Natural Resources Canada’s three-year risk-based audit plan has been prepared in accordance with the applicable requirements of the revised July 2009 Treasury Board Policy on Internal Audit and related directives and guidelines, and the professional standards of the Institute of Internal Auditors. The risk-based audit plan includes internal audit projects for a 3-year period from 2010-11 to 2012-13.
The Planning Context
The Audit Branch is in its third year of formalizing a more systematic and transparent approach to risk-based audit planning since the adoption of the 2006 Treasury Board Policy on Internal Audit. In preparing the Audit Plan [Footnote 1], planning principles were applied in a manner consistent with the prior two years. Building on previous work, the Audit Branch has continued to refine its approach each year with further improvements consistent with Treasury Board guidance to Chief Audit Executives (CAE). The Audit Branch uses an audit planning approach similar to that of the Office of the Comptroller General, which is based on the planning guidance provided by its Internal Audit Sector.
All audit projects were discussed with senior management and the Audit Committee, with particular emphasis on the projects planned for 2010-11 (first year of the three-year Audit Plan), given that future year projects are re-assessed on an annual basis. Government and departmental priorities were validated with senior management and the Audit Committee to ensure greater alignment of planned audits to the key and highest priority areas.
Opportunities for improvement were identified regarding the Audit Plan in the 2009 Management Accountability Framework (MAF) assessment (Round VII) provided in April 2010. The 2009-12 Audit Plan was assessed as not clearly demonstrating the results of its risk assessment process, not providing additional resourcing information and was received by the Office of the Comptroller General (OCG) in an untimely manner. The Audit Branch believes it has addressed all three matters in this year’s report.
A quality review process was applied throughout the planning cycle, to ensure that the Audit Plan:
- Is risk-based;
- Covers audit and management priorities;
- Is reviewed by senior management and the audit committee;
- Is focused predominantly on the provision of assurance on risk management, control and governance processes;
- Has a multi-year horizon;
- Addresses risks and internal audits identified by the Comptroller General as part of government-wide coverage; and
- Supports annual assurance reporting by the Chief Audit Executive on departmental risk management, control and governance processes.
The Planning Process
The starting point for the risk-based selection process is NRCan’s internal audit universe. The audit universe represents a potential range of all audit activities and is comprised of a number of auditable entities. The Audit Branch uses the departmental Program Activity Architecture (PAA) to help assess completeness of the audit universe.
The next stage is to prioritize the audit universe based on a risk assessment. This is a two-step process involving preliminary and final prioritization. It includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework assessment, strategic review, business planning, the Report on Plans and Priorities (RPP), departmental and government priorities, the most recent tabled financial statements, and other considerations such as previous audit results (both internal and external).
Consideration is also given to other factors, such as senior management requests; Departmental Audit Committee (DAC) advice and recommendations; mandated audits, such as the Office of the Comptroller General’s horizontal directed audits; audits resulting from the Budget 2009 Economic Action Plan; and planned audits by other assurance providers.
Finally, the draft audit plan is distributed to the Departmental Audit Committee for review and recommended to the Deputy Minister for approval.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
- Government Priorities
- Departmental Priorities
- Corporate Risks
- Strategic Review
- Business Planning
- MAF Assessment
- Consultations with management
- Core audit requirements
- CAE annual assurance perspective
- Mandated priorities
- Central Agencies audits
- Previous NRCan internal audits
- Time since last audit
- Audit Branch capacity
- Final discussions with senior management
- Senior management requests
- Audit Committee requests
- Focus on first year proposed audit projects
The Planning Results
| Type of Audit Project | 2010-11 | 2011-12 | 2012-13 |
|---|---|---|---|
| Core grant and contribution (G&C) programs | 3 | 2 | 1 |
| Core information management and technology (IM/IT) | 1 | 3 | 4 |
| Other audit projects | 1 | 3 | 1 |
| NEW INTERNAL AUDIT PROJECTS – SUB-TOTAL | 9 | 11 | 9 |
| Special advisory projects | 3 | 2 | 2 |
| Carry-forward audits from 2009-10 | 4 | 0 | 0 |
| OCG – Horizontal directed audits | 2 | 2 | 2 |

| Year | Audit Project |
|---|---|
| Carry Forward 2009-10 | ecoENERGY for Biofuels |
| | Financial Statement Preparation and Reporting |
| | Accounts Receivable and Revenue Management |
| 2010-11 | Horizontal Audit of Transfer Payments (G&C Programs) |
| | Pulp and Paper Green Transformation Program (PPGTP) - Black Liquor Production |
| | Clean Energy Fund |
| | Financial Statement Reporting (Asset) - Investments |
| | Payroll and Benefits – Overtime, Vacation and Other Benefits |
| | Asset Management – Real Property and Fleet |
| | Professional Services – Operating Expenditures |
| | SAP System (Felix Project Planning & Delivery) |
| | Accelerated Infrastructure Program (Phase II - Delivery) [Footnote 2] |
| 2011-12 | Expenditure Management (Strategic Review Reallocations) |
| | ecoENERGY Technology Initiative |
| | Business Continuity Management |
| | Management of Information Holdings |
| | CANMET - Materials Technology Lab: Relocation |
| | United Nations Convention on the Law of the Sea (UNCLOS) |
| | Geo-Mapping for Energy & Minerals (GEM) |
| | Operating Expenditures (Transportation, Information, Rentals, and Repairs and Maintenance) |
| 2012-13 | ecoENERGY Renewable Power |
| | Identity and Access Management (Privacy/Access Acts, User Identification/Password Controls) |
| | Budgeting and Forecasting |
| | Servers Administration and Security |
| | Systems and Application Controls (HR / Payroll / Procurement) |
| | Interest / Transfer Payments (Offshore) |
| | Natural Hazards Information and Response |
| | Loans and Advance Receivables |
| | IT Infrastructure and Governance |
In preparing the Audit Plan, an estimate of the total resource capacity available was determined and allocated to all Branch activities using metrics based on prior experience. Taking into account the budget available for internal and external resources, a total of approximately 4,700 person days of capacity for 26 professional positions was estimated for 2010-11 (i.e., direct audit time, excluding leave provisions and time for administration, professional development and language training).