The Risk-Based Audit Plan (RBAP), also referred to as the “Plan”, is prepared by the Audit Branch of Natural Resources Canada (NRCan). It contains the details on the role of internal audit, the Audit Branch’s planning methodology, and the planned audits for the next three year cycle 2016-19.
The RBAP is developed in accordance with the requirements of the Treasury Board of Canada (TB) Policy on Internal Audit, along with related directives, guidelines, and the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing.
Each year, NRCan’s Chief Audit Executive (CAE) is required to prepare a risk-based audit plan which sets out the priorities of the internal audit activity that are consistent with the organization’s goals and priorities. The audit planning process ensures that all internal audit activities are relevant, timely, and strategically aligned to support the achievement of the Department’s strategic objectives. The input from NRCan’s Departmental Audit Committee (DAC) along with NRCan’s senior management is sought and taken under advisement in setting internal audit activity priorities.
The starting point for the risk-based planning process is the identification of the audit universe. The audit universe characterizes the array of possible audit activities and is made up of auditable entities identified as relevant to NRCan and its operating context. Auditable entities commonly include programs, processes, policies, management activities and control systems, along with departmental and government wide initiatives, which collectively contribute to the achievement of the NRCan’s strategic objectives. NRCan’s audit universe is made up of 24 groupings of auditable entities.
All programs, management activities, processes, policies and control functions, along with departmental and government wide initiatives are subjected to a risk assessment and risk ranking exercise to select audit projects in order of priority. Criteria used for selecting audit projects for the three-year RBAP include past audit coverage and results, materiality, significance to management, level of risk, auditability, audit projects not completed from the previous year’s Plan, organizational priorities, opportunities for improvement and legislated or other mandated obligations.
Prioritization of the audit universe is a two-step process. The first step includes management consultations, review and consideration of available departmental risk information, including NRCan’s Corporate Risk Profile (CRP), the latest Management Accountability Framework (MAF) assessment, business planning documentation, NRCan’s Report on Plans and Priorities (RPP), Government priorities and previous audit results (both internal and external), along with the most recent financial information and statements.
Other factors are also considered such as collaboration with NRCan’s Evaluation function to identify opportunities to collaborate on audit and evaluation projects, in order to improve efficiency and minimize duplication of efforts. This year’s RBAP update includes 7 planned future audit and evaluation projects where collaboration is possible. These include: Geomatics for Remote Sensing (ESS, CFS) in 2016-17; Biofuels (ES) in 2016-17; Governance for Results (All Sectors) in 2016-17; Geoscience for New Energy (ESS) in 2017-18; Explosives Program Management & Licensing (MMS) in 2017-18; Federal Geospatial Platform (ESS) in 2018-19; and, Canada’s Legal Boundaries (ESS) in 2018-19. It should be noted that collaborative efforts will range from conducting joint interviews, collection and sharing of information, to conducting hybrid audit and evaluation engagements.
The second step of the prioritization of the audit universe includes consideration of other factors such as senior management requests, the DAC’s advice and recommendations, audits by the Office of the Comptroller General, and planned audits by other external assurance providers.
Based on the results of this process, all potential moderate and high risk auditable entities are discussed with NRCan senior management and the DAC, with particular emphasis on the projects planned for 2016-17 (the first year of the three-year plan), given that future year projects are re-assessed on an annual basis. Also, Government and Departmental priorities are validated with senior management and the DAC to ensure greater alignment of planned audits to the highest priority areas of the Department. Appropriate preliminary audit objectives are included for each audit selected.
Finally, the audit plan is reviewed by the DAC and approved by the Deputy Minister.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
This figure highlights the four key phases used in the selection process for the development of a robust Risk-based audit plan. It covers the starting point of the selection process that determines potential NRCan auditable entities covering a 3 year period to its final recommendation. The first large block represents the potential range of auditable components which include departmental programs, activities, processes, policies and initiatives which collectively contribute to the achievement of the Department’s strategic objectives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to ensure the audit universe identified is complete. There are approximately 24 groupings of auditable entities based on the PAA and the sectors.
The next stage is to prioritize the audit universe based on a risk-based assessment. This is a two-step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk and impact. The final 2 steps are to rank the priority of the proposed audits and to recommend them for approval in the 3 year audit plan (as in the final 2 large blocks).
In total, 36 “highest priority” internal audit and advisory projects are planned for the next three years. For each proposed project, the plan provides a clear indication of the preliminary objective and scope.
