Internal Audit Policy

January 2024

Prepared by: Chief Audit Executive, CIHR
Recommended by: CIHR Audit Committee, January 11, 2024
Approved by: CIHR Governing Council, March 26 & 27, 2024

Table of Contents

  1. Effective Date
  2. Authorities
  3. Objectives and expected result
  4. Requirements
  5. Application
  6. Consequences of non-compliance
  7. References
  8. Enquiries

1. Effective Date

1.1 This Internal Audit Policy takes effect on June 15, 2023.

1.2 This Policy replaces the CIHR Internal Audit Policy - 2022.

2. Authorities

2.1 This Policy is issued pursuant to the Treasury Board (TB) of Canada's Policy on Internal Audit effective June 15, 2023 and pursuant to sections 7 and 11.1 of the Financial Administration Act. The TB Policy is designed to ensure that, at both departmental and government-wide levels, internal audit provides deputy heads and the Comptroller General, respectively, with added assurance and advice, independent from line management, on risk management, control, and governance processes.

2.2 The Canadian Institutes of Health Research Act, which establishes CIHR, mandates the CIHR Governing Council with responsibility for the management of CIHR, including development of its strategic directions, goals, and policies; evaluation of its overall performance, including the achievement of its objectives; and approval of its budget. The Act appoints the CIHR president as the Chief Executive Officer responsible for the day-to-day management and direction of CIHR.

3. Objective and expected result

3.1 The objective of this Policy is to ensure that the oversight of public resources throughout CIHR is informed by a professional and objective internal audit function that is independent of management. This function provides assurance as to whether CIHR's activities are managed in a way that demonstrates responsible stewardship to Canadians. Accordingly, CIHR shall comply with the requirements of the TB Policy on Internal Audit.

3.2 The expected results of this Policy are:

3.2.1 The President is supported in their role of accounting officer as defined in section 16.4 (1) and 16.4 (2) of the Financial Administration Act, by an internal auditing function that contributes directly and proactively to improving risk management, control, and governance.

3.2.2 The President receives advice from the Audit Committee (AC) and assurance from the internal audit function to inform decision making at CIHR.

4. Requirements

4.1 The President is responsible for the following:

4.1.1 Ensure the internal audit resources and capacity are sufficient to achieve the Risk-Based Internal Audit Plan (RBAP) and are appropriate to the needs of CIHR.

4.1.2 Ensure, through the oversight of the Chief Audit Executive (CAE) and internal audit activities, that the function operates in accordance with the TB Policy on Internal Audit, Directive on Internal Audit and the Institute of Internal Auditors' International Professional Practices Framework (IPPF), unless the framework is in conflict with the Treasury Board Policy or its related Directive; if there is a conflict, the Policy and Directive will prevail.

4.1.3 Brief the appropriate minister on matters arising from the work of internal audit which merit their attention.

4.1.4 Inform the Comptroller General of Canada, without delay, of any risk, control or governance issues that may require the involvement of the Treasury Board of Canada Secretariat.

4.1.5 Ensure that a formal response is provided to the recommendations arising from internal audit engagements and that actions are assigned and implemented in a timely mannerFootnote 1.

4.1.6 Ensure that completed internal audit reports are released on platforms as prescribed by the Treasury Board of Canada Secretariat and within the timeframe prescribed by the Comptroller General of Canada.

4.1.7 Ensure that the Comptroller General of Canada is provided with full and timely access to all information, documentation or explanations required or requested by the Comptroller General of Canada in order to carry out his or her responsibilities.

4.1.8 Investigate and act when significant issues regarding policy compliance arise and ensure that appropriate remedial action is taken to address these issues within CIHR.

4.2 The President will ensure that:

4.2.1 The Comptroller General of Canada is consulted when appointing a new CAE to manage the internal audit function.

4.2.2.1 The CAE meets the requirements described in section 4.2.1 of the Treasury Board Policy on Internal Audit.

4.2.2 The Comptroller General is informed when a new CAE position is created, and prior to the appointment, deployment, replacement or departure of a CAE.

4.2.3 The CAE shall:

4.2.3.1 Report directly to the deputy head.

4.2.3.2 Be independent from CIHR line management and operations to allow objective assurance services in all areas of CIHR responsibility. To protect the independence and objectivity of the Office of Internal Audit, the following measures shall be taken:

  • if independence or objectivity is impaired in fact or appearance, the CAE shall disclose the details of the impairment to appropriate parties, including the CIHR AC. The AC has approved a process for addressing these situations;
  • CIHR's Office of Internal Audit shall refrain from assessing specific operations for which it is, or was previously, responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year; and
  • assurance engagements for functions over which the CAE has responsibility shall be overseen by a party outside the internal audit activity.

