Internal Audit Directive
The Directive establishes the requirements that support internal audit services and outlines the purpose, authority, application, and principles for the provision of internal audit services from the Ontario Internal Audit Division (OIAD), including key requirements for ministries and provincial agencies.
1. Introduction
Internal auditing is an independent, objective assurance and advisory activity and is integral to adding value and improving the operations of the Ontario Government.
The Ontario Internal Audit Division (OIAD) is a division within the Office of the Comptroller General of Ontario, Treasury Board Secretariat. OIAD offers independent assurance, advisory and forensic services aimed at adding value, improving operations, and supporting the Ontario Government in accomplishing its objectives. These activities are collectively defined as internal audit services. OIAD brings a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal controls, and governance processes.
Where noted, sections of this directive may apply only to assurance and advisory services within OIAD [OIAD Assurance and Advisory Services] or may apply to only forensic services provided by Forensic Investigation Team [FIT] or OIAD assurance and advisory services as well as forensic services delivered by the FIT [OIAD].
2. Purpose
This directive:
- Establishes the requirements that support internal audit services, and
- Provides a framework of governance, authority, and accountability for internal audit services.
This directive is divided into three main parts:
- Part A: Defines the requirements of ministries and provincial agencies when internal audit services are provided by OIAD.
- Part B: Establishes OIAD’s governance and accountability framework, including responsibilities of the internal audit function
footnote 1 - Part C: Outlines the key roles and responsibilities within ministries, agencies and the OIAD.
3. Authorities
This directive is issued by the Management Board of Cabinet pursuant to subsection 3(3) of the Management Board of Cabinet Act.
OIAD staff also operate under delegated authority to access information that is set out in section 1.0.25 of the Financial Administration Act and may rely on that authority when auditing entities subject to that Act.
4. Application
This directive applies to:
- ministries; and
- provincial agencies defined under the Agency and Appointments Directive (AAD)
This directive should be read in conjunction with any requirements in other directives (for example, AAD
OIAD may audit or investigate any entity in accordance with governing agreements or legislation. In the absence of applicable agreements or legislations, internal audit services access may also be granted by the entity.
5. Principles
The following general principles guide the application of this directive.
- The internal audit function supports the overall effectiveness and efficiency of Government operations.
- The internal audit function promotes strong governance, accountability, and risk management in the OPS.
- The internal audit function builds trust and fosters collaborative relationships with stakeholders through ongoing communication.
- Internal audit engagements are conducted in an open and transparent manner.
Part A: Key Requirements – Ministries and Provincial Agencies
Part A establishes the requirements for ministries and provincial agencies when internal audit services are provided by OIAD.
1. Access
- Ministries are required to obtain internal audit services through OIAD.
- Ministries and provincial agencies must support and accept the provision of internal audit services from OIAD as identified in the OPS-Wide Multi-Year Risk-Based Internal Audit Plan (Internal Audit Plan).
- Ministries and provincial agencies must provide OIAD and any contracted personnel by OIAD with unrestricted access to the entity’s place of business, systems, personnel, books of accounts, data, records, information, reports, files, and any assets or property, including Information and Technology systems that OIAD and any contracted personnel by OIAD deems necessary for the conduct of its services in accordance with this directive. This includes information in any media and considers any future form of storage.
- Where data, processes, information etc. for one ministry/provincial agency is administered, maintained, or managed by another ministry, that ministry must, when requested, provide information directly to OIAD.
- Where access to personal information is an issue, Freedom of Information and Privacy Coordinator in the subject ministry or provincial agency must work with OIAD to ensure personal information is accessed and managed in compliance with the Freedom of Information and Protection of Privacy Act.
2. Other requirements
- Ministries must inform OIAD, without delay, of any significant risk, internal control or governance issues including those pertaining to provincial agencies.
- Ministries and provincial agencies must accept and receive reports/informational updates from OIAD and/or the Ontario Internal Audit Committee (OIAC)/Sector Audit Committee (SAC) Chairs in accordance with this directive and with Audit and Accountability Committee (AAC) direction.
- Ministries and provincial agencies must provide a formal response to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely manner as outlined in the OIAD’s assurance and advisory services follow-up process.
- Ministries are encouraged to provide feedback and input on the Internal Audit Plan prior to it being finalized, flagging areas of high risk and significance, including those pertaining to provincial agencies.
Part B: Ontario Internal Audit Division
Part B establishes the Ontario Internal Audit Division’s (OIAD) governance and accountability framework, including responsibilities of the internal audit function.