The following tables summarize the number of new internal audit projects selected for each year along with the number of special advisory projects, carry-forward audits from 2015-16 and Office of the Comptroller General (OCG) horizontal audits.
Table 2 and 3 provide a listing of projects being carried forward from 2015-16 and the new “highest priority” projects for fiscal years 2016-17, 2017-18, and 2018-19 respectively.
The results of an in-depth assessment of NRCan’s Information Technology Risk conducted last fiscal year have been used again in identifying key audit projects in the IT risk areas for the development of NRCan’s RBAP 2016-19.
The Audit Branch will continue to undertake assurance-based continuous auditing to proactively identify potential systemic control issues and report annually on various processes. In addition to the assurance provided by this activity, results from audits are intended to assist NRCan’s Management in improving control mechanisms and managing risks on a real time basis. This work will be performed in accordance with the IIA Standards (i.e. provide reasonable assurance). Continuous auditing will be carried out in a structured approach which is linked to the RBAP and will leverage information collected during the conduct of other audit projects. In addition, continuous auditing will be carried out to address key risks associated with significant departmental expenses.
The purpose of each continuous auditing activity will be to provide ongoing reasonable assurance that key controls are in place for the process being audited. Specifically, these continuous audits will assess:
The 3 areas selected for continuous audit in 2016-17 are:
NRCan’s annual report on continuous audit activities will be completed for the DAC’s fall 2016 meeting.
As an adjunct to the assurance role, the TB Policy on Internal Audit indicates that “internal auditors will also provide advisory services to their organizations.” Although NRCan’s Audit Branch has always undertaken advisory services upon request by senior management, NRCan`s recent RBAP updates have included specific exercises in identifying key advisory services that could be offered by the Audit Branch.
The inclusion of advisory projects into NRCan’s RBAP (i.e. approximately two projects per year) helps to ensure additional value is provided to Senior Management to complement our regular audit activities. Examples include the Science Framework – Advisory Project (Office of the Chief Scientist), IT End State Migration - Advisory Project (CMSS), along with consultation on new processes.
The Audit and Evaluation functions held joint consultations with senior management and staff to ensure the most effective, efficient, and coordinated planning process possible. This year’s RBAP update includes 7 planned future audit and evaluation projects where collaboration is possible. Table 4 provides a listing of Joint/Collaborative Audit and Evaluation Projects for fiscal years 2016-19. It should be noted that collaborative efforts will range from conducting joint interviews, the collection and sharing of information, to conducting hybrid audit and evaluation engagements.
Joint Audit and Evaluation Plan
The Department is subject to audits by various external central agencies (e.g. Office of the Comptroller General, Office of the Auditor General, Commissioner of the Environment and Sustainable Development, Public Service Commission). Table 5 provides a listing of external known audit projects planned for fiscal years 2016-17.
Horizontal Audit of Costing Information for Decision Making (OCG) (All Sectors)
Horizontal Audit of IT Security
The Audit Branch has been asked once again to support the Office of the Auditor General in its annual audit of Public Accounts by providing direct assistance for testing of payroll transactions and offshore revenues and transfers.
As per the TB Policy on Internal Audit and International Standards for the Professional Practice of Internal Auditing, the Chief Audit Executive “must establish a follow-up process and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.”
The follow-up process at NRCan is a two-phase process which begins with a management self-assessment of the level of implementation for each Management Action Plan (MAP). In the fall, the Audit Branch reports on the status of the implementation of recommendations based on management’s self-assessment, using levels ranging from 1 to 5, where 5 equals full implementation.
Each spring, as part of the second phase, the Audit Branch performs a validation of the Level 5 implementation of recommendations (Full Implementation based on management self-assessment). The validation approach includes the following procedures: conducting interviews; reviewing supporting evidence; and, performing analysis and testing based on risk. Once completed a Follow-Up Report is produced and approved by the Deputy Minister. Once approved, it is sent to the OCG.
The Audit Branch’s forecasted budget for 2016-17 is $3,2M. An estimate of total resource capacity available was developed and allocated to Audit Branch activities using metrics based on past experience. Approximately 3,000 person days of direct audit and advisory service capacity for 24 professional positions are required for 2016-17 audit projects. This figure includes time for quality assurance reviews for all audit projects. It does not include time related to Branch administration and administrative support, or employee leave provisions, professional development or language training. The Audit Branch has the capacity to deliver the proposed Risk-Based Audit Plan within the resources allocated to it, as well as the capacity to engage in other branch activities such as the preparation of the RBAP itself, follow-up on the implementation of recommendations, performance reporting, professional practices, along with external audit liaison.