Risk-Based Audit Plan 2014-2015 to 2016-2017

Date : February 2014

PDF Version (470 Kb, 34 Pages)

Introduction
Risk-Based Audit Planning Approach
The Three Year Risk-Based Audit Plan
Resource Considerations
Appendix A - AANDC Audit Universe
Appendix B - Linkage of 2014-2017 Audits to the Corporate Risk Profile
Appendix C - Linkage of 2014-2015 Audits to MAF Elements
Appendix D – 2014-2015 Audit Projects
Appendix E – Changes to the Audit Plan

Introduction

The Treasury Board Policy on Internal Audit seeks to contribute to the improvement of public sector management by ensuring a strong, credible, effective and sustainable internal audit function within departments as well as government-wide. In response to this requirement, Aboriginal Affairs and Northern Development Canada (AANDC) has developed this three-year Risk-Based Audit Plan. This plan details the assurance services that Audit and Assurance Services Branch will provide, independent of line management, to sustain a strong, credible internal audit regime that contributes directly to sound risk management, control and governance.

Purpose

The Audit and Assurance Services Branch (AASB) of AANDC has prepared this document for the Deputy Minister to outline the 2014-2015 to 2016-2017 Risk-Based Audit Plan for Aboriginal Affairs and Northern Development Canada (AANDC). The plan is designed to support the allocation of audit resources to those areas that represent the most significant risks to the achievement of AANDC’s objectives and to respond to the requirements of the Treasury Board Policy on Internal Audit (April 1, 2012). In considering the appropriateness of the plan, the Deputy Minister is advised by an independent, departmental Audit Committee comprised of five external members.

Document Organization

Introduction	This section provides an overview of the role of the internal audit function and Treasury Board expectations with respect to audit in order to provide the reader with the context for the Plan.
Risk-Based Audit Planning Approach	This section describes the process followed to develop the Plan.
The Three-Year Risk Based Audit Plan	This section details the comprehensive plan for the 2014-2015 to 2016-2017 fiscal years, including a summary of activities over three years.
Resource Considerations	This section details the resource considerations required to execute the Plan.
Appendices	This section provides various detailed tables to further describe the Plan.

The Role and Scope of Internal Audit

Internal audit plays a vital role in governance and accountability. Without a strong, objective and independent assurance function, the effectiveness of the overall governance framework of an organization is severely weakened. With an effective internal audit function, there is greater confidence that the decisions being taken are informed by appropriate information on governance, risk and control. Internal audit's systematic and disciplined approach adds value and improves an organization's operations.

Through the Federal Accountability Act (2006) and Action Plan, the Government of Canada committed to strengthen auditing and accountability within Departments by clarifying the managerial responsibilities of deputy heads within the framework of ministerial responsibility and by enhancing the internal audit function.

The role of AANDC's internal audit function is to ensure that, in conjunction with advice from the Audit Committee, the Deputy Minister is provided with independent assurance regarding the effectiveness of the Department's risk management, control and governance processes. The internal audit function fulfils this role by bringing a systematic, disciplined approach to assessing and improving the effectiveness of the Department's risk management, control and governance processes.

The scope of work of the internal audit function is to assess if AANDC's network of risk management, control, and governance processes (as designed and represented by management) is adequate and functioning such that:

Risks are appropriately identified and managed;
Financial, managerial, and operational information is accurate, reliable, and timely;
Compliance with policies, standards, procedures and applicable laws and regulations is achieved;
Resources are acquired economically, used effectively and adequately protected;
Programs, plans and objectives are achieved;
Quality and continuous improvement are fostered in the Department's control processes; and,
Legislative or regulatory issues affecting the Department are recognized and addressed properly.

When opportunities for improving management control, governance or resource stewardship are identified in audits, they are communicated to the suitable level of management so that appropriate action can be taken.

The internal audit function plays an important role in supporting departmental operations. It provides assurance on all the important aspects of the risk management strategy and practices, management control frameworks and practices, and governance. Where control weaknesses exist and where the achievement of objectives is at risk, internal audit plays a role in providing constructive advice and recommendations. In this way, internal audit contributes to enhanced accountability and performance.

Treasury Board Policy Requirements

AANDC is subject to the Treasury Board Policy on Internal Audit. This policy states that the internal audit function in the Government of Canada "…is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes".

The Policy on Internal Audit requires the Deputy Minister to approve a multi-year risk-based audit plan that considers departmental areas of high risk and significance, as well as Government-wide audits led by the Comptroller General. The Treasury Board Directive on Internal Auditing in the Government of Canada (April 1, 2012) requires that the Chief Audit Executive "…establish and update at least annually a multi-year plan of internal audit engagements based on a risk assessment and which is focused predominantly on the provision of assurance services". The Directive also requires that the Audit Committee "…review and recommend for approval a multi-year risk-based internal audit plan".

The Treasury Board specifies that "the Government of Canada has adopted the Institute of Internal Auditors'(IIA) International Professional Practices Framework and that all federal departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the Standards are in conflict with the Treasury Board Policy on Internal Audit or any related directives or standards, in which case the Policy, Directive or Standards will prevail".

The Chief Audit Executive's Annual Written Report to the Deputy Minister and the Audit Committee

A requirement of the Directive on Internal Auditing in the Government of Canada is that the Chief Audit Executive must annually prepare a written report to the Deputy Minister and the Audit Committee that includes sections on:

"Internal audit's independence, proficiency, performance and results relative to its plan, including resource utilization, lessons learned and influences on future years' plans;
The results of the Quality Assurance and Improvement Program including internal audit's conformance with the Internal Auditing Standards for the Government of Canada;
The results of the follow-up on the implementation of management action plans; and,
An overview of the aggregate findings following the execution of the risk-based audit plan, including the actions taken by management to address key findings."

Collectively, the Chief Audit Executive's annual report and other inputs, such as the Chief Financial Officer's Statement of Management Responsibility including Internal Control over Financial Reporting, and reports of other assurance agencies, provide departmental senior management and the Comptroller General with assurance on the state of the Department's risk management, controls and governance processes.

Risk-Based Audit Planning Approach

To meet the requirement of the Directive on Internal Auditing in the Government of Canada for the establishment, and at least annual update, of a multi-year plan of internal audit, the Audit and Assurance Services Branch's assessment of AANDC's areas of risk was reviewed and updated to ensure that audit resources continue to be targeted to areas of highest risk and significance.

In establishing priorities for the Risk-Based Audit Plan, AASB employs a structured, risk-based approach.

Conduct and Timing of an Internal Audit
Once approved, the Risk-Based Audit Plan provides AASB with the Deputy Minister's direction on what specific audits should be undertaken in the coming year. Each audit consists of the following phases:
The Planning Phase is undertaken to gain an understanding of the objectives, activities, key risks and controls of the area subject to audit. The audit objectives and scope are finalized and audit criteria are established.
During the Conduct Phase, auditors carry out the audit program to ascertain whether each audit criterion is satisfied. Auditors conduct interviews, review documentation, perform analysis, observe activities and employ other techniques to obtain sufficient, relevant and reliable information to reach conclusions and support preliminary findings. Findings are reviewed with management to validate accuracy.
During the Reporting Phase, the draft audit report is prepared outlining background and context, and the auditor's findings, conclusions and recommendations. Management presenting a Management Response and Action Plan outlining their response to the findings as well as the corrective action planned to mitigate the identified control gaps.
In the Follow-up Phase, action is taken to ensure that the required measures have indeed been implemented.
The audit may last three (3) to twelve (12) months depending on the size and complexity of the area subject to audit as well as the specific scope and objectives of the engagement.

