RISK-BASED AUDIT PLAN 2013-2016
- RBAP Process
- Planning Results
- Continuous Auditing of Core Controls
- Advisory/Review Projects for 2013-14
- Central Agencies Audit Projects for 2013-16
- Audit Branch Capacity
The Risk-Based Audit Plan (RBAP), also referred to as the "Plan", is prepared by the Audit Branch of Natural Resources Canada (NRCan). It contains the details on the role of internal audit, planning methodology and planned audits for 2013-14 to 2015-16. It also contains information on the resources and capacity of NRCan Audit Branch for 2013-14.
The RBAP was developed in accordance with the applicable requirements of the Treasury Board Policy on Internal Audit, related directives, guidelines and the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA).
Each year, the Chief Audit Executive (CAE) is required to prepare a risk-based audit plan which sets out the priorities of the internal audit activity, consistent with the organization’s goals and priorities. The audit planning process is aligned with the Department’s strategic objectives. The input from the Departmental Audit Committee (DAC) and senior management is considered in setting audit priorities.
The starting point for the risk-based planning process is the audit universe which is comprised of NRCan’s auditable entities. These auditable entities include programs, activities, processes, policies and initiatives which collectively contribute to the achievement of the Department’s strategic objectives. The Audit Branch used NRCan’s Program Activity Architecture (PAA) as well as an inventory of external legislated services to help assess completeness of the audit universe. The NRCan audit universe includes 120 auditable entities.
All programs, projects, activities, processes, policies and initiatives of the Department are considered for audit by subjecting them to a risk assessment and ranking them in order of priority. Criteria used for selecting audit projects for the three-year RBAP include past audit coverage and results, materiality, significance to management, risk based on a standardized methodology, auditability, audit projects not completed from the previous year’s Plan, organizational priorities, opportunities for improvement and legislated or other mandated obligations.
Prioritization of the audit universe is a two step process. The first step includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework (MAF) assessment, strategic review, business planning, the Report on Plans and Priorities, Departmental and Government priorities, the most recent tabled financial statements, other considerations such as previous audit results (both internal and external) and program evaluations, including those planned for future years. A second step includes consideration of factors such as senior management requests, the DAC’s advice and recommendations, mandated audits such as Office of the Comptroller General’s horizontal directed audits and planned audits by other assurance providers.
Based on the results of this process, all potential moderate and high risk audit projects were discussed with NRCan senior management and the DAC, with particular emphasis on the projects planned for 2013-14 (first year of the three-year plan), given that future year projects are re-assessed on an annual basis. Also, Government and Departmental priorities were validated with senior management and the DAC to ensure greater alignment of planned audits to the highest priority areas of the Department. Appropriate audit objectives are included for each audit selected.
Finally, the audit plan was reviewed by the DAC and approved by the Deputy Minister.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
- Government Priorities
- Departmental Priorities
- Corporate Risks
- Strategic and Operating Review
- Business Planning
- MAF Assessment
- Consultations with management
- Core audit requirements (TB MAF)
- CAE annual overview report
- Mandated priorities
- Central Agency audits (e.g OAG, OCG)
- Previous NRCan internal audits
- Time since last audit
- Audit Branch capacity
- Program Evaluations
- Final discussions with senior management
- Senior management requests
- Audit Committee requests
- Focus on first year proposed audit projects
- Evaluation Plan
In total, 33 new "highest priority" internal audit projects are planned for the next three years. For each proposed audit project, the plan provides a clear indication of the preliminary objective and scope. An indication of resource requirements, in terms of start and end date to conduct the audits is provided.
The following table summarizes the number of new internal audit projects selected for each year along with the number of special "advisory" projects, carry-forward audits from 2012-13 and scheduled Office of the Comptroller General (OCG) horizontal directed audits as these audits may require Audit Branch resources to perform the audit work for the examination phase.
|Type of Audit Project||2013-14||2014-15||2015-16|
|New Internal Audit Projects||9||10||10|
|Carry-Forward Audits From Prior Year||3||3||3|
|OCG – Horizontal Directed Audits||1||2||1|
In 2012-13, 12 audit projects were completed. Of the 12 audit projects, two audit projects (Internal Controls over Quarterly Financial Reporting and IT Certification and Accreditation Program) will be presented to the Departmental Audit Committee in 2013-14 due to reporting time lags. Both audit projects are not considered carry-forward audits as they were finalized by the end of 2012-13.
The following two tables provide a listing of audit projects being carried forward from 2012-13 and the new "highest priority" internal audit projects for fiscal years 2013-14, 2014-15 and 2015-16.
