Audit

 

Annual Plans 2007-2008

---

(Download the report)

• Executive Summary
• Approved Internal Audit Projects 2007-08

---

Executive Summary

Why an Annual Plan? This summary presents the NRCan Annual Audit Plan for 2007-08. It has been prepared in accordance with pertinent Treasury Board policies¹ and guidance. Performance standards for the professional practice of internal auditing as set by the Institute of Internal Auditors² require that the Chief Audit Executive (CAE) establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Multi-Year Plan. A three-year plan has also been prepared at the Management Accountability Framework (MAF) control element level. This is a theoretical document that shows the general areas we will be planning to cover over the next three years. The reality is that the Annual Plan is subject to considerable changes throughout the year based on the dynamic nature of risks and external developments. Many in the audit profession consider multi-year plans to be archaic.

Methodology. We introduced something new in our planning process this year, which has made our process more strategic, more defensible and which permits multi-year planning. We employed a consulting company to apply a risk-based planning framework (based on the MAF), which the company had developed and which has been used by other government departments. The basis of the framework is the 70 key controls developed by the Office of the Comptroller General (OCG), mapped to the MAF. Details on how this new methodology was applied are provided in the body of the Report.

Our process for this Annual Plan involved the six Sectors in NRCan, including Assistant Deputy Ministers (ADMs), direct reports to the Deputy Minister, and other selected managers. We have found that briefings with the sector management committees to be particularly useful fora to exchange ideas. The NRCan Audit and Evaluation Committee (AEC) chaired by the DM participated directly in selecting the project proposals and approving the Annual Plan.

Nature of NRCan. NRCan is a complex, widely distributed organization, with about 1,500 (of 4,565) employees located outside the National Capital Region (NCR). It’s one of the oldest departments and is made up of seven distinct sectors – Earth Sciences Sector (ESS), Energy Policy Sector (EPS), Energy Technology and Program Sector (ETPS), Canadian Forest Service (CFS), Minerals and Metals Sector (MMS), Corporate Management Sector (CMS), and Strategic Policy Sector (SPS).A Shared Services Office (SSO ) has been established with the objective of making service delivery functions more effective and efficient, while providing continued support to programs and services.

This rich history presents unique challenges with respect to the integration of systems and information sharing. Another major challenge is to manage the large amount of temporary funding ($1,652.9M³ ) from a smaller ($403.6M) permanent A-base level. In this regard, between 1997-98 and 2006-07, NRCan has increased its total budget by approximately 202%, and its temporary funding allocations by more than 837%. NRCan’s temporary funding allocations continue to increase and at the same time there has been an erosion of the A-Base budget.

Federal Accountability Act (Fed AA). The Fed AA, or Accountability Act, which received royal assent on December 12, 2006, makes substantive changes to 45 statutes. The Fed AA is intended to create a culture of accountability. The major elements of the Fed AA and the associated action plan are: Parliamentary reform, Political reform, procurement reform, public sector reform and making the public sector more open. The Fed AA permits the Deputy Minister to decline to disclose any audit working paper if the record came into existence less than 15 years before the request was made⁴. The Fed AA also expands the class of recipients of grants, contributions and loans into which the Office of the Auditor General (OAG) can inquire about the use of funds (“follow the money”) and allow the OAG to conduct performance audits to assess value for money.

New sections of the Fed AA make the Deputy Head of a Department responsible for ensuring appropriate internal audit capacity is in place and for establishing the organization’s independent Audit Committee. In addition, the Treasury Board has been provided the authority to appoint members of audit committees who are external to the Public Service.

New Internal Audit Policy.This new policy, which became effective April 1, 2006, places particular emphasis on the independence, structure and mandate of the Audit Committee. In practical terms, a great deal of work will be required by the Internal Audit Division to meet the requirements of the new policy, primarily with respect to the implementation of specific policies, accrual financial reporting, holistic assurance of controls, and participating in the conduct of horizontal, government-wide internal audits led by the Comptroller General.

