Overall Internal Audit Assessment Criteria

Role of Internal Audit

The internal audit function provides independent oversight of the effectiveness of, and adherence to, the provincially regulated financial institution’s (“PRFI”) organizational and procedural controls. It may also oversee the effectiveness of, and adherence to, the PRFI’s compliance and risk management policies and practices. This function can be outsourced in smaller PRFIs; however, the criteria will still apply to the third party carrying out the function, and the BCFSA Outsourcing Guideline will apply to the PRFI.

Quality of Internal Audit Oversight

The following statements describe the rating categories to assess the internal audit function’s oversight of how effective the PRFI’s organizational and procedural controls are and how well they are adhered to. An overall rating of the internal audit function considers both its characteristics and the effectiveness of its performance in executing its mandate in the context of the nature, scope, complexity, and risk profile of the PRFI. Characteristics and examples of performance indicators that guide supervisory judgment in determining an appropriate rating are set out below.

Strong: The mandate, organization structure, resources, methodologies, and practices of the internal audit function meet or exceed what is considered necessary, given the nature, scope, complexity, and risk profile of the PRFI. Internal audit has consistently demonstrated highly effective performance. Internal audit characteristics and performance are superior to generally accepted industry practices and meet current professional standards.
Acceptable: The mandate, organization structure, resources, methodologies, and practices of the internal audit function meet what is considered necessary given the nature, scope, complexity, and risk profile of the PRFI. Internal audit performance has been effective. Internal audit characteristics and performance meet generally accepted industry practices and current professional standards.
Needs Improvement: The mandate, organization structure, resources, methodologies, and practices of the internal audit function generally meet what is considered necessary, given the nature, scope, complexity, and risk profile of the PRFI, but there are some significant areas that require improvement. Internal audit performance has generally been effective, but there are some significant areas where effectiveness needs to be improved. The areas needing improvement are not serious enough to cause prudential concerns if addressed in a timely manner. Internal audit characteristics and/or performance do not consistently meet generally accepted industry practices and current professional standards.
Weak: The mandate, organization structure, resources, methodologies, and practices of the internal audit function are not what is considered necessary in a material way, given the nature, scope, complexity, and risk profile of the PRFI. Internal audit performance has demonstrated serious instances where effectiveness needs to be improved through immediate action. Internal audit characteristics and/or performance often do not meet generally accepted industry practices and current professional standards.

Internal Audit Criteria*

The following statements describe the characteristics to be used in assessing the quality of the internal audit function’s oversight of how effective the PRFI’s organizational and procedural controls are and how well they are adhered to. The application and weighting of the individual criteria will depend on the nature, scope, complexity, and risk profile of the PRFI and will be assessed collectively, together with internal audit performance, in rating its overall effectiveness.

Essential Elements | Criteria
1. Mandate
1.1 Extent to which the function’s mandate establishes:

a) Clear objectives and enterprise-wide authority for its activities;
b) Authority to carry out its responsibilities independently;
c) Right of access to the PRFI’s records, information and personnel;
d) Requirement to express an opinion on the effectiveness of, and adherence to, the PRFI’s organizational and procedural controls; and
e) Authority to follow-up with management on action taken in response to audit findings and recommendations.

1.2 Extent to which the mandate is communicated within the PRFI.
2. Organization Structure
2.1 Appropriateness of the stature and authority of the function head within the organization for the function to be effective in fulfilling its mandate.
2.2 Extent to which the function head has direct access to the CEO and the board (or audit committee).
2.3 Appropriateness of the function’s organizational structure.
2.4 Extent to which the function is independent of activities it audits and day-to-day internal control processes.
3. Resources
3.1 Adequacy of the function’s processes to determine the required:

a) Level of resources necessary to carry out responsibilities;
b) Qualifications and competencies of staff; and
c) Continuing professional development programs to enhance staff competencies.

3.2 Adequacy of the function’s resources and appropriateness of its collective qualifications and competencies for executing its mandate.
3.3 Sufficiency of staff development programs.
4. Methodology and Practices
4.1 Adequacy of policies and practices to ensure that audit methodologies conform to generally accepted industry practices and current professional standards.
4.2 Appropriateness of audit methodologies and practices to execute the function’s mandate.
4.3 Extent to which the function’s audit methodology is risk-based and responds to changes in the PRFI’s risk profile.
5. Planning
5.1 Adequacy of policies and practices to review audit cycles in response to changes in the PRFI’s environment and risk profile.
5.2 Extent to which the annual audit planning process clearly identifies audit objectives and scope of work.
6. Reporting
6.1 Adequacy of policies and practices to report audit findings and recommendations to management.
6.2 Adequacy of policies and practices to follow-up on the resolution of audit findings and recommendations.
7. Quality Assurance
7.1 Adequacy of policies and practices for monitoring of audit staff to ensure that they comply with standards of professional practice and utilize approved methodology in executing their reviews.
8. Senior Management and Board Oversight
8.1 Extent to which board (or audit committee) and senior management approval is required for the:

a) Appointment and/or removal of the function head;
b) Function’s mandate and resources; and
c) Function’s annual work plan.

8.2 Adequacy of policies and practices to report periodically to the board (or audit committee) and senior management on audit findings, recommendations, and progress in meeting annual audit plan (including the impact of any resource limitations).

8.3 Adequacy of policies and practices to perform regular independent reviews of the function (including feedback received from the PRFI’s external auditor) and to communicate the results to the board (or audit committee) and senior management.

Internal Audit Performance

The quality of the internal audit function’s performance is demonstrated by its overall effectiveness at independently overseeing the effectiveness of and adherence to the PRFI’s organizational and procedural controls.

The assessment will consider how well the internal audit function promotes a sound control environment that mitigates risks, ensures that control weaknesses are appropriately dealt with, and provides the board and senior management with reasonable assurance of how effective the organizational and procedural controls are and how well they are adhered to.

BCFSA will look to indicators of effective performance to guide its judgement during its supervisory activities. These activities may include, but are not limited to: discussions with directors, external auditors, and management, including the chief internal auditor; review of how significant findings and management’s responses to them are addressed with the audit committee; assessment of internal audit practices and reporting; and review of audit plans and working paper files.

Examples of indicators that could be used to guide supervisory judgement include the extent to which internal audit:

  1. Is viewed by the audit committee and/or board and senior management as being effective in executing its mandate;
  2. Regularly engages the audit committee on the continued appropriateness of internal audit resources and plan;
  3. Proactively communicates to the audit committee significant and persistent findings and management’s action related to them;
  4. Reviews objectives, strategies, events, initiatives, and transactions for changes that could materially impact the PRFI in order to ensure risk management and control practices continue to be appropriate and effective;
  5. Actively seeks information from risk management, compliance officers, external auditors, BCFSA, subsidiary company auditors or other relevant sources to corroborate or enhance its risk assessment and to ensure that areas of weakness are appropriately considered in its audit plan;
  6. Proactively follows up and reports on significant issues to ensure timely resolution. Demonstrates it can cause necessary changes in the operations of the PRFI in response to material weaknesses identified;
  7. Appropriately considers the pervasiveness and significance of its findings, both at the individual activity level, as well as in aggregate across the PRFI; and
  8. Appropriately differentiates between audit findings affecting safety and stability from those affecting operating efficiency, and how these are communicated and followed up on.

* Examples of documentation that BCFSA may review in formulating its assessment of the characteristics of the internal audit function include: the curriculum vitae of staff, professional training programs, internal audit mandates, manuals, work plans and audit reports and relevant materials discussed with the audit committee and senior management, and follow up documentation related to audit findings, self-assessment reviews, and audit working papers.