RISK-BASED AUDIT PLAN 2014-2017
Executive Summary
The Risk-Based Audit Plan (RBAP), also referred to as the “Plan”, is prepared by the Audit Branch of Natural Resources Canada (NRCan). It contains the details on the role of internal audit, planning methodology and planned audits for 2014-15 to 2016-17. It also contains information on the resources and capacity of NRCan Audit Branch for 2014-15.
The RBAP was developed in accordance with the applicable requirements of the Treasury Board Policy on Internal Audit, related directives, guidelines and the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA).
RBAP Process
Each year, the Chief Audit Executive (CAE) is required to prepare a risk-based audit plan which sets out the priorities of the internal audit activity, consistent with the organization’s goals and priorities. The audit planning process is aligned with the Department’s strategic objectives. The input from the Departmental Audit Committee (DAC) and senior management is considered in setting audit priorities.
The starting point for the risk-based planning process is the audit universe which is comprised of NRCan’s auditable entities. These auditable entities include programs, activities, processes, policies and initiatives which collectively contribute to the achievement of the Department’s strategic objectives. The Audit Branch used NRCan’s Program Activity Architecture (PAA) as well as an inventory of external legislated services to help assess completeness of the audit universe. The NRCan audit universe includes 114 auditable entities.
All programs, projects, activities, processes, policies and initiatives of the Department are considered for audit by subjecting them to a risk assessment and ranking them in order of priority. Criteria used for selecting audit projects for the three-year RBAP include past audit coverage and results, materiality, significance to management, risk based on a standardized methodology, auditability, audit projects not completed from the previous year’s Plan, organizational priorities, opportunities for improvement and legislated or other mandated obligations.
Prioritization of the audit universe is a two-step process. The first step includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework (MAF) assessment, strategic review, business planning, the Report on Plans and Priorities, Departmental and Government priorities, the most recent tabled financial statements, other considerations such as previous audit results (both internal and external) and program evaluations, including those planned for future years. A second step includes consideration of factors such as senior management requests, the DAC’s advice and recommendations, mandated audits such as Office of the Comptroller General’s horizontal directed audits and planned audits by other assurance providers.
Based on the results of this process, all potential moderate and high risk audit projects were discussed with NRCan senior management and the DAC, with particular emphasis on the projects planned for 2014-15 (first year of the three-year plan), given that future year projects are re-assessed on an annual basis. Also, Government and Departmental priorities were validated with senior management and the DAC to ensure greater alignment of planned audits to the highest priority areas of the Department. Appropriate audit objectives are included for each audit selected.
Finally, the audit plan was reviewed by the DAC and approved by the Deputy Minister.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
Text version
The Four Key Phases Used in the Selection Process for the Development of a Robust Risk-Based Audit Plan
This figure highlights the four key phases used in the selection process for the development of a robust Risk-based audit plan. It covers the starting point of the selection process that determines potential NRCan auditable entities covering a 3 year period to its final recommendation. The first large block represents the potential range of auditable components which include departmental programs, activities, processes, structures and initiatives. It is called the audit universe. The Audit Branch uses the departmental Program Activity Architecture (PAA) as well as NRCan's inventory of external legislated services to help assess completeness of the audit universe. There are approximately 114 auditable entities based on the PAA and the sectors.
The next stage is to prioritize the audit universe based on a risk-based assessment. This is a two step process that involves a preliminary and final prioritization based on a number of factors such as likelihood of risk and impact. The final 2 steps are to rank the priority of the proposed audits and to recommend them for approval in the 3 year audit plan (as in the final 2 large blocks).
Planning Results
In total, 27 new “highest priority” internal audit projects are planned for the next three years. For each proposed audit project, the plan provides a clear indication of the preliminary objective and scope. An indication of resource requirements, in terms of start and end date to conduct the audits is provided.
The following table summarizes the number of new internal audit projects selected for each year, carry-forward audits from 2013-14 and scheduled Office of the Comptroller General (OCG) horizontal directed audits. It is also worthwhile to note that, an internal audit on SAP – Entity Level controls will be conducted jointly between NRCan, Agri-Culture and Agri-Food Canada (AAFC), and Canadian Food Inspection Agency (CFIA) in 2015-16, which will allow the three departments’ audit functions to leverage knowledge and expertise while minimizing the total engagement cost to each participating department.
Type of Audit Project | 2014-15 | 2015-16 | 2016-17 |
---|---|---|---|
New Internal Audit Projects | 8 | 8 | 8 |
Carry-Forward Audits From Prior Year | 5 | 3 | 3 |
OCG – Horizontal Directed Audits | 1 | 1 | 1 |
TOTAL | 14 | 12 | 12 |
In 2013-14, 11 audit projects were completed and tabled at the NRCan Departmental Audit Committee meetings.
Table 2 and 3 provide a listing of audit projects being carried forward from 2013-14 and the new “highest priority” internal audit projects for fiscal years 2014-15, 2015-16 and 2016-17.
2013-14 |
---|
1. Internal Control Over Financial Reporting Phase II |
2. EcoEnergy Innovation Initiative |
3. Access to Information and Privacy |
4. Disaster Recovery Controls for Missions Critical ApplicationFootnote 1 |
5. Offshore Revenues |
2014-2015 | 2015-2016 | 2016-2017 |
---|---|---|
1. Targeted Geoscience Initiative 4 and GeoConnections (ESS) Programs |
10. Canada’s Legal Boundaries (ESS) |
19. NRCan’s Legal Management Control Framework (Legal and all Sectors) |
2. Human Resources Function – Succession Planning for NRCan S&T Community (CMSS and all Sectors) |
11. Port Hope Area Initiative (ES)* |
20. NRCan’s Intellectual Property Management Control Framework (All Sectors) |
3. Delivery of Energy Efficiency Programs (ES) |
12. Green Mining Initiatives (MMS)* |
21. Explosives Safety & Security (MMS) |
4. Program of Energy Research and Development (IETS and recipient Sectors) |
13. Efficiency Metrics for Internal Services & Programs (SPI and all sectors) |
22. Investment Planning and Reporting (CMSS and all Sectors) |
5. Shared Accountability in Back Office Consolidation (OCG Horizontal Audit) |
14. Information Management (OCG) |
23. Horizontal Audit (OCG) (Sector TBD) |
6. Climate Change Impacts and Adaptation (ESS, CFS, ES)* |
15. SAP Entity Level Controls (CMSS) (joint audit with AAFC and CFIA) |
24. Geomatics - Remote Sensing and Mapping including Satellite Station Facilities (ESS) |
7. Values and Ethics (CMSS and all Sectors) |
16. Grants and Contributions Management (Framework) (CMSS) |
25. Audit of Real Property (CMSS) |
8. Emergency Management Framework (all Sectors) (in consultation with Public Safety) |
17. Geoscience for New Energy (ESS) |
26. Expanding Market Opportunities in Forest Sector (CFS) |
9. Process for CFO Attestation (CMSS) |
18. Integrated Business Planning and Reporting (SPI) |
27. Management of Science and Technology Activities |
* In collaboration with Evaluation
Continuous Auditing of Core Controls
The Audit Branch has established an effective and sustainable continuous auditing capacity in 2013 to support the overall assurance work of the Internal Audit function and to support NRCan senior management’s commitment to financial oversight and compliance with TB Policy on Internal Controls. NRCan’s first annual report on continuous audit activities was published in Fall 2013.
The Audit Branch will continue to undertake assurance-based continuous auditing at NRCan to proactively identify potential control issues and report annually on various processes. In addition to the assurance provided by this activity, the audit results will assist Management in improving control mechanisms and managing risks. This work will be performed in accordance with the IIA Standards (i.e. provide reasonable assurance). Continuous auditing will be carried out in a structured approach which is linked to the RBAP and leverages existing audit projects.
The purpose of each continuous auditing activity will be to provide ongoing reasonable assurance that key controls are in place for the process being audited. Specifically in 2014-15, these continuous audits will focus on supplier payments and contracting, travel and events and employee compensation. This will include an assessment of:
- Compliance with government and departmental policies;
- The efficiency and effectiveness of key controls during the period under review; and
- The mitigation of related risk.
Advisory/Review Projects for 2014-15
As an adjunct to the assurance role, the TB Policy on Internal Audit (section 3.7) indicates that “internal auditors will also provide advisory services to their organizations.” The Audit Branch undertakes advisory services as requested from time to time by senior management. Examples include interpretation of recipient audit reports, program reviews, consultation on new processes, or on Treasury Board Submission or Memorandum to Cabinet. In 2014-15, AB will also coordinate the IT Security Assessment that SSC Internal Audit is planning to perform at NRCan in the spring of 2014.
Central Agencies Audit Projects for 2014-17
The Department is subject to audits by various external assurance providers (e.g. Office of the Comptroller General, Office of the Auditor General, Commissioner of the Environment and Sustainable Development, Public Service Commission). Table 4 provides a listing of external audit projects planned for fiscal years 2014-17 and a carry forward project from 2013-14. (This does not include the annual audit of Public Accounts by the OAG.)
Office of the Comptroller General | Horizontal Internal Audit of Financial Forecasting |
---|---|
Office of the Auditor General | Audit of Public Accounts 2013-14 |
Audit of Library & Archives Canada - Preserving Canadian Documentary Heritage | |
Commissioner of the Environment and Sustainable Development | Strategic Planning Exercise |
Audit of Sustainable Development Strategies - Assessing Progress under the Federal Sustainable Development Strategy | |
Follow-Up Audit Climate Change Mitigation | |
Implementation of the Environmental Assessment Act | |
CESD – Environmental Petitions Chapter |
At the time of producing this Plan, the Public Service Commission and the Office of the Commissioner for Official Languages had not included NRCan as part of their 2014-15 audit plans.
Audit Branch Capacity
The Audit Branch base budget, including administrative and management costs, is $3.26 million for 2014-15 (down from $3.5 million in 2013-14). An estimate of total resource capacity available was determined and allocated to all Audit Branch activities using metrics based on past experience. Approximately 4,677 person days of capacity for 25 professional positions will be available for 2014-15 (i.e. direct audit time, excluding leave provisions and time for administration, professional development and language training). The Audit Branch has the capacity to deliver the proposed Risk-Based Audit Plan.
Page details
- Date modified: