departments are responsible for the following: Ensuring that internal audit resources and capacity are appropriate to the needs of the department. Departments that have a reference level of more than $300 million per year must have an internal audit function;Ensuring that internal audit in the department is carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework unless the framework is in conflict with this policy or its related directive; if there is a conflict, the policy or directive will prevail;Briefing the appropriate minister on matters arising from the work of internal audit which merit their attention;Informing the Comptroller General of Canada, without delay, of any risk, control or governance issues that may require the involvement of the Treasury Board of Canada Secretariat;Ensuring that a formal response is provided to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely manner;Ensuring that completed internal audit reports are released on platforms as prescribed by the Treasury Board of Canada Secretariat and within the timeframe prescribed by the Comptroller General of Canada;Ensuring that the Comptroller General of Canada is provided with full and timely access to all information, documentation or explanations required or requested by the Comptroller General of Canada in order to carry out his or her responsibilities; andInvestigating and acting when significant issues regarding policy compliance arise and ensuring that appropriate remedial action is taken to address these issues within the department.Deputy heads of departments that have an internal audit function are responsible for the following: Designating, in consultation with the Comptroller General of Canada, a chief audit executive to manage the internal audit function and who reports directly to the deputy head; For purposes of the Treasury Board Executive Group Qualification Standards, the CAE must either:

have a recognized internal auditor certification or professional accounting designation in Canada; or
possess an acceptable combination of education, training and/or experience as determined by the Comptroller General of Canada.

If the chief audit executive does not have a recognized internal auditor certification or professional accounting designation in Canada, the Comptroller General of Canada may determine any additional measures that may be appropriate to safeguard the integrity of the internal audit function.Consulting with the Comptroller General of Canada regarding the creation of a chief audit executive position and whenever a chief audit executive is to be appointed, transferred or upon notification of departure;Ensuring that the chief audit executive: Is not assigned any departmental management or operational responsibilities that may compromise his or her independence and objectivity with respect to his or her internal audit responsibilities;Has unrestricted access to the departmental audit committee;Has unrestricted access to all departmental records, databases, workplaces and employees to carry out the departmental risk-based audit plan or other engagements and has the authority to obtain related information and explanations from individuals employed by the department and contractors;Has unimpaired ability to carry out his or her responsibilities, including reporting issues to the deputy head, to the departmental audit committee and, as appropriate, to the Comptroller General of Canada.Approving a departmental risk-based audit plan that spans multiple years, focuses primarily on assurance, and considers the following: Departmental areas of high risk and significance;Horizontal audits led by the Comptroller General;Planned audits led by external assurance providers and other departments as appropriate; andOther oversight engagements.Submitting the approved departmental risk-based audit plan to the Comptroller General of Canada in the time and manner prescribed by that office;Approving reports on the results of internal audit engagements;Supporting the professional development and certification of internal auditors in the department;In consultation with the Comptroller General of Canada, establishing and maintaining an independent departmental audit committee that includes a majority of external members recruited from outside the federal public administration and appointed by Treasury Board;Ensuring that audit committee members are selected so that: Their collective skills, knowledge and experience allow the committee to carry out its duties competently and efficiently;They are free of any real or apparent conflict of interest; andThe committee reflects Canada’s diversity;Ensuring that all members of the departmental audit committee are provided with all information and documentation necessary to perform their duties; andEnsuring that any situation that might give rise to a real or apparent conflict of interest with the audit committee member’s responsibilities is prevented or effectively managed.Deputy heads of departments that do not have an internal audit function are responsible for the following: Considering the risk profile and control environment of their department and deciding whether the work performed by the Comptroller General of Canada meets their internal audit requirements or whether further internal audit engagements are necessary, or whether to establish an internal audit function; andEstablishing an internal audit function if directed to do so by the President of the Treasury Board.The Comptroller General of Canada is responsible for the following: Monitoring, providing guidance and recommending corrective actions regarding the following: Compliance with this policy and its supporting instruments;Internal audit performance of departments; andInternal audit function across government.Providing leadership to the internal audit function in the federal public administration, including: Development and sustainability of the internal audit community through talent management and community development strategies; andDetermining the professional requirements for internal audit in the federal public administration.Approving and sharing with deputy heads, a multi-year risk-based audit plan that identifies audit engagements that the Comptroller General of Canada plans to lead in departments;Leading internal audit engagements focused on departments that do not have an internal audit function;Leading internal audit engagements that address horizontal, sectoral or thematic risks or issues or any other audits that have been identified by the Comptroller General of Canada or the Secretary of the Treasury Board;Consulting with chief audit executives and deputy heads on significant issues of risk, control and governance in departments to ensure that effective and timely action is taken;Directing departments to undertake audits identified by the Comptroller General of Canada or the Secretary of the Treasury Board;Establishing competency profiles to guide the recruitment of external audit committee members;Establishing or proposing other requirements related to the terms and conditions for audit committee members;Determining areas of responsibility for departmental audit committees related to departmental management, control and accountability;Providing guidance on operational requirements and expected audit committee practices;Co-recommending, with deputy heads, audit committee members for approval by Treasury Board;Establishing and maintaining one or more independent audit committee(s) that includes a majority of external members recruited from outside the federal public administration and appointed by Treasury Board that: Meets the requirements for departmental audit committees in departments that have an internal audit function;Reviews and provides recommendations on the results of internal audit engagements performed by the Comptroller General of Canada; andProvides advice to deputy heads, the Comptroller General of Canada and the Secretary of the Treasury Board.Departmental Audit Committees are responsible for the following: Providing objective advice and recommendations to the deputy head on the sufficiency, quality and results of internal audit engagements related to the adequacy and functioning of the department’s frameworks and processes for risk management, control and governance;Using a risk-based approach, reviewing all areas of responsibility for departmental audit committees related to departmental management, control and accountability processes as determined by the Comptroller General of Canada; andProviding advice and recommendations on matters for which the deputy head, as accounting officer, is responsible and on other related matters as needed or requested by the deputy head.Not applicable.This policy and its supporting instruments apply to departments as defined in section 2 of the Financial Administration Act unless otherwise excluded by other acts, regulations or orders in council.The requirements set out in subsections 4.1.3, 4.1.6, 4.1.7, 4.2.1.1, 4.2.1.2, 4.2.5, 4.2.8, 4.4.1, 4.4.5, 4.4.7 and 4.4.12 of this policy do not apply to the following organizations:

