Internal Audit :
Framework for the
Management of Compliance
Presentation at FMI meeting Sept. 2014
Background
• The Framework for the Management of Compliance - along
with the Foundation Framework for Treasury Board Policies
and the Framework for the Management of Risk - is one of
the key architectural elements of the Treasury Board suite of
policies.
• Core responsibilities of the Deputy head within a department
include ensuring compliance with legal and Treasury Board
policy requirements.
• Generally performed through an attestation exercise, with
oversight and monitoring & reporting.
2
EX: Framework for Management of Compliance
Compliance:
• Executive committee sets expectation and effort (tone)
• Engage functional community (performance/compensation)
• Review inventory of ‘TBS and internal’ policies
– Relevance, requirements, accountabilities, current monitoring &
reporting, consequences of non-compliance, gaps analysis
– Develop risk assessment process/tool
– Conduct risk assessment of all policies and rank
• Monitor and report (risk-based approach) (ADM level statements)
• Feedback mechanism (audit)
Non-compliance:
• Review instances of non-compliance
• Risk rate the consequences (tone)
• Develop monitoring approach
• Report all non-compliance and measures taken to address
3
Summary of Findings
In 2012, CIC launched an exercise through which functional authorities could attest
to their compliance to policy suites, acts, and regulatory requirements. To
initiate this, an analysis was performed to determine which Treasury Board
policies apply to CIC, and accountabilities by functional area were assigned.
An annual compliance attestation exercise has been established to inform the
Department’s management of compliance. The self-assessments requested as
part of the compliance attestation exercise were not formally challenged or
based on risk. Performance requirements against compliance are not
formalised. Issues related to non-compliance are addressed on an ad hoc basis.
With the completion of this first exercise to assess compliance, CIC has initiated
activities to formally assign accountability for Treasury Board policy domains,
but a comprehensive framework for oversight, monitoring or reporting on
compliance has not been established.
4
Recommendations
1.
CIC should develop a risk-based oversight framework for monitoring
compliance to TB policies. This should include:
–
–
–
–
–
–
2.
accountability for development and implementation of the framework;
risk-ranking and risk tolerance for Treasury Board policies;
accountability for individual policy compliance (including shared when
relevant);
documentation requirements to support compliance assessments;
monitoring of activities; and
reporting requirements including pre-determined frequency of
reporting.
CIC should develop and implement measures to identify and report
on non-compliance and the adequacy of the actions taken in a
situation of non-compliance with Treasury Board policy
requirements.
5
References
• TB Framework for the Management of Compliance
• TB Foundation Framework for Treasury Board Policies
• Cadre stratégique sur la gestion de la conformité du CT
• Cadre principal des politiques du CT
6
Annex: Audit Objective, Scope and Procedures
•
The objective of the audit was to provide assurance to senior management that
effective practices are in place within CIC for the management of compliance with
Treasury Board policy requirements.
•
In order to limit the scope, the audit did not include legislative requirements
specific to CIC or a subset of government departments, but rather focused on
government-wide policy requirements issued by Treasury Board.
•
The audit examined activities from June 1, 2012 to August 31, 2013. It also
reviewed documents from 2009-2012 related to central and independent agency
reporting requirements and Policy Suite Renewal, a departmental exercise
launched in 2009-10 to simplify and reduce the number of CIC Frameworks, Policies
and tools.
•
The audit criteria developed for this audit are included below.
7
Annex: Areas of Engagement
•
The audit sought evidence that:
Governance:
– An oversight regime exists to ensure all relevant Treasury Board policy
requirements are respected in line with Treasury Board policy
expectations.
Risk Management:
– CIC policies and procedures and monitoring practices over Treasury Board
policy requirements have been designed with consideration of risk.
Internal Controls:
– Approval processes, procedures and control systems of CIC are in line with
Treasury Board policy requirements.
8
Annex :
Audit Criteria
Governance
1 – An analysis has been done to determine policies relevant to CIC and an appropriate framework of
oversight has been determined based on risk.
2 – For policies relevant to CIC, accountability has been assigned and performance management
includes compliance considerations.
3 – The results of monitoring of Treasury Board policy compliance are reliable, risk-based and are
reported to those with an oversight responsibility, and action is taken when appropriate.
4 – CIC has measures in place to ensure that non-compliance and the nature of the consequences and
their severity are commensurate with the nature of the non-compliance.
Risk Management
5 – CIC policies and procedures are commensurate with the associated risk of non-compliance with
Treasury Board policy.
6 – Policies and procedures foster an organizational environment conducive to innovation and informed
risk-taking.
Internal Controls
7 – Departmental frameworks for internal controls and management practices are designed to be
efficient, transparent, understood and supported in CIC, and, where applicable, are in line with
Treasury Board policy requirements.
8 – Employees are trained and have access to learning opportunities and relevant information to
increase their awareness and knowledge of applicable Treasury Board policy requirements.
9