Internal Audit Directive

This content is licensed under the Open Government Licence. This does not include photos or logos, as well as some other exemptions.

This directive outlines the responsibilities and accountabilities of the Ontario Internal Audit Division (OIAD) within the Ontario Public Service (OPS). The directive applies to all OPS ministries and provincial agencies and it establishes OIAD as the provider of internal audit services and recognizes the principles of modern internal auditing.

On this page Skip this page navigation

Introduction

The Ontario Internal Audit Division (OIAD) assists the Ontario Public Service (OPS) in accomplishing its objectives through internal auditing services. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the operations of the OPS. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal controls and governance processes.

OIAD provides internal audit services to all ministries. It conforms with the Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, the Core Principles, and the International Standards for the Professional Practice of Internal Auditing. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance

Internal auditing is a service provided to management. OIAD's role is to support management by identifying where the organization is most vulnerable and how governance and controls can best be strengthened.

Purpose

This Directive provides a framework of governance and accountability, including responsibilities, to govern the operation of internal audit services throughout the OPS.

Application and scope

This Directive applies to:

all ministries and
provincial agencies defined under the Agencies & Appointments Directive.

Internal auditing includes, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:

Evaluating risk exposure relating to achievement of the organization’s strategic objectives.
Evaluating the reliability and integrity of information and the means used to identify measure, classify, and report such information.
Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws and regulations, which could have a significant impact on the organization.
Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
Evaluating the effectiveness and efficiency with which resources are employed.
Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
Monitoring and evaluating governance processes.
Monitoring and evaluating the effectiveness of the organization’s risk management processes.
Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization.
Reporting periodically on internal audit activity’s purpose, authority, responsibility and performance relative to its plan.
Reporting significant risk exposures and control issues, including fraud risks, governance issues and other matters needed or requested by the audit committee.
Evaluating specific operations at the request of the audit committee or management, as appropriate.

Principles

Independence and objectivity

Internal audit activity is free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of necessary independence and objectivity.

Internal auditors are independent of the activities they audit and of the management directly responsible for the activities they audit. Internal auditors provide advice but do not implement internal controls, install procedures or systems, prepare records, or engage in any line activity that would compromise independence and objectivity.

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

Integrity

The integrity of internal auditors creates trust and provides a basis for the reliance on their judgment.

Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Competence

Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.

Risk-based and client-focused

Internal auditors are involved in significant business processes, functions and organizational units, and work with client management to support the identification and assessment of business risks and mitigation strategies.

Management supported

The Deputy Minister in each ministry ensures necessary resources for internal audit to be an integral component of the governance and control structure in the ministry and in its oversight of Agencies.

Continuous improvement

Internal audit contributes to the continuous improvement of processes within each ministry and throughout the OPS.

Partnerships

OIAD works in partnership with the Office of the Provincial Controller Division of Treasury Board Secretariat (TBS) to promote strong governance, accountability and risk management in the OPS.

Policy framework

Internal audit occurs within the overall OPS management policy framework to promote the consistent and effective application of policies across the OPS, including ministries and provincial agencies.

Mandatory requirements

Internal audit function

All ministries must have an internal audit function. The nature and size of this function will be decided by each ministry’s Deputy Minister in consultation with the Chief Internal Auditor/Assistant Deputy Minister, and will be based on the risk tolerance of the ministry.

Internal audit must undertake internal audit engagements approved by the ministry’s Audit Committee (AC), Corporate Audit Committee (CAC), or at the Minister’s request. The internal audit function created for a ministry must be sufficient to provide the internal audit services for the ministry and support, where necessary, and approved by responsible AC, its oversight role of provincial agencies (as defined in the Agencies & Appointments Directive).

Audit committees

Effective ACs promote a strong control and governance environment for the OPS. They also help OIAD establish the level of independence and objectivity required to effectively discharge its responsibilities. The committees are decision-making bodies functioning under the authority of their charters including provisions for external member(s) to serve on the committee.

Corporate Audit Committee:

The OPS must have a CAC, established by the Secretary of the Cabinet. The committee serves to promote an effective internal audit function that meets both enterprise and Ministries’ needs. The committee receives its authority to exercise its responsibilities from this Directive and the Deputy Ministers’ Council to which it reports. The CAC acts as a forum for communication between the Deputy Ministers, senior management, and OIAD.

The CAC must have a charter, highlighting its objectives, roles and responsibilities composition and tenure, and reporting requirements. At least once every two years, the CAC must conduct a review of the charter. The existing charter outlines the composition of the members including a provision to have external advisory members to demonstrate independence. The Deputy Minister of the ministry in which OIAD is organizationally located at any given time is a member of the CAC. Currently, the Deputy Minister, Treasury Board Secretariat / Secretary of Treasury Board and Management Board of Cabinet and the Deputy Minister of the Ministry of Finance are members of the CAC and will serve as the Chair and Vice-Chair of the CAC, respectively.

Ministry audit committee:

Each ministry must have an AC, which is chaired by the Deputy Minister and whose members include senior management representing key functional areas of the ministry. The AC will report to the executive management committee of the ministry on accountability, governance, risk management and control, and on the adequacy and effectiveness of the internal audit function.

Each ministry AC must have a charter highlighting objectives, roles and responsibilities, composition and reporting requirements. At least once every two years, the ministry AC must conduct a review of its charter.

OIAD memorandum of understanding

Ministries:

A written Memorandum of Understanding (MOU) must be established between each ministry and OIAD. The MOU sets out levels of service and operating protocols and provides a framework for the arrangement by which the OIAD provides internal audit services to each ministry including supporting their oversight of provincial agencies. The MOU must be signed by the Deputy Minister and the Chief Internal Auditor/Assistant Deputy Minister. The MOU must be reviewed at least once every two years by the Deputy Minister and the Chief Internal Auditor/Assistant Deputy Minister. The terms of the MOU remain in force until amended or terminated by MOU of the parties.

The MOU must include the following major components:

purpose of the MOU, including respective authority and mandate of OIAD
nature of internal audit services
distribution of audit plans and reports
access to information requests and protocol related to privacy complaints
budget and financial management
director appointment and performance
dispute resolution
service commitment and evaluation

Provincial agencies:

A written MOU for the provision of internal audit services must be in place between OIAD and a provincial agency or when services are requested by an agency with the approval of the relevant AC, or directed by a minister. The Chair of the agency, the Chief Internal Auditor/Assistant Deputy Minister, and the Audit Service Team (AST) Director will be the signatories of the MOU. In cases where provision of internal audit services is directed / requested by a Minister, the MOU is signed by the AST Director, the Agency Chair and the Minister.

At a minimum, the MOU must cover the following components:

purpose of the MOU, including respective authority and mandate of OIAD
nature of internal audit services
distribution of audit plans and reports
access to information requests and protocol related to privacy complaints
budget and financial management
dispute resolution
service commitment and evaluation

Audit plans

Ministry/Agency audit plan:

ASTs must prepare an annual or multi-year audit plan considering risks of their client ministries and provincial agencies, and available resources of the AST.

The plan will consist of internal audit services that best help the ministry manage their risks including, where deemed appropriate and approved by ministry AC, risk related to the oversight of its provincial agencies. The AST Director will be responsible for developing and implementing the approved audit plan, including amending the plan to reflect changes to risks or needs of the ministry. The ministry AC will be responsible for approving the plan and any amendments.

Enterprise-wide audit plan:

The Enterprise-wide AST, the Enterprise-wide Information and Information Technology AST, and the Corporate Financial Assurance AST must develop annual or multi-year enterprise-wide audit plan covering risks from an OPS-wide perspective. The Forensic Investigations Team (FIT) must develop an annual operational plan.

The Directors of the Enterprise-Wide AST, the Enterprise-Wide Information Technology AST, and the Corporate Financial Assurance AST are responsible for implementing the approved enterprise-wide audit plan, including amending the plan to reflect changes to risks or needs of the OPS. The Director of FIT is responsible for implementing the approved operational plan, including amendments to the plan.

The CAC is responsible for approving the annual or multi-year enterprise-wide audit plan and the operational plan and any amendments.

Access

Ministries and provincial agencies must provide OIAD with direct and ready access to all ministry and agency places of business, assets, IT systems, personnel, books of accounts, records, reports, files, and any other documentation that OIAD deems necessary for the conduct of its services. This includes information in any media and takes into account any future form of storage. Where access to personal information is at issue, OIAD shall work with the Freedom of Information and Privacy Coordinator in the subject ministry or provincial agency to ensure that personal information is accessed and managed in compliance with the Freedom of Information and Protection of Privacy Act.