1. Mission and Purpose
OIAD provides independent assurance, advisory and forensic services aimed at adding value, improving operations, and supporting the OPS in accomplishing its objectives by assessing, evaluating, and improving the effectiveness of risk management, internal controls, and governance processes.
OIAD’s mission is to provide independent and value-added internal audit and forensic services that supports the delivery of excellence to Ontarians.
2. Conformance to Professional Standards
OIAD assurance and advisory services must adhere to the principles and standards in the Institute of Internal Auditors (IIA) Global Internal Audit Standards (GIAS) or equivalent. OIAD assurance and advisory services also follow the IIA’s Global Practice Guides/Recommended Guidance, if applicable.
OIAD investigative and forensic services must be governed by an Investigative Quality Management System which outlines standards of practice in quality objectives as aligned with International Organization for Standardization ISO 9001 – Quality Management and CPA Canada Standard Practices for Investigative and Forensic Accounting Engagements (2006).
3. Governance Structure
OIAD is a division within the Office of the Comptroller General of Ontario, Treasury Board Secretariat. The internal audit function is centrally funded. Investigative and forensic services are funded on a fee for service basis.
3.1 Reporting Relationships
The AAC is a sub-committee of TB/MBC. It has oversight on functional matters for the internal audit services provided by OIAD.
The OIAC is an advisory agency that in consultation with the Secretary of the Cabinet, provides advice and recommendations to the AAC regarding functional internal audit activities. The OIAC Chair monitors the independent operation of OIAD. The OIAC Chair also serves as a communication forum between the AAC and SACs, the Secretary of the Cabinet, Deputy Ministers, and senior management.
SACs have been established as subcommittees of the OIAC, with several ministries in each sector. Sector Audit Branches within OIAD serve various ministries within their respective sector. The internal audit function also includes enterprise-wide audit branches.
OIAD’s Chief Internal Auditor (CIA) reports to the OIAC on functional matters, which entails key audit updates and outcomes to help inform the OIAC’s strategic advice to the AAC. The CIA is also accountable and has an organizational reporting relationship to the Comptroller General, who in turn reports to the Deputy Minister of the Treasury Board Secretariat.
Appropriate reporting relationships are critical to achieve independence, objectivity, and organizational stature for an internal audit function necessary to effectively fulfill its obligations.
Appendix A provides further details on the Internal Audit Governance Structure.
4. Scope of Internal Audit Activities
- The scope of OIAD’s assurance and advisory services encompasses, but is not limited to, the objective examination and evaluation of the adequacy and effectiveness of the organization’s governance, risk management, and internal control processes. OIAD’s CIA or designate reports periodically to audit committees and senior management on the results of internal audit work performed.
- OIAD also provides forensics services, including investigations through its FIT. FIT reporting to the SAC/OIAC/AAC is generally limited to receiving fraud and ethical business risk themes and lessons learned reports.
- OIAD may carry out their duties pursuant to transfer payment or other agreement requirements and relevant legislation, as required.
5. Internal Audit Principles
The following internal auditing principles guide and provide a framework for the internal audit function.
Internal Audit Services:
Maintains Independence and Objectivity
- OIAD’s CIA must ensure the internal audit activity remains free of conditions that threaten the ability of OIAD to carry out its activities in an unbiased and impartial manner. If independence or objectivity is impaired in fact or appearance, the CIA must disclose the details of the impairment to the appropriate parties.
- The internal audit activity must have no direct operational responsibility or authority over any of the activities audited or investigated.
- If the CIA has or is expected to have roles and/or responsibilities that fall outside of internal auditing or investigations, safeguards must be established to limit impairments to independence and objectivity.
Demonstrates Integrity – The integrity of internal auditors is essential to establishing trust and earning respect. Internal audits are conducted in a fair, unbiased and impartial manner.
Demonstrate Competency – Internal auditors develop and apply the knowledge, skills and abilities needed to provide internal auditing services.
Exercise Due Professional Care – Internal auditors perform internal audit services with the diligence, judgment and skepticism possessed by prudent and competent internal auditors.
Maintain Confidentiality – Internal auditors respect the value and ownership of information they receive by using it only for professional purposes and protecting it from unauthorized access or disclosure, internally or externally.
Regulatory compliance
Conforms with the IIA standards and core principles of ethics and professionalism, as well as other relevant professional standards.
6. Quality Assurance and Improvement
6.1 External Quality Assessments
An independent assessor or assessment team that is qualified in the professional practice of internal auditing as well as the quality assessment process must conduct an external quality assessment of OIAD periodically in accordance with IIA GIAS or equivalent.
6.2 Internal Quality Assessments
The CIA or designate must establish a methodology for internal assessments as outlined in the IIA GIAS.
