RISK-BASED AUDIT PLAN 2012-2015

(Download the report)

Contents

Executive Summary

The Natural Resources Canada (NRCan) three year risk-based audit plan has been prepared in accordance with the applicable requirements of the revised July 2009 Treasury Board (TB) Policy on Internal Audit and related directives and guidelines, and the professional standards of the Institute of Internal Auditors (IIA).  The risk-based audit plan includes internal audit projects for a 3 year period from 2012-13 to 2014-15.

The Planning Context

Since the adoption of the 2006 Treasury Board Policy on Internal Audit (revised July 2009), the Audit Branch has continued to refine its risk-based planning approach each year with further improvements consistent with Treasury Board guidance to Chief Audit Executives (CAE). The Audit Branch uses a similar audit planning approach to the Office of the Comptroller General (OCG).

All potential audit projects were discussed with senior management and the Departmental Audit Committee, with particular emphasis on the projects planned for 2012-13 (first year of the three-year Audit PlanFootnote 1), given that future year projects are re-assessed on an annual basis.  Continued efforts were made this year to align planning efforts with the ongoing work in establishing a departmental risk management framework and Corporate Risk Profile. Also, government and departmental priorities were validated with senior management and the Departmental Audit Committee to ensure greater alignment of planned audits to the key and highest priority areas.

A quality review process was applied throughout the planning cycle, to ensure that:

  • The audit planning process is aligned with the Department’s strategic objectives.
  • The perspectives of the Executive Committee and the Departmental Audit Committee are considered in audit planning. Senior management are involved in the process.
  • All programs, projects and activities of the Department are considered for audit, subjected to a risk assessment, and ranked in order of priority.
  • Appropriate audit objectives for each audit selected have been established.
  • The plan is prepared in a timely manner and distributed to the appropriate levels of management.
  • A process for selection of audit projects is documented and includes criteria such as past audit coverage and results, materiality, significance to management, risk based on a standardized methodology, auditability, audit projects not completed from the previous year’s plan, organizational priorities, opportunities for improvement and legislated or other mandated obligations.

The audit plan is focused predominantly on the provision of assurance and supports annual overview reporting by the Chief Audit Executive on departmental risk management, control and governance processes.

The Planning Process

The starting point for the risk-based selection process is NRCan’s internal audit universe.  The audit universe represents a potential range of all audit activities and is comprised of a number of auditable entities.  The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan’s inventory of external legislated services to help assess completeness of the audit universe.

The next stage is to prioritize the audit universe based on a risk assessment.  This is a two step process and involves preliminary and final prioritization. This includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework (MAF) assessment, strategic review, business planning, the Report on Plans and Priorities (RPP), departmental and government priorities, the most recent tabled financial statements, other considerations such as previous audit results (both internal and external) and planned program evaluations.

Consideration is given to other factors such as senior management requests; the Departmental Audit Committee (DAC) advice and recommendations; mandated audits such as Office of the Comptroller General's horizontal directed audits; planned audits by other assurance providers.

Finally the draft audit plan is distributed to Departmental Audit Committee for review and recommendation to the Deputy Minister (DM) for approval.

The following diagram highlights the four key phases used in the selection porcess for the development of a robust risk-based audit plan.

the four key phases used in the selection porcess for the development of a robust risk-based audit plan
Text Version

The four key phases used in the selection process for the development of a robust risk-based audit plan

This figure highlights the four key phases used in the selection process for the development of a robust risk-based audit plan. It covers the starting point of the selection process that determines potential NRCan auditable entities covering a 3 year period to its final recommendation. The first large block represents the potential range of auditable components which include departmental programs, activities, processes, structures and initiatives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to help assess completeness of the audit unviverse. There are approximately 150 auditable entites based on the PAA and the sectors.

The next stage is to prioritize the audit universe based on a risk based assessment. This is a two step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk, impact and control. Sixty-four projects were identified during the preliminary prioritization (as in the 2nd large block). The final 2 steps are to rank the priority of the proposed audits and to recommend them for approval in the 3 year audit plan (as in the final 2 large blocks).

 

Environmental Scanning

  • Government Priorities
  • Departmental Priorities
  • Corporate Risks
  • Strategic and Operating Review
  • Business Planning
  • MAF Assessment
  • Consultations with management

Other Considerations

  • Core audit requirements (TB MAF)
  • CAE annual overview report
  • Mandated priorities
  • Central Agency audits (e.g OAG, OCG)
  • Previous NRCan internal audits
  • Time since last audit
  • Audit Branch capacity
  • Program Evaluations

Prioritization

  • Final discussions with senior management
  • Senior management requests
  • Audit Committee requests
  • Focus on first year proposed audit projects
  • Evaluation Plan

The Planning Results

In total, twenty six new “highest priority” internal audit projects are planned for the next three years.  For each proposed audit project, the plan provides a clear indication of the preliminary objective and scope. An indication of resource requirements, in terms of start and end date to conduct the audits is provided.

The following table summarizes the number of new internal audit projects selected for each year along with the number of special advisory projects, carry-forward audits from 2011-12 and scheduled Office of the Comptroller General (OCG) horizontal directed audits since OCG audits might involve performing the audit work for the examination phase.

Type of Audit Project 2012-13 2013-14 2014-15
New Internal Audit Projects 8 8 10
Carry-Forward Audits From Prior Year 3 3 2
OCG – Horizontal Directed Audits 1 1 1
TOTAL 12  12  13

Two audit projects (CANMET Relocation and Real Property Management) were finalized at fiscal year end but their presentation to the Audit Committee could only be performed in 2012-13 due to a reporting time lag.  These audit projects are not considered carry-forward audits since they are essentially completed, as they do not require any significant audit work in the new fiscal year.

The following two tables provide a listing of audit projects being carried forward from 2011-12 and the new “highest priority” internal audit projects for fiscal years 2012-13, 2013-14 and 2014-15.

Carry Forward Audits
2011-12
Information Management 
Electronic Payments System
Strategic Review Implementation
2012 - 2013 2013 - 2014 2014 - 2015
  • Investments in Forest Industry Transformation Program (CFS) [22Footnote 2] *
  • Access to Information and Privacy (PAPMS and NRCan) [50]
  • Integrated Business Planning and Reporting (SPI) [15]
  • ecoENERGY for Renewable Power (ES) [6]
  • Automated Pay Interface (CMSS-SSO) [5]
  • Green Mining Initiatives (MMS) [12]
  • Conversion Process for SAP Opening Balances
    (CMSS-FMB) [26]
  • Business Continuity and IT Disaster Recovery Planning (NRCan) [3]
  • Targeted Geoscience Initiative 4 (ESS) [46]
  • SAP Functionalities (NRCan) [27]
  • Polar Continental Shelf Project (ESS) [44]
  • Port Hope Area Initiative (ES) [7]
  • Internal Controls Over Quarterly Financial Reporting (CMSS-FMB) [28]
  • ecoENERGY Innovation Initiative (ES & IETS) [40]
  • Climate Change Impacts and Adaptation (ESS) [9]
  • Economic Action Plan 2012 Implementation (SPI and NRCan) [13]
  • Communication Function Review (PAPMS) [51]
  • Web Standards (CMSS-IMB) [31]
  • IT Certification and Accreditation Program (CMSS-IMB) [35]
  • Offshore Statutory Transfer Payments (CMSS-FMB) [41]
  • End-User Service Transformation (CMSS-IMB) [34]
  • Enterprise Document Management System – GCDocs (CMSS-GCDOCS and NRcan) (System Under Development Audit) [30]
  • New Values & Ethics Code (CMSS / IETS / Legal) [2]

 

  • Program of Energy Research and Development (ES & IETS) [47]
  • External Legislated Services (NRCan) [49]
  • User Fees and Regulatory Charges (NRCan) [55]

* The Investments in Forest Industry Transformation (IFIT) audit will be coordinated with the OAG.

Continuous Auditing Projects

The Audit Branch has developed as part of this year’s Audit Plan an approach with the intent to roll-out an effective and sustainable continuous auditing process to support the Internal Audit function, and support management needs regarding the Policy on Internal Controls.

