Federal Internal Audit Community, September 25, 2001

SUMMARY
The following submission on the impact of Access to Information (ATI) requests on the federal internal audit function is presented on behalf of the federal internal audit community. The internal audit community fully endorses the principles of openness and transparency. The internal audit process relies on an environment of trust between management, employees, and the internal auditors. In order to ensure the integrity of the internal audit process, yet respect the rights of Canadians to access federal government information, it is recommended that all audit material, including working papers, be exempt from ATI requests until the audit report has been finalized.

ISSUE
The following submission on the impact of Access to Information (ATI) requests on the federal internal audit function is presented on behalf of the federal internal audit community. This submission follows the presentation and reference material provided to the ATI Review Task Force by the federal internal audit community on July 25, 2001. The internal audit community fully endorses the principles of openness and transparency. The recommendation below is intended to maintain the integrity of the audit process by balancing the delivery of high quality internal audit information and the requirements of the ATI Act.

CONTEXT
The revised internal audit policy, effective 1 April 2001, was developed as a result of a review of the role of internal audit following Program Review, particularly the impacts that cuts had on the function. Following the review, it was deemed necessary to strengthen the internal audit function, which included increasing internal audit resources.

The revised policy on internal audit seeks to reposition the internal audit community within government as a provider of independent assessments to departmental senior management on all important aspects of risk management strategies, management control frameworks, and information used for decision making and reporting. This shift comes as the result of the
Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada, which suggested that internal audit provide assurances related to performance reporting and the accountability environment.

The tabling in March 2000 of Results for Canadians: A Management Framework for the Government of Canada reinforced the Government's commitment to continuous management improvement and accountability for results. In this context, it identified the need for a better-positioned and strengthened internal audit function. Results for Canadians states that the Government of Canada requires assurance that management frameworks are in place and working in departments and agencies to support due diligence and stewardship of public resources.

The goal of the revised internal audit policy is to strengthen the role of the internal audit function within the federal government, while at the same time ensuring compliance with the ATI and Privacy Acts. The revised internal audit policy reinforces the commitment to transparency, requiring departments to "issue completed reports in a timely manner and make them accessible to the public with minimal formality in both official languages."

THE INTERNAL AUDIT PROCESS
Information is gathered through a variety of methods and from a variety of sources, in accordance with the Institute of Internal Auditors' (IIA) Professional Standards. Information is gathered, analysed, and preliminary findings are identified. Further evidence is then gathered through the validation process to prove or disprove the preliminary findings. The final product is a written report that conveys the final results. All documentation except the final validated report is considered to constitute part of the working papers. Draft reports are also considered to be working papers.

In internal auditing, much of the evidence is in the form of notes made during an interview process. The internal audit process relies on an environment of trust between management, employees, and the internal auditors. The auditor needs to be sure that the individual providing the evidence is doing so in an open manner. Likewise, the individual providing the information needs to be sure that the information will be treated in confidence.

In its raw form, especially when taken out of context of other information and evidence, material contained in working papers will, in and of itself, not necessarily allow for clear and meaningful conclusions to be drawn by third parties. This also applies to draft reports, as the findings they contain have not yet been validated. In some cases it can be misleading, and in other cases could, if read out of context, undermine the future capacity of internal audit to benefit from the condition of trust which is so essential to its effectiveness. There is a genuine risk that the future information flow required by the professional standards will not be as open as required due to concerns that working papers, including draft reports, could be taken out of context if released prior to the completion of an audit.

The timing of the release of information must ensure that fair and accurate conclusions can be drawn from the information provided, which requires the internal audit process to be complete prior to the release of information. Premature disclosure of confidential or sensitive information, incomplete or partial information, and preliminary assessments or conclusions will do far more harm than good in promoting transparency, accuracy, and the bond of trust that is essential to the professional practice of internal audit.

In other jurisdictions such as the United Kingdom, all audit activities, including final reports, are exempt from ATI legislation if its disclosure would, or would be likely to, prejudice the exercise of the audit functions. IIA Standards require internal auditors to disseminate results to appropriate individuals, communicate results promptly, control access to records, and obtain approval of senior management and/or legal counsel prior to releasing records to external parties. In the private sector internal audit reports are generally not released to the public, as they are not subject to the same types of access regulations which affect government. The Office of the Auditor General publicly releases their final reports, but all audit material including working papers and interview notes are currently exempt from ATI requests.

It should be reiterated that federal organizations are required to make completed internal audit reports accessible to the public with minimal formality, and are being encouraged to make their reports available on the Internet. This includes links from the Treasury Board of Canada Secretariat review database at http://www.tbs-sct.gc.ca/rma/database/database.asp where searches of reports can be made based on several criteria further improving ease of access.

RECOMMENDATION

In order to ensure the integrity of the internal audit process, yet respect the rights of Canadians to access federal government information, it is recommended that all audit material, including working papers, be exempt from ATI requests until the audit report has been finalized. Once the audit report has been finalized, relevant audit materials should be available through an ATI request and subject to current or revised exemptions.

ANNEX A

Supporting Documentation

• Presentation to the Access to Information Review Task Force on behalf of the Federal Government Internal Audit Community, July 25, 2001.
  
  
• Policy on Internal Audit, Treasury Board of Canada, February 1, 2001.
  http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/ia-vi/pia-pvi_e.html
  
  
• Standards for the Practice of Internal Auditing, Institute of Internal Auditors
  http://www.theiia.org/ecm/guide-stand.cfm?doc_id=124
  
  
• Code of Ethics, Institute of Internal Auditors
  http://www.theiia.org/ecm/guide-frame.cfm?doc_id=92
  
  
• Seventh Report of the Public Accounts Committee
  
  
• Practice Advisory 2330.A1-2: Legal Considerations in Granting Access to Engagement Records, Institute of Internal Auditors
  
  
• Treasury Board of Canada Secretariat Internal PIN 84-02-Access to Information Requests
  http://www.tbs-sct.gc.ca/ia/Resources/guide/PIN84_02.asp
  
  
• Letters of support from Professional Associations (CCAF, Deloitte & Touche, Institute of Internal Auditors)
  
  
• Review of the Costs Associated with Administering Access to Information and Privacy (ATIP) Legislation, Consulting and Audit Canada, 2000.
  
  
• Opening Statement of Denis Desautels, Auditor General of Canada, Before the Standing Committee on Public Accounts - Treasury Board's Revised Policies on Internal Audit and Evaluation - March 27, 2001
  http://www.oag-bvg.gc.ca/domino/other.nsf/html/01pac05e.html
  
  
• 1996 Report of the Auditor General, May, Chapter 4, Internal Audit in Departments and Agencies
  http://www.oag-bvg.gc.ca/domino/reports.nsf/html/96menu_e.html

ANNEX B

List of Contributors (Heads of Internal Audit)

Agriculture and Agri-Food Canada
Canada Customs and Revenue Agency
Canadian Food Inspection Agency
Canadian International Development Agency
Canadian Space Agency
Communications Security Establishment
Environment Canada
Fisheries and Oceans Canada
Foreign Affairs and International Trade
Health Canada
Human Resources Development Canada
National Parole Board
National Research Council
Natural Resources Canada
Natural Sciences and Engineering Research Council
Public Service Commission
Public Works and Government Services Canada
Statistics Canada
Solicitor General Canada
Transport Canada
Tax Court of Canada
Veterans Affairs Canada

Top of Page

Consultation