Office of the Auditor General of Canada
Office of the Chief Electoral Officer
Office of the Commissioner of Lobbying of Canada
Office of the Commissioner of Official Languages
Offices of the Information and Privacy Commissioners of Canada
Office of the Public Sector Integrity Commissioner of Canada

The heads of these organizations are solely responsible for:

Monitoring and ensuring compliance with this policy within their organizations;Establishing and maintaining an audit committee; the members of these committees are not appointed through the Treasury Board appointment process led by the Comptroller General of Canada; andDetermining any additional measures that may be appropriate to safeguard the integrity of the internal audit function if the chief audit executive does not have a recognized internal auditor certification or professional accounting designation in Canada.For an outline of the consequences of non-compliance, refer to the Framework for the Management of Compliance (Appendix C: Consequences for Institutions and Appendix D: Consequences for Individuals).Legislation

Access to Information Act (section 22)
Financial Administration Act (section 16)
Official Languages Act (sections, 7, 13 and 46)
Privacy Act (subsection 8(2)h)
Public Service Employment Act (section 30)

Related policy instruments

Foundation Framework for Treasury Board Policies
Policy on Communications and Federal Identity (subsections 6.3.1, 6.3.2, 6.3.4, 6.3.5 and 6.3.7)

For interpretation of any aspect of this policy contact Treasury Board of Canada Secretariat Public Enquiries.Individuals from a departmental internal audit group may contact Internal Audit Enquiries for interpretations.

Definitions for the following terms can be found in the Glossary of the International Standards for the Professional Practice of Internal Auditing (Standards)

assurance services
consulting services
control
governance
independent (independence)
objectivity
risk
risk management