The Risk-Based Audit Plan (RBAP), also referred to as the “Plan”, is prepared by the Audit Branch of Natural Resources Canada (NRCan). It contains the details on the role of internal audit (IA), the Audit Branch’s planning methodology, and the planned audits for the next three-year cycle: 2017-20.
The RBAP is developed in accordance with the requirements of the Treasury Board of Canada (TB) Policy on Internal Audit, along with related directives, guidelines, and the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing.
Each year, NRCan’s Chief Audit Executive (CAE) is required to prepare a risk-based audit plan (RBAP), which sets out the priorities of the internal audit activity that are consistent with the organization’s goals and priorities. The audit planning process ensures that all internal audit activities are relevant, timely, and strategically aligned with NRCan’s Corporate Risk Profile (CRP) to support the achievement of the Department’s strategic objectives. The input from NRCan’s Departmental Audit Committee (DAC), along with NRCan’s senior management, is sought and taken under advisement in setting internal audit activity priorities.
The starting point for the risk-based planning process is the identification of the audit universe. This audit universe document was developed by the Audit Branch and is updated annually to reflect the Department’s most current priorities. The audit universe characterizes the array of possible audit activities and is made up of auditable entities identified as relevant to NRCan and its operating context. Auditable entities commonly include programs, processes, policies, management activities and control systems, along with departmental and government-wide initiatives, which collectively contribute to the achievement of NRCan’s strategic objectives. NRCan’s audit universe is made up of 24 groupings of auditable entities.
All programs, management activities, processes, policies and control functions, along with departmental and government-wide initiatives are subjected to a risk assessment and risk ranking exercise to select audit projects in order of priority. Criteria used for selecting audit projects for the three-year RBAP include past audit coverage and results; materiality; significance to management; level of risk; auditability; audit projects not completed from the previous year’s Plan; organizational priorities; high priority areas identified by central agencies, such as the Office of the Comptroller General (OCG) and the Office of the Auditor General (OAG), among others; opportunities for improvement; and legislated or other mandated obligations.
Prioritization of the audit universe is a two-step process. The first step includes management consultations, review, and consideration of the following available documentation: departmental risk information, including NRCan’s CRP; the latest Management Accountability Framework (MAF) assessment; recent department-wide assessments of IT and fraud risks, respectively, which lead to the identification of audits as part of the Audit Branch’s continuous audit framework; business planning documentation; NRCan’s Report on Plans and Priorities (RPP); Government priorities; and previous audit results (both internal and external), along with the most recent financial information and statements. Other factors are also considered, such as collaboration with NRCan’s Evaluation Division to identify opportunities to collaborate on audit and evaluation projects in order to improve efficiency and minimize duplication of efforts. It should be noted that collaborative efforts will range from conducting joint interviews, to collecting and sharing information, to conducting hybrid audit and evaluation engagements.
The second step to prioritize the audit universe involves consideration of several factors, including significance to departmental strategic outcomes and operational objectives; senior management requests and priorities; the DAC’s advice and recommendations; external audit activities and planned evaluations; readiness of the entity for audit activities; and availability of internal resources to complete the audit on time. Following this step, professional judgement is still required to risk-assess and rank the auditable entities. This is performed through collaborative discussions with NRCan senior management and the DAC, where emphasis is placed on projects planned for 2017-18 (the first year of the three-year plan), given that future projects are reassessed annually. Government and departmental priorities are also validated with senior management and the DAC to ensure planned audits align with higher priority areas. In addition, preliminary audit objectives are developed for each audit selected for the RBAP. The final plan is then reviewed by the DAC and approved by the Deputy Minister.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
This figure highlights the four key phases used in the selection process for the development of a robust risk-based audit plan. It covers the selection process from its starting point, which determines potential NRCan auditable entities covering a three-year period, to its final recommendation. The first large block represents the potential range of auditable components, which include departmental programs, activities, processes, structures and initiatives that collectively contribute to the achievement of the Department’s strategic objectives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to ensure the audit universe identified is complete. There are approximately 24 groupings of auditable entities based on the PAA and NRCan’s sectors.
The next stage is to prioritize the audit universe based on a risk-based assessment. This is a two-step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk and impact. The final two steps are to rank the priority of the proposed audits and to recommend them for approval in the three-year audit plan (as in the final two large blocks).
The following tables summarize the number of new internal audit projects selected for each year along with the number of special advisory projects and OCG horizontal audits.
In total, 35 of the highest priority internal audit and advisory projects are planned for the next three years.
Tables 2 and 3 provide a listing of projects being carried forward from 2016-17 and the new “highest priority” projects for fiscal years 2017-18, 2018-19 and 2019-20, respectively.
As an adjunct to the assurance role, the Audit Branch provides consulting/advisory services to the organization. Approximately two advisory projects per fiscal year (FY) are planned, which are based on senior management priorities and the availability of the Audit Branch’s resources. As part of this year’s update to the RBAP, six advisory projects have been identified in Table 3, with the possibility of others, where feasible.
The Audit and Evaluation functions have held joint consultations with senior management and staff to ensure the most effective, efficient, and coordinated planning process. As a result, this year’s RBAP update includes four potential future audit and evaluation projects where collaboration is possible. Table 4 provides a listing of Joint/Collaborative Audit and Evaluation Projects for FYs 2018-19 and 2019-20. It should be noted that collaborative efforts will range from conducting joint interviews, to collecting and sharing information, to conducting hybrid audit and evaluation engagements.
The Audit Branch will continue to undertake assurance-based continuous auditing to proactively identify potential systemic control issues and report annually on various processes. This work will be performed in accordance with the IIA Standards (i.e. provide reasonable assurance). The work carried out will address key risks associated with significant departmental expenses that have been identified, in part, based on the results of the Department’s Fraud Risk Assessment’s (FRA’s) Management Action Plans (MAPs).
The 3 areas selected for continuous audit in 2017-18 are:
NRCan’s annual report on continuous audit activities will be completed for the DAC’s fall 2017 meeting.
The Department is also subject to audits by other assurance providers. Table 5 provides a listing of known external audit projects planned for fiscal years 2017-18 to 2019-20, with the expected tabling dates.
As in previous years, the Audit Branch has been asked to support the OAG in its annual audit of Public Accounts by providing direct assistance in testing of payroll transactions and offshore revenues and transfers. The Audit Branch will be conducting this work in the first half of FY 2017-18, with expected tabling in the second half.
The follow-up process at NRCan is a two-phase process, which begins with a management self-assessment of the level of implementation for each recommendation and Management Action Plan (MAP). In the fall, the Audit Branch reports on the status of the implementation of recommendations based on management’s self-assessment. Each spring, as part of the second phase, the Audit Branch performs a validation that the recommendations assessed by management have been fully implemented. The validation approach includes the following procedures: conducting interviews; reviewing supporting evidence; and performing analysis and testing based on risk. Once completed, a Follow-Up Report is produced, discussed with senior management and the DAC, and approved by the DM. Once approved, it is sent to the OCG.
The Audit Branch’s forecasted budget for FY 2017-18 is $3.2 million. An estimate of total resource capacity available was developed and allocated to Audit Branch activities using metrics based on past experience. Approximately 3,600 person days of direct audit and advisory service capacity for 25 professional positions are required for 2017-18 audit projects. The Audit Branch has the capacity to deliver the proposed RBAP within the resources allocated to it, as well as the capacity to engage in other Branch activities, such as the preparation of the RBAP, follow-up on the implementation of recommendations, performance reporting, professional practices, and external audit liaison.