The Audit Branch will apply continuous auditing at NRCan to proactively identify potential control issues and report regularly on an on-going basis on various processes in order to assist management with improving control mechanisms and managing risks. This work will be performed in accordance with the IIA Standards in order to provide reasonable assurance. Continuous auditing will be exercised in a structured approach. This process is linked to the RBAP and leverages existing audit projects.

The following table summarizes the continuous auditing projects planned for the next three-years.

Audit Risk Estimated SpendingFootnote 3 Project Name Fiscal Year
2012-2013 2013-2014 2014-2015
High $1.2 B
over 5 years
1 – ecoEnergy Retrofit Homes Program x n/a n/a
High $425 M
2010/2011
2 – Supplier Payments x x x
Moderate $20 M
Annually
3 – Acquisition Cards x x x
High $212 M
2010/2011
(contracts > $10,000)
4 – Contracting   x x
Moderate $20 M
2010/2011
5 – Hospitality and Travel Expenses   x x
Moderate $501 M
2010/2011
6 – Salary Expenses     x

2012-13 Advisory/Review Projects

As an adjunct to the assurance role, the TB Policy on Internal Audit (section 3.7) indicates that internal auditors will also provide advisory services to their organizations.  Notwithstanding a clear emphasis on assurance work, the Audit Branch also undertakes advisory services as requested from time to time by senior management. Examples include interpretation of recipient audit reports, program reviews and consultation on new processes.

Central Agencies Audit Projects for 2012-13

The Department is subject to audits by various external central agencies (e.g. Office of the Comptroller General (OCG), Office of the Auditor General (OAG), Commissioner of the Environment and Sustainable Development (CESD), Public Service Commission (PSC)).  The following table provides a listing of external audit projects being carried forward from 2011-12 and proposed planned external audit projects for fiscal year 2012-13.

Office of the Comptroller General (OCG) Horizontal Internal Audit of Financial Forecasting [4] **
Office of the Auditor General (OAG) Audit of Public Accounts 2011-12
Performance Audit of Grants and Contribution programs
Public Security and Anti-terrorism Initiative Retrospective
Study of Cyber Security
Commissioner of the Environment and Sustainable Development (CESD) Audit of Offshore Petroleum Board
Audit of Financial Impact of Environmental Risks – Part 1
Audit of Financial Impact of Environmental Risks – Part 2
Follow-up on Groundwater Mapping Audit
Performance Audit of Biodiversity
Study of the Federal Support to the Fossil Fuel

** The Financial Forecasting horizontal audit is aligned with OCG horizontal risk-based audit plan.
At the time of producing this plan, NRCan was not informed of new audit projects from other central agencies such as the Public Service Commission.

Acronyms

The following acronyms are used in this document:

CAE Chief Audit Executive
CESD Commissioner of the Environment and Sustainable Development
CFS Canadian Forest Service
CMSS Corporate Management & Services Sector
CRP Corporate Risk Profile
DAC: Departmental Audit Committee
DM Deputy Minister
ES Energy Sector
ESS Earth Sciences Sector
FMB Financial Management Branch
G&C Grants and Contributions
GCDOCS GCDOCS project
GFS Government Financial System
IETS Innovation and Energy Technology Sector
IFIT Investments in Forest Industry Transformation
IIA Institute of Internal Auditors
IM Information Management
IMB Information Management Branch
IT Information Technology
MAF Management Accountability Framework
MMS Minerals and Metals Sector
N/A Not Applicable
NRCan Natural Resources Canada
OAG Office of the Auditor General
OCG Office of the Comptroller General
PAA Program Activity Architecture
PAPMS Public Affairs and Portfolio Management Sector
PSC Public Service Commission
RBAP Risk-Based Audit Plan
RPP Report on Plans and Priorities
SAP Systems, Applications, and Products (Software System)
SPI Science & Policy Integration Sector
SSO Shared Services Office
TB Treasury Board

Download the report

Printable Version [PDF, 200 KB]

To read Adobe Acrobat® files, you will need to download and install the free Acrobat Reader® software available from Adobe Systems Incorporated.