RISK-BASED AUDIT PLAN 2010-2013

Annual Plans


 

(Download the report)

Table of Contents


Executive Summary

Natural Resources Canada’s three year risk-based audit plan has been prepared in accordance with the applicable requirements of the revised July 2009 Treasury Board Policy on Internal Audit and related directives and guidelines, and the professional standards of the Institute of Internal Auditors.  The risk-based audit plan includes internal audit projects for a 3 year period from 2010-11 to 2012-13.

The Planning Context

The Audit Branch is in its third year of formalizing a more systematic and transparent approach to risk-based audit planning since the adoption of the 2006 Treasury Board Policy on Internal Audit.  In preparing the Audit PlanFootnote 1, planning principles were applied in a consistent manner with the prior two years.  Building on previous work, the Audit Branch has continued to refine its approach each year with further improvements consistent with Treasury Board guidance to Chief Audit Executives (CAE).  The Audit Branch uses a similar audit planning approach as the Office of the Comptroller General, which is based on the planning guidance provided by its Internal Audit Sector.

All audit projects were discussed with senior management and the Audit Committee, with particular emphasis on the projects planned for 2010-11 (first year of the three-year Audit Plan), given that future year projects are re-assessed on an annual basis.  Government and departmental priorities were validated with senior management and the Audit Committee to ensure greater alignment of planned audits to the key and highest priority areas. 

Opportunities for improvement were identified regarding the Audit Plan in the 2009 Management Accountability Framework (MAF) assessment (Round VII) provided in April 2010.  The 2009-12 Audit Plan was assessed as not clearly demonstrating the results of its risk assessment process, not providing additional resourcing information and was received by the Office of the Comptroller General (OCG) in an untimely manner.  The Audit Branch believes it has addressed all three matters in this year’s report.

A quality review process was applied throughout the planning cycle, to ensure that the Audit Plan:

  • Is risk-based;
  • Covers audit and management priorities;
  • Is reviewed by senior management and the audit committee;
  • Is focused predominantly on the provision of assurance on risk management, control and governance processes;
  • Has a multi-year horizon;
  • Addresses risks and internal audits identified by the Comptroller General as part of government-wide coverage; and
  • Supports annual assurance reporting by the Chief Audit Executive on departmental risk management, control and governance processes.
The Planning Process

The starting point for the risk-based selection process is NRCan’s internal audit universe.  The audit universe represents a potential range of all audit activities and is comprised of a number of auditable entities.  The Audit Branch uses the departmental Program Activity Architecture (PAA) to help assess completeness of the audit universe.

The next stage is to prioritize the audit universe based on a risk assessment.  This is a two step process and involves preliminary and final prioritization. This includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework assessment, strategic review, business planning, the Report on Plans and Priorities (RPP), departmental and government priorities, the most recent tabled financial statements, and other considerations such as previous audit results (both internal and external).

Consideration is given to other factors such as senior management requests; the Departmental Audit Committee (DAC) advice and recommendations; mandated audits such as Office of the Comptroller General’s horizontal directed audits; audits resulting from the Budget 2009 Economic Action Plan; planned audits by other assurance providers.

Finally the draft audit plan is distributed to Departmental Audit Committee for review and recommended to the Deputy Minister for approval.

The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.

 

Environmental Scanning

  • Government Priorities
  • Departmental Priorities
  • Corporate Risks
  • Strategic Review
  • Business Planning
  • MAF Assessment
  • Consultations with management

Other Considerations

  • Core audit requirements
  • CAE annual assurance perspective
  • Mandated priorities
  • Central Agencies audits
  • Previous NRCan internal audits
  • Time since last audit
  • Audit Branch capacity

Prioritization

  • Final discussions with senior management
  • Senior management requests
  • Audit Committee requests
  • Focus on first year proposed audit projects
 
The Planning Results
In total, almost 30 new “highest priority” internal audit projects are planned for the next three years.  The following table summarized the number of new internal audit projects selected for each year along with the number of special advisory projects, carry-forward audits from 2009-10 and scheduled Office of the Comptroller General horizontal directed audits.
Type of Audit Project 2010-11 2011-12 2012-13
Core grant and contribution (G&C) programs 3 2 1
Core financial 4 3 3
Core information management and technology (IM/IT) 1 3 4
Other audit projects 1 3 1
NEW INTERNAL AUDIT PROJECTS – SUB-TOTAL 9 11 9
Special advisory projects 3 2 2
Carry-forward audits from 2009-10 4 0 0
OCG – Horizontal directed audits 2 2 2
TOTAL 18 15 13
The following four tables provide a listing of audit projects being carried forward from 2009-10 and the new “highest priority” internal audit projects for fiscal years 2010-11, 2011-12 and 2012-13.
Carry Forward 2009-10 ecoENERGY for Biofuels
Financial Statement Preparation and Reporting
Accounts Receivable and Revenue Management
Physical Security
 
2010-11 Horizontal Audit of Transfer Payments (G&C Programs)
Pulp and Paper Green Transformation Program (PPGTP) - Black Liquor Production
Clean Energy Fund
Financial Statement Reporting (Asset) - Investments
Payroll and Benefits – Overtime, Vacation and Other Benefits
Asset Management – Real Property and Fleet
Professional Services – Operating Expenditures
SAP System (Felix Project Planning & Delivery)
Accelerated Infrastructure Program (Phase II - Delivery) Footnote 2
 
2011-12 Expenditure Management (Strategic Review Reallocations)
Felix Implementation
ecoENERGY Technology Initiative
Business Continuity Management
Management of Information Holdings
CANMET - Materials Technology Lab: Relocation
United Nations Convention on the Law of the Sea (UNCLOS)
Geo-Mapping for Energy & Minerals (GEM)
Environmental Liabilities
Strategic Planning
Operating Expenditures (Transportation, Information, Rentals, and Repairs and Maintenance)
 
2012-13 ecoENERGY Renewable Power
Identity and Access Management (Privacy/Access Acts, User Identification /Password Controls)
Budgeting and Forecasting
Servers Administration and Security
Systems and Application Controls (HR / Payroll / Procurement)
Interest / Transfer Payments (Offshore)
Natural Hazards Information and Response
Loans and Advance Receivables
IT Infrastructure and Governance

In preparation of the Audit Plan, an estimate of total resource capacity available was determined and allocated to all Branch activities using metrics based from prior experience. Taking into account the budget available for internal and external resources, a total of approximately 4,700 person days of capacity for 26 professional positions was estimated for 2010-11 (i.e., direct audit time, excluding leave provisions and time for administration, professional development and language training).


Download the report

Printable Version [PDF, 67.6 KB]

To read Adobe Acrobat® files, you will need to download and install the free Acrobat Reader® software available from Adobe Systems Incorporated.