OIAD must have free and unrestricted access to the chairs of the ACs to facilitate communication and direct interaction, including in executive sessions between AC meetings, as appropriate.

Reporting relationships

The Chief Internal Auditor/Assistant Deputy Minister and the AST Directors must be in positions that maintain the highest levels of independence and objectivity possible within their own ministry and enterprise-wide organizational structures. This is achieved through their direct reporting relationships and through annual confirmation of OIAD's independence to the ACs, in addition to periodic reporting to the ACs on the internal audit activity’s purpose, authority, and responsibility.

The Corporate Audit Committee is accountable for providing input for the appointment and removal of the Chief Internal Auditor/Assistant Deputy Minister to the Deputy Minister of the ministry in which OIAD is organizationally located
The Chief Internal Auditor/Assistant Deputy Minister reports to the Deputy Minister of the ministry in which OIAD is organizationally located.
The Chief Internal Auditor/Assistant Deputy Minister is also accountable to the CAC with respect to the conduct of his or her formal and regular performance evaluation and talent management assessments specifically related to meeting his/her commitments identified in the CAC Charter
The Chief Internal Auditor/Assistant Deputy Minister provides reports, as appropriate, to the CAC on all matters relating to divisional human resources, performance measurement, service quality, the quality assurance and improvement program that covers all aspects of the internal audit activity, communication strategies, audit standards, and financial management and administration.
AST Directors report to the Chief Internal Auditor/Assistant Deputy Minister for all matters relating to human resources, performance measurement, service quality, quality assurance, communication strategies, audit standards, financial management and administration.
AST Directors are also accountable to the Deputy Minister of their client ministry for all matters relating to delivery of internal audit services to that ministry.
AST Directors will communicate directly to the Minister of their client ministry or his or her delegate, when requested, for matters relating to the delivery of internal audit services to provincial agencies. AST Directors will report directly to the Chair of an Agency when internal audit services have been requested by the board with the approvals of the ministry AC, or to the Minister where the Minister has directed internal audit services.

Relationship with the Office of the Auditor General of Ontario

OIAD has established a clear working relationship with the Office of the Auditor General of Ontario (OAGO), supporting ongoing communication and co-ordination of internal audit activity amongst ministries, OIAD and the OAGO. AST Directors must work with their respective ACs to ensure that processes to support this are implemented, as approved by the ministry ACs.

Responsibilities

Secretary of the Cabinet

The Secretary of the Cabinet is responsible for:

Establishing the CAC, and appointing and removing the Chair and all members.

Ministers

Ministers are responsible for:

Receiving reports from Ministry AC Chairs or AST Directors on matters relating to the delivery of internal audit services, as appropriate.
Directing provincial agencies to accept the provision of internal audit services from or to be audited by OIAD where the minister considers it necessary or appropriate, and receiving reports from the AST Directors relating to those provincial agencies.

President of the Treasury Board and the Minister of Finance

Under the Financial Administration Act, the President of the Treasury Board is responsible for allocating funds for internal audits and working jointly with the Minister of Finance to monitor the use of funds with respect to internal audits.
In order to fulfill the above responsibilities, the President of the Treasury Board shares with the Minister of Finance a statutory right of access to information from every ministry and provincial agency regarding its powers, duties, activities, organization, financial transactions and methods of business and may delegate this power to any public servant under Part III of the Public Service of Ontario Act, 2006 who works in or provides services to the Treasury Board Secretariat, in which OIAD currently resides.

Provincial agencies

Provincial agencies are responsible for:

Accepting the provision of internal audit services from or to be audited by OIAD where the minister considers it necessary or appropriate, and receiving reports from the ministries and/or AST Directors.
Accepting reports from AC Chairs or OIAD on matters relating to the delivery of internal audit services, as appropriate.

