The Risk-Based Audit Plan (RBAP), also referred to as the “Plan”, is prepared by the Audit Branch of Natural Resources Canada (NRCan). It contains the details on the role of internal audit, planning methodology and planned audits for the three year cycle 2015-18. It also contains more detailed information on the resourcing and capacity of NRCan Audit Branch for 2015-16, for the delivery of the first year of the Plan.
The RBAP is developed in accordance with the requirements of the Treasury Board of Canada (TB) Policy on Internal Audit, along with related directives, guidelines, and the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA).
Each year, NRCan’s Chief Audit Executive (CAE) is required to prepare a risk-based audit plan which sets out the priorities of the internal audit activity that are consistent with the organization’s goals and priorities. The audit planning process ensures that all internal audit activities are relevant, timely, and strategically aligned to support the achievement of the Department’s strategic objectives. Input from NRCan’s Departmental Audit Committee (DAC) along with NRCan’s senior management is sought and taken under advisement in setting internal audit activity priorities.
The starting point for the risk-based planning process is the identification of the audit universe which is comprised of NRCan’s auditable entities. NRCan’s audit universe is made up of 213 auditable entities. These entities include programs, activities, processes, policies and initiatives which collectively contribute to the achievement of the Department’s strategic objectives. The Audit Branch uses NRCan’s Program Activity Architecture (PAA) as well as an inventory of legislated services to ensure the identified audit universe is complete.
All programs, projects, activities, processes, policies and initiatives of the Department are subjected to a risk assessment and risk ranking exercise to identify NRCan Audit Branch activities in order of priority. Criteria used for selecting audit projects for the three-year RBAP include past audit coverage and results, materiality, significance to management, risk analysis and assessments based on a standardized methodology, auditability, audit projects not completed from the previous year’s Plan, organizational priorities, opportunities for improvement and legislated or other mandated obligations.
Prioritization of the audit universe is a two-step process. The first step includes management consultations, review and consideration of available departmental risk information, including NRCan’s Corporate Risk Profile (CRP), the latest Management Accountability Framework (MAF) assessment, strategic reviews and assessments, business planning documentation, NRCan’s Report on Plans and Priorities, Government priorities and previous audit results (both internal and external), along with the most recent tabled financial statements.
Other factors are also considered, such as collaboration with NRCan’s Evaluation function to identify joint audit and evaluation projects. In order to improve efficiency, minimize duplication of efforts, and to reduce fatigue on NRCan’s Sectors, this year’s RBAP update has seen an increase of collaborative efforts between NRCan’s Audit and Evaluation functions with the inclusion of 8 planned future joint/collaborative audit and evaluation projects over the next 5 years. These include: Management of International Agreements (all Sectors) in 2015-16 (advisory project); Harassment Prevention and Resolution Process in 2015-16; Explosives Program Management & Licensing (MMS) in 2016-17; Geoscience for New Energy (ESS) in 2017-18; Biofuels (ES) in 2017-18; Federal Geospatial Platform (ESS) in 2018-19; and, Canada’s Legal Boundaries (ESS) in 2018-19. It should be noted that collaborative efforts will range from exchanging information and methodology to conducting hybrid audit/evaluation engagements.
The second step of the prioritization of the audit universe includes consideration of horizontal factors such as senior management requests, the DAC’s advice and recommendations, audits by the Office of the Comptroller General, and planned audits by other external assurance providers.
Based on the results of this process, all potential moderate and high risk auditable entities are discussed with NRCan senior management and the DAC, with particular emphasis on the projects planned for 2015-16 (the first year of the three-year plan), given that future year projects are re-assessed on an annual basis. Also, Government and Departmental priorities are validated with senior management and the DAC to ensure greater alignment of planned audits to the highest priority areas of the Department. Appropriate audit objectives are included for each audit selected.
Finally, the audit plan is reviewed by the DAC and approved by the Deputy Minister.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
This figure highlights the four key phases used in the selection process for the development of a robust Risk-based audit plan. It covers the starting point of the selection process that determines potential NRCan auditable entities covering a 3 year period to its final recommendation. The first large block represents the potential range of auditable components which include departmental programs, activities, processes, policies and initiatives which collectively contribute to the achievement of the Department’s strategic objectives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to ensure the audit universe identified is complete. There are approximately 213 auditable entities based on the PAA and the sectors.
The next stage is to prioritize the audit universe based on a risk-based assessment. This is a two-step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk and impact. The final 2 steps are to rank the priority of the proposed audits and to recommend them for approval in the 3 year audit plan (as in the final 2 large blocks).
In total, 30 “highest priority” internal audit and advisory projects are planned for the next three years. For each proposed project, the plan provides a clear indication of the preliminary objective and scope. An indication of resource requirements, in terms of start and end dates to conduct the audits, is also provided.
The following table summarizes the number of new internal audit projects selected for each year along with the number of special advisory projects, carry-forward audits from 2014-15 and Office of the Comptroller General (OCG) horizontal audits in which NRCan participates.
In 2014-15, 13 audit projects were completed and tabled at the NRCan Departmental Audit Committee meetings. The same number of completed reports is planned to be tabled in 2015-16.
Tables 2 and 3 provide a listing of projects being carried forward from 2014-15 and the new “highest priority” projects for fiscal years 2015-16, 2016-17, and 2017-18.