|2012-13||1. SAP Functionalities|
|2. Economic Action Plan 2012|
|3. System Development Audit of the GCDOCS Project|
|2013 – 2014||2014 – 2015||2015 - 2016|
|1. Polar Continental Shelf Project||1. Targeted Geoscience Initiative 4||1. Geomatics - Remote Sensing including Satellite Station Facilities|
|2. Management of Laboratories||2. Climate Change Impacts and Adaptation||2. Canada’s Legal Boundaries|
|3. Net Vote Revenue (NVR) and User Fees||3. Management of Science and Technology Activities||3. Office of Energy Efficiency|
|4. Program of Energy Research and Development||4. ecoENERGY Innovation Initiative||4. Green Mining Initiatives|
|5. Offshore Revenues||5. Port Hope Area Initiative||5. Services Standards of Internal Services|
|6. Risk Management Framework and Implementation||6. Integrated Business Planning and Reporting||6. Human Resources Function|
|7. Financial Forecasting||7. Directive on Internal Support Services||7. Horizontal Audit|
|8. Disaster Recovery Controls For Mission Critical Applications and IT Infrastructure*||8. Efficiency of Procurement and Contracting Practices||8. SAP System Security|
|9. Internal Controls over Financial Reporting – Phase II||9. Values and Ethics||9. Grants and Contributions Management (Framework)|
|10. Access to Information and Privacy||10. Emergency and Disaster Management Framework||10. Management of Classified Documents|
|11. Expanding Market Opportunities||11. Isotope Technology Acceleration Program|
|12. Forest Innovation Program|
* This audit will be coordinated with Shared Services Canada (SSC) Internal Audit and scheduling may be adjusted.
Continuous Auditing of Core Controls
The Audit Branch has developed, as part of this year’s RBAP, effective and sustainable continuous auditing activities to support the overall assurance work of the Internal Audit function and to support NRCan senior management’s commitment to financial oversight and compliance with TB Policy on Internal Controls.
The Audit Branch will undertake assurance-based continuous auditing at NRCan to proactively identify potential control issues and report annually on various processes. In addition to the assurance gained from this activity, the audit results will assist management in improving control mechanisms and managing risks. This work will be performed in accordance with the IIA Standards (i.e. provide reasonable assurance). Continuous auditing will be carried out in a structured approach which is linked to the RBAP and leverages existing audit projects.
Table 3 summarizes the processes that will be subject to continuous auditing for the next three years.
|Process||Audit Risk||Estimated Spending
|1. Acquisition Cards||Moderate||$ 15.6 M|
|2. Supplier Payments||High||$ 346 M|
|3. Travel and Hospitality Expenses||Moderate||$ 18 M|
|4. Contracting||High||$ 127 M|
|5. Salary Expenses||Moderate||$ 524 M|
The purpose of each continuous auditing activity will be to provide ongoing reasonable assurance that key controls are in place for the process being audited. A report will be produced annually. Specifically, the audit will assess:
- Compliance with government and departmental policies;
- The efficiency and effectiveness of key controls during the period under review; and
- The mitigation of related risk.
Advisory/Review Projects for 2013-14
As an adjunct to the assurance role, the TB Policy on Internal Audit (section 3.7) indicates that "internal auditors will also provide advisory services to their organizations." Notwithstanding a clear focus on assurance work, the Audit Branch also undertakes advisory services as requested from time to time by senior management. Examples include interpretation of recipient audit reports, program reviews and consultation on new processes.
Central Agencies Audit Projects for 2013-16
The Department is subject to audits by various external central agencies (e.g. Office of the Comptroller General, Office of the Auditor General, Commissioner of the Environment and Sustainable Development, Public Service Commission). Table 4 provides a listing of external audit projects planned for fiscal years 2013-16 and carry forward project from 2012-13. (This does not include the annual audit of Public Accounts by the OAG.)
|Office of the Comptroller General||Horizontal Internal Audit of Financial Forecasting *|
|Office of the Auditor General**||Accessibility of Government Services to Canadians|
|Implementation of Internal Control Policies|
|Status Report on Evaluating the Effectiveness of Programs|
|Status Report on Security in Contracting|
|Workforce Adjustments Measures|
|Commissioner of the Environment and Sustainable Development**||A Study on Biodiversity|
|Assessing Progress under the Federal Sustainable Development Strategy|
|Environmental Petitions Annual Report|
|Follow-up Audit of Climate Change Mitigation|
|Greenhouse Gas Mitigation Programs|
|Study on Groundwater|
* This carry forward audit is part of the OCG’s horizontal risk-based audit plan.
** NRCan participation, audit titles and tabling dates are subject to change.
At the time of producing this Plan, the Public Service Commission and the Office of the Commissioner for Official Languages had not included NRCan as part of their 2013-14 audit plans.
Audit Branch Capacity
The Audit Branch base budget, including administrative and management costs, is $3.5 million for 2013-14 ($3.6 million in 2012-13). An estimate of total resource capacity available was determined and allocated to all Audit Branch activities using metrics based on past experience. Approximately 4,787 person days of capacity for 28 professional positions was estimated for 2013-14 (i.e. direct audit time, excluding leave provisions and time for administration, professional development and language training). The internal audit resources provided and deployed are appropriate to achieve the proposed Risk-Based Audit Plan for the 2013-14 fiscal year.
The following acronyms are used in this document:
|CAE||Chief Audit Executive|
|CRP||Corporate Risk Profile|
|DAC||Departmental Audit Committee|
|IIA||Institute of Internal Auditors|
|MAF||Management Accountability Framework|
|NRCan||Natural Resources Canada|
|OAG||Office of the Auditor General|
|OCG||Office of the Comptroller General|
|PAA||Program Activity Architecture|
|RBAP||Risk-Based Audit Plan|
|SAP||Systems, Applications, and Products (Software System)|
- Date modified: