Table of Contents

- Executive Summary
- RBAP Process
- Planning Results
- Advisory/Review Projects for 2017-20
- Potential Future Joint/Collaborative Audit and Evaluation Reports
- Continuous Auditing of Core Controls
- Central Agencies Audit Projects for 2017-18 – 2018-20
- Audit of Public Accounts 2017-18
- Follow-up on Previous Audit Recommendations
- Audit Branch Capacity

Executive Summary

The Risk-Based Audit Plan (RBAP), also referred to as the “Plan”, is prepared by the Audit Branch of Natural Resources Canada (NRCan). It contains the details on the role of internal audit (IA), the Audit Branch’s planning methodology, and the planned audits for the next three-year cycle: 2017-20. The RBAP is developed in accordance with the requirements of the Treasury Board of Canada (TB) Policy on Internal Audit, along with related directives, guidelines, and the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing.

RBAP Process

Each year, NRCan’s Chief Audit Executive (CAE) is required to prepare a risk-based audit plan (RBAP), which sets out the priorities of the internal audit activity that are consistent with the organization’s goals and priorities. The audit planning process ensures that all internal audit activities are relevant, timely, and strategically aligned with NRCan’s Corporate Risk Profile (CRP) to support the achievement of the Department’s strategic objectives. The input from NRCan’s Departmental Audit Committee (DAC), along with NRCan’s senior management, is sought and taken under advisement in setting internal audit activity priorities.

The starting point for the risk-based planning process is the identification of the audit universe. This audit universe document was developed by the Audit Branch and is updated annually to reflect the Department’s most current priorities.
The audit universe characterizes the array of possible audit activities and is made up of auditable entities identified as relevant to NRCan and its operating context. Auditable entities commonly include programs, processes, policies, management activities and control systems, along with departmental and government-wide initiatives, which collectively contribute to the achievement of NRCan’s strategic objectives.

NRCan’s audit universe is made up of 24 groupings of auditable entities. All programs, management activities, processes, policies and control functions, along with departmental and government-wide initiatives are subjected to a risk assessment and risk ranking exercise to select audit projects in order of priority. Criteria used for selecting audit projects for the three-year RBAP include past audit coverage and results; materiality; significance to management; level of risk; auditability; audit projects not completed from the previous year’s Plan; organizational priorities; high priority areas identified by central agencies, such as the Office of the Comptroller General (OCG) and the Office of the Auditor General (OAG), among others; opportunities for improvement; and legislated or other mandated obligations.

Prioritization of the audit universe is a two-step process. The first step includes management consultations, review, and consideration of the following available documentation: departmental risk information, including NRCan’s CRP; the latest Management Accountability Framework (MAF) assessment; recent departmental-wide assessments of IT and fraud risks, respectively, which lead to the identification of audits as part of the Audit Branch’s continuous audit framework; business planning documentation; NRCan’s Report on Plans and Priorities (RPP); Government priorities; and previous audit results (both internal and external), along with the most recent financial information and statements.
Other factors are also considered, such as collaboration with NRCan’s Evaluation Division to identify opportunities to collaborate on audit and evaluation projects in order to improve efficiency and minimize duplication of efforts. It should be noted that collaborative efforts will range from conducting joint interviews, to collecting and sharing information, to conducting hybrid audit and evaluation engagements.

The second step to prioritize the audit universe involves consideration of several factors, including significance to departmental strategic outcomes and operational objectives; senior management requests and priorities; the DAC’s advice and recommendations; external audit activities and planned evaluations; readiness of the entity for audit activities; and availability of internal resources to complete the audit on time. Following this step, professional judgement is still required to risk-assess and rank the auditable entities. This is performed through collaborative discussions with NRCan senior management and the DAC, where emphasis is placed on projects planned for 2017-18 (the first year of the three-year plan), given that future projects are reassessed annually. Government and departmental priorities are also validated with senior management and the DAC to ensure planned audits align with higher priority areas. In addition, preliminary audit objectives are developed for each audit selected for the RBAP. The final plan is then reviewed by the DAC and approved by the Deputy Minister.

The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.

The Four Key Phases Used in the Selection Process for the Development of a Robust Risk-Based Audit Plan

This figure highlights the four key phases used in the selection process for the development of a robust Risk-based audit plan.
It covers the starting point of the selection process that determines potential NRCan auditable entities covering a 3 year period to its final recommendation. The first large block represents the potential range of auditable components which include departmental programs, activities, processes, structures and initiatives which collectively contribute to the achievement of the Department’s strategic objectives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to ensure the audit universe identified is complete. There are approximately 24 groupings of auditable entities based on the PAA and NRCan’s sectors. The next stage is to prioritize the audit universe based on a risk-based assessment. This is a two-step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk and impact. The final 2 steps are to rank the priority of the proposed audits and to recommend them for approval in the 3 year audit plan (as in the final 2 large blocks).

Planning Results

The following tables summarize the number of new internal audit projects selected for each year along with the number of special advisory projects and OCG horizontal audits. In total, 35 of the highest priority internal audit and advisory projects are planned for the next three years.

Table 1 – Number of New Internal Audit Projects and OCG Horizontal directed Audits by Fiscal Year

| Type of Audit and Advisory Project | 2017-18 | 2018-19 | 2019-20 |
|---|---|---|---|
| New Internal Audit and Advisory Projects | 10 | 11 | 11 |
| OCG – Horizontal Directed Audits | 1 | 1 | 1 |
| TOTAL | 11 | 12 | 12 |

Tables 2 and 3 provide a listing of projects being carried forward from 2016-17 and the new “highest priority” projects for fiscal years 2017-18, 2018-19 and 2019-20, respectively.

Table 2 – Carry Forward Audits from Fiscal Year 2016-17

1. Assessment of the ecoEnergy for Biofuels Program
2. Management of Publishing Activities
3. Audit of Management of NRCan’s Satellite Station Facilities
4. Advisory Project on NRCan’s Approach to Funding Science-Based Activities

Legend: Advisory Project; Joint Audit and Evaluation Project

Advisory Projects for 2017-20

As an adjunct to the assurance role, the Audit Branch provides consulting/advisory services to the organization. Approximately two advisory projects per fiscal year (FY) are planned, which are based on senior management priorities and the availability of Audit Branch’s resources. As part of this year’s update to the RBAP, six advisory projects have been identified in Table 3, with the possibility of others, where feasible.

Table 3 – Internal Audit Projects for Fiscal Years 2017-20

Audits

| 2017-18 | 2018-19 | 2019-20 |
|---|---|---|
| 1. Employee Performance Management | 12. Lower Churchill Falls Loan Guarantees | 24. NRCan’s Experimentation and Innovation Strategy |
| 2. Internal Controls over Financial Reporting | 13. Crisis Management | 25. Advancing Clean Technologies |
| 3. Design and Development of NRCan’s IT Architecture Framework | 14. Memorandum to Cabinet (MC) and Treasury Board (TB) Submission Processes | 26. Management of Federal-Provincial Offshore Agreements |
| 4. Management of International Activities | 15. Management of Science | 27. NRCan’s Culture |
| 5. Horizontal Audit of Human Resources (HR) Planning | 16. Horizontal Audit of Information Technology Security – Phase II | 28. Horizontal Audit of Costing Information for Decision Making |
| 6. National Certification Program for Critical Inspections of Metals and Materials | 17. Implementation of Extractive Sector Transparency Measures Act | 29. Geoscience for New Energy Supply |
| 7. Federal Geospatial Platform | 18. Electric Vehicle and Alternative Fuel Infrastructure Development & Deployment Initiative | 30. Open Government |
| 8. Explosives Program Management & Licensing | 19. Implementation of NRCan’s IT Strategy | 31. Capital Asset Management |
| 9. Classification | 20. Indigenous Engagement Process | 32. Professional Development and Talent Management |
| | 21. Transition to Digital Communication | 33. Canada’s Legal Boundaries |

Advisory Projects

| 2017-18 | 2018-19 | 2019-20 |
|---|---|---|
| 10. Advisory Project on New Infrastructure Projects Management Control Framework | 22. Advisory Project on Evidence for Policy Decision Making | 34. Advisory Project on Workplace Wellness-Disability Management |
| 11. Advisory Project on HR Capacity for Science-based Programs | 23. TBD | 35. Advisory Project on IT End State Migration |

Legend: Advisory Project; Potential Joint/Collaborative Audit and Evaluation Project

Potential Future Joint/Collaborative Audit and Evaluation Projects

The Audit and Evaluation functions have held joint consultations with senior management and staff to ensure the most effective, efficient, and coordinated planning process. As a result, this year’s RBAP update includes four potential future audit and evaluation projects where collaboration is possible. Table 4 provides a listing of Joint/Collaborative Audit and Evaluation Projects for FYs 2018-19 and 2019-20. It should be noted that collaborative efforts will range from conducting joint interviews, to collecting and sharing information, to conducting hybrid audit and evaluation engagements.