Strategic Planning - North Star. Shortly after her arrival in July 2006, the Deputy Minister Cassie Doyle established the North Star Team, composed of 18 NRCan employees from across all sectors, and tasked it “to develop the key elements of a Natural Resource Policy Framework for the Department that would span a 10 to 15 year timeframe” and to “explore, discuss, and debate the most important trends shaping the work of NRCan today.” She stated that “through this team of NRCan experts we hope to build a stronger and more integrated Department to position NRCan as a leader on the natural resources agenda.” North Star is the most important strategic initiative in the Department. The Deputy Minister also created a new Strategic Policy Sector under the leadership of an Assistant Deputy Minister.

The North Star team concluded that adopting the proposed integrated natural resources policy framework for Canada will change NRCan and move it toward a more integrated, knowledge-driven department. This, in turn, will strengthen the federal platform for decision making and priority setting on natural resources issues, which will strengthen the federation. Ultimately, this will put Canada in a more innovative and competitive position internationally, and improve the quality of life of Canadians. This is the challenge for Natural Resources Canada – to lead the evolution and become the leading voice for the country's resources, and become Canada's authority on resource innovation and knowledge.

The North Star Team also identified some internal changes to the way NRCan currently operates that would facilitate the implementation of the policy framework, and allow the Department to take full advantage of the talented and dedicated professionals that make up the organization. In summary, the North Star Team recommends that NRCan:

1. Create a Corporate Trend Analysis unit to work collectively with the sectors to undertake scans of trends and issues and identify threats and opportunities that will enable it to be forward looking and predictive;
2. Create a single, open platform to share data and other information to support the work of this unit, and to support better sharing of information across all parts of the Department and with partners outside of NRCan;
3. Improve communications between employees (both horizontally and vertically) by creating public and virtual spaces to exchange information and share ideas;
4. Create a renewed policy integration function by establishing a targeted number of formal and informal structures to better integrate decision making on natural resources issues; and
5. Become a knowledge organization by implementing the framework, working for a common purpose, promoting collaboration, and strengthening and taking full advantage of the knowledge, expertise, and talent pool of the Department.

OAG Public Accounts Report

The first OAG audit of the Public Accounts of NRCan was carried out during the past fiscal year and was reported in November 2006, as a result of the Department’s budget reaching $1B annually. This has resulted in considerable attention to:

1. Departmental readiness to prepare departmental-level financial statements;
2. Departmental readiness to support an efficient and control-reliant audit approach of their related statements;
3. The integration of accrual financial information into internal reports and the information used for decision making;
4. The advancements made in the implementation of accrual budgeting and appropriation at the departmental level; and
5. Central and departmental financial leadership and capacity.

Although the OAG audit concluded that NRCAn’s transactions are free of material misstatements at a government-wide level for public accounts, a management letter reported on a number of activities which are described in the body of the Plan.

Our Approach to Audit Planning. There are three recurring themes⁵ resulting from emerging requirements such as the Departmental Financial Statements audit requirements, the new Internal Audit Policy, Management Accountability Framework Assessments and upcoming Policy on Financial Management (new CFO role), as follows:

1. Increased focus on ensuring effectiveness and adequacy of risk management, control and governance processes;
2. Greater emphasis on quality of financial reporting and disclosures; and
3. Enhanced expectations for opinions on the state of controls and financial results.

These three themes were considered carefully in the development of the audit proposals following our risk assessment of the 70 key controls identified by the OCG.

We will also allocate 10% of our resources to ad hoc projects, an allocation that has proven appropriate over time. As well, there are several carry-over projects from 2006-07.

Our Plan balances a number of requirements and perspectives. We have emphasized horizontal perspectives to obtain the most value for our limited audit resources, and to have a continued presence in regional activities. We have also retained a significant emphasis on transfer payment programs and projects through which most of NRCan’s outcomes are delivered.