As a first step in updating the RBAP, AASB reviewed the audit universe to confirm that the existing auditable units^{Footnote 1} were still valid. The audit universe is a collection of all auditable units. The auditable units generally correspond to the programs and sub-programs identified in AANDC Program Alignment Architecture (PAA) and to the major organizational units of the Department (Appendix A presents the entire AANDC Audit Universe). AASB updated the audit universe to reflect changes to the 2014-2015 PAA and current and planned resources allocations associated with the auditable units. In total, there are 42 program units and 34 internal services units.

AASB then reviewed departmental priorities, business conditions and risks as identified in a wide variety of sources, including, but not limited to, corporate, sector and program risk profiles, corporate and sector business plans, Management Accountability Framework assessments, performance reports, past audit, evaluation and review reports, and last year's risk-based planning exercise.

To better understand the risks and challenges associated with each auditable unit, three consultative workshops were held with members of the Directors General Implementation and Operations Committee 2. Participants' input was received on the current business conditions, issues and the risks associated with activities related to each PAA and Internal Services sub-program.

Following the update of the audit universe, review of documentation, and consultative workshops, AASB held a planning and prioritization workshop with Audit and Evaluation Sector (AES) representatives (Audit and Assurance, Risk Management, Evaluation and Performance Measurement and Review, and Assessment and Investigation Services). During this workshop information gathered to date was shared with AES participants who were then asked to examine each auditable unit and offer their perspective on each unit's level of inherent risk, legal risk and significance.

Inherent risk level is defined as the degree of risk to which the entity is exposed, considering current and anticipated business conditions and the presence and potential impact of specific risk exposures. Legal risk considers the level of exposure to legal issues that may affect the activities of the Department. Significance considers the relative importance of the program activity or internal service to the achievement of the Department’s overall objectives. Significance includes materiality of the entity and its intrinsic importance.

Text description of Figure 1

The chart illustrates the final priority rankings for each auditable unit of AANDC's audit universe. The priority rankings are as follows:

Very High: 18% or 14 auditable units
High: 41% or 31 auditable units
Moderate: 25% or 19 auditable units
Low: 11% or 8 auditable units
Not rated: 5% or 4 auditable units

Using the AANDC corporate risk assessment scales, where one is low risk and five is very high risk, participants provided their assessment of risk for each auditable unit, through voting on the inherent risk, legal risk and significance. Exceptions to this were in the areas of internal audit, evaluation, risk management and complaints and allegations. As these functions fall within the responsibility of the Chief Audit and Evaluation Executive, there would be the appearance of a lack of independence and objectivity should AES assess risks in those areas, or plan to audit those functions.^{Footnote 2} Should it come to the attention of senior management that any of these functions constitute a high risk to AANDC, and should therefore be subject to an audit, arrangements would be made for external firms to conduct the work under the direction of a senior ADM or the Audit Committee.

For the purposes of the risk assessment, a weighting of 50% was allocated to Inherent Risk (including 20% to Legal Risk) and 50% was attributed to Significance to arrive at a risk score for each auditable unit assessed. A risk priority score was then assigned to each of the assessed auditable units in the audit universe. As a final pass, all entities were further categorized as Very High, High, Moderate or Low priority based on their risk scores. The distribution of auditable units by rank is displayed in Figure 1.

The products of this workshop became the basis for the development of an initial listing of potential audit projects over the three-year horizon of the Plan. To develop the preliminary plan, the auditable units assigned a Very High and High risk rating were deemed worthy of attention and preliminarily assigned audits within the three years of the RBAP. This preliminary RBAP was then shared with Assistant Deputy Ministers and internal service heads to provide an opportunity to gain their perspective on the recommended listing of potential projects and their scheduling.

AASB also consulted with the Office of the Comptroller General (OCG) and the Office of the Auditor General (OAG) to obtain their input on the identified risk levels and on the identification and timing of potential audits, particularly with respect to their planned audit activities.

Additionally, AASB consulted Health Canada, Shared Services Canada and Employment and Social Development Canada to discuss the potential for coordinated or joint audits on higher risk areas of common interest.

Finally, AASB reviewed the identified risks and potential projects with members of the Audit Committee.

Following consultations, AASB developed a three-year Risk-Based Audit Plan (RBAP) taking into account the following planning considerations:

The Plan should be a body of work that can be reasonably achieved with AASB’s current staff complement and operating budget;
Auditable units assessed as Very High and High priority should be given priority and audited once in the three-year cycle, resources permitting;
Auditable units assessed as Medium priority should only be considered for audit if all Very High and High priority units are covered or if they represent an AANDC management priority;
Adequate coverage of corporate risks identified in the corporate risk profile should be obtained;
The RBAP should ensure sufficient coverage of risk management, control and governance processes;
The timing of activities should take into account program evaluations, OAG, OCG and other central agency audits and any other considerations such as program renewals, so as not to place an unreasonable burden on any entity and to avoid duplication of effort; and,
A reasonable allocation of effort should be included to conduct follow-up reviews and audit procedures to assess the adequacy of management actions in addressing past audit recommendations.

The Chief Audit and Evaluation Executive reviewed and approved the proposed Plan and presented it to Audit Committee members for their review and recommendation for approval by the Deputy Minister.

The implementation of the RBAP will be monitored on a regular basis throughout the year and proposed changes will be reviewed and formally recommended for the Deputy Minister’s approval by the Audit Committee. An update of the Plan will be presented at the mid-year meeting of the Audit Committee to confirm that it still provides appropriate coverage over the departmental priorities and highest risks.

The Three Year Risk-Based Audit Plan

This section presents an overview of the AANDC 2014-2015 to 2016-2017 Risk-Based Audit Plan.

Audit Coverage

AANDC's Risk-Based Audit Plan 2014-2015 to 2016-2017 addresses areas of higher risk and significance

This section describes how the plan addresses areas of higher risk and significance. As detailed in Appendix A, there is complete coverage of all Very High and High risk audible units. The Corporate Risk Profile is management's point in time reflection of the most significant risks that threaten achievement of AANDC's objectives and AASB seeks to ensure that all of these risks are covered in the planned audits. The chart to the right summarizes the number of 2014-2015 audits that will address one or more of the corporate risks. Every corporate risk is covered by at least three assurance engagements (audits). Appendix B presents the specific linkages of audits to risks.

Text description of Figure 2

The graph illustrates the extent to which AANDC corporate risks are covered by the new and ongoing audits and preliminary surveys in 2014-2015. Please note that individual projects may cover one or more risk area. The coverage is as follows:

Environmental: 3
Legal: 10
External Partnership: 6
Aboriginal Relationship: 15
Government Partnership: 11
Resource Alignment: 16
Implementation: 17
Information for Decision Making Risk: 21
HR Capacity and Capabilities: 14

In support of the Chief Audit and Evaluation Executive's annual report to the Deputy Minister and the Audit Committee, the audit plan endeavours to address all elements of the Treasury Board's Management Accountability Framework (MAF). The chart to the right summarizes the extent to which the elements of this framework are covered in the planned audits for 2014-2015. Appendix C describes these linkages in greater detail.

Coverage of MAF/ Core Management Control Elements (2014-2015)

Text description of Figure 3

The graph illustrates the extent to which the elements of the Treasury Board's Management Accountability Framework are covered by the number of planned audit projects for 2014-2015 in each Management Area.

Values and Ethics: 3
Managing for Results: 17
Governance and Planning: 21
Citizen-focused Service: 14
Internal Audit: 0
Evaluation: 0
Financial Management and Control: 13
Management of Security: 2
Integrated Risk Management: 17
People Management: 6
Procurement: 4
Information Management: 3
Information Technology: 3
Asset Management: 1
Investment Planning & Management of Projects: 6

As noted in the Risk-Based Audit Planning Approach section, internal audit and evaluation are not subject to audit by AANDC's internal audit function as the auditor's independence and objectivity could be considered to be compromised.

2014-2015 to 2016-2017 Risk-Based Audit Plan

Table 1 below outlines the number of planned program or functional audits, Management Practices Audits, and OCG audits for each of the three years of the Plan.

**Table 1:**
	2013-14 Ongoing	2014-2015	2015-2016	2016-2017
Audits	4	15	13	14
Management Practices Audits	0	2	3	2
OCG Horizontal Internal Audits	0	1	1	1**
Total	4	18	17	17

** To be determined

Table 2 below presents the planned audits for 2014-2015 and identifies the audit priority assigned to them and the fiscal quarters in which they are expected to begin and in which the results are expected to be presented to the Audit Committee (denoted as "AC" in the table).

Table 3 below lists the proposed audits for 2015-2016 and 2016-2017 and their respective audit priority rankings. The audit plans for 2015-2016 and 2016-2017 are tentative and the selection and timing of audits will be revisited during next year's annual planning exercise.

TABLE 2 - 2014-2015 Audit Plan		2013-14 (ongoing)		2013-14 (Year 1)
	Priority	Q3	Q4	Q1	Q2	Q3	Q4
Ongoing (projects commenced in 2013-14 to be completed in 2014-15)*
1. Audit of the Management Control Framework for Grants and Contributions (recurring audit)	Very High			AC
2. Review of Negotiation of Comprehensive Land Claims and Self-Government Agreements	Very High			AC
3. System Under Development Audit of the Integrated Financial Management System (SAP&GCIMS)	Very High			AC
4. Audit of Delegation of Authorities, Organization Design and Classification	High			AC
2014-15 Projects
1. Audit of ATIP Management	High			AC
2. Management Practices Audit of the Communications Branch	High			AC
3. Audit of Indian Registration (Qalipu Phase II)	Very High				AC
4. Audit of Internal Controls Over Financial Reporting	Very High				AC
5. Audit of Consultation and Accommodation	High				AC
6. Audit of Northern Oil and Gas	High				AC
7. Audit of On-Reserve Infrastructure (excluding Water and Wastewater)	Very High					AC
8. Audit of the Northern Contaminated Sites Program	Very High					AC
9. Audit of AANDC Support to the Independent Assessment Process	High					AC
10. Audit of Métis and Non-Status Indian Relations and Métis Rights Management	High					AC
11. Management Practices Audit of the Lands and Economic Development Sector	High					AC
12. Audit of Litigation Management	High						AC
13. Audit of the National Child Benefit Reinvestment and Assisted Living Programs	High						AC
14. Audit of Occupational Health and Safety	High						AC
15. Audit of the Post-Secondary Education Programs	High						AC
16. Audit of the Management Control Framework for Grants and Contributions (recurring audit)	Very High						*
17. System Under Development Audit of the Secure Integrated Registration and Certification Unit	Very High						*
18. OCG Horizontal Internal Audit of Information Technology Security	High						*

*Note: These audits will be completed and presented to the Audit Committee in Q1 2015-2016.

TABLE 3 - 2015-2016 to 2016-2017 Audit Plan	Priority
2015-2016 Projects
1. Audit of the Management Control Framework for Grants and Contributions (recurring audit)	Very High
2. Audit of the First Nations Child and Family Services Program	Very High
3. Financial Audit of Contingent Liabilities (incl. Contaminated Sites)	Very High
4. Audit of the Elementary and Secondary Education Programs	Very High
5. Audit of the Education Information System	Very High
6. OCG Horizontal Internal Audit of Information Management	Very High
7. Audit of the Emergency Management Assistance Program	Very High
8. Management Practices Audit of the Manitoba Region	Very High
9. Management Practices Audit of the Ontario Region	Very High
10. Audit of the Income Assistance Program	High
11. Audit of First Nations Government Programs	High
12. Audit of HR Staffing and Planning	High
13. Audit of Aboriginal Governance Institutions and Organizations Programs	High
14. Audit of Performance Measurement and Reporting	High
15. Audit of Values and Ethics	High
16. Audit of AANDC Support to the Specific Claims Process	High
17. Management Practices Audit of the Alberta Region	High
2016-2017 Projects
1. Audit of Additions to Reserves Process	Very High
2. Audit of Lands Management (incl. Lands Registry System)	Very High
3. Audit of the Management Control Framework for Grants and Contributions (recurring audit)	Very High
4. Audit of Water and Wastewater Infrastructure	Very High
5. Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements	Very High
6. Audit of the Implementation of Modern Treaty Obligations	Very High
7. Audit of the Indian Registration System	Very High
8. Management Practices Audit of the Chief Financial Officer Sector	Very High
9. Management Practices Audit of the Resolution and Individual Affairs Sector	Very High
10. Audit of Economic Development Programs	High
11. Audit of Expenditure Management	High
12. Audit of IM/IT Governance	High
13. Audit of Nutrition North Canada	High
14. Audit of Program Management of the Canadian High Arctic Research Station	High
15. Audit of Corporate Business Planning	High
16. Audit of the Urban Aboriginal Strategy	High
17. OCG Horizontal Internal Audit (to be determined)	High

The detailed audit plan for 2014-2015, including project objective, scope and rationale, is presented in Appendix D. Consistent with the requirements of the Internal Auditing Standards of the Government of Canada, all audits will be designed to achieve a high level of assurance.

Changes to the Plan

As noted previously, AANDC’s RBAP is updated annually with adjustments during the year, if necessary. This year’s audit plan is an evolution of the 2013-2014 to 2015-2016 Plan and, as such, includes four on-going audits that will be completed in 2014-15 and other projects that have been cancelled or deferred as a result of changing business priorities and conditions. Details of these changes can be found in Appendix E.

Challenges to Achieving Fulfillment of the Three-Year Plan

AANDC programs and services are delivered in a complex policy and political environment that is constantly evolving and shifting from a legalistic approach to a policy-based approach that is more focused on reconciliation, partnerships, and the sustainable development of Aboriginal communities. Two risk factors that were identified in the 2013-2014 Corporate Risk Profile are of particular importance to the successful implementation of the Risk-Based Audit Plan. These are: (1) the risk related to the availability of timely, pertinent, consistent, and accurate information; and, (2) the risk related to the need to attract, recruit and retain sufficiently qualified, experienced and representative employees. Given this context, the Plan allows flexibility to respond to emerging risks and policy or program changes. If these risks or changes emerge and suggest higher priority audit activity, the Plan will be adjusted so that internal audit can undertake appropriate responses.

To support the need for flexibility, AASB has adopted an approach whereby internal resources are supplemented with qualified contractors. Considering the cross-government shortage of qualified auditors, this approach not only allows AASB to access required capacity and skills but also facilitates transfer of knowledge and skills to internal resources, thereby building internal capacity. The establishment of the Professional Audit Support Services Supply Arrangement (PASS) by AASB in 2012-2013 has contributed to more efficient contracting and has helped to overcome some of these challenges. AANDC’s implementation of the Government of Canada’s Deficit Reduction Action Plan (DRAP) will likely continue to impair AASB’s ability to obtain timely access to departmental managers and staff over the planning period.

Resource Considerations

This section presents the resource requirements of all internal audit activities planned for 2014-2015. Projects undertaken will depend on the availability of financial and human resources. The estimated resource requirements for small, medium, and large projects have been updated to reflect current forecasts and are consistent with the results of historical project cost analysis for the last three fiscal years (2011-12 to 2013-14). This approach has proven to be the most accurate basis for forecasting costs, as specific requirements can only be determined once audit planning has been completed.

The Audit and Assurance Services Branch’s assurance activities represent 91% (90% for AANDC-led and 1% for OCG-led) of branch resource requirements. Other internal audit activities, including monitoring of action plans from past audits, annual audit planning, Quality Assurance and Improvement, reporting, learning and development, and liaison with OAG and other external assurance providers represents 9%.

The Plan identifies an average of 17 audit projects to be carried out on an annual basis.

Appendix A - AANDC Audit Universe

**Very High Risk Auditable Units and Related Audit Activity 2014-2017**
Departmental Program Auditable Units (10)	Planned Audit(s)*
Administration of Reserve Land	Audit of Lands Management (incl. Lands Registry System) (2016-2017) Audit of Additions to Reserve Process (2016-2017)
Elementary and Secondary Education	Audit of the Education Information System (2015-2016) Audit of the Elementary and Secondary Education Programs (2015-2016)
Emergency Management Assistance	Audit of the Emergency Management Assistance Program (2015-2016)
First Nations Child and Family Services	Audit of the First Nations Child and Family Services Program (2015-2016)
Housing	Audit of On-Reserve Infrastructure (excluding Water and Wastewater) (2014-2015)
Management and Implementation of Agreements and Treaties	Audit of the Implementation of Modern Treaty Obligations (2016-2017)
Negotiations of Claims and Self-Government	Review of Negotiation of Comprehensive Land Claims and Self-Government Agreements (2014-2015) (Carry Forward) Audit of Negotiation of Comprehensive Land Claims and Self Government Agreements (2016-2017)
Northern Contaminated Sites	Audit of Northern Contaminated Sites Program (2014-2015) Financial Audit of Contingent Liabilities (including Contaminated Sites) (2015-2016)
Registration and Membership	Audit of Indian Registration (Qalipu Phase II) (2014-2015) System under Development Audit of the Secure Integrated Registration and Certification Unit (2014-2015) Audit of the Indian Registration System (2016-2017)
Water and Wastewater Infrastructure	Audit of Water and Wastewater Infrastructure (2016-2017)
Internal Services Auditable Units (4)	Planned Audit(s)*
Grants and Contributions Controls	Audit of the Management Control Framework for Grants and Contributions (2013-2014) (Carry Forward) Audit of the Management Control Framework for Grants and Contributions (2014-2015) Audit of the Management Control Framework for Grants and Contributions (2015-2016) Audit of the Management Control Framework for Grants and Contributions (2016-2017)
Information Management	System Under Development Audit of the Integrated Financial and Management System (SAP & GCIMS) (2014-2015) (Carry Forward) Audit of the Education Information System (2015-2016) OCG horizontal Internal Audit of Information Management (2015-2016) Audit of the Indian Registration System (2016-2017)
Information Technology	System Under Development Audit of the Integrated Financial and Management System (SAP & GCIMS) (2014-2015) (Carry Forward) OCG Audit of Information Technology Security (2014-2015) Audit of the Education Information System (2015-2016) Audit of the Indian Registration System (2016-2017)
Liabilities	Audit of Internal Controls Over Financial Reporting (2014-2015) Financial Audit of Contingent Liabilities (including Contaminated Sites) (2015-2016)

* Very High Risk Auditable Units will be subject to audit coverage (in whole or in part) at least once every three years.

* Very High Risk Auditable Units will be subject to audit coverage at least once every three years.

**HIGH RISK AUDITABLE UNITS AND RELATED AUDIT ACTIVITY 2014-2017**
Departmental Program Auditable Units (19)	Planned Audit(s)*
Aboriginal Governance Institutions and Organizations	Audit of Aboriginal Governance Institutions and Organizations Programs (2015-2016)
Assisted Living	Audit of the Assisted Living and National Child Benefit Reinvestment Program (2014-2015)
Consultation and Engagement	Audit of Consultation and Accommodation (2014-2015)
Contaminated Sites	Financial Audit of Contingent Liabilities (including Contaminated Sites) (2015-2016)
Education Facilities	Audit of On-Reserve Infrastructure (excluding Water and Wastewater) (2014-2015)
First Nations Governments	Audit of First Nations Government Programs (2015-2016)
Income Assistance	Audit of the Income Assistance Program (2015-2016)
Independent Assessment Process	Audit of AANDC Support to the Independent Assessment Process (2014-2015)
Investment in Economic Opportunities	Audit of Economic Development Programs (2016-2017)
Lands and Economic Development Services	Audit of Economic Development Programs (2016-2017)
Métis and Non-Status Indian Relations and Métis Rights Management	Audit of Métis and Non-Status Indian Relations and Métis Rights Management (2014-2015)
National Child Benefit Reinvestment	Audit of the Assisted Living and National Child Benefit Reinvestment Programs (2014-2015)
Nutrition North	Audit of Nutrition North Canada (2016-2017)
Other Community Infrastructure and Activities	Audit of On-Reserve Infrastructure (excluding Water and Wastewater) (2014-2015)
Petroleum and Minerals	Audit of Northern Oil and Gas (2014-2015)
Post-Secondary Education	Audit of the Post-Secondary Education Programs (2014-2015)
Science Initiatives	Audit of Program Management of the Canadian High Arctic Research Station (2016-2017)
Specific Claims	Audit of AANDC Support to the Specific Claims Process (2015-2016)
Urban Aboriginal Participation	Audit of the Urban Aboriginal Strategy (2016-2017)
Internal Services Auditable Units (12)	Planned Audit(s)
ATIP Management	Audit of ATIP Management (2014-2015)
Communications	Management Practices Audit of the Communications Branch (2014-2015)
Expenditure Management	Audit of Expenditure Management (2016-2017)
HR Staffing and Planning	Audit of HR Staffing and Planning (2015-2016)
IM/IT Governance	System Under Development Audit of the Integrated Financial Management System (SAP & GCIMS) (2014-2015) (Carry Forward) Audit of IM/IT Governance (2016-2017) Audit of the Indian Registration System (2016-2017)
IM/IT Security	OCG Horizontal Internal Audit of Information Technology Security (2014-2015)
Litigation Management	Audit of Litigation Management (2014-2015)
Occupational Health and Safety	Audit of Occupational Health and Safety (2014-2015)
Organizational Design and Classification	Audit of Delegation of Authorities, Organization Design and Classification (2014-2015) (Carry Forward)
Performance Measurement and Reporting	Audit of Performance Measurement and Reporting (2015-2016)
Strategic and Business Planning	Audit of Corporate Business Planning (2016-2017)
Values and Ethics	Audit of Values and Ethics (2015-2016)

* High Risk Auditable Units will be subject to audit coverage at least once every three years.

**MODERATE RISK AUDITABLE UNITS 2014-2015 TO 2016-2017**
Departmental Program Auditable Units (9)	Internal Services Auditable Units (10)
Business Capital and Support Services	Accommodations
Climate Change Adaptation	Compensation and Benefits
Family Violence Prevention	Continuity of Operations
Northern Contaminants	Corporate Security
Northern Land and Water Management	External Reporting
Political Development and Intergovernmental Relations	Financial Planning and Budgeting
Reconciliation	Labour Relations
Strategic Partnerships	Learning and Development
Support to the Truth and Reconciliation Commission	Loans and Accounts Receivable
	Strategic Policy Development

**LOW RISK AUDITABLE UNITS 2014-2015 TO 2016-2017**
Departmental Program Auditable Units (4)	Internal Services Auditable Units (4)
Business Opportunities	Assets and Property Management
Common Experience Payments	Library and Information Centre
Estates	Official Languages
Renewable Energy and Energy Efficiency	Revenues

**NOT RATED AUDITABLE UNITS 2014-2015 TO 2016-2017**
Departmental Program Auditable Units (0)	Internal Services Auditable Units (4)
	Audit and Evaluation
	Complaints and Allegations
	Legal Services
	Risk Management

Appendix B - Linkage of 2014-2017 Audits to the Corporate Risk Profile

2014-2015 Audit Projects	HR Capacity and Capabilities	Information for Decision Making	Implementation	Resource Alignment	Government Partnership	Aboriginal Relationship	External Partnership	Legal	Environmental
Ongoing
Audit of Management Control Framework for Grants and Contributions (2013-2014)		Selected	Selected	Selected	Selected	Selected	Selected
Review of Negotiation of Comprehensive Land Claims and Self-Government Agreements		Selected	Selected	Selected	Selected	Selected	Selected	Selected
System Under Development Audit of the Integrated Financial Management System (SAP&GCIMS)	Selected	Selected	Selected	Selected	Selected
Audit of Delegation of Authorities, Organization Design and Classification	Selected	Selected			Selected
2014-2015 Projects
Audit of Management Control Framework for Grants and Contributions (recurring audit)		Selected	Selected	Selected	Selected	Selected	Selected
Audit of Northern Contaminated Sites Program	Selected	Selected	Selected	Selected	Selected	Selected		Selected	Selected
Audit of the Internal Controls Over Financial Reporting	Selected	Selected
Audit of Indian Registration (Qalipu Phase II)	Selected	Selected	Selected	Selected		Selected		Selected
Systems Under Development of the Secure Integrated Registration and Certification Unit	Selected	Selected	Selected	Selected		Selected		Selected
Audit of On-Reserve Infrastructure (excluding Water and Wastewater)		Selected	Selected	Selected		Selected
Audit of AANDC Support to the Independent Assessment Process	Selected	Selected	Selected	Selected	Selected	Selected		Selected
Audit of Northern Oil and Gas		Selected	Selected	Selected	Selected	Selected	Selected		Selected
Audit of Consultation and Accommodation	Selected	Selected	Selected	Selected	Selected	Selected		Selected
Audit of Litigation Management	Selected	Selected	Selected	Selected	Selected	Selected		Selected
Audit of Occupational Health and Safety	Selected	Selected	Selected	Selected	Selected			Selected	Selected
Audit of ATIP Management	Selected	Selected	Selected					Selected
Audit of the Post-Secondary Education Programs	Selected	Selected	Selected	Selected	Selected	Selected	Selected	Selected
Audit of the National Child Benefit Reinvestment and Assisted Living Programs	Selected	Selected	Selected	Selected	Selected	Selected	Selected
Audit of Métis and Non-Status Indian Relations and Métis Rights Management	Selected	Selected	Selected	Selected	Selected	Selected		Selected
Management Practices Audit of the Communications Branch	Selected	Selected	Selected	Selected
Management Practices Audit of the Lands and Economic Development Sector	Selected	Selected	Selected	Selected
OCG Horizontal Internal Audit of Information Technology Security	Selected	Selected	Selected	Selected	Selected

Appendix C - Linkage of 2014-2015 Audits to MAF Elements

2014-2015 Audit Projects Note (1) - These two areas of MAF are the responsibility of the CAEE therefore, they were not considered	Value and Ethics	Managing for Results	Governance and Planning	Citizen-focused Service	Internal Audit (1)	Financial Management and Control	Management of Security	Integrated Risk Management	People Management	Procurement	Information Management	Information Technology	Asset Management	Investment Planning and Management of Projects
Ongoing
Audit of the Management Control Framework for Grants and Contributions (2013-2014)		Selected	Selected			Selected		Selected
Review of Negotiation of Comprehensive Land Claims and Self-Government Agreements		Selected	Selected	Selected		Selected			Selected
System Under Development Audit of the Integrated Financial Management System (SAP & GCIMS)			Selected			Selected	Selected	Selected		Selected	Selected	Selected		Selected
Audit of Delegation of Authorities, Organization Design and Classification	Selected	Selected	Selected	Selected				Selected	Selected					Selected
2014-2015 Projects
Audit of the Management Control Framework for Grants and Contributions		Selected	Selected			Selected		Selected
Audit of the Northern Contaminated Sites Program		Selected	Selected			Selected		Selected	Selected	Selected				Selected
Audit of Internal Controls Over Financial Reporting		Selected	Selected			Selected		Selected			Selected	Selected
Audit of Indian Registration (Qalipu Phase II)			Selected	Selected		Selected		Selected			Selected			Selected
Systems Under Development of the Secure Integrated Registration and Certification Unit		Selected	Selected	Selected				Selected			Selected	Selected		Selected
Audit of On-Reserve Infrastructure (excluding Water and Wastewater)		Selected	Selected	Selected		Selected		Selected					Selected	Selected
Audit of AANDC Support to the Independent Assessment Process		Selected	Selected	Selected				Selected
Audit of Northern Oil and Gas		Selected	Selected	Selected		Selected		Selected
Audit of Consultation and Accommodation			Selected	Selected				Selected	Selected
Audit of Litigation Management		Selected	Selected	Selected				Selected
Audit of Occupational Health and Safety		Selected	Selected						Selected
Audit of ATIP Management		Selected	Selected	Selected							Selected
Audit of the Post Secondary Education Program		Selected	Selected	Selected		Selected		Selected			Selected	Selected		Selected
Audit of National Child Benefit Reinvestment and Assisted Living Programs		Selected	Selected	Selected		Selected		Selected
Audit of Métis and Non-Status Indian Relations and Métis Rights Management			Selected	Selected	Selected				Selected
Management Practices Audit of the Communications Branch		Selected	Selected	Selected	Selected		Selected		Selected	Selected	Selected
Management Practices Audit of the Lands and Economic Development Sector		Selected	Selected	Selected	Selected		Selected		Selected	Selected	Selected
OCG Horizontal Internal Audit of Information Technology Security								Selected	Selected			Selected	Selected

Appendix D – 2014-2015 Audit Projects

The detailed audit plan for 2014-2015 is presented below, with each project described in terms of its preliminary objective, preliminary scope and rationale. For all planned audits, the final objective and scope will determined at the end of the planning phase, based on an assessment of risk.

Audit Objective and Scope	Rationale for Conduct
Audit of the Management Control Framework for Grants and Contributions (recurring audit)	Very High
The ongoing objective of the audit of the management control framework for grants and contributions is to assess the adequacy and effectiveness of the management control framework for grant and contribution programs. As the framework and the Department's programs and their risks evolve, the specific objectives and scope for audit activity in a given year are based upon a current risk assessment conducted during the planning phase. In assessing the adequacy and effectiveness of selected controls, the audit will typically examine their application horizontally, i.e. through a sample of programs and regions.	Maps to Program Alignment Architecture Strategic Outcome: Internal Services Activity: Grants and Contributions Maps to Corporate Risk Profile Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationships External Partnership Grants and contributions are the primary transfer payment vehicles through which AANDC programming is delivered. In addition to being financially material (over $6 billion annually), AANDC continues to implement a strengthened Management Control Framework for Grants and Contributions to achieve the expected improvements reflected in the Policy on Transfer Payments, e.g. risk-based program frameworks, recipient agreements and recipient auditing, reduced reporting burden on recipients. The 2012-2014 audit found that while regions were using eligible funding approaches to flow funding to recipients, the level of recipient risk was not always considered in the establishment/ selection of funding approaches and compliance activities.
Audit of the Northern Contaminated Sites Program	Very High
The preliminary objective of this audit is to determine the adequacy and effectiveness of the management controls established in relation to the objectives of the Department in regard to Northern contaminated sites. The preliminary scope for the audit includes the management practices and controls for identifying, assessing and remediating contaminated sites north of 60° as well as those to ensure compliance with relevant legislation, regulations, guidelines and policies. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks. The Financial Audit of Contingent Liabilities (2014-2015) will provide assurance on the estimation practices of determining contingent liabilities related to the contaminated sites.	Maps to Program Alignment Architecture Strategic Outcome: The North Activities: Contaminated Sites Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Resource Alignment Aboriginal Relationship Legal Environmental Northern contaminated sites are important in that they may pose significant immediate or long-term hazard to human health and/or the environment and represent large actual or contingent liabilities for the Department. The remediation of Giant and Faro mines alone represents significant long-term environmental, financial and human health and safety risks. The remediation of these contaminated sites is funded 80% by Federal Contaminated Sites Action Plan (FCSAP), which sunsets in 2020, leaving questions about long-term funding. The 2012-2013 AANDC internal audit on environmental management and contaminated sites south of 60° noted significant weaknesses in project management practices related to the Giant Mine. There are increased reporting requirements for contingent liabilities related to contaminated sites; a Financial Audit of Contingent Liabilities is also planned for 2013-2014.
Audit of Internal Controls over Financial Reporting	Very High
The preliminary objective of this audit is to assess the Department's readiness to achieve operating effectiveness of Internal Controls over Financial Reporting (ICFR) and to sustain a financial statement audit. The preliminary scope of the audit includes an examination of processes and mechanisms in place for selected key steps within the Treasury Board Policy on Internal Control implementation process and progress towards compliance with the Policy. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: Internal Services Activity: External Reporting, Liabilities Maps to Corporate Risk Profile HR Capacity Information for Decision Making Recent government initiatives such as the development and implementation of Treasury Board's Policy on Internal Control and Policy on Financial Resource Management, Information and Reporting are aimed at strengthening public sector financial management and reporting, as well as internal controls. The Department's contingent and other liabilities are very material in financial terms, reporting requirements related to contingent liabilities are changing and the OAG recently identified weaknesses in this area during their Audit of Internal Controls over Financial Reporting.
Audit of Indian Registration (Qalipu Phase II)	Very High
The preliminary objective of this audit is to provide assurance that the controls related to Phase II of the Qalipu Mi'kmaq Band enrollment process are sufficient to ensure the accuracy of eligibility assessments and the integrity of information captured in the Indian Registration System (IRS). The preliminary scope of the audit includes the Phase II processes and controls designed to assess the eligibility of the applicant to become a founding member of the Qalipu Mi'Kmaq Band and to ensure that registration information is accurately entered into the IRS. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The People Activity: Registration and Membership Maps to Corporate Risk Profile HR Capacity Implementation Aboriginal Relationship Legal Accuracy and integrity of Indian Registration data is key to minimizing false or illegitimate claims for federal funding. In 1989, the Federation of Newfoundland Indians, representing approximately 7,800 members from the nine Mi'kmaq communities across the island, along with Chiefs of six affiliated groups began a Federal Court Action seeking eligibility for registration under the Indian Act and in June 2008, the Agreement for Recognition of the Qualipu Mi'kmaq Band was signed. By November 30, 2009, close to 26,000 applications for membership had been received and by November 30, 2012 the number of applications for Band membership had grown to 101,000. Phase II of the enrollment process, designed to assess the eligibility of the applicant to become a founding member, is currently underway and will be completed by August 2015.
System Under Development Audit of the Secure Integrated Certification and Registration Unit	Very High
The preliminary objective of the audit is to assess the adequacy and effectiveness of the project management framework and controls in place to support the successful completion of the Secure Integrated Certification and Registration Unit project. The preliminary scope of the audit includes an examination of governance, risk management and control practices related to the implementation of Phase I and additionally, the project management practices related to Phase II of the project. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The People Activities: Registration and Membership Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Aboriginal Relationship Effective and successful implementation of Indian Registration System (IRS) and Secure Certificate of Indian Status (SCIS) are important to stakeholders and to AANDC credibility. Accuracy and integrity of IRS data and SCIS cards are key to minimizing false or illegitimate claims for federal funding. In 2010, a Departmental initiative to modernize the IRS was brought into force and is being rolled out in two phases. Phase I will see the integration of Indian registration and card issuance processes through the implementation of common business processes (known as the SIRCU model) and a linkage between the two system applications. Phase II will see the development and implementation of a replacement system for IRS and the SCIS Web Application. Phase II of the project has recently entered stage three of the Department's gating process.
Audit of On-Reserve Infrastructure (excluding Water and Wastewater)	Very High
The preliminary objective of this audit is to assess the adequacy and effectiveness of controls in place to support funding decisions for on-reserve infrastructure projects (including education facilitates, housing and other community infrastructure projects. Water and Wastewater infrastructure will not be in the scope as it subject to a separate audit.). The preliminary scope of the audit includes an assessment of the adequacy of the design of the management control framework to ensure that funding for infrastructure projects are spent in an effective, efficient and timely manner. The preliminary scope also includes an examination of a sample of infrastructure project plans and spending, as well as a series of O&M payments for maintenance of existing infrastructure. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The Land and the Economy Activity: Education Facilities; Housing; Other Community Infrastructure and Activities Maps to Corporate Risk Profile Information for Decision Making Implementation Resource Alignment Aboriginal Relationship Funding for education facilities, housing and other infrastructure projects is significant (approximately $730M budgeted for 2013-2014). Capital funding is susceptible to reallocation by FN to cover their social program commitments or to maintain debts related to housing. As a result infrastructure projects are not made a priority and proper maintenance to the existing infrastructure is often not sustained, leading to premature obsolescence and potential environmental impacts.
Audit of AANDC Support to the Independent Assessment Process	High
The preliminary objective of this audit is to provide assurance over the adequacy, efficiency and effectiveness of the management controls of both AANDC and in particular, the Indian Residential Schools Adjudication Secretariat in meeting their obligations to support the Independent Assessment Process (IAP). The preliminary scope of the audit includes the responsibilities of the Secretariat to support the IAP and the Chief Adjudicator. The preliminary scope does not include those aspects of the independent alternative dispute resolution processes within the IAP that are administered under the direction of the Chief Adjudicator nor will it include any assessment of decisions made by the independent adjudicators. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The People Activity: Independent Assessment Process Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship This program represents a significant financial obligation to the Department with $660M in claims payments budgeted for the next fiscal year. There are delivery risks as the volumes of claims significantly exceed original forecasts. Capacity is strained to process these in a timely manner and failure to do so could result in non-compliance with the IRS Settlement Agreement.
Audit of Northern Oil and Gas	High
The preliminary objective of the audit is to determine whether AANDC is fulfilling its obligations with respect to the regulation and administration of oil and gas resources in the north in an efficient, effective, and controlled manner. The preliminary scope of the audit includes an assessment of the adequacy and effectiveness of the governance, risk management, and internal controls in place to support the effective and efficient execution of AANDC's responsibilities in managing oil and gas resources in the north. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The North Activity: Petroleum and Minerals Maps to Corporate Risk Profile Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship External Partnership Legal Environmental Management of Northern Oil and Gas is very complex and important to the economic development of the North. The initiatives underway in the North (e.g. Beaufort Drilling and Mackenzie Pipeline) are very large with very significant potential environmental impacts and AANDC is now the lead for the McKenzie project. Some areas of responsibility will be devolved to the Northwest Territories effective April 1, 2014, however, AANDC remains responsible for Nunavut.
Audit of Consultation and Accommodation	Very High
The preliminary objective of the audit is to determine whether AANDC's management control framework for consultation and accommodation is sufficient to ensure that the Department is fulfilling its legal "Duty to Consult." The preliminary scope of the audit includes both the support given by the Consultation and Accommodation unit to internal and external stakeholders, as well as the Department's implementation of consultation requirements with Aboriginal people and communities. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The Government Activity: Consultation and Accommodation Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship Legal There are significant legal ramifications and liabilities that result from a failure to properly consult Aboriginal people and communities, or from an expectation that more extensive consultation was required. There are increasing demands on the part of First Nations for engagement and recent court cases have ruled against AANDC on the grounds that sufficient consultation on program changes have not taken place.
Audit of Litigation Management	High
The preliminary objective of the audit will be to assess the adequacy and effectiveness of controls in place to support the efficient and effective, management of litigation files within AANDC and with AANDC's interactions with the Department of Justice. The preliminary scope of the audit includes an examination of the governance, risk management and control practices in place to ensure that the Department's objectives with respect to Litigation Management are met. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: Internal Services Activity: Litigation Management Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship Legal Litigation is a highly complex area with a high degree of sensitivity and visibility, with significant impacts on departmental decisions and Aboriginal relationships. While the number of active litigation files has decreased, the profile on these files and the cost to defend has increased. The Preliminary Survey of Litigation Management (2011-2012) found significant issues that led the Litigation Management and Resolution Branch to initiate a review to address these issues.
Audit of Occupational Health and Safety	High
The preliminary objective of the audit is to provide assurance on the adequacy of AANDC's Management Control Framework over Occupational Health and Safety (OHS) and on the adequacy and effectiveness of controls for ensuring compliance with relevant legislation, regulations, guidelines and policies. The preliminary scope of the audit includes an examination of management's awareness of and compliance with the relevant policies and legislation and the adequacy of the Department's oversight and monitoring regime for OHS. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: Internal Services Activity: Occupational Health and Safety Maps to Corporate Risk Profile HR Capacity Information for Decision Making Resource Alignment Legal Environmental Occupational Health and Safety is an inherently high risk area due to the implications if incidents occur and potential for criminal charges for non-compliance
Audit of ATIP Management	High
The preliminary objective of the audit is to assess the adequacy and effectiveness of controls in place to support the processing of requests related to Access to Information and Privacy (ATIP). The preliminary scope of the audit includes those activities under the Department's responsibility that are related to access to information including the efficiency and effectiveness of control practices and compliance with relevant legislation, policies and procedures. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: Internal Services Activity: ATIP Management Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Legal Access to information is a sensitive area due to possible reputational risks to the Department and the media exposure related to the release of sensitive information. AANDC has a high volume of ATIP requests and there are known process and efficiency issues.
Audit of the Post-Secondary Education Programs	High
The preliminary objective of the audit is to assess the adequacy and effectiveness of the management control framework of the Department's Post-Secondary Education Programs, particularly as it pertains to recent reform initiatives, and that regional controls for administering recipient contributions are effective at ensuring compliance with applicable authorities and policy frameworks. The preliminary scope of the audit includes program design, redesign and approvals, program implementation and program monitoring and reporting. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The People Activity: Post-Secondary Education Maps to Corporate Risk Profile Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship External Partnership Legal Post-Secondary Education Programs are very important to both First Nations and the Department in terms of their support to capacity development and self-sufficiency. The programs are significant from a materiality perspective and audits performed in 2009 and 2011 identified systemic concerns related to unexpended funds and funds not being used for their intended purposes. Program guidelines were strengthened in 2012-2013 and program reform initiatives were launched in 2013.
Audit of the National Child Benefit Reinvestment and Assisted Living Programs	High
The preliminary objective of the audit is to assess the adequacy and effectiveness of the controls in place to support the design, delivery, and monitoring of the National Child Benefit Reinvestment (NCNR) and Assisted Living (AL) programs, including compliance with relevant program authorities and Treasury Board and AANDC policy requirements. The preliminary scope of the audit includes a focus on the recent changes to the program's Management Control Framework to ensure effective governance, stewardship and accountability, both at the headquarters and regional levels. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic The People Activity: National Child Benefit Reinvestment; Assisted Living Maps to Corporate Risk Profile Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship External Partnership Both the National Child Benefit Reinvestment (NCBR) and Assisted Living (AL) programs are social programs that have undergone recent reform. NCBR is complex, with a component that is implemented by HRSDC. AL services a particularly vulnerable population. Payments made for both services are susceptible to possible misappropriation.
Audit of Métis and Non-Status Indian Relations and Métis Rights Management	High
The preliminary objective of the audit is to determine whether AANDC is proactively implementing ways to enhance Métis and Non-Status Indian organizations to build legitimate, stable and democratic methods of representing their members and building capacity and expansion of partnerships with federal and provincial governments and the private sector. The preliminary scope of the audit includes both the work performed by this program sub-activity unit in encouraging verifiable membership systems and the Department's planning and readiness to address possible issues related to the future Supreme Court ruling. The specific objective and scope of the audit will be determined during the planning phase based on an assessment of risks.	Maps to Program Alignment Architecture Strategic Outcome: The Government Activity: Métis and Non-Status Indian Relations and Métis Rights Management Maps to Corporate Risk Profile HR Capacity Information for Decision Making Implementation Resource Alignment Government Partnership Aboriginal Relationship Legal A recent federal court ruling, which has been appealed to the Supreme Court, will potentially include 600,000 Métis and Non-Status Indians to federal jurisdiction. The impact of this decision is uncertain, yet increases the implementation risks of providing programming to a larger pool of recipients.
Management Practices Audit of the Communications Branch	High
The preliminary objective of the audit is to assess the adequacy and effectiveness of selected management practices in regions and sectors of the Department. The scope of the audit will be determined on the basis of risk, as identified through Control Self-Assessment workshops, review of previous audit and review findings, review of priorities, and consideration of other relevant information.	Maps to Program Alignment Architecture: Strategic Outcome: N/A Activity: N/A Maps to Corporate Risk Profile: HR Capacity Information for Decision Making, Implementation Resource Alignment Following the first round of Management Practices Reviews between 2007 and 2010, the Audit and Evaluation Sector prepared a summary report highlighting the strengths and weaknesses of the process. The report led to the initiation of a round of Management Practices Audits (MPAs) beginning in 2011-2012. The MPA approach is more targeted towards a higher level of assurance by taking a two phase approach: a Control Self-Assessment followed by an audit of selected management practices determined on the basis of the auditor's risk assessment. During the 2013-2014 fiscal year the final MPAs of the regions were completed, and in 2014-2015 the remaining sectors will undergo a MPA thereby completing a full round of Management Practice Audits for all AANDC Regions and Sectors.
Management Practices Audits of the Lands and Economic Development Sector	High
The preliminary objective of the audit is to assess the adequacy and effectiveness of selected management practices in regions and sectors of the Department. The scope of the audit will be determined on the basis of risk, as identified through Control Self-Assessment workshops, review of previous audit and review findings, review of priorities, and consideration of other relevant information.	Maps to Program Alignment Architecture: Maps to Corporate Risk Profile: HR Capacity Information for Decision Making Implementation Resource Alignment Following the first round of Management Practices Reviews between 2007 and 2010, the Audit and Evaluation Sector prepared a summary report highlighting the strengths and weaknesses of the process. The report led to the initiation of a round of Management Practices Audits (MPAs) beginning in 2011-2012. The MPA approach is more targeted towards a higher level of assurance by taking a two phase approach: a Control Self-Assessment followed by an audit of selected management practices determined on the basis of the auditor's risk assessment. During the 2013-2014 fiscal year the final MPAs of the regions were completed, and in 2014-2015 the remaining sectors will undergo a MPA thereby completing a full round of Management Practice Audits for all AANDC Regions and Sectors.
OCG Horizontal Internal Audit of Information Technology Security	High
The preliminary objective of the audit is to assess compliance with selected elements of the Policy on Management of Information Technology and the Policy on Government Security (including the Operational Security Standard Management of Information Technology Security (MITS)). The scope of the audit will likely include key practices and processes in place for managing IT security and the level of technical and operational safeguards that exist within and across departments.	Maps to Program Alignment Architecture: Strategic Outcome: Internal Services Activity: IM/IT Security Maps to Corporate Risk Profile: Information for Decision Making Implementation The OCG has identified Information Management as a priority for audit across a representative sample of large and small government departments.