Part C: Roles and Responsibilities
1. Chief Internal Auditor, Ontario Internal Audit Division
1.1 Assurance and Advisory Services
The CIA is responsible for the following:
- Ensuring conformance with IIA GIAS or equivalent in the division.
- Establishing at least annually for OIAD’s Assurance and Advisory Services, and updating as required, an Internal Audit Plan that spans multiple years, focuses primarily on providing assurance services, and considers the following:
- Areas of highest risk and significance across the OPS.
- Audits led by external assurance providers and other departments as appropriate, including the Office of the Auditor General of Ontario (OAGO).
- The option to provide advisory services to the organization, as a supplement to the assurance role and in accordance with the IIA GIAS or equivalent.
- Providing advice, as appropriate, to the President of the Treasury Board (as the AAC Chair), the Secretary of the Cabinet and OIAC Chair, regarding the appointment and removal of the SAC and OIAC members.
- Overseeing OIAD’s Audit Branches which are led by an Audit Branch Director. Each Audit Branch Director provides direct support to the CIA and to their respective ministries/provincial agencies, as well as the respective SACs.
- Ensuring that internal auditors have the appropriate qualifications, skills, and opportunities to maintain and develop their competencies.
- Discuss the internal audit mandate and the Internal Audit Directive with the OIAC/AAC to assess whether the authority, role and responsibilities continue to enable OIAD to accomplish its objectives periodically as required by IIA GIAS or equivalent.
1.2 Forensic and Investigative Services
The CIA is responsible for the following:
- Establishing annually an operational plan for the FIT.
- Establishing a quality assurance and improvement program that covers forensic services, including its evaluation of alignment with applicable ISO Standards and CPA Canada Standard for Investigative and Forensic Accounting Engagements (2006) as applicable.
- Ensuring that forensic and investigative staff have the appropriate qualifications, skills, and opportunities to maintain and develop their competencies.
- Overseeing FIT which is led by a Director. The Director provides direct support to the CIA and to ministries/agencies which request or require FIT services.
2. Audit and Accountability Committee (AAC)
The AAC’s responsibilities include:
- Providing strategic advice and direction, with due consideration of the strategic advice provided by OIAC and the SACs, in areas such as approving the Internal Audit Plan, the re-prioritization of key deliverables, management progress in addressing key issues/audit recommendations made by OIAD and OAGO.
- Periodically reviewing and approving OIAD’s mandate, including the Internal Audit Directive, in consultation with the CIA as required by IIA GIAS or equivalent, to assess whether the authority, role and responsibilities continue to enable OIAD to accomplish its objectives.
- Ensuring external quality assessments are completed periodically or as required by IIA GIAS or equivalent.
AAC’s role is to provide oversight of the Internal Audit Plan, which does not encompass forensic activities conducted or within the mandate of FIT’s investigative or forensic services.
3. Ontario Internal Audit Committee (OIAC)
The OIAC’s responsibilities include the following:
- Supporting the AAC’s mandate by providing independent, strategic advice on government-wide internal audit assurance and advisory services; including on the audit planning process, the status of the Internal Audit Plan to support continued alignment with emerging risks and priorities, and management progress in addressing key issues/audit recommendations made by OIAD and OAGO.
- Periodically reviewing, in consultation with the CIA/Designate, any significant matters with respect to scope and/or other restrictions encountered during internal audit work, including impairments to independence and/or objectivity.
4. Sector Audit Committees (SACs)
SAC responsibilities include the following:
- Providing independent, strategic advice on government-wide internal audit assurance and advisory services as well as focused attention on sector-related risks and trends, including on sector-specific audit planning process, status of sector-related Internal Audit Plan deliverables, and management progress in addressing key issues/audit recommendations made by OIAD and OAGO.
- Periodically reviewing, in consultation with the respective Audit Branch Director, matters with respect to scope and/or other restrictions encountered during internal audit work, including impairments to independence and/or objectivity.
Roles and responsibilities of the AAC, OIAC and SACs are detailed in their respective Terms of References.
5. Secretary of the Cabinet
The Secretary of the Cabinet’s responsibilities include:
- Ensuring the CIA or designate has unrestricted access as specified in Part A to carry out internal audit engagements in accordance with this directive.
- Providing feedback and input on the Internal Audit Plan prior to it being finalized, flagging areas of high risk and significance.
- Nominating internal members to serve on the OIAC/SACs for recommendation/approval by the President of the Treasury Board (AAC Chair)
- Providing input to Treasury Board President as appropriate prior to the appointment of the OIAC Chair.
