RISK-BASED AUDIT PLAN 2012-2015

(Download the report)

Contents

• The Planning Context
• The Planning Process
• The Planning Results
• Continuous Auditing Projects
• 2012-13 Advisory/Review Projects
• Central Agencies Audit Projects for 2012-13
• Acronyms

Executive Summary

The Natural Resources Canada (NRCan) three year risk-based audit plan has been prepared in accordance with the applicable requirements of the revised July 2009 Treasury Board (TB) Policy on Internal Audit and related directives and guidelines, and the professional standards of the Institute of Internal Auditors (IIA).  The risk-based audit plan includes internal audit projects for a 3 year period from 2012-13 to 2014-15.

The Planning Context

Since the adoption of the 2006 Treasury Board Policy on Internal Audit (revised July 2009), the Audit Branch has continued to refine its risk-based planning approach each year with further improvements consistent with Treasury Board guidance to Chief Audit Executives (CAE). The Audit Branch uses a similar audit planning approach to the Office of the Comptroller General (OCG).

All potential audit projects were discussed with senior management and the Departmental Audit Committee, with particular emphasis on the projects planned for 2012-13 (first year of the three-year Audit Plan¹), given that future year projects are re-assessed on an annual basis.  Continued efforts were made this year to align planning efforts with the ongoing work in establishing a departmental risk management framework and Corporate Risk Profile. Also, government and departmental priorities were validated with senior management and the Departmental Audit Committee to ensure greater alignment of planned audits to the key and highest priority areas.

A quality review process was applied throughout the planning cycle, to ensure that:

• The audit planning process is aligned with the Department’s strategic objectives.
• The perspectives of the Executive Committee and the Departmental Audit Committee are considered in audit planning. Senior management are involved in the process.
• All programs, projects and activities of the Department are considered for audit, subjected to a risk assessment, and ranked in order of priority.
• Appropriate audit objectives for each audit selected have been established.
• The plan is prepared in a timely manner and distributed to the appropriate levels of management.
• A process for selection of audit projects is documented and includes criteria such as past audit coverage and results, materiality, significance to management, risk based on a standardized methodology, auditability, audit projects not completed from the previous year’s plan, organizational priorities, opportunities for improvement and legislated or other mandated obligations.

The audit plan is focused predominantly on the provision of assurance and supports annual overview reporting by the Chief Audit Executive on departmental risk management, control and governance processes.

The Planning Process

The starting point for the risk-based selection process is NRCan’s internal audit universe.  The audit universe represents a potential range of all audit activities and is comprised of a number of auditable entities.  The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan’s inventory of external legislated services to help assess completeness of the audit universe.

The next stage is to prioritize the audit universe based on a risk assessment.  This is a two step process and involves preliminary and final prioritization. This includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework (MAF) assessment, strategic review, business planning, the Report on Plans and Priorities (RPP), departmental and government priorities, the most recent tabled financial statements, other considerations such as previous audit results (both internal and external) and planned program evaluations.

Consideration is given to other factors such as senior management requests; the Departmental Audit Committee (DAC) advice and recommendations; mandated audits such as Office of the Comptroller General's horizontal directed audits; planned audits by other assurance providers.

Finally the draft audit plan is distributed to Departmental Audit Committee for review and recommendation to the Deputy Minister (DM) for approval.

The following diagram highlights the four key phases used in the selection porcess for the development of a robust risk-based audit plan.

[ text version ]

Environmental Scanning

• Government Priorities
• Departmental Priorities
• Corporate Risks
• Strategic and Operating Review
• Business Planning
• MAF Assessment
• Consultations with management

Other Considerations

• Core audit requirements (TB MAF)
• CAE annual overview report
• Mandated priorities
• Central Agency audits (e.g OAG, OCG)
• Previous NRCan internal audits
• Time since last audit
• Audit Branch capacity
• Program Evaluations

Prioritization

• Final discussions with senior management
• Senior management requests
• Audit Committee requests
• Focus on first year proposed audit projects
• Evaluation Plan

The Planning Results

In total, twenty six new “highest priority” internal audit projects are planned for the next three years.  For each proposed audit project, the plan provides a clear indication of the preliminary objective and scope. An indication of resource requirements, in terms of start and end date to conduct the audits is provided.