Appendix E – Changes to the Audit Plan

Ongoing Audits

The resource implications of audit projects that began in 2013-2014, but were not completed within that period are identified below as ongoing audits from the 2013-2014 Risk-Based Audit Plan.

2014-2015 Ongoing Audits	Expected Completion Date
Audit of the Management Control Framework for Grants and Contributions (2013-2014)	Q1 2014-2015
Review of Negotiation of Comprehensive Land Claims and Self-Government Agreements	Q1 2014-2015
System Under Development Audit of the Integrated Financial Management System (SAP & GCIMS)	Q1 2014-2015
Audit of Delegation of Authorities, Organization Design and Classification	Q1 2014-2015

Removed, Deferred or Added Audits

The table below identifies all the changes from the 2013-2014 to 2015-2016 Risk-Based Audit Plan.

**Removed or Deferred Audits**
Audit Name and Year Planned	Rationale
Follow-up Audit of the Education Information System (2014-2015)	This audit has been deferred from 2014-2015 to 2015-2016 to coincide with the Audit of the Elementary and Secondary Education Programs.
Audit of Elementary and Secondary Education (2014-2015)	This audit has been deferred from 2014-2015 to 2015-2016 in order to give time for the current education reforms to be implemented.
Post Implementation Audit of DRAP Initiatives (2014-2015)	This audit has been removed as it is no longer considered a very high or high priority.
Audit of IM/IT Security (2014-2015)	This audit has been removed as the OCG Horizontal Internal Audit of Information Technology Security is planned for 2014-2015 and will provide audit coverage in the area. AANDC has volunteered to participate in the audit.
Follow-up Audit of Water and Wastewater (2015-2016)	This audit has been deferred from 2015-2016 to 2016-2017 to allow program reforms to be implemented and was renamed the Audit of Water and Wastewater.
Audit of Information Management (2015-2016)	This audit has been removed as the OCG Audit of Information Management is planned for 2015-2016 and will provide audit coverage in the area. AANDC has elected to participate in the audit.
Follow-up Audit of Lands management (incl. Lands Registry System) (2015-2016)	This audit has been deferred from 2015-2016 to 2016-2017 to allow for the scheduling of higher priority audits at this time.
Audit of Additions to Reserve	This audit has been deferred from 2015-2016 to 2016-2017 to allow for the scheduling of higher priority audits at this time.

**Additions**
Audit Name and Year Planned	Rationale
Audit of Internal Controls Over Financial Reporting (2014-2015)	This audit has been added to address risks associated with recent audit findings in this area.
Audit of Indian Registration (Qalipu Phase II) (2014-2015)	This audit has been added in 2014-2015 as a result of risks identified in this program area (at the request of management).
Systems Under Development Audit of the Secure Integrated Registration and Certification Unit (2014-2015)	This audit has been added in 2014-2015 as a result of risks identified in this program area (at the request of management).
Audit of Consultation and Accommodation (2014-2015)	This audit has been added to address risks related to consultation with First Nations.
Audit of ATIP Management (2014-2015)	This audit has been added to address risks related to the management of ATIP.
Audit of Métis and Non-Status Indian Relations and Métis Rights Management (2014-2015)	This audit has been added to address risks related to this area, including the consideration of a recent court ruling related to Métis and Non-Status Indians rights.
Management Practices Audit of the Communications Branch (2014-2015)	This area has been identified as a high risk during the 2014-2015 RBAP risk assessment process.
Management Practice Audit of the Lands and Economic Development Sector (2014-2015)	This area has been identified as a high risk during the 2014-2015 RBAP risk assessment process.
OCG Horizontal Internal Audit of Information Technology Security (2014-2015)	The OCG is conducting an Audit of Information Technology Security and AANDC has volunteered to participate.
Financial Audit of Contingent Liabilities (including Contaminated Sites) (2015-2016)	This audit has been added as contingent liabilities are materially significant to the Department and prior assurance work has identified significant issues.
OCG Horizontal Internal Audit of Information Management (2015-2016)	The OCG is conducting a Horizontal Internal Audit of Information Management and AANDC has volunteered to participate.
Audit of the Emergency Management Assistance Program (2015-2016)	This area has been identified as very high risk during the 2014-2015 RBAP risk assessment.
Audit of First Nations Government Programs (2015-2016)	This audit has been added to address risks associated with the growing importance of First Nations Government Programs and to address issues identified in previous audits.
Audit of Human Resources Staffing and Planning (2015-2016)	This area has been identified as a high risk during the 2014-2015 RBAP risk assessment.
Audit of Aboriginal Governance Institutions and Organizations Programs (2015-2016)	This audit has been added to address risks associated with the growing importance of Aboriginal Institutions and Organizations and to address issues identified in previous audits.
Audit of Performance Measurement and Reporting (2015-2016)	This area has been identified as a high risk during the 2014-2015 RBAP risk assessment.

Footnotes

Footnote 1

An auditable unit is an activity, program, service or organization of such significance or value that if audited would provide useful information for senior management as to the adequacy of risk management, control, and governance.

Return to footnote 1 referrer

Footnote 2

Assurance over these functions is currently provided in a number of ways. Internal audit and evaluation functions are overseen through the annual Treasury Board Secretariat Management Accountability Framework assessment and are subject to occasional OAG audits. The internal audit function is subjected to an external quality assurance review at least once every five years. The exercise of risk management is regularly audited through program, internal services and management practices audits and would identify systemic functional issues, and the reports of complaints and allegations are routinely subject to intense scrutiny by disclosers and respondents, and in some cases, by the judicial process.

Return to footnote 2 referrer

Did you find what you were looking for?

What was wrong?

I can't find the information

The information is hard to understand

There was an error or something didn't work

Other reason

Please provide more details

You will not receive a reply. Don't include personal information (telephone, email, SIN, financial, medical, or work details).
Maximum 300 characters

Date modified:: 2014-07-29