Harassment Prevention and Resolution Process (CMSS and all Sectors)
Geoscience for New Energy (ESS)
Management of International Agreements (SPI and all Sectors)
(This is a Joint/Collaborative Audit & Evaluation Advisory Project)
Explosives Program Management & Licensing (MMS)
New Infrastructure Projects Management Control Framework (CMSS and all sectors)
Lessons Learned – Systemic Issues (Re-Profiling, Performance Measurements Strategies and Dissemination of Science) (all Sectors)
Advisory Project – Topic TBD
As part of this year’s process in developing NRCan’s RBAP 2015-18, the Audit Branch engaged subject matter specialists in the area of Information Technology Risk Assessments with a specific focus on Cyber Security. A number of consultation and engagement sessions were conducted with NRCan Sectors during November and December 2014. A final workshop to present overall observations and recommendations resulting from the assessment was held with participants from the Audit Branch and the Chief Information Officer Branch. The results of this in-depth assessment have been used in identifying key audit projects in the IT risk areas for the development of NRCan’s RBAP 2015-18. Specifically, this assessment identified a list of 17 different audit/advisory projects that could be undertaken by NRCan Audit Branch. Three of these 17 projects have been identified as the most value-added audits to the Department at this time and are being proposed in the draft Audit Plan.
The Audit Branch will continue to undertake assurance-based continuous auditing at NRCan to proactively identify potential control issues and report annually on various processes. In addition to the assurance provided by this activity, results from audits are intended to assist NRCan’s Management in improving control mechanisms and managing risks. This work will be performed in accordance with the IIA Standards (i.e. provide reasonable assurance). Continuous auditing will be carried out in a structured approach which is linked to the RBAP and leverages existing audit projects.
The purpose of each continuous auditing activity will be to provide ongoing reasonable assurance that key controls are in place for the process being audited. Specifically, these continuous audits will assess:
The 3 areas selected for continuous audit in 2015-16 are:
NRCan’s annual report on continuous audit activities will be completed for the DAC’s Fall 2015 meeting.
As an adjunct to the assurance role, the TB Policy on Internal Audit indicates that “internal auditors will also provide advisory services to their organizations.” Although NRCan’s Audit Branch has always undertaken advisory services upon request by senior management, this year’s RBAP update included a specific exercise in identifying key advisory services that could be offered by the Audit Branch.
This introduction of advisory projects into NRCan’s RBAP (i.e. approximately two projects per year) helps to ensure more value is provided to Senior Management in addition to our regular audit activities. Examples include Management of International Agreements (SPI and all Sectors), New Infrastructure Projects Management Control Framework (CMSS and all Sectors), along with interpretation of recipient audit reports, program reviews and consultation on new processes.
As noted above, in order to improve efficiency, minimize duplication of efforts, and to reduce fatigue on NRCan’s Sectors, this year’s RBAP update has seen an increase of collaborative efforts between NRCan’s Audit and Evaluation functions with the inclusion of 8 planned future joint/collaborative audit and evaluation projects over the next 5 years. Table 4 provides a listing of Joint/Collaborative Audit and Evaluation Projects for fiscal years 2015-18, which fall under the current RBAP cycle; it also includes 2 additional joint projects in 2018-19, as discussed and committed to by NRCan’s Audit and Evaluation functions. It should be noted that collaborative efforts will range from exchanging information and methodology to conducting hybrid audit/evaluation engagements.
Joint Audit and Evaluation Plan
The Department is subject to audits by various external central agencies (e.g. Office of the Comptroller General, Office of the Auditor General, Commissioner of the Environment and Sustainable Development, Public Service Commission). Table 5 provides a listing of external audit projects planned for fiscal years 2015-18.
Following the 2011 audit by the Public Service Commission (PSC), the Department has been reporting on actions taken and progress made in implementing the recommendations resulting from this audit. NRCan has been recently informed that the PSC is satisfied with NRCan’s achievements. For this reason, NRCan has no planned internal/external audit coverage on staffing at this time.
As in the previous year, the Audit Branch has been asked to support the Office of the Auditor General (OAG) in its annual audit of Public Accounts by providing audit resources with knowledge of Offshore Revenues. Within this context, the OAG’s audit procedures on offshore revenues will be conducted by NRCan’s Audit Branch.
As per the TB Policy on Internal Audit and International Standards for the Professional Practice of Internal Auditing, the Chief Audit Executive “must establish a follow-up process and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.”
The follow-up process at NRCan is a two-phase process which begins with a management self-assessment of each Management Action Plan (MAP). In the Fall, the Audit Branch reports on the status of the implementation of recommendations based on management’s self-assessment, using levels ranging from 1 to 5, where 5 equals full implementation. Each Spring, as part of the second phase, the Audit Branch performs a validation of the Level 5 recommendations (Full Implementation based on management self-assessment). The validation approach includes the following procedures: conducting interviews; reviewing supporting evidence; and, performing analysis and testing based on risk. Once the Follow-Up Report is approved by the DM, it is sent to the OCG.
It should be noted that Audit Branch, in addition to its regular follow-up activities, will also conduct a follow-up assessment on the Audit of Disaster Recovery during the course of fiscal year 2016-17.
The Audit Branch base budget, including administrative and management costs, is $3.256 million for 2015-16 (down from $3.266 million in 2014-15). An estimate of total resource capacity available was determined and allocated to all Audit Branch activities using metrics based on past experience. Approximately 3423 person days of capacity for 20 professional positions will be available for 2015-16 (i.e. direct audit and advisory services, excluding leave provisions and time for administration, professional development and language training). The Audit Branch has the capacity to deliver the proposed Risk-Based Audit Plan within the resources allocated to it.