Audit of the Selection Processes for Recipient Audits
March 2021
Prepared by: Audit and Assurance Services Branch
PDF Version (308 KB, 23 Pages)
Table of contents
Acronyms
| CFRDO |
Chief Finances, Results and Delivery Officer |
|---|---|
| CIAD |
Capacity, Infrastructure and Accountability Division |
| CIRNAC |
Crown-Indigenous Relations and Northern Affairs Canada |
| FNIHB |
First Nations and Inuit Health Branch |
| FNIHB-RO |
First Nations and Inuit Health Branch - Regional Operations |
| GA |
General Assessment |
| ISC |
Indigenous Services Canada |
| NNC |
Nutrition North Canada |
| RAA |
Recipient Audit Assessment |
| RO |
Regional Operations |
| TPAS |
Transfer Payment Advisory Services |
Executive Summary
Context
The Government of Canada provides transfer payment funding to a variety of recipients to further its policy objectives and priorities. Crown–Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada (ISC) administer funding to First Nations, Tribal Councils, Inuit, Métis, northern and other Indigenous and non-Indigenous organizations. This funding is distributed through grants and contributions. Contributions are transfer payments subject to performance conditions specified in the funding agreement and are subject to a recipient audit.
As defined by the Treasury Board, a recipient audit is an independent assessment to provide assurance on a recipient's compliance with a funding agreement. Departments are expected to implement a risk-based selection process for recipient audits to help ensure that transfer payments are managed in a way that reflects sound stewardship, integrity and transparency.
Recipient audits are one of several types of activities in place to support the ongoing departmental monitoring of recipients. Other departmental monitoring activities may include: program compliance reviews; financial statement reviews; the default prevention and management program; recipient reporting; site visits; and other ad hoc communications with recipients to review project progress.
Recipient audits are conducted by Chief Finances, Results and Delivery Officer (CFRDO) of ISC, CFRDO of CIRNAC, and First Nations and Inuit Health Branch (FNIHB) with the support of FNIHB Regional Operations and Regional Operations of ISC.
The Transfer Payment Advisory Services (TPAS) has been designated as the lead for the recipient auditing process for most of CIRNAC and most of ISC. It is a shared service within both CIRNAC and ISC CFRDOs that administers recipient audits for most CIRNAC contribution funding, ISC contribution funding (with the exception of FNIHB contribution funding) and any Indigenous and Northern Affairs Canada legacy funding. Within FNIHB, Capacity, Infrastructure and Accountability Division (CIAD) has been designated as the lead for the recipient auditing process and administers recipient audits for FNIHB contribution funding.
CFRDO and FNIHB each have their own recipient auditing processes. During the audit period, the sectors were collaborating on a new integrated CIRNAC and ISC recipient audit framework, which is expected to be shared with multiple governance committees starting in March 2021 to seek endorsement and then final approval. The date by which the framework will be implemented has not yet been determined. The conduct phase of this audit was substantially completed in November 2020 and the findings reflect observations made up to that time.
Why It Is Important
The audit was identified as a priority because a strong recipient auditing function contributes to independent and risk-based assurance on compliance with funding agreements and complements other recipient monitoring and oversight activities.
What We Examined
The objective of the audit was to provide assurance that CIRNAC and ISC were using risk-based recipient selection processes that supported providing sufficient recipient audit assurance for potentially high risk recipients.
What We Found
Positive Observations
During the audit, many positive observations were identified, including the following:
- TPAS undertook a consistent recipient selection process for certain portions of the process, which included recommending a list of proposed recipients for audit and consulting with FNIHB on joint recipient audit opportunities.
- CIAD documented the qualitative risk intelligence that they used from ongoing monitoring activities to inform recipient selection.
- Joint recipient audits have been considered between TPAS and CIAD in the recipient selection process.
- The Recipient Audit Framework Taskforce was created in 2020 to develop an integrated risk-based recipient audit framework to be applied across CIRNAC and ISC.
Opportunities for Improvement
Areas where management control practices and processes could be improved were identified, resulting in the following recommendations:
- The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance includes how to apply the risk and prioritization criteria, including the support required when recipients that meet the risk and prioritization criteria are not recommended.