4.2.3.3 Have unrestricted access to the CIHR AC and the Committee Chair.

4.2.3.4 Have unrestricted access to all CIHR records, databases, workplaces, and employees, and have the authority within the context of internal audit planning and approved engagements to obtain information and explanations from CIHR employees and contractors.

4.2.3.5 Have unimpaired ability to carry out his or her responsibilities, including reporting issues to the President, Governing Council, AC and, as appropriate, to the Comptroller General of Canada.

4.2.4 Establish a RBAP that spans multiple years and considers the following:

4.2.4.1 CIHR's areas of high risk and significance;

4.2.4.2 Internal audits led by the Comptroller General;

4.2.4.3 Planned audits led by external assurance providers and other departments as appropriate;

4.2.4.4 Other oversight engagements;

4.2.4.5 The appropriate balance between assurance and advisoryFootnote 2 engagements as part of a full suite of services in light of the organization's strategy, objectives, and risks; and,

4.2.4.6 Is reviewed and recommended for approval by AC and approved by the Governing Council.

4.2.5 Submit the approved RBAP to the Comptroller General of Canada in the time and manner prescribed by that office.

4.2.6 Ensure that the results of internal audit engagements result in a written report that includes:

  • A statement of conformance in compliance with the current IIA standards including a disclosure of any nonconformance with these standards;
  • The engagement's objective(s), scope, criteria, and context; and
  • Risks, opportunities for improvement identified, and recommendations made as a result of the engagement.

Reports are considered completed when they have been reviewed and recommended for approval by the Audit Committee, and are approved by the President. Advisory services, which may not result in a published report, are addressed in section 4.3.

4.2.7 Ensure that the internal audit function has appropriate professional qualifications, knowledge, and skills to deliver against its plan, applies due professional care in its duties, and that staff members have opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtain the Certified Internal Auditor (CIA) or Certified Government Audit Professional (CGAP) certification.

4.2.8 Ensure AC is aware of the resource requirements for the internal audit function and the impact of resource decisions.

4.2.9 Ensure the timely completion of all internal audit engagements, including internal audits of programs or services that are identified by the Comptroller General of Canada or the Secretary of the Treasury Board.

4.2.10 Ensure public reporting requirements prescribed by the Office of the Comptroller General and Treasury Board of Canada Secretariat are met by posting results on prescribed platforms, including:

  • Annual performance results; and
  • Planned audit engagements for upcoming fiscal yearsFootnote 3.

4.2.11 Ensure that all members of CIHR's AC receive all of the information and documentation necessary to perform their duties and provide support to the CIHR AC as requested by the Committee Chair.

4.2.12 Report at least annually to AC whether the actions scheduled by management in response to audit recommendations, both internal and external, have been implemented, including an assessment of the impact of the proposed actions and whether these actions will address the risks identified.

4.3 Sections 4.1 and 4.2 of the policy apply to the provision of assurance services, as defined in the Policy on Internal Audit. The internal audit function may also provide advisory services within their sphere of expertise, principally as an adjunct to their assurance role.

Advisory services, also known as consulting services, are client service activities, the nature, scope, and administration of which are agreed with the client (principally senior management). These services are intended to add value and improve an organization's risk management, control, and governance processes. Advisory services do not include a statement of assurance. Examples of these services include advice, facilitation, and training. Advisory engagements are a means of adding value to CIHR operations, not a means of circumventing, or to allowing others to circumvent, requirements that would normally apply to an assurance engagement. The following requirements apply to advisory engagements at CIHR:

4.3.1 Internal auditors may not assume management responsibility as part of any advisory activities.

4.3.2 Issues of significance identified as a result of advisory engagements must be communicated to the CIHR's executive-level management committee and AC.

4.3.3 The following issues must be determined through discussion between the CAE and the client beforehand, ideally as part of the annual RBAP:

  • Potential impairments to independence or objectivityFootnote 4;
  • Project scope, objectives, and the role of internal audit; and
  • The nature and extent of the reporting and follow-up process.

4.3.4 The CIHR executive-level management committee must approve reports on advisory engagements prior to their submission to the AC.

5. Application

This Policy applies to CIHR.

6. Consequences of non-compliance

6.1 For an outline of the consequences of non-compliance, refer to the Framework for the Management of Compliance (Appendix C: Consequences for Institutions and Appendix D: Consequences for Individuals).

7. References

Relevant Legislation and Policy

Related Publications

8. Enquiries

8.1 Please address questions about this policy to: Chief Audit Executive, Office of Internal Audit, Canadian Institutes of Health Research

Appendix: Definitions

Definitions to be used in the interpretation of this Policy and related directives and standards are included in the Appendix of the Treasury Board Policy on Internal Audit.

Date modified: