Practice Guide to Auditing Oversight


Selecting Audit Criteria

Audit criteria represent the standards expected to be met by an audited organization. Audit criteria are a key contributor to an audit’s strength and potential impact. Audit procedures focus on determining whether criteria are met or not met. Suitable criteria are clear, concise, relevant, reliable, neutral, understandable, and complete.

Finding suitable criteria is a challenge for any performance (value-for-money) audit, not just for audits of oversight. Each audit is unique due to the auditor’s mandate, audit focus, audit objectives, and the way the organization being audited approaches the audit’s subject matter.

The criteria presented as examples in this section are largely derived from the work of the CCOLA Governance Study Group and the Office of the Auditor General of Canada.

Examples of audit criteria and sub-criteria that can be used to audit the structures/systems and results/effectiveness of oversight bodies responsible for the oversight of major initiatives in departments and ministries are presented in Table 13. The criteria and sub-criteria are divided into 10 categories:

  1. Oversight roles and responsibilities
  2. Independence
  3. Skills and knowledge
  4. Sufficient and appropriate information
  5. Risk management
  6. Performance monitoring
  7. Compliance
  8. Corrective actions
  9. External reporting
  10. Performance assessment

These categories correspond with the audit objective topic numbers 2 to 11 in Table 12. Oversight topic 1 in Table 12, the overall oversight framework, is very broad and would need, in practice, to be supported by a selection of criteria taken from these 10 sub-categories.

Auditors are not expected to use all of the suggested criteria. Rather, they can pick and choose those that are most relevant to the scope of the audit and document the rationale for their selection. They can also develop additional criteria where needed, in order to conclude on their audit objective(s).

Auditors should always use their professional judgment in selecting audit criteria and determining whether the expectations defined by the criteria are reasonable given the nature and operational constraints of the audited organization. The reasonableness of potential criteria is, in part, a function of the degree to which they represent a balance between cost, risk, and effectiveness. For example, it would not be reasonable to expect an organization to adopt an unproven, costly control measure to mitigate a minor risk.

While the criteria presented in Table 13 have been designed for situations where there is a clear oversight structure in place, many can be adapted to audit situations where there is no such structure but it would be reasonable to expect one. In such situations, auditors could adopt a general objective about whether there is adequate oversight in place for a major initiative and select and adapt a number of audit criteria based on what could reasonably be expected in each specific situation, based on good management principles and best practices.

Table 13 – Examples of Audit Criteria that Can Be Used to Audit the Oversight of a Major Initiative in a Department or Ministry

Topic | Structures and Systems | Results and Effectiveness

1. Oversight roles and responsibilities

Criterion: The oversight body has clearly defined oversight roles and responsibilities.

Criterion: The oversight body fulfills its assigned oversight roles and responsibilities.

2. Independence

Criteria:

  • The oversight body has established clear policy and guidance about independence requirements. Specific prohibitions are listed and guidance covers the various forms of independence threats (self-review, self-interest, advocacy, familiarity, and intimidation) and how they are to be addressed.
  • Oversight body members have to sign an annual independence declaration that requires them to disclose any known independence threats and confirm their understanding of the applicable independence policy.

Criterion: The oversight body has the independence necessary to perform its oversight responsibilities objectively.

Sub-criteria:

  • Members of the oversight body comply with applicable independence policies.
  • Independent members of the oversight body hold regular in camera meetings without initiative management in attendance.

3. Skills and knowledge

Criterion: The skills, knowledge and experience required of oversight body members have been defined and communicated.

Criterion: Collectively, oversight body members have the skills and knowledge they require to effectively discharge their oversight responsibilities.

Sub-criteria:

  • Oversight body members have the qualifications, skills, and competencies necessary to effectively fulfill the committee’s role and responsibilities, as defined in its terms of reference.
  • The oversight body has access to and uses outside expertise when necessary to fill gaps in its skills and expertise profile.
  • All oversight body members receive sufficient, appropriate training and guidance to provide them with a working knowledge of the selected initiative and the environment within which it operates.

4. Sufficient and appropriate information

Criterion: The oversight body has defined the information and knowledge it needs to effectively exercise its oversight role.

Criterion: The oversight body has sufficient relevant and reliable information about the selected major initiative to fulfill its oversight responsibilities.

Sub-criteria:

  • The oversight body ensures that it receives sufficient and appropriate information on a timely basis to support decision making overall.
  • The oversight body ensures that it receives appropriate (credible, complete, and timely) financial, performance, and risk information to allow it to:
    • fully assess the initiative’s performance at regular intervals;
    • ensure that the initiative complies with applicable legislation, regulations, and policies; and
    • ensure that key initiative risks are being adequately managed.
  • Where additional information is required to make an assessment or a decision, the oversight body requests such information from initiative management and/or external sources, and ensures that it is obtained on a timely basis. The oversight body defers decisions when appropriate information has not yet been received.
  • Periodically, the oversight body looks critically at the quality and quantity of information it receives from initiative management and external sources to ensure that this information allows it to effectively discharge its oversight responsibilities.

5. Risk management

Criterion: The oversight body ensures that appropriate risk management policies and internal controls are put in place to mitigate the initiative’s key risks in a cost-effective manner.

Criterion: The oversight body effectively oversees the initiative’s risk management policies and processes.

Sub-criteria:

  • The oversight body understands the initiative’s key risks and ensures that a risk assessment process is in place for the initiative.
  • The oversight body reviews and challenges management’s plans on how to avoid, control, accept, or transfer key initiative risks before approving them.
  • The oversight body monitors the implementation of risk management processes and internal controls applicable to the initiative to ensure they are working as intended.

6. Performance monitoring

Criterion: The oversight body ensures that performance targets and pertinent indicators are in place to enable it to properly monitor the initiative’s performance.

Criteria:

  • The oversight body is effectively monitoring the initiative’s performance in relation to its stated objectives and intended outcomes.
  • The oversight body challenges management about the quality and reliability of the available performance information.

7. Compliance

Criterion: Systems and practices are in place to monitor the compliance of the initiative with applicable legislation, regulations and policies.

Criterion: The oversight body obtains assurance that the initiative is in compliance with applicable legislation, regulations, and policies.

8. Taking corrective actions

Criterion: The oversight body has put in place adequate controls to ensure that corrective actions are taken in a timely manner.

Criterion: Evidence exists that, based on the initiative information they receive, oversight body members make decisions, provide direction, and follow up on actions taken in response.

9. External reporting

Criterion: The oversight body has determined which accountability reports it needs to receive, review and approve.

Criterion: The oversight body regularly reviews and approves key accountability reports produced by initiative managers.

10. Performance Assessment

Criterion: A process is in place to periodically assess the performance of the oversight body in discharging its oversight responsibilities.

Criterion: The performance of the oversight body in discharging its oversight responsibilities is assessed periodically.

Sub-criteria:

  • The collective performance of the oversight body is assessed periodically.
  • The oversight body complies with the department’s values and ethical requirements.
  • The oversight body holds a sufficient number of meetings each year to fulfill its roles and responsibilities.
  • The oversight body keeps adequate meeting minutes and supporting documentation.
  • The oversight body works well as a team and has effective decision-making processes in place.

Source: These criteria and sub-criteria have been modified from the CCOLA Governance Study Group’s Crown Agency Governance: Audit Objectives & Criteria and from the Office of the Auditor General of Canada’s Recommended General Criteria & Sub-Criteria (for special examinations of Crown corporations).