This figure highlights the four key phases used in the selection process for the development of a robust risk-based audit plan. It covers the starting point of the selection process that determines potential NRCan auditable entities covering a 3 year period to its final recommendation. The first large block represents the potential range of auditable components which include departmental programs, activities, processes, structures and initiatives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to help assess completeness of the audit universe. There are approximately 150 auditable entities based on the PAA and the sectors.
The next stage is to prioritize the audit universe based on a risk based assessment. This is a two step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk, impact and control. The final 2 steps are to rank the priority of the proposed audits and to recommend them for approval in the 3 year audit plan (as in the final 2 large blocks).