Corporate Audit Committee

Establishing and reviewing at least every two years, the committee charter outlining purpose; authority; roles and responsibilities; composition and reporting arrangements.
Assisting the Deputy Ministers’ Council to discharge their governance, accountability and risk management responsibilities.
Providing input for the appointment and removal of the Chief Internal Auditor/Assistant Deputy Minister to the Deputy Minister of the ministry in which OIAD is organizationally located.
Approving enterprise-wide audit plans, FIT operational plans and any amendments as required.
Approving enterprise-wide audit reports and evaluating management responses to address significant risks.
Providing input to the Deputy Minister of the ministry in which OIAD is organizationally located with respect to:
- The Chief Internal Auditor & Assistant Deputy Minister’s performance evaluation and talent management assessment specifically related to meeting his/her commitments as identified in the CAC Charter.
Reviewing the adequacy and allocation of OIAD resources to allow the division to carry out its responsibilities, including performance measurement and the quality assurance and improvement program, completion of approved enterprise-wide, ministry and agency audit plans.
Reviewing OIAD's compliance with the Standards of Professional Practice of Internal Auditing, including adequate quality assurance practices, appropriate staffing and effective operational management.
Reviewing and recommending the internal audit directive for TB/MBC approval.
Determining if the appropriate structure, reporting, authority and access arrangements are in place or whether there are inappropriate scope or resource limitations.
The Chair will provide advice to the Secretary of the Cabinet, if requested to do so, regarding the appointment and removal of members.
Reviewing the coordination of audit activities conducted by OIAD and the OAGO.

Ministry Audit Committee

The Ministry Audit Committees are responsible for:

Establishing and reviewing at least every two years, the committee charter outlining purpose; authority; roles and responsibilities; composition and reporting arrangements.
Reviewing and approving the annual audit plan, and, in consultation with the AST Director, and ensuring that it is based on ministry risk assessments and incorporates government and ministry priorities.
Reviewing the adequacy and allocation of the AST resources to allow the AST to carry out its approved ministry and provincial agency internal audit plans.
Reviewing the coordination of audit activities conducted by the AST and the OAGO.
Reviewing audit reports and summaries of ministry/provincial agency key audit findings and, if necessary or as required, advising CAC or DMC of significant issues identified in audit reports and actions taken on issues raised, including identifying and recommending better practices.
Reviewing information on management’s implementation of action plans designed to address the AST's findings related to material or significant risks.
Reviewing the AST's compliance with the Standards of Professional Practice of Internal Auditing, including adequate quality assurance practices, appropriate staffing and effective operational management.

Deputy Ministers

The Deputy Minister of each ministry is responsible for:

Approving the level of internal audit services appropriate to meet the needs of the ministry and provincial agencies, based on the advice/direction of the ministry AC and the Chief Internal Auditor/Assistant Deputy Minister.
Supporting an appropriate effective internal audit function, including administrative supports and delegation, and ensuring internal audit findings are addressed.
Establishing and chairing the ministry AC or establishing the appropriate delegation for chairing the ministry AC.
Approving, as Chair of the ministry AC, the OIAD provision of internal audit services to an agency consistent with any agency-specific legislation and as provided for in this Directive.

Chief Internal Auditor/Assistant Deputy Minister, Ontario Internal Audit Division

The Chief Internal Auditor/Assistant Deputy Minister is responsible for:

Providing the Secretary of the Cabinet, through the CAC, with risk assessments, assurance and advice relating to the enterprise-wide governance and control systems that help support the achievement of OPS objectives.
Presenting an annual enterprise audit plan to the CAC for approval based on an enterprise risk assessment as confirmed with the Deputy Minister.
Maintaining the integrity and quality of the internal audit function including the quality of service; adherence to professional standards; quality assurance and improvement program; performance measurement; divisional human resources and professional development strategies, standards and practices; divisional financial management and administration; and communications strategies and practices.
Providing guidance to the CAC and relevant Deputy Ministers on the level and deployment of internal audit resources across the OPS.
Establishing a written MOU with each ministry, and establishing plans and procedures to guide ministry internal audit activity.
Maintaining a protocol-supporting liaison with the OAGO.
Providing advice to the Secretary of the Cabinet, if requested, regarding the appointment and removal of the Chair and members of CAC.

