Archived - Risk-Based Audit Plan 2009-2010 to 2011-2012
Archived information
This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Date: April 22, 2009
PDF Version (330 Kb, 39 Pages)
This document represents the three-year Risk-based Internal Audit Plan of Indian and Northern Affairs Canada for 2009-2012.
The Plan was received by the Audit and Evaluation Committee (AEC) at its February 26, 2009 meeting and, upon the recommendation of the Committee, approved by the Deputy Minister.
The Plan focuses primarily on the provision of assurance services to Indian and Northern Affairs Canada's AEC and Deputy Minister while ensuring that appropriate audit attention is directed to addressing areas of government-wide interest, such as fundamental controls and financial reporting, as directed by the Office of the Comptroller General (OCG).
Based on the economic stimulus package presented in the Budget 2009, the Plan has identified three projects that will ensure additional funding provided to Indian and Northern Affairs Canada reflects the principles of sound stewardship as highlighted in the Financial Accountability Act. These three projects include the Audit of Housing, the Due Diligence Review of Infrastructure Initiatives and the Audit of the Delegation of Authorities.
The Plan is intended to support an annual holistic opinion from the Chief Audit and Evaluation Executive (CAEE) on departmental governance, risk management and control processes.
Table of contents
- Introduction
- Risk-Based Audit Planning
- The Three-Year Audit Plan
- Appendix A - Auditable Units by Risk Score
- Appendix B - 2009-2010 Audits Prioritized from Highest to Lowest Risk
- Appendix C - Linkage of 2009-10 Audits to the Corporate Risk Profile
- Appendix D - Anticipated 2009 - 2010 Regional Site Visits
- Appendix E - Coverage of MAF Elements
Introduction
Background
The 2006 Treasury Board Internal Audit Policy places considerable emphasis on:
- increasing the independence of the internal audit function
- strengthening and further professionalizing the internal audit function
- providing a consistent, comprehensive government-wide approach to the way internal audit activities are planned and conducted and
- enhancing the oversight, monitoring and reporting role of the internal audit function.
The Audit and Assurance Services Branch within Indian and Northern Affairs Canada (INAC) has put in place the professional practices and management processes to ensure that it is in full compliance with the 2006 Policy, as required, by April 1, 2009.
This three-year audit plan is a key component of that compliance, providing a strong and credible audit regime that contributes to effective risk management, sound resource stewardship and good governance in the delivery of Indian and Northern Affairs Canada's programs and in the performance of its corporate activities.
Scope of the Internal Audit Function
The internal audit function plays an important role in supporting departmental operations. It provides assurance on all important aspects of risk management strategy and practices, management control frameworks and practices, and governance. Where control weaknesses exist and where the achievement of objectives is at risk, internal audit plays a role in providing constructive insight and recommendations for the strengthening of operations. In this way, internal audit contributes to enhanced accountability and performance.
The Government of Canada's standards for the professional practice of internal audit stipulate that the role of internal audit is to provide assurance that the system of internal control is adequate and effective to manage risk at a level that is acceptable to management. In this way, the internal audit function will provide the Deputy Minister and the Audit and Evaluation Committee with confidence that the risks to the achievement of INAC's objectives are being managed effectively. The internal audit function has a vital role to play in supporting the principles of modern comptrollership.
Internal control is defined broadly and encompasses those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support the achievement of the organizational objectives.
The scope of the internal audit function is broad and includes those systems of internal control that are in place to achieve the following objectives:
- compliance with legislation, regulations, policies and procedures
- economy and efficiency of operations
- safeguarding of assets
- reliability and integrity of financial and operational information and
- achievement of operational objectives.
Risk-based Audit Planning
In preparing this second three year audit plan within the context of the 2006 Treasury Board Internal Audit Policy, the Audit and Assurance Services Branch employed the same risk-based planning methodology as developed for the 2007-2010 Plan. The methodology is described below and is consistent with professional standards for the development of risk-based audit plans.
The methodology consists of:
- Identification of Auditable Units based upon an analysis and grouping of INAC's potential audit universe of programs, corporate functions, and authorities. A list of the auditable units is included as Appendix A.
- Risk Assessment of each auditable unit in terms of its significance, complexity, and sensitivity, using a scale of 1 to 5 for each factor where 1 is low risk and 5 is high risk. Those auditable units marked with an asterisk in Appendix A are not currently ranked as having sufficient risk to be included in the Three Year Plan.
- Recommendation of Audit Projects that would be most appropriate to address the highest risk areas on a priority basis.
While employing the same methodology to ensure consistency over time, care was taken to:
- update or refine the auditable units, e.g. to reflect new initiatives, transfer of responsibilities or areas of increased central agency interest
- revise the risk assessment to take into consideration the knowledge gained from implementation of the 2007-08 Annual Plan, including the results of Management Practices Reviews, audits and evaluations (both internal and external), and the review of Results-based Management Accountability Frameworks and Risk-based Audit Frameworks and
- refine or refocus recommended audit projects, e.g. carryover.
