Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The Internal Auditor’s first responsibility is to the public as represented by their elected municipal Council. The Internal Auditor will assist the Mayor and Council to strengthen local governance by enhancing the City’s accountability to the public for its use and stewardship of resources.
The role of internal auditor encompasses the examination and evaluation of the adequacy, economy, efficiency and effectiveness of the City’s governance, risk management, system of internal control, performance levels in delivering municipal services and programs and investigations into suspected fraudulent activities and other acts of misconduct.
The Internal Auditor shall have full and free access to the Mayor and City Council.
The Internal Auditor shall have full and complete access to personnel and documents (in both paper or electronic format) such as but not limited to, books, accounts, financial records, electronic data processing records, reports, files, policies, procedures, processes and systems and all other papers, things or property belonging to or used by the Municipality, a municipal body or agency of the Municipality, or grant recipient, as the case may be, that the Internal Auditor believes to be necessary to perform the Internal Auditor’s duties.
All requests for information and assignment of staff time (if required) will be made through the City Manager and/or relevant General Managers and Directors related to the engagement being performed. Nonetheless, there may be occasions where the internal auditor requires assistance from staff to discuss minor questions /concerns, or to validate or clarify basic information. These informal communications shall be infrequent, shall not disrupt staff from their duties or place a burden on the organization.
Staff of the organizations within Internal Audit’s scope, have a duty to co-operate with the Internal Auditor and to not obstruct audit activities. They shall, upon request, in a timely manner, provide access, information and explanations to the Internal Auditor.
The Internal Auditor is not authorized to direct the activities of city employees or any individual not employed or retained by Internal Audit, except to the extent that such employees have been appropriately assigned to assist the Internal Auditor.
In support of the principles of corporate accountability, transparency, responsibility, and sound ethical operating practices; the public, City Council and staff may contact the Internal Auditor directly to report suspected fraudulent activities, significant waste of City assets, unethical behaviour and other acts of misconduct.
The Internal Auditor shall have no direct operational responsibility or authority over any of the activities they review. Accordingly, they shall not develop nor install systems or procedures, prepare records or engage in any other activity which would normally be audited.
City Council shall approve the yearly Internal Audit plan which identifies anticipated audits. However, internal audit activities shall remain free of influence by any element in the organization, including matters of scope, procedures, frequency, timing or report content to permit maintenance of an independent and objective attitude necessary in rendering reports.
Independence is an essential component to building public trust and preserving objectivity and integrity associated with the audit function. To provide for the independence of the Internal Auditor; the Internal Auditor will report:
- Functionally to the Mayor and City Council;
- and Administratively to the City Manager
The City Manager shall provide administrative support to the City Auditor including: legal services, human resources and payroll, corporate communications, information technology, materials management, and budget and accounting.
The City Manager shall ensure that the Internal Auditor is provided with full support and cooperation of all levels of operations and management of the City and its municipal bodies, agencies or related entities.
The City Manager shall promptly inform the Internal Auditor of known or suspected cases of an inappropriate nature (e.g. misuse, abuse, theft, fraud) involving City funds, property or employees.
These reporting relationships help ensure independence and promote comprehensive audit objectivity.
The Internal Auditor is responsible for developing a risk-based audit plan. The Internal Auditor takes into account the organization’s risk management framework, including using risk appetite levels set by Council and management for the different activities or parts of the organization. Each year, the Internal Auditor shall prepare a work plan, setting out the proposed schedule of audits and other undertakings proposed for the coming year. In order to generate this plan, the following sources are considered:
- Prioritization of the audit universe using a risk-based methodology;
- Requests from Councillors, senior management and staff;
- Any audits planned for the past year but delayed or not completed;
- and Any conditions or concerns discovered or communicated throughout the past year.
The annual work plan is presented to City Council each year. As well, prior to each individual engagement, the Internal Auditor will develop and document a terms of reference that includes the engagement's objectives, scope, timing, and resource allocations.
There are two types of engagements that the Internal Auditor may pursue: Assurance services and Consulting services.
Consulting services are advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility.
The Internal Auditor may provide advisory or other consulting services, as appropriate, or at the request of City Council. These types of services may include:
- Conducting special projects, or reviews;
- Performing research;
- Providing training on audit related topics (e.g. risk assessment and internal controls); and
- Providing counsel or advice (e.g. on the adequacy of draft polices & procedures).
Assurance service engagements (i.e. audits) provide an objective examination of evidence for the purpose of providing an independent assessment and recommendations on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
The Internal Auditor shall be responsible for carrying out assurance engagements of all programs, activities and functions of all City Departments, Agencies, Boards, Commissions, and the Mayor and members of Council. (Note: The financial statement attest audits are exclusively performed by the External Auditor.)
The internal auditor must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information;
- Economy, effectiveness and efficiency of operations, programs and services;
- Safeguarding of assets;
- Loss of information system availability, data integrity and information confidentiality;
- Compliance with laws, regulations, policies, procedures, and contracts; and
- Investigations of suspected fraud, significant waste of City assets, unethical behaviour and other acts of misconduct.
Communicating the results of internal audit engagements is a key part of the Internal Auditor’s responsibilities. As a result, the Internal Auditor shall: Update City Council on any departure from the internal audit plan; Report at least quarterly to City Council on the status of internal audit engagements;
Submit an annual report to Council, that summarizes the engagements completed; Report on the status of the audit plan to the City Manager, General Managers and Directors at least 3 times a year. Report at least annually to the Mayor and City Council in a public meeting; Prepare a written report following the conclusion of each audit; and
For each audit the Internal Auditor will prepare a written draft report for management’s comments. The Internal Auditor’s recommendations will be addressed by management who shall submit a management response and an action plan where required. The management response and action plans will be incorporated into the final report. All action plans shall be approved by the City Manager.
The Internal Auditor shall follow-up on the action plans as practical to determine if corrective action has been taken. The Auditor may request periodic status reports from audited parties regarding actions taken to address reported deficiencies and audit recommendations.
Professional standards provide an overall framework for ensuring that auditors have competence, integrity, objectivity and independence in planning, conducting and reporting their work. The documents and information entrusted to Internal Audit will be handled with the required level of confidentiality and integrity.
The Internal Auditor will be guided by the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics issued by the Institute of Internal Auditors (IIA).