- The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how much recipient audit coverage is required to support overall departmental monitoring and oversight.
- The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how to use the information collected from the framework's activities to periodically validate the risk and prioritization criteria.
Overall Conclusion
The audit recognized that the current approaches to the risk-based recipient selection processes will be replaced by the CIRNAC and ISC Integrated Recipient Audit Framework that is being developed. The findings related to the current processes and the draft framework could be used to inform the final framework and its supporting guidance as it is completed, endorsed by governance committees and then ultimately approved.
The audit concluded that there was an opportunity to strengthen the consistency in how recipient selection criteria are assessed, including the requirement for stronger justification for decisions to not include proposed recipients in the recipient audit plan; elaborate on the assurance coverage required to meet the objectives of recipient audits; and to periodically validate that risk-based selection criteria remain aligned with the departmental risk landscape.
Management's Response
Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address the recommendations. The management action plan has been integrated into this report.
1. Context
The Government of Canada provides transfer payment funding to further its policy objectives and priorities to a variety of recipients. Crown–Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada (ISC) administer funding to First Nations, Tribal Councils, Inuit, Métis, northern and other Indigenous and non-Indigenous organizations. This funding is distributed through grants and contributions. Grants are transfer payments with pre‑established criteria that a recipient must meet. Grants are not normally subject to recipient audits. Contributions are transfer payments subject to performance conditions specified in the funding agreement and are subject to a recipient audit.
The Treasury Board provides guidance on recipient auditing through the Guideline on Recipient Audits under the Treasury Board Policy and Directive on Transfer Payments. As per the Guideline, program management is responsible for "determining when recipient audits are necessary to complement other departmental monitoring activities and developing and executing a risk-based framework for these recipient audits". As defined by Treasury Board, a recipient audit is an independent assessment to provide assurance on a recipient's compliance with a funding agreement. The scope of a recipient audit may address any or all financial or non‑financial aspects of the funding agreement.
Accordingly, CIRNAC and ISC are expected to implement a risk-based selection process for recipient audits to help ensure that transfer payments are managed in a way that reflects sound stewardship, integrity and transparency. The level of monitoring achieved through recipient audits should be proportional to the sensitivity, complexity, risk and materiality of the projects, programs, or activities funded, as well as the risk profile of the recipients.
Recipient audits are just one of several types of activities in place to support the ongoing departmental monitoring of recipients. Other departmental monitoring activities may include: program compliance reviews; financial statement reviews; the default prevention and management program; recipient reporting; site visits; and other ad hoc communications with recipients to review project progress.
1.1 How Recipient Audits are Administered
Within ISC
In ISC, recipient audits were conducted by the Chief Finances, Results and Delivery Officer (CFRDO) and the First Nations and Inuit Health Branch (FNIHB) with the support of First Nations and Inuit Health Branch Regional Operations (FNIHB-RO) and Regional Operations (RO).
CFRDO and FNIHB each had their own recipient auditing processes. Within CFRDO, Transfer Payment Advisory Services (TPAS) had been designated as the lead for the recipient auditing process. This group is a shared service that supports CIRNAC and ISC and they administered recipient audits for most CIRNAC contribution funding, ISC contribution funding (with the exception of FNIHB contribution funding) and any Indigenous and Northern Affairs Canada legacy funding. Within FNIHB, the Capacity, Infrastructure and Accountability Division (CIAD) had been designated as the lead for the recipient auditing process and was responsible for administering recipient audits for FNIHB contribution funding.
The difference in approach was also reflected at RO and FNIHB-RO regional offices. RO regional offices were consulted by TPAS on the recipients being recommended for audit within their region only after a draft list was completed. FNIHB-RO regional offices were responsible to select recipients for audit within their region, which were then provided to CIAD towards inclusion in the audit plan. CIAD then created the audit plan based upon risk assessment priorities of the aggregated provided regional lists.
Within CIRNAC
As described earlier, recipient audits of Indigenous and Northern Affairs Canada legacy funding and current CIRNAC funding agreements were administered by TPAS as a shared service.
In addition to the TPAS shared services, there are also recipient audits conducted within CIRNAC by the Northern Affairs Organization through the Nutrition North Canada (NNC) Program. NNC's recipients are registered retailers, suppliers and processors who receive subsidies in the form of either non-advanced contribution funding or advanced contribution funding, if eligible. The NNC program conducts recipient auditing against their funding agreements to ensure the companies have passed the subsidy onto the consumer in the form of a mandatory price discount at the checkout.
Given the nature of the NNC recipient audits and their focus on registered companies that receive subsidies, the NNC recipient auditing process was not included in the scope of this audit.
1.2 Departmental Integration Efforts
As part of the departmental integration efforts, a Recipient Audit Framework Taskforce was created in 2020 to develop an integrated risk-based recipient audit framework and approach that is consistently applied across CIRNAC and ISC and supports departmental objectives related to recipient audits. The Recipient Audit Framework Taskforce is comprised of stakeholders from various CIRNAC and ISC regional offices and Headquarters. At the time of this audit, the Recipient Audit Framework Taskforce members were working collaboratively on the development of a new integrated recipient audit framework for CIRNAC and ISC. The new recipient audit framework is expected to be shared with multiple governance committees starting in March 2021 to seek endorsement and then final approval. The date by which the framework will be implemented has not yet been determined. The conduct phase of the audit was substantially completed in November 2020 and the findings reflect observations made up to that time.
2. About the Audit
The Audit of the Process of Recipient Auditing was initially included in the CIRNAC and ISC Risk‑Based Audit Plan for 2018-19 to 2019-20 and then included again in the CIRNAC and ISC Risk-Based Audit Plan for 2020-21 to 2021-22.
2.1 Why It Is Important
The audit was identified as a priority because a strong recipient auditing function contributes to independent and risk-based assurance on compliance with funding agreements and complements other recipient monitoring and oversight activities.
2.2 Audit Objective
The objective of the audit was to provide assurance that CIRNAC and ISC were using risk‑based selection processes that supported providing sufficient recipient audit assurance for potentially high risk recipients.
2.3 Audit Scope
The scope of the audit included the examination of the process for recipient auditing within CIRNAC and ISC. The audit covered the activities related to the recipient auditing selection processes within CFRDO CIRNAC, CFRDO ISC, RO, FNIHB, and FNIHB-RO (National Capital Region and in the departments' regional offices).
The audit focused on recipient selection process activities between fiscal years 2017-18 and 2019-20. The development of the new recipient audit framework was considered up to November 2020.
This audit excluded the recipient selection process conducted within CIRNAC by Northern Affairs Organization through the NNC program. As grants are not normally subject to recipient audits, grants were also excluded from the scope of this audit.
2.4 Audit Approach and Methodology
The audit was conducted in accordance with the requirements of the Treasury Board Policy on Internal Audit and followed the Institute of Internal Auditors International Professional Practices Framework. The audit examined sufficient, relevant evidence and obtained sufficient information to provide a reasonable level of assurance in support of the audit conclusion.
Audit fieldwork was substantially performed from October 2020 to November 2020. The main audit techniques used included:
- Interviews with key stakeholders involved in the recipient selection processes;
- Process walkthroughs of recipient selection processes;
- Review of relevant documentation related to recipient selection, including policies, operational procedures and guidelines; and
- Data analysis of recipient selections, including coverage of highest assessed General Assessment (GA) risk ratings, other risk factors, overall funding and regions.
The approach used to address the audit objective included the development of audit criteria, against which observations and conclusions were drawn. The audit criteria can be found in Appendix A.
3. Key Findings and Recommendations
3.1 Recipient Selection Processes for Individual Funding Agreements and Coordination for Joint Recipient Audits
Treasury Board provided guidance on recipient auditing through the Guideline on Recipient Audits Under the Policy on Transfer Payments. The guideline outlined that a risk management model should be designed at a recipient and project level to inform a broader risk-based plan for assurance at a program and departmental level. Moreover, the process should be clearly documented, including when decisions should be made using sample selection or the manager's discretion.
Based on Treasury Board guidance, it was expected that both TPAS and CIAD would demonstrate consistent and transparent processes for their respective recipient selection. As explained earlier in the report, each group's individual process was not expected to continue once the integrated CIRNAC and ISC Recipient Audit Framework is implemented. The findings made in this section can be leveraged as the integrated framework and its supporting guidance are finalized.
Risk
There is a risk that within each recipient selection process, the approach may not be consistently applied to recipients.
Findings
3.1.1 Transfer Payment Advisory Services
Process
For the recipient selection process used by TPAS for recipients receiving CIRNAC funding, ISC funding (with the exception of FNIHB funding), and/or Indigenous and Northern Affairs Canada legacy funding, selection process included:
- Consulting with counterparts within FNIHB to identify common recipients between the two ISC funding streams and determining how many joint recipient audits should be included in the audit plans;
- Generating a preliminary list of recipients with high risk GA ratings (in the prior fiscal year) for consideration;
- Carrying forward any recipient audits planned for prior years that were deferred/postponed;
- Generating a random sample of recipients with medium or low risk GA ratings (in the prior fiscal year) for consideration; and
- Consulting with RO regional offices to obtain their input on recipients proposed for recipient audits.
The TPAS methodology also noted that both Treasury Board and CFRDO recommended including as many recipients with high risk GA ratings as possible and any recipient that was removed from the proposed selection needed proper justification as to why they should not be on the audit plan.
Consistency
It was observed that steps 1 to 4 listed earlier were performed consistently. This was expected as these steps were defined and managed solely by TPAS.
TPAS used a central tracking spreadsheet to seek regional input on recipients recommended for audit as referred to in step 5. Despite the use of a common approach, the input received from regional offices was not consistent. For example, review of the 2018-19 list of proposed recipients identified 13 instances within a list of 51 recommended individual and joint recipient audits where the regional offices recommended to remove proposed recipients, including several recipients with high risk GA ratings. Rationale to support these recommendations was not consistently consolidated and captured in the central tracking spreadsheet. It was explained by TPAS that these decisions were likely made through email correspondence but they were not readily available for review by the auditors.
Within TPAS, there was no documented guidance on how to appropriately justify not recommending a recipient that was on the proposed list of recipients. Treasury Board guidance recommended documenting the rationale for any managerial discretion used in the recipient selection process.
3.1.2 Capacity, Infrastructure and Accountability Division
Process
For the recipient selection process used by CIAD for recipients receiving funding under ISC funding agreements delivered by FNIHB-RO regional offices, CIAD allocated an equal pre‑determined budget amount for the cost to perform recipient audits to each regional office. The regional offices used professional judgment guided by a set of risk factors to select the corresponding number of recipients for audit in a fiscal year.
There was no overarching process documentation (at headquarters-level) used by all FNIHB‑RO regional offices to select recipients for audits and some regions did not have any documented processes for their recipient selection.
FNIHB-RO regional offices selected recipient audits through documenting a rationale guided by risk factors (e.g. ongoing monitoring findings) within the Recipient Audit Assessment (RAA) form used by all regional offices. The RAA form was completed for all selected recipients and all high risk recipients that were not selected. Based on the pre-determined budget amount for the cost to perform recipient audits allocated to that regional office, a certain number of recipients were recommended for audit by the regional office. These forms were sent to CIAD, which used them to prepare the FNIHB Recipient Audit Plan. CIAD indicated that there was a limited challenge function at Headquarters of the recipients selected for audit by FNIHB-RO regional offices.
Consistency
The RAA form allowed recipients to be assessed based on the same list of possible risk factors. These included:
- High or medium risk GA ratings;
- Findings from ongoing monitoring;
- Recipient's activities that did not fulfill terms and conditions of an agreement;
- Evidence of mismanagement of funds;
- Failure to address issues previously agreed upon for remedial action;
- Irregularities identified in previous audits;
- Targeted selection for audit (e.g., recipient selected for audit based on materiality or length of time since last audit); and,
- Other.
The risk factors identified on the RAA forms were not used consistently. Based on a review of RAA forms within the audit period, it was found that the most commonly used risk factors were "Targeted selection for audit" and "Other". The "Findings from ongoing monitoring" and "High/Medium-Risk GA Score" risk factors were used less. The remaining risk factors were not often used.
The way the RAA forms were filled out was not consistent. The "Other" risk factor was used to reflect risk information that could have been captured in specific risk factor fields. For example, risk information related to missed/late recipient reports, surplus/deficit funding, possible accounting challenges, possible non-compliance, program/funding types of interest, and recent funding increases/reallocation could have been recorded under the specific risk factor to which it related.
The overall assessment of the identified risk factors was not consistent because each regional office only considered the risk profiles of the recipients for which they were responsible. The budget that was allocated for each regional office for recipient audits determined how many recipients would be selected by that regional office. Selection was based on an assessment of risks within that specific regional office's pool of recipients rather than risks of all the recipients that received ISC funding delivered by FNIHB.
While there was a standardized RAA form with risk factors, consistency was hindered by limited guidance on how to complete the form and the limited challenge function available for the completed RAA forms.
3.1.3 Joint Recipient Audits
A joint recipient audit at CIRNAC and ISC involved a coordinated approach to assess two or more funding agreements of a single recipient. The joint recipient audit assessed compliance with the terms and conditions of separate funding agreements that were signed by ISC or by CIRNAC and ISC.
Given that TPAS and CIAD followed a practice of ensuring recipients were not audited more than once in any given five-year period, it was expected that strong coordination practices were in place between the two groups to consider joint recipient audits for any common recipients proposed for audit.
Process
As described earlier, the current TPAS methodology for recipient selection had an initial step to consult with counterparts within FNIHB to identify common recipients eligible for a joint recipient audit and to determine the number of joint recipient audits that should be included in the audit plan. Moreover, representatives within FNIHB-RO regional offices indicated that they sometimes reached out to their counterparts in RO regional offices to informally discuss and coordinate joint recipient audit opportunities.
Consistency
The different planning and approval processes and timelines used by TPAS and FNIHB for the recipient selection process created an inconsistent approach to identifying joint recipient audits, which resulted in a recent reduction in joint recipient audits. Specifically, there were 15 joint recipient audits in the 2018-19 recipient audit plans but only three joint recipient audits in the 2019-20 recipient audit plan. The impact of the different planning and approval cycles was magnified by the departmental approach of not auditing a recipient more than once every five years.
3.1.4 Recipient Auditing Framework
The draft Recipient Auditing Framework proposed an integrated approach with foundational elements and principles that supported a cycle of activities for the entire recipient auditing process. With respect to the recipient selection process, the draft framework proposed risk criteria, risk indicators with data sources as well as risk scales, scoring and a ranking approach. The proposed risk criteria for recipient selection considered characteristics of the recipient themselves as well as considerations related to the funding and the program or activity under which the funding was delivered. The prioritization criteria considered additional context, such as the default status of recipients; the recentness of previous recipient audits; plans to include the recipient in upcoming management assurance work; and specific requests for a recipient audit.
At the time of this audit, the draft framework identified that the development and approval of the risk-based recipient audit plan would be supported by a collaborative, coordinated and integrated approach. The design of this process appeared to address any previous challenges in the selection of joint recipient audits or the challenge function for the proposed recipients. The draft framework did not elaborate on the process by which regional offices would justify not recommending a recipient that was proposed through the selection process.
Recommendation
1. The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance includes how to apply the risk and prioritization criteria, including the support required when recipients that meet the risk and prioritization criteria are not recommended.
3.2 Recipient Audit Coverage
CIRNAC and ISC had several types of activities in place to support the ongoing monitoring and oversight of funding agreements. These activities included program compliance reviews, financial statement reviews, the default prevention and management program, review of program or recipient reporting, site visits, and other ad hoc communications with recipients to review project progress.
Recipient auditing was one of several types of assurance activities in place to support ongoing departmental monitoring and oversight of recipients. As per the Treasury Board Guideline on Recipient Audits, recipient monitoring, reporting and auditing should reflect risks specific to the program(s), the value of funding in relation to administrative costs and the risk profile of the recipient. Accordingly, it was expected that there was alignment between the recipients selected for recipient audits and the three criteria identified by Treasury Board.
Risk
There is a risk that the oversight provided by recipient auditing may not be sufficient to provide CIRNAC and ISC with the assurance that is required.
Findings
Within the TPAS and CIAD processes, the role of recipient auditing within departmental oversight had not been defined using any specific measurements or targets, which established the assurance that it was expected to contribute to departmental monitoring and oversight. Without a sense of what was expected to be achieved, the audit could not assess if the current assurance coverage met departmental needs. The following section simply describes the recipient audit coverage using the three criteria identified by Treasury Board.
3.2.1 Risks Specific to the Programs
The audit team did not observe any methods in the current recipient selection processes to link the recipient audits selected with risks, specific to the programs responsible for the funding.
3.2.2 The Value of Funding in Relation to Administrative Costs
While the recipient audit plans do not identify the total amount of funding for which recipient auditing provided assurance, a presentation to management noted that TPAS and CIAD's recipient audit coverage was six percent for the 2019-20 CIRNAC and ISC recipient plan.
3.2.3 The Risk Profile of the Recipient
As part of the contributions agreement process, CIRNAC and ISC undertook a risk assessment process each year to assess and score the risk of each recipient. This annual assessment was used to determine the risk profile of recipients based on the following risk factors: Governance, Planning, Financial Management and Program Management. The output of this risk assessment process was referred to as a GA score, which corresponded to a risk rating of low risk, medium risk and high risk.
While TPAS and FNIHB-RO have different approaches for selecting recipients, both processes considered the GA risk rating and other risk criteria of the recipients.
Recipients with high risk GA ratings were considered for recipient audit. As previously described in Section 3.1.1, there was no documented guidance to define an acceptable rationale for excluding recipients with high risk GA ratings from consideration for the recipient audit plan. The validity of the available rationales to support why high risk recipients were not included in the recipient audit plan could not be assessed.
For the purpose of this audit, the recipient audit plans were analyzed to determine what portion of the recipients that were audited had a high risk rating. Figures 1 and 2 provide a summary of risk ratings among selected recipients between 2017-18 and 2019-20. For further context, there were 57 recipients with a high risk rating during that time period.
Figure 1 TPAS: Distribution of risk ratings among selected recipients
Text alternative for Figure 1 TPAS: Distribution of risk ratings among selected recipients
Figure 1 Bar chart representing the Transfer Payments Advisory Services’ distribution of risk ratings among selected recipients for fiscal years 2017-2018, 2018-2019 and 2019-2020.
- 11 low risk, 10 medium risk and 2 high risk recipients were selected for audit in fiscal year 2017-2018.
- 15 low risk, 6 medium risk and 4 high risk recipients were selected for audit in fiscal year 2018-2019.
- 10 low risk, 2 medium risk and 1 high risk recipients were selected for audit in fiscal year 2019-2020.
Figure 2 CIAD: Distribution of risk ratings among selected recipients
Text alternative for Figure 2 CIAD: Distribution of risk ratings among selected recipients
Figure 2 Bar chart representing the Capacity, Infrastructure and Accountability Division’s distribution of risk ratings among selected recipients for fiscal years 2017-2018, 2018-2019 and 2019-2020.
- 15 low risk, 12 medium risk and 3 high risk recipients were selected for audit in fiscal year 2017-2018.
- 17 low risk, 5 medium risk and 2 high risk recipients were selected for audit in fiscal year 2018-2019.
- 20 low risk, 2 medium risk and 1 high risk recipients were selected for audit in fiscal year 2019-2020.
3.2.4 Recipient Auditing Framework
The draft integrated recipient audit framework included risk criteria and risk prioritization considerations to reflect risks specific to the program(s), the value of funding and the risk characteristics of the recipient. Recommendation #1 will ensure that the documented guidance will provide clarity on how these risk and prioritization criteria should be applied.
The draft integrated audit framework established that the objective of recipient auditing included meeting management's independent assurance needs while complementing, but not duplicating, management assurance obtained through other monitoring and oversight activities. At the time of the audit, there was no documentation to elaborate on how much assurance coverage was required from recipient auditing to meet the objective of recipient monitoring, reporting and auditing as a whole.