Table 4 – Potential Future Joint/Collaborative Audit and Evaluation Projects

| 2017-18 | 2018-19 | 2019-20 |
|---|---|---|
| No joint audit and evaluation projects planned for this year. | Electric Vehicle and Alternative Fuel Infrastructure Development and Deployment Initiative | Advancing Clean Technologies |
| | Indigenous Engagement Process | Canada’s Legal Boundaries |

Continuous Auditing of Core Controls

The Audit Branch will continue to undertake assurance-based continuous auditing to proactively identify potential systemic control issues and report annually on various processes. This work will be performed in accordance with the IIA Standards (i.e. provide reasonable assurance).
The work carried out will address key risks associated with significant departmental expenses and have been identified in part, based on the results of the Department’s Fraud Risk Assessment’s (FRA’s) Management Action Plans (MAPs). The 3 areas selected for continuous audit in 2017-18 are: Grants and Contributions; Pay and Benefits processes; and, Acquisition Cards. NRCan’s annual report on continuous audit activities will be completed for the DAC’s fall 2017 meeting.

Central Agencies Audit Projects for 2017-18 – 2019-20

The Department is also subject to audits by other assurance providers. Table 5 provides a listing of known external audit projects planned for fiscal years 2017-18 to 2019-20, with the expected tabling dates.

Table 5 – Planned External Audit Projects for Fiscal Years 2017-18 to 2019-20

| Assurance provider | External audit project | Expected tabling date |
|---|---|---|
| Office of the Comptroller General | Horizontal Audit of Human Resources Planning | September 2018 |
| Office of the Comptroller General | Horizontal Audit of Information Technology Security – Phase II | March 2019 |
| Office of the Comptroller General | Horizontal Audit of Costing Information for Decision Making | March 2020 |
| Office of the Auditor General | Audit of the Management of Scientific Facilities | November 2017 |
| Office of the Auditor General | Audit of the Transformation of Pay Administration | November 2017 |
| Office of the Auditor General | Annual Audit of Public Accounts, including NRCan’s Offshore Revenue | November 2017 |
| Commissioner of the Environment and Sustainable Development | Audit on Funding of Clean Energy Technology | May 2017 |
| Commissioner of the Environment and Sustainable Development | Audit of Adapting to Climate Change Effects | October 2017 |
| Public Service Commission | Audit of System-Wide Staffing | October 2017 |

Audit of Public Accounts 2017-18

Similar to previous years, the Audit Branch has been asked to support the OAG in its annual audit of Public Accounts, by providing direct assistance in testing of payroll transactions and offshore revenues and transfers. Audit Branch will be conducting this work in the first half of FY 2017-18, with expected tabling in the second half.
Follow-up on Previous Audit Recommendations

The follow-up process at NRCan is a two-phase process, which begins with a management self-assessment of the level of implementation for each recommendation and Management Action Plan (MAP). In the fall, the Audit Branch reports on the status of the implementation of recommendations based on management’s self-assessment. Each spring, as part of the second phase, the Audit Branch performs a validation that the recommendations assessed by management have been fully implemented. The validation approach includes the following procedures: conducting interviews; reviewing supporting evidence; and performing analysis and testing based on risk. Once completed, a Follow-Up Report is produced, discussed with senior management and the DAC, and approved by the DM. Once approved, it is sent to the OCG.

Audit Branch Capacity

The Audit Branch’s forecasted budget for FY 2017-18 is $3.2 million. An estimate of total resource capacity available was developed and allocated to Audit Branch activities using metrics based on past experience. Approximately 3,600 person days of direct audit and advisory service capacity for 25 professional positions are required for 2017-18 audit projects. The Audit Branch has the capacity to deliver the proposed RBAP within the resources allocated to it, as well as the capacity to engage in other Branch activities, such as the preparation of the RBAP, follow-up on the implementation of recommendations, performance reporting, professional practices, and external audit liaison.