More detail on our approach to audit planning is presented in the full report, which also includes consideration of: audits completed by Other Government Departments (OGDs) and national audit organizations (i.e. Auditor General) around the world, and the General Accounting Office (U.S.A.).

Treasury Board MAF of NRCan (draft March 2007)

The TBS MAF was more comprehensive and rigorous this year. Comments are considered below in two categories: internal audit and the rest of the Department.

Internal Audit received an “Acceptable Rating” which is less than the highest rating of “Strong” but above “Opportunity for Improvement” and “Attention Required” ratings. There were two areas in which NRCan internal audit needs to improve, both related to reporting. Details are provided in the body of the Plan.

Only one area in the Department was rated as“Attention required”, the effectiveness of Financial Management and Control. However a number of other activities were rated as “Opportunities for Improvement", including:

• Clarity and measurability of the organization's strategic outcomes,
• Presence of a risk-based corporate plan,
• Accuracy and reliability of supporting information in Memoranda to Cabinet (MCs) and TB submissions,
• Integration use and reporting of performance information
  
  managing organizational change e.g. clarity of corporate vision,
• Stewardship i.e. effectiveness of information management and effectiveness of information technology management,
• Effective project management, and
• Effective procurement.

A chart is provided in the Plan proper describing the audit projects that are in progress, recently completed, or planned to address these MAF observations.

Annual Plan. Attached (Annex A) is the Annual Audit Plan of nine audit projects approved by the AEC for 2007-08. This is followed by the 6 other prioritized audit proposals presented for AEC consideration (Annex B).

Annex C titled, Audit Professional Standards and Capacity Building, also approved by the AEC, identifies internal projects that are necessary to respond to the new internal audit policy. Annex D, presents Carry-over Internal Audits to be Reported in 2007-08.Annex E presents a high-level 3 Year Audit Plan⁶, as mentioned previously. Annex F presents audits completed in 2006-07, approved projects (2007-08) and carry-over projects (started in 2006-07) by Departmental sector. These projects have also been mapped (in the body of the report) to the Management Accountability Framework, (MAF), the TB Risk model and other models. Finally, Annex G presents a Detailed Resource Plan for 2007-08.

Key Challenges. There are several major challenges facing the Audit Division in NRCan at this time. First, the recruitment, retention and professional development of internal auditors remains a priority. We are increasing from 9 to 16 auditors over the next few months. We have encountered difficulty in finding qualified auditors, and are training most of our new employees to be internal auditors from scratch. We anticipate that it will take at least 18 months to train all staff to the required standard. We have allocated 10 days training for each auditor this year, and this does not include initial training requirements, which will vary from person to person.

Second, the AEC has approved a measured approach to the implementation of the new internal audit policy. AEC has decided that a new independent departmental audit committee that includes experienced, competent external members⁷ should be in place by the end of September 2007. However, as that date approaches we find much work remains to be done by Central Agencies. We will need to adapt to changing conditions over the next fiscal year.

Third, there are two technical areas flowing from the new policy, which will present challenges – audit opinions on internal controls, and the preparation of departmental-level financial statement ready for audit “scrutiny”. The first, especially for opinions outside of financial statements, will place us in uncharted waters. There are training and technical issues that must be worked through for both internal audit and corporate services. Accrual reporting presents similar challenges that will take time to resolve.

Fourth, the rapid introduction of Clean Air programs in NRCan since December 2006, complicates the planning process for Internal Audit. It is anticipated that some changes to the Audit Plan will be needed during the year to account for developments in this regard.

Finally, obtaining required information across the Department remains a major challenge for audit activities, and correspondingly for senior managers. By bringing information shortfalls to the attention of senior management, we can help drive the information priorities of the Department. In particular, meeting the financial information needs of the managers is paramount.

Approved Internal Audit Projects 2007- 08

Serial	Title	Sector	Scope
1.	SSO /CMS Control Frameworks Audit	SSO / CMS	Assess the control frameworks for selected key functions of CMS and SSO , such as finance and personnel, and the delineation of roles/responsibilities and accountability in this regard. This will contribute to preparation for the holistic assurance of controls.
2.	GFS Application Controls and Functionality	CMS/ SSO	Provide assurance on the automated application controls in GFS and related accountability processes.
3.	Off-the-Shelf Software Management and Custom Software Development	CMS/ SSO /All	Provide assurance on the controls and accountability processes related to management of off-the-shelf software and custom software development.
4.	Performance Measurement Management at the Contribution Agreement Level	CMS/ EPS, ESS, CFS, MMS	Provide assurance that accurate and complete performance measurement information is being provided to ADMs at the Contribution Agreement level, and that this information is used appropriately in the management of programs.
5.	Management of Repayable Contributions	CMS/ SSO /All/ Regions	Provide assurance on compliance with TB Policy and Guidelines.
6.	ESS Project Management System	ESS/ CMS	Assess the system design and application compared to current standards, the effectiveness of its application in ESS, and its integration with corporate information systems.
7.	Model Forest	CFS/CMS/ SSO	Provide assurance on the control framework for the management of this program, including compliance with departmental policy and requirements.
8.	Cash Management	CMS/ SSO / Regions	Provide assurance on compliance with TB and departmental policy and guidelines. Cash is defined to include cheques and other negotiable instruments.
9.	Regional (Quebec City, Maritimes, follow-up Devon and Varennes)	All/ Regions	Provide assurance on the management control framework for several functions including contracting, financial management, asset management, and physical security at regional locations
10.	Advertising and Research of Public Opinion Activities and Processes	DG Com/ SSO / CMS	Provide assurance on the controls related to the advertising and research of public opinion activities and processes. This audit is called for by the Fed AA Action Plan. The OAG released a cross-Government audit on this topic on February 13, 2007, but NRCan was not part of the audit.
11.	Departmental Management and Financial Policies	CMS	Provide assurance that departmental policies called for by TB policies and guidelines are in place and are current, and that the process to prepare such departmental policies is working.
12.	Accounts Payable	CMS/ SSO /All	Provide assurance on the controls and accountability processes related to Accounts Payable and Disbursements.
13.	Risk Management	CMS/All/ Regions	Provide assurance that the enterprise risk management process in NRCan is integrated with strategic planning and business planning, and is granular enough to provide practical information on major functions, processes and programs.
14.	Cost Recovery	CMS/All	Provide assurance that the Department is in compliance with TBS policy and guidelines and managing these effectively.
15.	Policy Capacity for Decision Making	CMS/All	Provide assurance that the Department has adequate policy resources to provide appropriate input for Department strategic planning. This audit would benchmark NRCan with OGDs.

Audit Professional Standards and Capacity Building

Serial	Title	Description
1.	Continuous Monitoring	Using a software product called Audit Command Language (ACL) continuously monitor several financial topics including Duplicate Payments and Travel Claims
2.	Participation in Activities Coordinated by the Audit Sector of the Comptroller General	To assist in the implementation of new policies, Internal Audit staff will participate in a number of working groups initiated by the Comptroller General to include: - Audit Committee, - Risk Assessment and Audit Planning, - Audit Software/Common Platform, - Horizontal (cross-Department) Quality Inspections, Fundamental Controls, and - IT Audit/Horizontal Audits Across Government.
3.	Audit Manual	A matter of some priority is the development of an NRCan Internal Audit Manual, working from a template that will be provided by the Comptroller General.
4.	Quality Assurance of Internal Audit	Consistent with the Institute of Internal Auditors (IIA) Professional Practices Framework, January 2002, there are 2 aspects to consider with regard to quality assurance (QA) of internal audit. First, article 1311 calls for ongoing internal assessment of the performance of the internal audit activity, and periodic reviews. Second, external assessment such as quality assurance reviews should be conducted at least once every four years. QA has been stressed in the new Internal Audit Policy.
5.	Audit Capacity Building	The audit shop is growing from 10 to 16. Overall, more than half of the auditors will need significant training and development to reach professional standards.
6.	TeamMate (Audit Management System)	AEB has procured TeamMate, a well-recognized bilingual audit management system, already used by the Office of the Auditor General (OAG) and a number of OGDs. We are now using the electronic working paper module. We will be adapting the Team Central module to permit real-time, on-line entry of responses to the Management Commitment Monitoring system.
7.	New Internal Audit Implementation Plan - Update	The departmental implementation plan that was developed for the new Internal Audit Policy will require updating during the year consistent with initiatives by the OCG and decisions by the Audit Committee.
8.	TB Submissions and RBAFs (Risk Based Audit Frameworks)	This is routine work for the Internal Audit Division and the resources involved can vary from month-to-month. Nevertheless, it is a measurable activity and on occasion can delay the progress of audit projects.
9.	Audit Planning	Preparing the annual audit work plan for approval by the AEC is a major activity in the internal audit division. A senior audit manager and the Director of Internal Audit spend approximately 3 months full-time on this activity with such tasks as meeting ADMs, preparing proposals, scoping project proposals etc. The rest of the Audit Branch is also involved extensively.

Carry-Over Internal Audits

1. Improved Efficiency of New Commercial Buildings
2. Specified Purpose Accounts and Net Voted Revenue
3. Voice Telecommunications
4. Occupational Health and Safety – Labs
5. TB Submission Process
6. Horizontal Audit of Transfer Payments
7. Follow-up Audit of Accounting for Costs and Liabilities
8. Related to Contaminated Sites
9. Regional Management Control Frameworks Sault Ste Marie, Victoria and Sidney (B.C.)
10. Management Framework for Third Party Hospitality
11. Management Framework for Memberships
12. Server Management
13. Holistic Assurance of Controls Study
14. Financial (Accrual) Reporting Study
15. Control Software Study

THREE YEAR INTERNAL AUDIT PLAN

		2007-2008	2008-2009	2009-2010
MAF Categories	Hi-Risk MAF Elements
Governance and Strategic Directions	1. Strategic Direction and Objectives		x
	2.  Governance and Oversight of Collaborative Initiatives		x
	3. Horizontal Management		x
Results and Performance	4. Results Identification and Performance Measurement	x
Policy & Programs	5. Policy & Programs Resources, Procedures and Monitoring	x
People	6. Sustainable HR Policies and HR Planning			x
Accountability	7. Authority, responsibility & Accountability – Communication & Understanding	x		x
	8. Accountabilities for Collaborative/Horizontal Initiatives		x
Stewardship	9. Budgets – Content & Process			x
	10. Established and Communicated, Reviewed and Revised	x
	11. Compliance Monitored	x	x
	12. AMEX	x
	13. Asset Protection and Life-Cycle Management	x
	14. Property Management			x
	15. Expenditure Management System	x	x
	16. Resource Reallocation to Achieve Results			x
	17. Financial and Non-Financial Reporting	x	x
	18. Procurement and Contract Management			x
	19. Transfer Payments	x
Mandatory annual reviews by AEC	20. Values and Ethics	x	x	x
	21. Risk Management		x
Federal Accountability Action Plan	22. Advertising and Research of Public Opinion Activities and Processes	x

Notes:

1. Have considered audits completed by the NRCan Internal Audit Division, the Office of the Auditor General, the Office of the Comptroller General, and the Commissioner of the Environment and Sustainable Development over the past three years.
2. The carry-overs from 2006-07 are also considered in 2007-08.
3. This is a high-level Plan based on the high-risk controls identified from the OCG list of 70 controls and plotted by MAF elements.

INTERNAL AUDIT PROJECTS BY SECTOR⁸

Earth Sciences Sector	Energy Policy Sector	Energy Technology and Programs Sector		Canadian Forest Service Sector	Minerals & Metals Sector		Corporate Management (CMS and SSO )
ESS Project Management Regional Audits	Wind Power Production Incentive	Improved Efficiency of New Commercial Buildings Commercial Transportation Energy Efficiency and Fuels Initiative Federal House in Order		Model Forest Regional Audits	Kimberley Diamond Process		SSO /CMSControl Frameworks GFS Application Controls and Functionality Follow-up Audit of Accounting for Costs & Liabilities Related to Contaminated Sites
Horizontal
Performance Measurement Management at the Contribution Agreement Level Management of Repayable Contributions Cash Management Continuous Monitoring Specified Purpose Accounts(SPAs) and Net Voted Revenue Voice Telecommunications TB Submission Process			Horizontal Audit of Transfer Payments Third-Party Hospitality Security of Cabinet Documents Information Management IT Security Recipient Audits Holistic Assurance of Controls Study Off-the-Shelf Software Management and Custom Software Development			Occupational Health & Safety – Labs Server Management Membership(s) Business Continuity Planning Control Software Study Financial (Accrual) Reporting Study

DETAILED RESOURCE PLAN 2007-08

Audit Manager	Apr - Jun	Jul - Sep	Oct - Dec	Jan - Mar
Director	Holistic Assurance of Controls Study (25) ($40K)	Holistic Assurance of Controls Study   (continued)
Financial Audit Manager	Horizontal Audit of Transfer Payments (10) ($25K)	Management of Repayable Contributions (120)	Management of Repayable Contributions (cont’d)	Management of Repayable Contributions (cont’d)
	Financial (Accrual) Reporting Study (10) ($20K)
	SPAs & NVRs (10)
	Audit of Accounting for Costs and Liabilities Related to Contaminated Sites (20) ($20K)
	Regional Management Control Frameworks – Sault Ste Marie, Victoria and Sidney (20)	Regional Visits (Quebec, Maritimes) (130)	Regional Visits (Quebec, Maritimes) (continued)	Regional Visits (Quebec, Maritimes) (continued)
	Management Framework for Memberships (10)
	Cash Management (120)	Cash Management (continued)	Cash Management (continued)
MAF Audit Manager	TB Submissions Process (30) ($30K)	TB Submissions Process (continued)
	Improved Efficiency of New Commercial Buildings (10)	Model Forest (120)	Model Forest (continued)	Model Forest (continued)
	Management Framework for 3rd Party Hospitality (10)	Performance Measurement Management at the Contribution Agreement Level (120)	Performance Measurement Management at the Contribution Agreement Level (continued)	Performance Measurement Management at the Contribution Agreement Level (continued)
	SSO/CMS Control Frameworks Audit (80) ($80K)	SSO/CMS Control Frameworks Audit (continued)	SSO/CMS Control Frameworks Audit (continued)
IM/IT Audit Manager	Voice Telecommunications (5)	ESS Project Management System (70) ($30K)	ESS Project Management System (continued)	ESS Project Management System (continued)
	Occupational Health and Safety – Labs (10)
	Server Management (40) ($80K)	Server Management (continued)	Server Management (continued)
	GFS Application Controls and Functionality (70) ($50K)	GFS Application Controls and Functionality (continued)	GFS Application Controls and Functionality (continued)
			Off-the-Shelf Software Management and Custom Software Development  (70) ($50)	Off-the-Shelf Software Management and Custom Software Development  (continued)

Notes:

1. numbers in brackets w/o $ are estimated days to complete carry-over projects (total estimated days 1,100)
2. numbers in brackets with $ are estimated consulting costs (total is $425K)

---

---

Download the report

Printable Version [PDF, 476 KB]

To read Adobe Acrobat® files, you will need to download and install the free Acrobat Reader® software available from Adobe Systems Incorporated.