Recommendation
2. The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how much recipient audit coverage is required to support overall departmental monitoring and oversight.
3.3 Alignment of Selection Criteria with Risk Landscape
The risk landscapes of CIRNAC and ISC are continuously evolving. The risk in programs, the amount of funding being delivered by each department and the risk profiles of recipients change as a result of many factors, including lower risk recipients moving to 10-year grants rather than contribution agreement funding, new programs being delivered and more contribution agreement funding being delivered by CIRNAC and ISC.
It was expected that the selection criteria used for recipient audits would be updated periodically to remain aligned with the departmental risk landscape.
Risk
There is a risk that the recipient selection criteria may target recipients and funding that do not reflect the current objectives of the management oversight activities.
Findings
TPAS and CIAD did not have a defined approach for updating the recipient selection criteria based on trends in past recipient audit results or identified changes to the departmental risk landscape. In some cases, it was indicated that post-mortem analysis of audit results (e.g. management letters) versus selection criteria (e.g. GA risk ratings) was being performed; however, it was not readily accessible for sharing with the audit team.
It was indicated that a purpose-built Grants and Contribution Information Management System module for the end-to-end recipient auditing process was being tested and prepared for deployment. The intent of the module will be to better capture documentation and decisions, including the recipient selection process, audit conduct and audit closure/follow-up. The module is expected to act as an enabler for any future retrospective analysis or post-mortem reviews of audit results versus selection criteria.
3.3.1 Recipient Auditing Framework
The draft CIRNAC and ISC Recipient Audit Framework included a process step referred to as "post-mortem and continuous improvement". The analysis will be utilized to maintain and strengthen the Recipient Audit Framework, approach, risk criteria, guides and templates. The draft framework also recognized that there were linkages between recipient auditing and other departmental activities and functions. These linkages included multiple sources of information, such as other recipient level oversight by regional offices, the Departmental Capacity Development Framework, program-specific compliance and quality assurance activities as well as results of internal audits, evaluations and investigations. At the time of the audit, there was no documentation to provide further explanation of how information from these identified linkages, the future Grants and Contribution Information Management System module and the continuous improvement activities would be used to validate the risk and prioritization criteria.
Recommendation
3. The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how to use the information collected from the framework's activities to periodically validate the risk and prioritization criteria.
4. Conclusion
The audit recognized that the current approaches to the risk-based recipient selection processes will be replaced by the CIRNAC and ISC Integrated Recipient Audit Framework that is being developed. The findings related to the current processes and the draft framework could be used to inform the final framework and its supporting guidance as it is completed, endorsed by governance committees and then ultimately approved.
The audit concluded that there was an opportunity to strengthen the consistency in how recipient selection criteria are assessed, including the requirement for stronger justification for decisions to not include proposed recipients in the recipient audit plan; elaborate on the assurance coverage required to meet the objectives of recipient audits; and to periodically validate that risk-based selection criteria remain aligned with the departmental risk landscapes.
Areas where management control practices and processes could be improved were identified, resulting in the following recommendations:
- The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance includes how to apply the risk and prioritization criteria, including the support required when recipients that meet the risk and prioritization criteria are not recommended.
- The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how much recipient audit coverage is required to support overall departmental monitoring and oversight.
- The Chief Finances, Results and Delivery Officer, CIRNAC, the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how to use the information collected from the framework's activities to periodically validate the risk and priority criteria.
Statement of Conformance
This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.
5. Management's Response
| Recommendations | Management Response / Actions | Responsible Manager | Planned Implementation Date |
|---|---|---|---|
| 1. The Chief Finances, Results and Delivery Officer, CIRNAC; the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance includes how to apply the risk and prioritization criteria including the support required when recipients that meet the risk and prioritization criteria are not recommended. | The Chief Finances, Results and Delivery Officer, CIRNAC; the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch, are and will remain accountable for their respective audits of recipients. They are collaborating through the Recipient Audit Framework Taskforce in the current development of a new and integrated ISC/CIRNAC Recipient Audit Framework, Recipient Audit Directive, processes and guidance tools to be approved in fiscal year 2021-22. Membership of the Recipient Audit Framework Taskforce includes representatives from Transfer Payments Advisory Services (under the Chief Finances, Results and Delivery Officer ISC), the Capacity, Infrastructure and Accountability Division (under the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch), Regions, as well as both ISC and CIRNAC programs. These documents will formalize a new standard recipient audit selection process that will take into account how to apply an agreed-upon risk-based selection criteria, where senior management will be involved in the decisions to recommend (or not recommend) audits all recipients who meet the criteria, with documented rationale. If recipients meeting the criteria are not recommended for audits, the justification will be documented as part of the process with a new standard recipient selection form to be developed. Key Deliverables: 1.1 Approval of new and integrated ISC/CIRNAC Recipient Audit Framework and Directive 1.2 Approval and rollout of processes and guidance tools |
Director, Transfer Payments Advisory Services And Director, Capacity, Infrastructure and Accountability Division |
Complete development of Framework/Directive and tools suite: 2021-22 Q1-Q2 Presentations to governance and approvals: 2021-22 Q3-Q4 Approval and publication of new Framework/Directive, and guidance tools: March 31, 2022 |
| 2. The Chief Finances, Results and Delivery Officer, CIRNAC; the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how much recipient audit coverage is required to support overall departmental monitoring and oversight. | The Transfer Payment Advisory Services Directorate will, through the Recipient Audit Framework Taskforce, include in the new integrated Recipient Audit Directive and supporting documents under development, guidance on recipient audit coverage level that supports the overall departmental monitoring and oversight obligation. Key Deliverables: 2.1 Inclusion of content in the new integrated Recipient Audit Directive and supporting documents under development, to provide guidance on recipient audit coverage level that supports the overall departmental monitoring and oversight obligation 2.2 Approval of new and integrated ISC/CIRNAC Recipient Audit Framework and Directive |
Director, Transfer Payments Advisory Services And Director, Capacity, Infrastructure and Accountability Division |
Complete development of Framework/Directive and tools suite: 2021-22 Q1-Q2 Presentations to governance and approvals: 2021-22 Q3-Q4 Approval and publication of new Framework/Directive, and guidance tools: March 31, 2022 |
| 3. The Chief Finances, Results and Delivery Officer, CIRNAC; the Chief Finances, Results and Delivery Officer, ISC and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch should ensure that the CIRNAC and ISC Integrated Recipient Audit Framework's guidance elaborates on how to use the information collected from the framework's activities to periodically validate the risk and prioritization criteria. | The new Integrated ISC/CIRNAC Recipient Audit Directive under development will reflect the use of the information collected from the framework's activities to periodically validate the risk and prioritization criteria by leveraging the Grants and Contributions Information Management System Recipient Audit Module currently in development, on the audit report results. Under this new directive the information will allow ISC and CIRNAC to be nimble in responding to emerging risks. The Recipient Audit Module of the Grants and Contributions Information Management System is being developed to allow for recording and reporting of recipient audit information for audit trail purposes. Key Deliverables: 3.1 Approval of new and integrated ISC/CIRNAC Recipient Audit Framework and Directive |
Director, Transfer Payments Advisory Services And Director, Capacity, Infrastructure and Accountability Division |
Complete development of Framework/Directive and tools suite: 2021-22 Q1-Q2 Presentations to governance and approvals: 2021-22 Q3-Q4 Approval and publication of new Framework/Directive, and guidance tools: March 31, 2022 |
Appendix A: Audit Criteria
To ensure an appropriate level of assurance to meet the audit objectives, the following audit criteria were developed to address the objectives.
Audit Criteria
1. The recipient selection processes are aligned to support a comprehensive approach at the development level.
1.1 The recipient selection processes are applied consistently within TPAS and CIAD to all recipients that receive departmental funding.
1.2 The recipient selection processes are coordinated between TPAS and CIAD.
2. The recipient selection processes provide sufficient coverage at the departmental level.
2.1 The recipient selection processes provide sufficient departmental coverage of recipients with the highest levels of assessed risk.
3. The recipient selection processes are based on risk criteria that remain relevant to the Department.
3.1 The selection criteria are updated to reflect the risk landscape from the past completed recipient audits and the current departmental risk perspective.