Archived - Risk-Based Audit Plan 2010-2011 to 2012-2013

Date: April 1, 2010

PDF Version (450 Kb, 31 Pages)

Introduction

Through the Federal Accountability Act (2006) and Action Plan, the Government of Canada committed to strengthen auditing and accountability within departments by clarifying the managerial responsibilities of deputy heads within the framework of ministerial responsibility, and by bolstering the internal audit function, with particular reference to the role of the Chief Audit Executive and the establishment of external Audit Committees.

Purpose

This document was prepared by Indian and Northern Affairs Canada Audit and Assurance Services Branch (AASB) and outlines the Risk-Based Audit Plan 2010-2011 to 2012-2013 for Indian and Northern Affairs Canada (INAC). The plan has been designed to support the allocation of audit resources to those areas that represent the most significant priorities to INAC and to respond to requirements of the Treasury Board Policy on Internal Audit (2009).

Document Organization

The Role and Scope of Internal Audit

The role of the internal audit function, in conjunction with the Audit Committee, is to ensure that the Deputy Minister and the Comptroller General, are provided with added assurance, independent from line management, on the department's risk management, control and accountability processes. The internal audit function fulfills this role by bringing a systematic, disciplined approach to assess and improve the effectiveness of the department's risk management, control, and governance processes.

The scope of work of the internal audit function is to determine whether the INAC network of risk management, control, and governance processes (as designed and represented by management) is adequate and functioning in a manner to ensure:

• Risks are appropriately identified and managed;
• Financial, managerial, and operating information is accurate, reliable, and timely;
• Activities and actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
• Resources are acquired economically, used efficiently, and adequately protected;
• Programs, plans, and objectives are achieved;
• Quality and continuous improvement are fostered in the department's control processes; and
• Legislative or regulatory issues affecting the department are recognized and addressed properly.

When opportunities for improving management control, governance, or resource stewardship are identified during audits, they are communicated to the appropriate level of management so that appropriate action can be taken.

The internal audit function plays an important role in supporting departmental operations. It provides assurance on all important aspects of the risk management strategy and practices, management control frameworks and practices, and governance. Where control weaknesses exist and where the achievement of objectives is at risk, internal audit plays a role in providing constructive advice and recommendations. In this way, internal audit contributes to enhanced accountability and performance and sound management in general.

Treasury Board Policy Requirements

INAC is subject to the Treasury Board Policy on Internal Audit (2009). This policy states that the internal audit function in the Government of Canada is a professional, independent appraisal function that provides objective, substantiated conclusions as to how well an organization's risk management, control and governance processes are designed and working.

The Policy on Internal Audit (2009) further clarifies that the focus of internal audit is on all management systems, processes and practices, including the integrity of financial and non-financial information. The policy requires that the Deputy Minister consider and approve a risk-based audit plan that addresses areas of highest risk and significance, including audits identified by the Comptroller General as part of government-wide or sectorial coverage. The Audit Committee is required to review the risk-based audit plan and advise the Deputy Minister on its adequacy.

Recent changes to the Internal Audit Policy have removed the requirement that the Chief Audit Executive provide an annual holistic opinion. However, the Internal Audit Policy (2009) now requires the audit plan to be designed to "perform risk-based internal audits necessary to provide an independent annual assurance report to the deputy head on the adequacy and effectiveness of risk management, control and governance processes within the department." The Treasury Board Directive on Chief Audit Executives, Internal Audit Plans, and Support to the Comptroller General further directs that the risk-based audit plan focus predominantly on the provision of assurance services.

The Government of Canada has adopted the Institute of Internal Auditors' (IIA) Professional Practices Framework, including the International Standards for the Professional Practice of Internal Auditing (IIA Standards) for internal auditing in the Government. AASB strives to conduct its work and to manage contracted work in accordance with these standards.

Strategy for Assurance Reporting on Risk Management, Control & Governance Processes

One of the cornerstones of the Policy on Internal Audit (2009) is the requirement that the Chief Audit Executive must provide annual assurance overview reporting on departmental risk management, control, and governance processes. In support of annual reporting for these three elements, the audit plan must achieve sufficient coverage of the Treasury Board's Management Accountability Framework (MAF) and Core Management Controls Framework. Together, these frameworks describe departmental risk management, control, and governance processes for an effectively controlled and accountable department.