Audit Service Team Directors

The AST Director is responsible for:

Working with ministry management and the Chairs of its provincial agencies, as appropriate, to ensure that risk exposures are appropriately identified and managed. When assisting management in establishing or improving risk management processes, AST Directors and their staff must refrain from assuming any management responsibilities by actually managing risk.
Providing each client Deputy Minister, ministry AC, Chair of an agency, or Minister of a client ministry as appropriate, with independent risk assessments, assurance and advice, consistent with the MOU, relating to the control systems that help support the achievement of objectives.
Preparing and implementing an annual or multi-year audit plan, based on risk priorities and financial resources approved by the Deputy Ministers, as appropriate and approved by the respective AC. In the case of the Enterprise-wide Operational, Information Technology and Corporate Financial Assurance ASTs, develop and implement an annual or multi-year enterprise-wide audit plan based on enterprise risk assessments and government priorities and taking into account all ministries’ audit priorities.
Evaluating ministry processes for managing fraud risk.
Ensuring that significant audit findings and recommendations are reported and, as appropriate, followed up with and addressed by the level of management where direct accountability resides.
Supporting the quality of the internal audit function in the AST by ensuring high quality client service; adherence to divisional and professional standards; adherence to human resource and professional development strategies and practices; adherence to communications strategies and practices; and adherence to financial management standards and practices.
Advising on and assisting with ministry and provincial agency interactions with the OAGO.
Reporting to the Ministry AC regularly, ideally at least four times per year on the progress and results of the audit plan.
Providing the appropriate level of corporate and enterprise-wide support and information as determined by the Chief Internal Auditor/Assistant Deputy Minister and as outlined in the written MOU with their client ministries.

Definitions

Provincial Agency^{footnote 1[1]}

A provincial agency has the following characteristics:

is established by government through a constituting instrument (under or by statute, Order in Council or regulation)
is accountable to a minister for fulfilling its legislative obligations, the management of the resources it uses, and its standards for any services it provides
the majority of its appointments are made by the government
is not organizationally part of a ministry but is part of the Government of Ontario
has authority and responsibility, granted by the government, to perform an ongoing public function or service that involves adjudicative or regulatory decision-making, operational activity, or an advisory function.

Accountability^{footnote 2[2]}

the obligation to answer for results and the manner in which responsibilities are discharged. Accountability cannot be delegated.

Audit Service Team

the audit professionals under one Audit Service Team Director providing internal audit services to one or more Ministries and Agencies.

Chief Internal Auditor/ Assistant Deputy Minister

the head of the Ontario Internal Audit Division, responsible for internal audit services for the OPS.

Audit Service Team Director

the head of an Audit Service Team that provides internal audit services to a ministry or group of ministries and to provincial agencies.

Corporate Audit Committee

the committee that oversees the internal audit activity for the OPS and to which the Chief Internal Auditor/Assistant Deputy Minister directly reports for all functional and administrative matters relating to the delivery of internal audit services to the OPS and provincial agencies.

Governance^{footnote 3[3]}

the processes and structures used to ensure that a government entity is operating effectively, fulfilling its mandate and meeting its objectives, and is being held accountable for the expenditure of public funds

Internal Audit Services

refers to:

Assurance Services - value for money audits, performance audits, operational audits, financial and internal control audits, compliance reviews, and special reviews.
Advisory and Consulting Services - risk assessment and control design; consulting advice on controllership, accountability, governance and sound business practice; training and education on risk management and control; special projects; advice and liaison for audits conducted by the Auditor General of Ontario.
Information Management and Information Technology (IM&IT)– specialized audit, risk assessment and consulting services of IM&IT projects including new systems under development, systems and IT project management, information and infrastructure security and IT operations.
Forensic Investigations - conducted in accordance with Forensic Investigations Team (FIT) protocol

Ontario Internal Audit Division

the division that provides internal audit services to ministries, agencies, and the OPS.

Ministry Audit Committee

the committee chaired by the Deputy Minister, consisting of members of ministry senior management that oversees the internal audit activity for the ministry.

Risk Management^{footnote 4[4]}

the systematic process of identifying, analyzing and treating risk (the chance that a future event will impact the achievement of established objectives).

Updated: February 17, 2022

Published: May 12, 2017

Footnotes

footnote[1] Back to paragraph As defined in the Agencies & Appointments Directive
footnote[2] Back to paragraph As defined in the OPS Financial Management Gateway
footnote[3] Back to paragraph As defined in the Ontario Auditor General 1999 Annual Report
footnote[4] Back to paragraph As defined in the OPS Financial Management Gateway