I can speak for our department.
The CFO is responsible for signing attestation on controls—for the system of internal controls over financial management and reporting. It's her obligation to review those. Our role is to come in and look at whether they are doing it appropriately.
I think every department goes through this. You go through your risk assessment. You see what the priorities of that department are. What are the key risks they're facing? Then you develop a plan to provide assurance to the deputy in the areas that need focus, such as grants and contributions, across administration.
However, in general, I believe the controls are pretty well established. It's oftentimes a case of the implementation of controls at the program's working level.