The Chief Audit Executive provides annual assurance reporting and, together with other inputs such as the Chief Financial Officer's Statement on Internal Control and information gleaned from other assurance providers, they collectively provide departmental Senior management and the Comptroller General with assurance on the state of the Department's risk management, controls and governance processes.

External Relationships

1. Office of the Auditor General
   
   The relationship between the Department and the Office of the Auditor General is one of openness and cooperation. The CAE has the mandate to coordinate the activities of the Office of the Auditor General within the Department. To ensure both a fair and balanced assessment of the issues audited by the OAG and a unified approach and single source of reference for the Department, the CAE coordinates, on behalf of the Deputy Minister, the process of validating audit findings and draft reports up to and including the final report and the INAC management response and follow up processes.
   
   
2. Office of the Comptroller General
   
   Audits are conducted on a horizontal across-government basis from time to time by the OCG. These are factored in to the plan on an annual basis or as they are announced by the OCG.
   
   
3. Other external organizations conduct audits which are supported by the AASB, for instance, the Public Service Commission and the Office of the Privacy Commissioner conducted audits in 2009-10.

Risk Based Audit Planning Approach

In establishing priorities for the audit plan, AES analyzes all departmental program activities and internal services (see INAC Audit Universe in Appendix A) to assess risk and significance to the achievement of the INAC mandate. These assessments drive the preliminary audit priorities that are presented to Regions and Sectors to obtain input on the value and pertinence of the proposed audits. Moreover, each Region and Sector votes on whether they would like to be included in each proposed audit. This positive feedback is indicative of the perceived value of internal audit to regions and sectors in identifying opportunities to improve programs and management. Consistent with requirements of Treasury Board, the INAC risk-based approach to annual audit planning ensures appropriate allocation of resources necessary to provide the Deputy Head with assurance on areas of greatest importance and concern.

Assessments of significance and risk for each auditable units^{Footnote 1} were based on information gathered through extensive review of corporate documents such as the departmental risk profiles, departmental plans and priorities, performance reports, results of past audits, evaluations and reviews, and results from last year's risk-based planning exercise. Risk level considers the degree to which the activity is exposed to risk factors (e.g. change, complexity and sensitivity) and the impact of specific risk exposures (e.g. legal, program delivery, financial, health and environmental). Significance is based on the relative importance of the program activity or internal service to the achievement of the department's overall objectives. Significance includes materiality of the entity and its intrinsic importance to the department. The methodology employed for the assessment of risk is aligned to identified departmental corporate risk tolerances, as defined in the INAC corporate risk assessment scales.

The selection of audits for the three-year plan is not driven solely by AES prioritization and input from regions sectors, but includes the following planning considerations:

• The Risk-based Audit Plan should be a body of work that can be reasonably achieved with AASB's current staff complement and operating budget;
• Annual allocations should be made to address two OCG-directed audits per year and four emerging (OAG, Public Service Commission or management) projects or advisory engagements per year;
• Any mandated audits scheduled by central agencies or audit support required by the OAG should be scheduled on a priority-basis;
• Audit units assessed as very high and high priority should be audited at least once in the three year-cycle, resources permitting;
• Audit units assessed as medium priority should only be considered for audit if all high priority units are covered or if coverage is required to support the Chief Audit Executive's annual assurance overview reporting or INAC management priorities;
• Reviews of the management practices of all sectors and regions should be conducted on a three-year cycle;
• Adequate coverage should be obtained of the mitigating controls for corporate risks identified in the corporate risk profile;
• A reasonable allocation of effort should be included to conduct follow-up reviews and audit procedures to assess the adequacy of management's actions in addressing past audit recommendations;
• The timing of activities should take into account program evaluations and OAG audits, so as not to place an unreasonable burden on any one corporate entity, and to avoid duplication of effort; and
• The three-year plan should ensure sufficient coverage of risk management, control, and governance processes to support the Chief Audit Executive's annual assurance overview reporting.

The Three Year Risk-Based Audit Plan

This section presents an overview of INAC's Three Year Risk-based Audit Plan. As described in detail earlier in the Risk-based Audit Planning Approach section, the INAC internal audit priorities for the upcoming three years are based on a set of planning considerations and AASB's assessments of risk and significance for each auditable unit.

Audit Unit Priority Rankings

The INAC Audit Universe (Appendix A) encompasses all significant activities performed by INAC in support of its mandate and serves as the basis from which audit priorities were selected. It is comprised of program activities, internal services, and operating agencies, and serves as the basis from which audit priorities were selected. In prioritizing the INAC audit universe, AASB performed extensive review of corporate documents and completed three prioritization workshops. The distribution of the final priority ranking of these units is illustrated in the figure to the right.

Audit Coverage

This section describes how the plan achieves sufficient breadth and depth of audit coverage of areas of highest significance and risk to departmental mandate. Appropriate coverage also permits the CAE to provide an annual assurance statement to the Deputy Minister and Comptroller General.

The chart summarizes the audit coverage over the three years of the plan. As noted above, there is complete coverage through audits and management practices reviews of all very high and high ranked auditable units. The coverage of moderate priority ranked auditable units is 45% while coverage of low priority auditable units is 0%. (prioritization considers both risk and significance)

The graph summarizes the number of audits in the first year (2010-2011) and the links to the corporate risks. Appendix B describes the corporate risks and the links to planned first year audits. Note that the chart includes only planned new 2010-2011 audits and does not include ongoing audits and management practices reviews, which will provide additional assurance coverage of corporate risks.

The graph summarizes the extent of MAF elements and OCG Core Management Controls included in the planned audits in 2010-2011, including both new and ongoing audits. Appendix C details MAF/Core Management Control coverage by individual audit. It demonstrates that every element is covered by at least one audit or management practices review. Note that the chart includes ongoing and new 2010-2011 audits and management practices reviews, which will provide additional assurance coverage of MAF elements.

2010-2011 to 2012-2013 Audit Plan

Table 1 below presents a three-year view of the audit plan that sets out the recommended projects over the period from 2010-2011 to 2012-2013. This table is grouped by departmental programs and internal service. For each auditable unit, the final priority ranking, and past^{Footnote 2}, current and planned audits are outlined. Each of the planned audits for the auditable unit is listed over the three-year period.

• 2010-2011 (Year 1): 24 audits, preliminary surveys, or management practices reviews, 10 of which are audits that began in 2009-2010
• 2011-2012 (Year 2): 23 new audits, preliminary surveys, or management practices reviews
• 2012-2013 (Year 3): 23 new audits, preliminary surveys, or management practices reviews

At the end of the three-year plan, audits and reviews of all high risk and significant ranked auditable units will have been started allowing INAC to achieve coverage required by the Policy on Internal Audit (2009).

The more detailed audit plan for 2010-2011 is presented below in Appendix D. All audits will be conducted with a high level of assurance. Appendix E shows an alternative calendar view of the first year.

Changes to the Plan

The audit plan is an evergreen document and is updated annually. This year's audit plan is a continuation of the 2009-2010 to 2011-2012 Plan in that it includes ongoing audits and carry-forward audits that have been delayed or reprioritized to reflect current business conditions. Details of these changes can be found in Appendix F.

Challenges to Achieving the Three Year Plan

Canada's shifting social, economic, and political landscape strongly influences INAC priorities, performance and programs.  Two factors complicating operations in the INAC context, as identified in the Corporate Risk Profile, are challenges related to the availability of timely, pertinent, consistent, and accurate information and attracting, recruiting, and retaining sufficiently qualified, experienced, and representative human resources. INAC also faces additional pressures related to implementing Canada's Economic Action Plan and an increasing need for reliable information on program performance and outcomes. Given this context, the plan was crafted to allow flexibility to respond to changes and new risks. The plan has a reserve to address unplanned but emerging INAC or government-wide priorities and allow INAC to support OCG General Requirements for government-wide audit activity.

AASB is in a rebuilding phase designed to strengthen its internal staff capacity and capability. The audit community faces a shortage of qualified staff especially in areas of particular expertise. Therefore, AASB has adopted a team-based approach where internal resources are supplemented with qualified contractors. This approach not only allows AASB to access required capability from the external community, it also facilitates transfer of knowledge and skills to internal resources thereby building the capacity of the organization. To enable this team approach, AASB requires access to efficient contracting vehicles and efficient contracting services.

AASB will further mitigate these challenges by ensuring that senior management closely monitors progress against the three-year plan and takes timely action to resolve any issues or make adjustments. AASB will continue to provide an update to the Audit Committee at each of its meetings on the progress it is making in implementing the plan, any challenges it is facing in doing so, and the actions being taken to manage these challenges.

Resource Considerations

The projects undertaken will be dependent on the availability of financial and human resources. This section presents the resource requirements of all internal audit activities planned for 2010-2011. The estimated resource requirements for small, medium, and large projects have been updated to reflect current forecasts and remain aligned the results of historical project cost analysis presented to Audit Committee in 2009-2010. While on the surface, forecasts based on estimated size of a project may seem to be unreliable; this approach has proven to be the most accurate basis of forecasting cost. In short, virtually all INAC program activities and internal services operate under challenging business conditions that can only be reasonably understood upon completion of audit planning. Prior to planning an audit, it is not practicable to forecast resource requirements for each project precisely.

Together, the two major activities of INAC's AASB are audit work and management practices reviews. These activities consume over 80% of the Branch resource requirements. Other internal audit activities including monitoring of action plans from past audits, administration, annual audit planning, quality assurance and improvement, reporting, learning and development, and liaison with OAG and other external assurance providers represents 8%. The remainder is allocated to management assurance requests and emerging priorities.

The Three-Year Plan identifies that approximately 12 to 18 audit projects will be carried out on an annual basis. This number has decreased slightly from earlier Plans to reflect experience as well as the capacity of the organization and its partners.

Resource Requirements

Based on the cost assumptions and the planned audits for 2010-2011, the resource requirements are summarized in Table 2 below. Appendix G details the cost assumptions that form the basis of this analysis. The dollar and staff resource requirements presented are aligned with current budget forecasts and requests currently in consideration.

Note that sectors and regions have identified coordinators to work with audits staff and that while audits are underway staff in the audited entities devote time and energy to assist the auditors While the level of effort and costs will vary from project to project, it is AASB's professional opinion that this level of resourcing is adequate to achieve the plan.

Appendix A – Audit Universe

Appendix B – Linkage of 2010-2011 Audits to the Corporate Risk Profile

Appendix C – Linkage of 2010-2011 Audits to MAF elements

Appendix D – 2010-2011 Audit Projects

The more detailed audit plan for 2010-2011 is presented below with each project described in terms of its objective and scope, its estimated timeframe, and its rationale.

Appendix E - 2010-2011 Audit Calendar

The table below illustrates the planned timeframe for each planned engagement in 2010-2011. Note that reports and action plans will be posted 90 days after Deputy Minister approval. The letters "AC" indicate the quarter in which the audit report and management action plan are anticipated to be presented to the Audit Committee.

Appendix F – Changes to the Audit Plan

Ongoing Audits

The resource implications of audit projects that began in 2009-2010 but were not completed within that period are identified below as on-going audits from the 2009-2010 Plan. With the tabling of this revised audit plan in advance of the new fiscal year, it is expected that the extent of carry-over from 2010-11 engagements to 2011-12 will be minimal.

Removed or Carry-Forward Audits

In light of last year's activities and the results of this year's risk assessment and prioritization exercise, the table below identifies any engagements that were planned that were not completed. A complete analysis of all the changes from the 2009-2010 to 2011-2012 was completed.

Appendix G - Cost Assumptions

For purposes of identifying initial resource requirements, AASB has assumed, based on experience, that its average portfolio will be comprised of large, medium, and small audit engagements and management practices reviews. The anticipated direct and indirect costs of these projects in 2010-2011 are detailed below.