6. Deputy Ministers / Agency Chief Executive Officers or Equivalent
The Deputy Minister and Provincial Agency Chief Executive Officer or equivalent responsibilities include:
- Ensuring all employees and appointees are made aware of their responsibilities under this directive.
- Ensuring the directive is applied and monitored appropriately.
7. Comptroller General
- The Comptroller General oversees the province’s comptrollership function (with leadership from the Office of the Provincial Controller Division), enterprise risk management (with leadership from the Office of the Chief Risk Officer) and internal audit functions.
- The Comptroller General’s responsibilities include providing province-wide direction and leadership in these areas while also ensuring transparency in risk and financial reporting.
In addition to reporting to the OIAC on functional matters, OIAD’s CIA is accountable and has an organizational reporting relationship to the Comptroller General, who in turn reports to the Deputy Minister of the Treasury Board Secretariat.
8. Ministry and Provincial Agency Employees
- The ministry and provincial agency employees ensure information and materials requested by OIAD are provided to OIAD in a timely manner.
Appendix A: Internal Audit Governance Structure
This diagram is for visual reference only. See the text below this figure for the full description.
* In addition to the 9 OIAD Audit Branches, the Enterprise-Wide Audit and Divisional Services Branch also provides assurance and advisory services and tables reports with the Central Services SAC and the OIAC. There is also a Practice Management team and Data Analytics Centre of Excellence that supports the division; and a Forensic Investigations Team (FIT) that provides investigative services.
** OIAC’s role does not include forensic and/or investigative reporting from services performed by FIT.
*** The CIA reports to the OIAC on functional matters, which entails key audit updates and outcomes to help inform the OIAC’s strategic advice to the AAC (who provides functional oversight on internal audit services provided by OIAD). OIAD’s CIA is also accountable and has an organizational reporting relationship to the Comptroller General, who in turn reports to the Deputy Minister of the Treasury Board Secretariat.
**** OCG reports to the TBS Deputy/Secretary of TB/MBC, who provides support to the AAC Chair and all AAC members in the exercise of their duties and works collaboratively with other DMs to support AAC.
The diagram illustrates the audit committee structure.
The centre box provides a visual flow chart for functional reporting lines of OIAD:
- Treasury Board (TB) and Management Board of Cabinet (MBC) is a Committee of Cabinet that consists of Ministers and Advisors; and is known as TB/MBC.
- The Audit and Accountability Committee (AAC operates as a sub-committee of the Treasury Board/Management Board of Cabinet (TB/MBC), with identical membership composition.
- The Ontario Internal Audit Committee (OIAC) is a provincial advisory agency that reports to the President of the Treasury Board (Chair of AAC).
- The Chief Internal Auditor (CIA), within Ontario Internal Audit Division (OIAD) reports to the OIAC on functional matters, which entails key audit updates and outcomes to help inform the OIAC’s strategic advice to the AAC. The OIAD includes nine audit branches that support their respective sector audit committees.
The box on the left provides a visual flow chart for OIAC information sharing and consultation, as well as OIAD’s dual reporting line to the Comptroller General.
- The OIAC supports information sharing and consultation, as appropriate, with the President of the Treasury Board (Chair of the AAC), AAC, Secretary of the Cabinet, Deputy Ministers, Sector Audit Committees (SACs), and senior management.
- The CIA is also accountable and has an organizational reporting relationship to the Comptroller General, who in turn reports to the Deputy Minister of the Treasury Board Secretariat.
- OIAD consults with Deputy Ministers to plan and execute assurance and advisory engagements.
The box on the right provides a list of nine Audit Branches:
- There are nine SACs and each SAC is supported by their respective Audit Branch. The SACs are sub-committees of OIAC. The nine SACs are as follows:
- Agencies and Transfer Payment
- Central Services
- Education
- Justice Services
- I&IT
- Capital
- Community Services
- Health
- Resources
Audit and Accountability Committee (AAC)
The AAC operates as a sub-committee of Treasury Board/Management Board of Cabinet (TB/MBC), with identical membership composition. AAC members carry out their functions within the statutory mandates of the TB under the Financial Administration Act and the MBC under the Management Board of Cabinet Act.
The AAC provides functional oversight on the internal audit services provided by OIAD with due consideration of the strategic advice provided by the OIAC. The OIAC Chair is accountable to the President of the Treasury Board (who serves as the Chair of the AAC), in consultation with the Secretary of the Cabinet and the broader AAC.