The following table summarizes the number of new internal audit projects selected for each year along with the number of special advisory projects, carry-forward audits from 2011-12 and scheduled Office of the Comptroller General (OCG) horizontal directed audits since OCG audits might involve performing the audit work for the examination phase.

Type of Audit Project	2012-13	2013-14	2014-15
New Internal Audit Projects	8	8	10
Carry-Forward Audits From Prior Year	3	3	2
OCG – Horizontal Directed Audits	1	1	1
TOTAL	12	12	13

Two audit projects (CANMET Relocation and Real Property Management) were finalized at fiscal year end but their presentation to the Audit Committee could only be performed in 2012-13 due to a reporting time lag.  These audit projects are not considered carry-forward audits since they are essentially completed, as they do not require any significant audit work in the new fiscal year.

The following two tables provide a listing of audit projects being carried forward from 2011-12 and the new “highest priority” internal audit projects for fiscal years 2012-13, 2013-14 and 2014-15.

Carry Forward Audits 2011-12	Information Management
	Electronic Payments System
	Strategic Review Implementation

 

2012 - 2013	2013 - 2014	2014 - 2015
Investments in Forest Industry Transformation Program (CFS) [222] *	Access to Information and Privacy (PAPMS and NRCan) [50]	Integrated Business Planning and Reporting (SPI) [15]
ecoENERGY for Renewable Power (ES) [6]	Automated Pay Interface (CMSS-SSO) [5]	Green Mining Initiatives (MMS) [12]
Conversion Process for SAP Opening Balances (CMSS-FMB) [26]	Business Continuity and IT Disaster Recovery Planning (NRCan) [3]	Targeted Geoscience Initiative 4 (ESS) [46]
SAP Functionalities (NRCan) [27]	Polar Continental Shelf Project (ESS) [44]	Port Hope Area Initiative (ES) [7]
Internal Controls Over Quarterly Financial Reporting (CMSS-FMB) [28]	ecoENERGY Innovation Initiative (ES & IETS) [40]	Climate Change Impacts and Adaptation (ESS) [9]
Economic Action Plan 2012 Implementation (SPI and NRCan) [13]	Communication Function Review (PAPMS) [51]	Web Standards (CMSS-IMB) [31]
IT Certification and Accreditation Program (CMSS-IMB) [35]	Offshore Statutory Transfer Payments (CMSS-FMB) [41]	End-User Service Transformation (CMSS-IMB) [34]
Enterprise Document Management System – GCDocs (CMSS-GCDOCS and NRcan) (System Under Development Audit) [30]	New Values & Ethics Code (CMSS / IETS / Legal) [2]	Program of Energy Research and Development (ES & IETS) [47]
		External Legislated Services (NRCan) [49]
		User Fees and Regulatory Charges (NRCan) [55]

* The Investments in Forest Industry Transformation (IFIT) audit will be coordinated with the OAG.

Continuous Auditing Projects

The Audit Branch has developed as part of this year’s Audit Plan an approach with the intent to roll-out an effective and sustainable continuous auditing process to support the Internal Audit function, and support management needs regarding the Policy on Internal Controls.

The Audit Branch will apply continuous auditing at NRCan to proactively identify potential control issues and report regularly on an on-going basis on various processes in order to assist management with improving control mechanisms and managing risks. This work will be performed in accordance with the IIA Standards in order to provide reasonable assurance. Continuous auditing will be exercised in a structured approach. This process is linked to the RBAP and leverages existing audit projects.

The following table summarizes the continuous auditing projects planned for the next three-years.

Audit Risk	Estimated Spending3	Project Name	Fiscal Year
			2012-2013	2013-2014	2014-2015
High	$1.2 B over 5 years	1 – ecoEnergy Retrofit Homes Program	x	n/a	n/a
High	$425 M 2010/2011	2 – Supplier Payments	x	x	x
Moderate	$20 M Annually	3 – Acquisition Cards	x	x	x
High	$212 M 2010/2011 (contracts > $10,000)	4 – Contracting		x	x
Moderate	$20 M 2010/2011	5 – Hospitality and Travel Expenses		x	x
Moderate	$501 M 2010/2011	6 – Salary Expenses			x

 

2012-13 Advisory/Review Projects

As an adjunct to the assurance role, the TB Policy on Internal Audit (section 3.7) indicates that internal auditors will also provide advisory services to their organizations.  Notwithstanding a clear emphasis on assurance work, the Audit Branch also undertakes advisory services as requested from time to time by senior management. Examples include interpretation of recipient audit reports, program reviews and consultation on new processes.

Central Agencies Audit Projects for 2012-13

The Department is subject to audits by various external central agencies (e.g. Office of the Comptroller General (OCG), Office of the Auditor General (OAG), Commissioner of the Environment and Sustainable Development (CESD), Public Service Commission (PSC)).  The following table provides a listing of external audit projects being carried forward from 2011-12 and proposed planned external audit projects for fiscal year 2012-13.

Office of the Comptroller General (OCG)	Horizontal Internal Audit of Financial Forecasting [4] **
Office of the Auditor General (OAG)	Audit of Public Accounts 2011-12
	Performance Audit of Grants and Contribution programs
	Public Security and Anti-terrorism Initiative Retrospective
	Study of Cyber Security
Commissioner of the Environment and Sustainable Development (CESD)	Audit of Offshore Petroleum Board
	Audit of Financial Impact of Environmental Risks – Part 1
	Audit of Financial Impact of Environmental Risks – Part 2
	Follow-up on Groundwater Mapping Audit
	Performance Audit of Biodiversity
	Study of the Federal Support to the Fossil Fuel

** The Financial Forecasting horizontal audit is aligned with OCG horizontal risk-based audit plan.
At the time of producing this plan, NRCan was not informed of new audit projects from other central agencies such as the Public Service Commission.

Acronyms

The following acronyms are used in this document:

CAE	Chief Audit Executive
CESD	Commissioner of the Environment and Sustainable Development
CFS	Canadian Forest Service
CMSS	Corporate Management & Services Sector
CRP	Corporate Risk Profile
DAC:	Departmental Audit Committee
DM	Deputy Minister
ES	Energy Sector
ESS	Earth Sciences Sector
FMB	Financial Management Branch
G&C	Grants and Contributions
GCDOCS	GCDOCS project
GFS	Government Financial System
IETS	Innovation and Energy Technology Sector
IFIT	Investments in Forest Industry Transformation
IIA	Institute of Internal Auditors
IM	Information Management
IMB	Information Management Branch
IT	Information Technology
MAF	Management Accountability Framework
MMS	Minerals and Metals Sector
N/A	Not Applicable
NRCan	Natural Resources Canada
OAG	Office of the Auditor General
OCG	Office of the Comptroller General
PAA	Program Activity Architecture
PAPMS	Public Affairs and Portfolio Management Sector
PSC	Public Service Commission
RBAP	Risk-Based Audit Plan
RPP	Report on Plans and Priorities
SAP	Systems, Applications, and Products (Software System)
SPI	Science & Policy Integration Sector
SSO	Shared Services Office
TB	Treasury Board

¹ The risk-based audit plan (RBAP) prepared by the Audit Branch of Natural Resources Canada (NRCan) is also referred to as the Audit Plan within this document.

² The number represents the project number for the audit, which is how the project is identified in the “risk heatmap” diagram (i.e. audit risk ranking).

³ The estimated spending amounts were taken from GFS and the financial statements.  Data for fiscal 2011-12 was not available.

---

Download the report

Printable Version [PDF, 200 KB]

To read Adobe Acrobat® files, you will need to download and install the free Acrobat Reader® software available from Adobe Systems Incorporated.