Ontario Internal Audit Committee (OIAC)
The OIAC is an independent provincial advisory agency established under section 6.1 of the Ministry of Government Services Act and reports to the President of the TB (who serves as the Chair of the AAC), in consultation with the Secretary of the Cabinet and the broader AAC. The OIAC does not have decision-making authority over the operations and finances of the Ontario Government. The OIAC supports the AAC’s mandate by providing independent, strategic advice on government-wide internal audit assurance and advisory services, including on the adequacy and effectiveness of the government’s risk management, governance, and internal control practices, and the effectiveness of the internal audit function.
Sector Audit Committees (SACs)
The nine SACs are subcommittees of and form part of the OIAC, and report to the President of the Treasury Board through the OIAC Chair. The SACs do not have decision-making authority over the operations and finances of the Ontario Government. The SACs, as part of the OIAC, support the AAC’s mandate by providing independent strategic advice on government-wide internal audit assurance and advisory services as well as focused attention on sector-related risks and trends.
Appendix B: Definitions
For the purposes of this Directive, the identified terms have the following meanings:
Accountability
The obligation to answer for results and the manner in which responsibilities are discharged. Accountability cannot be delegated.
Audit and Accountability Committee
A sub-committee of the Treasury Board/Management Board of Cabinet (TB/MBC). It is chaired by the President of the Treasury Board. The Audit and Accountability Committee (AAC ensures that the internal audit services and resources are directed to the government’s priority and critical risk areas.
Audit Branches
Internal audit professionals, under an Audit Branch Director, provide internal audit services to one or more ministries and provincial agencies.
Audit Branch Director
The head of an Audit Branch that provides internal audit services to one or more ministries and provincial agencies.
Chief Internal Auditor
The head of the Ontario Internal Audit Division who is responsible for internal audit services for the Ontario Public Service.
Governance
The combination of processes and structures implemented by those charged with governance to inform, direct, manage and monitor the activities of the organization towards the achievement of its objectives.
Internal Audit Services
Refers to:
- Assurance Services include value for money audits, performance audits, operational audits, financial and internal control audits, compliance reviews, and special reviews
- Advisory Services include risk assessment and control design; consulting advice on controllership, accountability, governance, and sound business practice; training and education on risk management and control; special projects; advice and liaison for audits conducted by the Office of the Auditor General of Ontario (OAGO)
- Information and Information Technology (I&IT) include specialized audit, risk assessment and consulting services of I&IT projects including new systems under development, systems and IT project management, information and infrastructure security and IT operations
- Investigative and Forensic Services including Forensic audits and investigations; police and enforcement support; digital and IT forensic examination; cyber monitoring including related incident management; fraud awareness and training; fraud and ethical business conduct policy and operational design support
Ontario Internal Audit Committee
A provincial advisory agency. The OIAC supports the AAC’s mandate by providing the President of the Treasury Board who serves as Chair of the AAC with independent strategic advice and recommendations on the adequacy of the government’s risk management, governance and internal control practices in consultation with the Secretary of the Cabinet. The OIAC does not have any decision-making authority over the operations of the Ontario government.
Ontario Internal Audit Division
An externally certified professional body within the Ontario Public Service that operates as a trusted advisor to provide independent and objective assurance, forensic and advisory services to support the achievement of government priorities.
Provincial agency
A provincial agency has the following characteristics:
- is established by the Ontario Government through a constituting instrument (under or by articles of incorporation, statute, Order in Council or regulation);
- is accountable to a Minister for fulfilling its legislative obligations, the management of the resources it uses, and its standards for any services it provides;
- the majority of its appointments are made by the Ontario Government;
- is not organizationally part of a ministry but is part of the Ontario Government; and
- has authority and responsibility, granted by the Ontario government, to perform an ongoing public function or service that involves adjudicative or regulatory decision-making, operational activity, or an advisory function
Office of the Comptroller General
Office within Treasury Board Secretariat that provides government-wide direction and leadership in provincial controllership, financial management policy, enterprise risk management and oversight of the internal audit function.
Risk management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
Sector Audit Committee
A subcommittee of the Ontario Internal Audit Committee that provides strategic advice to the AAC through the OIAC on sector-specific risks. As part of the OIAC advisory agency, SACs are essential to the Ontario Government’s efforts to help ensure the responsible stewardship of public funds across its operations.
Footnotes
- footnote[1] Back to paragraph Part B establishes OIAD’s charter.
- footnote[2] Back to paragraph The AAD outlines audit requirements for provincial agencies.
- footnote[3] Back to paragraph As defined in the OPS Financial Management Gateway
- footnote[4] Back to paragraph Global Internal Audit Standards (2024) – Glossary
- footnote[5] Back to paragraph As defined in the Agencies and Appointments Directive