In the case of auditable units for which there has been little or no recent relevant audit or evaluation activity, the Branch will continue to undertake preliminary surveys as a first step in the audit process to identify the management control framework as well as potential risks that would be suitable for audit attention.
The Branch will also continue the practice of recommending a small number of audit projects that examine key issues or risks from a horizontal or cross boundary perspective.
Consultations with INAC Management
Consultations were held with the senior management of all sectors in INAC to explain and verify the identification of auditable units and to present the recommended audit projects that affect their sector or their interests as corporate managers.
The Three-Year Audit Plan
Based on the results of the risk-based prioritization of auditable units, a formal three-year audit plan has been developed, taking into consideration the known planned activities of external parties. The Three-Year Audit Plan (Table 1) sets out the recommended projects over the period from 2008-2009 to 2010-2011.
Prior to each subsequent fiscal year, the risk assessment of auditable units and the identification of projects will be updated to ensure that audit attention continues to be devoted to those areas of greatest risk that are suitable for examination.
The audit plan for 2008-2009 is presented in Table 2 with each project described in terms of its nature, its objective, its estimated timeframe, and its rationale. Regional coverage for each project will be determined as part of the planning phase.
The status of audit projects which began in 2007-2008 but have not been substantively completed is identified as carried forward in Table 3. Projects from the 2007-2008 Audit Plan which had not begun, e.g. due to unavailability of suitable contractors or contracting vehicles, and which are still considered as high priority have been included in the 2008-2009 Plan in Table 2.
| Auditable Unit | Risk Profile | 2009-2010 Audit Project | 2010-2011 Audit Project | 2011-2012 Audit Project | Recent Audit History |
|---|---|---|---|---|---|
| Departmental Programs | |||||
| Self Government/Claims | High risk: significant to the achievement of the department's objectives and are financially material, highly complex to negotiate and implement, highly sensitive due to time and resources invested | Audit of Funding for Implementation and Negotiations | Preliminary Survey for Audit of Self Government, including Comprehensive Claims - 2008-09 | ||
| Specific Claims | High risk: new specific claims process being implemented, significant expectations on INAC to support new specific claims tribunal and timelines for resolution of claims, highly complex due to the volume of claims, sensitive to beneficiaries and public | Audit of Specific Claims | Preliminary Survey for Specific Claims - 2007-08 | ||
| Indian Government Support | Moderate risk: significant materiality, moderately complex, quite sensitive if programming revised |
Audit of Band Classification Audit of Indian Government Support |
Audit of Band Support Funding - 2008-09 | ||
| Capacity Development | High risk: moderate relative materiality (>$100 million) but significant impact on INAC's agenda and highly complex due to numerous initiatives and programs and significant cumulative resources, sensitive to public if results not evident | Audit of Lands Management | Audit of Capacity Development - 2008-09 | ||
| Capital Facilities and Maintenance (Infrastructure) | High risk: major materiality (approaching $1 billion) with significant infusion of funding through Budget 2009, highly complex delivery model, sensitive to beneficiaries and public | Audit of Housing Due Diligence Review of Infrastructure Initiatives |
Audit of Infrastructure Initiatives | Follow-up Audit of Capital Facilities and Maintenance | Audit of Capital Facilities and Maintenance - 2008-09 |
| Economic Development | High risk: moderate relative materiality with significant challenges of refocusing programming, inherently highly complex to pick "winners" in a multi-jurisdiction environment, highly sensitive if failures are highlighted | Audit of Aboriginal Business Canada and Non-Proposal Driven Programming | Follow-up Audit of Economic Development | Community Economic Development Funding - 2007-08 Preliminary Survey for Audit of Economic Development - Non-Proposal Driven - 2008-09 |
|
| Office of the Federal Interlocutor (OFI) and Urban Aboriginal Strategy (UAS) | Moderate risk: lower relative materiality, however, highly complex due to challenges of mandate, community based model not driven by INAC formulas but by consultations with communities, expanded Urban Aboriginal Strategy and central agency interest, sensitive to the public | Audit of Implementation of the Urban Aboriginal Strategy | Audit of OFI Management Control Framework for Programs and Contributions - 2007-08 | ||
| Emergency | Moderate risk: normally low materiality, some complexity in implementing appropriate responses, highly sensitive if responses mismanaged | Audit of Emergency | |||
| Natural Resources and Environmental Management | Moderate risk: lower relative materiality with potentially increased significance due to contingent liabilities, complex because of competing demands - environment vs. development, public sensitivity if environment threatened | Audit of Natural Resources and Environmental Management (Scope TBD) |
Preliminary Survey for Audit of Natural Resources and Environmental Management | ||
| Child and Family Services | High risk: significant materiality (>$500 million), highly sensitive to beneficiaries and public, complex and challenging in new approach, number of agreements and participants | Audit of Child and Family Services (Enhanced Prevention Focus and Follow-up) | Audit of Child and Family Services - 2006-07 OAG Audit of Child and Family Services - May 2008 |
||
| Income Assistance | High risk: major materiality, highly sensitive to public - living conditions and potential for abuse, highly complex because of decentralized and devolved delivery; program being revitalized (e.g. active measures) and Preliminary Survey in 07-08 identified need for strengthened control framework | Audit of Income Assistance | Preliminary Survey of Income Assistance - 2007-08 | ||
| Elementary and Secondary Schools and Other Education | High risk: significant level of materiality (> $1 billion), sensitive to beneficiaries and public, challenges to meet standards and improve results, renewal underway, e.g. enhanced accountability | Audit of Special Education | Audit of Other Education | Audit of Elementary and Secondary and Other Education - 2008-09 | |
| Post Secondary Education | High risk: significant materiality, more complex delivery than elementary/secondary education - wide range of Post Secondary options and decentralized delivery, sensitive to beneficiaries (demand) and public | Follow-Up Audit of Post Secondary Education | Audit of Post Secondary Education - 2008-09 | ||
| Family Violence and Other Social Services | Moderate risk: moderate materiality, some complexity due to number of authorities, little specific sensitivity | Audit of Family Violence | |||
| Registration and Membership | High risk: low direct materiality but highly significant in terms of potential impacts, complex to determine eligibility and the various stakeholders, highly sensitive due to potential benefits associated with the Indian Status card, e.g. trans-border travel, health, tax, roll-out of new CIS may require significant shift in roles and responsibilities | System Under Development Audit of CIS-IRS, continued | Audit of Registration and Membership | System Under Development Audits of CIS-IRS - 2007-08 and 2008-09 Threat Risk Assessment - 2007-08 |
|
| Residential Schools Resolution | High risk: high materiality and high symbolic significance, high degree of complexity in a number of cases, extremely sensitive | Follow-up of Previous Audits | Audit of the Advance Payment Program - 2007-08 Audit of the Financial Settlement Allotment - 2008-09 |
||
| Grants and Contributions Horizontal Departmental Controls | High risk: highest materiality and significance representing approximately 85% of INAC budget, highly complex and sensitive (variety of authorities and delivery mechanisms) | Horizontal Departmental Audit - (Scope TBD) | Horizontal Departmental Audit - (Scope TBD) | Horizontal Departmental Audit - (Scope TBD) | Audit of Intervention Policy and Quality Assurance - 2008-09 |
| Corporate Functions | |||||
| Financial Planning and Budgeting | Moderate risk: significant since no basis in place for the preparation of budgeted allocations, complex in a decentralized organization, sensitive once basis of allocation established and resulting competition for resources | Audit of Financial Planning and Budgeting | |||
| Financial Forecasting | Moderate risk: potentially significant particularly at year-end, complex in a decentralized organization, little sensitivity | Audit of Forecasting | |||
| External Reporting - Financial Statements Audit Readiness (including: Public Accounts, Audited Financial Statements, DPR/RPP, Proactive Disclosure, Contingent Liabilities) | Moderate risk: high degree of sensitivity but primarily internal to government because OAG and TBS are interested, highly complex because of decentralized organization | Audit related to External Reporting (Scope TBD) | Audit of Liabilities - 2008-09 | ||
| Expenditure Management | High risk: potential weakness of internal controls could have high materiality, highly complex because of decentralized organization, highly sensitive due to nature of some expenditures (e.g. hospitality) | Follow-Up Audit of Travel, Taxis, Hospitality, Conferences and Acquisition Cards | Audit of Expenditure Management - 2008-09 | ||
| Fraud Risk and Control Strategies | Moderate risk: moderate significance and complexity although included in OCG's horizontal audit, highly sensitive due to media attention if events occur | To be addressed in each audit * | To be addressed in each audit * | To be addressed in each audit * | |
| Assets and Property Management | Moderate risk: moderate significance due to INAC's challenge in documenting its own assets, moderate complexity as policies and procedures exist governing expected practices, somewhat sensitive if existence of some assets cannot be determined | Preliminary Survey of Assets and Property Management | Audit of Assets and Property Management (Scope TBD) |
||
| Revenues | Moderate risk: moderate significance since revenues are relatively low, moderate complexity since majority of revenues are agreement/formula driven, not normally sensitive unless failure to collect revenues owed becomes a public issue | Audit of Revenue Management | Preliminary Survey for Audit of Revenue Management - 2008-09 | ||
| Trust Accounts | Low risk: although significant custodial responsibility with degree of sensitivity among First Nations and some complexity to track and manage accounts, a preliminary survey identified reasonable controls | Audit of Trust Accounts | Preliminary Survey for Audit of Trust Accounts - 2008-09 | ||
| Loans and Accounts Receivable | Moderate risk: function can be quite significant if large dollar value of loans and accounts receivable not actively managed to ensure timely receipt, moderate complexity in determining estimates on allocation, moderate sensitivity if INAC not seen as managing funds well | Audit of Loans and Accounts Receivable | |||
| Human Resource Planning and Resourcing | High risk: significant in that INAC is facing workforce shortages and competition for skilled workers in some areas, coupled with challenges in capacity issues in human resources, can be quite complex in terms of identifying future requirements, establishing plans to address them, and implementing resourcing strategies in a complex and controlled environment, initiatives are underway, however, still at an early stage, can be sensitive with respect to Aboriginal recruitment | Audit of Aboriginal Resourcing |
Audit of Human Resource Planning and Leadership Development Audit of Advertised Appointments |
Audit of Staffing and Classification - Manitoba - 2008-09 Audit of Staffing and Payroll for Non-Advertised Appointments and Acting Appointments - 2008-09 |
|
| Organizational Design and Classification | Moderate risk: effective design and appropriate classification can contribute significantly to achievement of INAC's objectives, moderate complexity to achieve most effective structures and appropriate levels, classification modernization underway with conversions to generic job descriptions for various groups such as the EC group, capacity issues for Classification Advisors, moderate sensitivity and complexity as structures become more centralized | Audit of the Delegation of Authorities, Organizational Design and Classification | Audit of Staffing and Classification - Manitoba - 2008-09 | ||
| Compensation and Benefits | High risk: financially significant, activities are complex due to a high level of decentralization | Audit of Payroll | |||
| Learning and Development | Moderate risk: can be significant if next generation of managers/leaders not adequately trained, activity not complex on its own but some complexity introduced because of challenges in obtaining commitment and ensuring learning occurs, little sensitivity as an internal activity, employees may be dissatisfied if opportunities not made equitably available | Audit of Training and Development | |||
| Occupational Health and Safety | Moderate risk: significance is normally low unless employees perceive that their health or safety is at risk in the workplace, complexity can be moderate risk if health and safety taken for granted and if somewhat complex legislation is not respected, function could be sensitive if a serious incident can be attributed to non-compliance | Follow-up Audit of Occupational Health and Safety | Audit of Occupational Health and Safety - 2008-09 | ||
| Security | Moderate risk: potentially significant to achievement of INAC business objectives if employees and assets not adequately safeguarded, can be complex to keep abreast of threats and in the conduct of threat risk assessments, highly sensitive if major threats or security violations occur | Follow-Up Audit of IT Security | Audit of Personnel and Physical Security | Audit of IT Security - 2007-08 | |
| IM/IT Governance | High risk: highly significant because of potential impacts on program delivery and corporate services, highly challenging for senior management to establish a governance regime that can set priorities and meet competing demands, sensitive if needs not met | Audit of Regional IT Expenditures | Audit of IM/IT Governance | Preliminary Survey of IM/IT Policy, Planning and Management and Applications Development and Support - 2007-08 | |
| Information Management | Moderate Risk: Potentially significant in terms of achieving efficient and affective information management to support program and service delivery, complex to implement consistently across a large decentralized organization, not normally sensitive unless breaches occur, survey of IM/IT applications identified CIDM as a primary risk area | Follow-up Audit of Information Management (CIDM focus) | Audit of Information Management (CIDM focus) - 2008-09 | ||
| IM/IT Applications | High risk: potential for significant impact if corporate or program systems not reliable or effective, system development can be quite complex, sensitivity can be high if expenditures do not achieve objectives | Post-Implementation Audit of First Nations and Inuit Transfer Payment System Audit of PeopleSoft |
Audit of Systems Under Development or Application in Place - Enterprise Data Warehouse, Specific Claims Data Base Preliminary Survey of OASIS Preliminary Survey of GroupWise |
Audit of OASIS Audit of GroupWise |
System Under Development Audit of FNITP - 2006-07 Preliminary Survey for IM/IT Applications - 2007-08 Preliminary Survey for Audit of PeopleSoft - 2008-09 |
| Strategic Policy and Planning | Moderate risk: function can be significant in terms of determining and achieving INAC policies and programs, complex in terms of identifying, obtaining, and effectively utilizing required inputs, moderate sensitivity given management interest | Audit of Strategic Policy or Planning | Preliminary Survey for Audit of Strategic Policy and Planning - 2008-09 | ||
| Official Languages | Low risk: activity relates indirectly to achievement of INAC's objectives, little complexity to adopt existing policies yet practice can result in lapses in a large organization, moderate sensitivity, especially among central agencies and public | Audit of Official Languages | |||
| Entity Level Controls | High risk: highly significant due to OAG and TBS interest and linkages to Audited Financial Statements and to Management Accountability Framework, highly complex because of decentralized organization | Audit of Governance Structure | Audit of Risk Management |
Preliminary Survey of ELC for External Reporting - 2007-08 Update of the Corporate Risk Profile - 2008-09 Values and Ethics - Organizational Risk Assessment - 2008-09 |
|
| Complaints and Allegations | Moderate risk: moderate complexity to determine facts and appropriate course of action, significant in terms of INAC's integrity and responsiveness | Post Implementation Audit of Forensic Audit Policy and Revised Complaints and Allegation Policy | Special Study of Complaints and Allegations - 2007-08 | ||
| Continuity of Operations | Low risk: normally, activity relates only indirectly to achievement of INAC objectives, complexity revolves around challenge of maintaining plans current, sensitivity low except in the case of a major failure | Audit of Continuity of Operations | |||
| Communications | Moderate risk: indirectly significant to achievement of INAC objectives, complex to communicate consistent messages across a large decentralized organization and with numerous stakeholders, sensitive when attention focused on INAC | Preliminary Survey For Audit of Internal and External Communications | Audit of Internal or External Communications (Scope TBD) |
||
| Legal Services and Litigation Management | High risk: significant in terms of potential claims, high degree of sensitivity, highly complex because of decentralized organization and response timeframes | Preliminary Survey of Litigation Management | |||
| Management Practices | |||||
| Regions | Generic Risk: Potential disconnects between strategic direction and program implementation in highly decentralized organization | Audit of Management Practices (Regions TBD) |
Audit of Management Practices (Regions TBD) |
Audit of Management Practices (Regions TBD) |
Management Practices Reviews of Atlantic, Quebec, Ontario, Manitoba, Saskatchewan, Alberta,BC, Yukon, NWT, Nunavut |
| Headquarters Sectors | Generic Risk: Sectors are key to providing effective policy framework and direction to regions and for setting the tone at the top | Audit of Management Practices (Sectors TBD) |
Audit of Management Practices (Sectors TBD) |
Audit of Management Practices (Sectors TBD) |
Management Practices Reviews of LTS, TAG, NAP** |
* "Internal auditors are responsible for assisting companies to prevent fraud by examining and evaluating the adequacy and effectiveness of their internal controls' system, commensurate with the extent of potential exposure within the organization. … In conducting engagements, the internal auditor's responsibilities for detecting fraud are to: consider fraud risks in the assessment of control design and determination of audit steps to perform, have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed, be alert to opportunities that could allow fraud, evaluate the indicators of fraud and notify the appropriate authorities within the organization if a fraud has occurred to recommend an investigation." (The IIA Professional Practices Framework).
** The following Sectoral Management Practice Reviews will be completed by April 1, 2009: Chief Financial Officer, Planning and Strategic Direction, Resolution & Individual Affairs Sector, Lands & Economic Development.
| Audit Project | Audit Objective | Timeframe | Rationale |
|---|---|---|---|
| Audit of Housing | Provide assurance that the Housing program, especially the Budget 2009 components, is being implemented in a well-controlled manner in accordance with approved terms and conditions. | Fall 2009 |
|
| Audit of Aboriginal Business Canada and Non-Proposal Driven Programming | Provide assurance on the adequacy and appropriateness of management control frameworks to ensure that funds are being used for the intended purpose. | Spring 2009 |
|
| Audit of Implementation of the Urban Aboriginal Strategy | Provide assurance on the adequacy and appropriateness of management control frameworks to ensure that program outcomes are being achieved and funds are being used for the intended purpose. | Summer 2009 |
|
| Audit of Income Assistance | Provide assurance that an appropriate management control framework has been established to ensure that program outcomes are being achieved and funds are being used for the intended purpose. | Summer 2009 |
|
| Audit of Family Violence | Provide assurance on the adequacy and appropriateness of management control frameworks to ensure that program outcomes are being achieved and funds are being used for the intended purpose. | Fall 2009 |
|
| System Under Development Audit of CIS-IRS, continued | Provide assurance that the implementation of the new Certificate of Indian Status card includes appropriate controls as recommended by earlier audit and Threat Risk Assessment studies. | Dependent Upon Project Status |
|
| Grants and Contributions - Horizontal Departmental Controls (Scope TBD) | Provide assurance with respect to the adequacy of controls related to either the implementation of the new Transfer Payment Policy or smaller programs/funding authorities or the Alternative Funding Arrangement Authority. | Spring 2009 |
|
| Audit of Revenue Management | Provide assurance that INAC revenues are adequately identified, recorded and received. | Dependent Upon Outcome of Preliminary Survey |
|
| Audit of Trust Accounts | Provide assurance on the adequacy and appropriateness of the management control framework to ensure that trust funds are managed in compliance with legislation and authorities. | Summer 2009 |
|
| Audit of the Delegation of Authorities, Organizational Design and Classification | Provide assurance that INAC's organizations are designed to maximize accountability, sound stewardship and efficiency and effectiveness and that classification of positions is appropriate to the authority delegated and the nature of responsibilities. | Spring 2009 |
|
| Audit of Payroll | Provide assurance that regular and special payments are accurate. | Summer 2009 |
|
| Audit of Regional IT Expenditures | Provide assurance that regional IT expenditures are consistent with the corporate IM/IT vision and the delegation of roles and responsibilities and are reliably accounted for. | Spring 2009 |
|
| Post-Implementation Audit of First Nations & Inuit Transfer Payment System | Provide assurance that the system has been implemented as intended, is fulfilling its objectives, and has appropriate controls. | Spring 2009 |
|
| Audit of PeopleSoft | Provide assurance that the data entry process is consistent with low levels of error and the recent upgrade has been conducted with proper strategy, sufficient resource levels and minimal impact on data and supports the business process, contains secured quality of data, appropriate controls and complies with departmental and governmental policies. | Summer 2009 |
|
| Preliminary Survey of Assets and Property Management | Identify the scope and materiality of INAC assets and property, assess associated risks, determine whether the management control framework is adequate to manage them, and recommend whether additional audit work is required. | Fall 2009 |
|
| Preliminary Survey for Audit of Internal and External Communications | Document communication responsibilities and activities, identify associated risks, and recommend whether additional audit work is required. | Fall 2009 |
|
| Preliminary Survey of Litigation Management | Document the sector's activities and risks and recommend objectives and priorities for a future audit(s) of Litigation Management. | Summer 2008 |
|
| Management Practices Reviews of Regions (2-3 TBD) | Assist regional management in assessing whether their management practices and controls are designed to achieve objectives in an efficient and effective manner and inform on areas of strength and weakness. | Fall 2009 Winter 2010 |
|
| Management Practices Reviews of Sectors - Regional Operations and Education and Social Development Policy and Partnerships - Adjudication Secretariat | Assist sector management in assessing whether their management practices and controls are designed to achieve objectives in an efficient and effective manner and inform on areas of strength and weakness. | Spring 2009 |
|
| Case Study and Analysis of Management Practice Reviews Conducted between 2006 - 2009 | Document, synthesize and analyze the results of the Regional and Sector management practices reviews conducted between 2006 - 2009. | Spring 2009 |
|
| Due Diligence Review of Infrastructure Spending | Provide a low level of assurance that appropriate controls are in place to ensure that Budget 09 expenditures are used as intended. | Ongoing |
|
| Departmental Framework for Assessing and Addressing Recipient Program Delivery Risk | Develop a practical set of tools that will assist programs and regions in establishing appropriate monitoring, compliance and auditing regimes to address recipient risk | Spring 2009 |
|
| Audit Project | Audit Objective | Status as of April 1, 2009 | Status |
|---|---|---|---|
| Audit of Expenditure Management Monitoring | Provide assurance on the adequacy and effectiveness of departmental controls for monitoring and managing expenditures on a risk-informed basis, including both transfer payments and operational expenditures | 50% complete |
|
| Audit of Information Management (CIDM focus) | Provide assurance that information is created, stored and managed in accordance with government policy and standards | 20% remaining |
|
| Audit of Liabilities | Provide assurance on the adequacy and effectiveness of controls for accurately quantifying and reporting liabilities and contingent liabilities | 25% remaining |
|
| System Under Development Audit of CIS-IRS | Provide assurance that implementation of the new Certificate of Indian Status card includes appropriate controls as recommended by earlier audit and Threat Risk Assessment studies | 25% remaining |
|
| Audit of Occupational Health and Safety | Provide assurance on the adequacy and effectiveness of INAC's management control framework for occupational health and safety | 25% remaining |
|
Performance of the Audit Engagements
The Audit and Assurance Services Branch will carry out the approved 2009-2010 audit engagements on a systematic basis. Having established a sound working relationship with the limited number of firms pre-qualified (until November 2009) to provide audit services on a priority and timely basis and having significantly increased its internal audit management resources, the Audit and Assurance Services Branch is well positioned to initiate and complete the planned audit projects within the fiscal year if current contracting vehicles are extended or if replacement vehicles are in place in a timely manner.
To that end, all projects have been scheduled to begin no later than the end of Fall 2009.
Audits will be carried out in accordance with the Professional Standards for Internal Audit as outlined in the TB Policy on Internal Audit.
Modification to the Plan
The risk-based audit plan will be updated, where justified on the basis of risk and urgency, as departmental and governmental risks evolve. Modifications to the plan will be presented at AEC meetings and submitted to the Deputy Minister for approval.
The Audit and Assurance Services Branch has reviewed recent audit activities and has not currently identified any standalone follow-up work to be completed during 2009-2010. As part of its ongoing monitoring of the implementation of management action plans arising from previous audits, the Audit and Assurance Services Branch may decide, however, to conduct formal audit follow-up activity during the year.
The Audit and Assurance Services Branch will also continue to monitor the scope and timing of emerging external audits (e.g. OAG, OCG, Public Service Commission, Office of the Commissioner of Official Languages) in order to optimize coverage and minimize duplication of effort.
Level of Activity and Direct Resource Requirements
The Three-Year Plan identifies that approximately 20 audit projects will be carried out on an annual basis. This number has increased slightly from earlier Plans as a result of the integration of Indian Residential Schools Resolution Canada into INAC. While the level of audit effort will vary from project to project, it is the Audit and Assurance Services Branch's professional opinion that this level of activity is the minimum necessary to provide adequate and meaningful risk-based coverage of the programs and corporate functions of INAC and to meet the requirements of the Treasury Board Policy. Appendix E illustrates how the audit projects proposed for 2009-2010 will provide coverage of the Management Accountability Framework elements and will support the preparation of an Annual Report and Holistic Opinion.
The Branch has been advised that this level of activity is commensurate with that required and undertaken in other government departments of similar size.
For purposes of identifying initial resource requirements, the Audit and Assurance Services Branch has assumed, based on experience, that its average portfolio of twenty audit projects will be comprised normally of large, medium, and small audit engagements. During 2008-2009, the Audit and Assurance Services Branch developed, and had accepted by the Audit and Evaluation Committee, a costing model that estimated the indirect costs, e.g. sector or regional auditee time and administrative expenses, for the three sizes of audit engagement.
The anticipated direct and indirect costs of audit projects in 2009-2010 are detailed below:
| Cost Factors | Large Audit | Medium Audit | Small Audit | Preliminary Surveys |
|---|---|---|---|---|
| Direct Costs | ||||
| Contract Dollars | $222,000 | $147,000 | $73,000 | $25,000 |
| FTEs | $23,000 | $15,000 | $8,000 | $5,000 |
| Travel | $50,000 | $33,000 | $17,000 | - |
| Indirect Costs | ||||
| $58,000 | $38,000 | $19,000 | $10,000 | |
| Total | $353,000 | $233,000 | $117,000 | $40,000 |
and result in an annual requirement for a budget equivalent to approximately $3,530,000 in contract funds. These costs are reflected in Appendix F.
Infrastructure and Non-Core Resource Requirements
In addition to the resource requirements for the carrying out of audit projects, the Audit and Assurance Services Branch also faces significant demands on its existing resource base to:
| Role | Rationale | Resource Requirement |
|---|---|---|
| Departmental Liaison | Serve as the Departmental liaison with the Office of the Auditor General and the Commissioner for the Environment and Sustainable Development, the Public Service Commission, the Office of the Comptroller General and other Agencies | One senior level full time equivalent |
| Risk Management | Provide advice, guidance and challenge on the identification and assessment of risks and related mitigation strategies and on the preparation of the Corporate Risk Profile | One senior level full time equivalent $400,000 contracts |
| Professional Standards | Update, maintain and inculcate a set of professional standards and practices (e.g. Audit Manual, Code of Ethics, Quality Assurance) that will enhance the capacity of the Branch to add value. | One senior level full time equivalent |
Challenges to Achievement of the Audit Plan
The extent to which the Branch is able to achieve full implementation of the Plan is dependent, however, on a number of factors:
- the Branch must continue to have access to efficient contracting vehicles. The primary contracting vehicles which the Branch employs expire in the Fall of 2009. While there is provision for an option year, there are significant downsides to exercising the option. If a decision is made to seek new arrangements within the mandatory government-wide contracting vehicle, there are serious risks that delays will occur in contracting for projects
- the Branch must be able to successfully avoid having its contractors over-commit and under-deliver
- the Branch may have to respond in an incremental fashion to OCG requirements for government-wide audit activity and
- the Branch may have to respond to emerging INAC or government-wide priorities or issues.
The Audit and Assurance Services Branch will continue to provide an update to the Audit Committee at each of its meetings on the progress it is making in implementing the Plan and the challenges it is facing in so doing.
Appendix A – Auditable Units
| Auditable Unit | Significance (1-5) |
Complexity (1-5) |
Sensitivity (1-5) |
Risk Score (Sum of Significance + Complexity + Sensitivity) |
|---|---|---|---|---|
| Departmental Programs | ||||
| Capital Facilities and Maintenance (Infrastructure) | 5 | 5 | 5 | 15 |
| Income Assistance | 5 | 5 | 5 | 15 |
| Elementary and Secondary Schools and Other Education | 5 | 5 | 5 | 15 |
| Specific Claims | 5 | 5 | 4 | 14 |
| Registration and Membership | 4 | 5 | 5 | 14 |
| Self Government and Comprehensive Claims | 5 | 5 | 3 | 13 |
| Economic Development | 3 | 5 | 5 | 13 |
| Child and Family Services | 4 | 4 | 5 | 13 |
| Capacity Development | 5 | 5 | 3 | 13 |
| Post Secondary Education | 5 | 4 | 4 | 13 |
| Residential Schools Resolution | 5 | 4 | 3 | 12 |
| Indian Government Support (includes Brand Support Funding) | 4 | 3 | 4 | 11 |
| Office of the Federal Interlocutor and Urban Aboriginal Strategy | 3 | 4 | 4 | 11 |
| Emergency | 3 | 3 | 5 | 11 |
| Natural Resources and Environmental Management | 4 | 4 | 3 | 11 |
| Family Violence and Other Social Services | 2 | 3 | 2 | 7 |
| Northern Air Stage Funding Subsidy (Food Mail) | 1 | 2 | 2 | 5 |
| Corporate Functions | ||||
| Compensation and Benefits (Payroll) | 5 | 5 | 5 | 15 |
| IM/IT Applications | 5 | 5 | 5 | 15 |
| Expenditure Management (including: Procurement & Acquisition Cards, Contracting, Travel & Expenditure Claims, Hospitality, Memberships, Compliance Monitoring, Settled Claims) | 5 | 5 | 4 | 14 |
| Entity Level Controls – Risk Management (including: Follow-up of Audit and Evaluation Recommendations, Policies and Practices, Corporate Risk Profile, Intervention Policy, Business Planning), Values and Ethics (including: Staff Ombudsman, Integrity), Delegation of Authorities, Governance Structure (including: Roles and Responsibilities, Committees) | 5 | 4 | 5 | 14 |
| Legal Services and Litigation Management | 4 | 5 | 5 | 14 |
| Human Resource Planning and Resourcing (including: Human Resource Planning, Corporate Resourcing and Aboriginal and other Resourcing, Executive Resourcing, Staffing) | 4 | 4 | 5 | 13 |
| IM/IT Governance | 5 | 4 | 4 | 13 |
| Financial Planning and Budgeting | 4 | 4 | 4 | 12 |
| Strategic Policy and Planning – Research (including: Aboriginal Peoples Survey, Legislation) | 5 | 4 | 3 | 12 |
| External Reporting - Financial Statements Audit Readiness (including: Public Accounts, Audited Financial Statements, DPR/RPP, Proactive Disclosure, Contingent Liabilities) | 4 | 5 | 3 | 12 |
| Fraud Risk and Control Strategies | 3 | 4 | 5 | 12 |
| Security (including: Physical and Personnel) | 4 | 4 | 4 | 12 |
| IM/IT Security | 4 | 5 | 3 | 12 |
| Organizational Design and Classification | 3 | 4 | 4 | 11 |
| Information Management | 4 | 4 | 3 | 11 |
| Communications (Internal and External) | 3 | 4 | 4 | 11 |
| Loans and Accounts Receivable | 4 | 3 | 3 | 10 |
| Complaints and Allegations | 3 | 3 | 4 | 10 |
| Financial Forecasting (Management Variance Reporting) | 3 | 4 | 2 | 9 |
| Learning and Development | 4 | 2 | 3 | 9 |
| Labour Relations | 2 | 3 | 4 | 9 |
| Occupational Health and Safety | 3 | 3 | 3 | 9 |
| Assets and Property Management | 3 | 3 | 2 | 8 |
| Revenues | 3 | 3 | 2 | 8 |
| Trust Accounts | 3 | 2 | 2 | 7 |
| Continuity of Operations (including: Crises and Emergencies) | 2 | 3 | 2 | 7 |
| Official Languages | 2 | 2 | 3 | 7 |
| ATIP | 1 | 1 | 4 | 6 |
| Sustainable Development | 2 | 2 | 2 | 6 |
Auditable Units Not Ranked Due to Apparent Low Risks
- Youth Employment Strategy
- Accommodations
- Library and Information Centre
- Aboriginal Connectivity
- Corporate Secretary
Auditable Units Not Ranked Due to Potential Conflict of Interest
- Departmental Audit and Evaluation
Auditable Units to be Subject to an Updated Risk Ranking Process for Management Practices Reviews
- Regions
- British Columbia Region
- Alberta Region
- Saskatchewan Region
- Manitoba Region
- Ontario Region
- Quebec Region
- Atlantic Region
- Yukon Region
- NWT Region
- Nunavut Region
- Sectors
- Treaties and Aboriginal Government (formerly Claims and Indian Government) Sector
- Education and Social Development Policies and Partnerships
- Regional Operations Sector
- Lands and Economic Development Sector (including: Oil and Gas Canada)
- Resolution and Individual Affairs Sector
- Northern Affairs Sector
- Chief Financial Officer Sector
- Planning and Strategic Development Sector
- Other Organizations
- Inuit Relations Secretariat
- International Polar Year
Appendix B – 2009-2010 Audits Prioritized from Highest to Lowest Risk
| Ranking | Audit Title |
|---|---|
| 1 | Audit of Income Assistance |
| 2 | Audit of Payroll |
| 3 | Audit of Housing |
| 4 | Post-Implementation Audit of First Nations & Inuit Transfer Payment System |
| 5 | Audit of PeopleSoft |
| 6 | Grants and Contributions – Horizontal Departmental Controls |
| 7 | System Under Development Audit of CIS-IRS |
| 8 | Audit of Aboriginal Business Canada and Non-Proposal Driven Programming |
| 9 | Audit of Trust Accounts |
| 10 | Audit of Regional IT Expenditures |
| 11 | Audit of the Delegation of Authorities, Organizational Design and Classification |
| 12 | Audit of Implementation of the Urban Aboriginal Strategy |
| 13 | Audit of Family Violence |
| 14 | Audit of Revenue Management |
Appendix C – Linkage of 2009-10 Audits to the Corporate Risk Profile
| Risk Name | Risk Description: There is a risk that… |
|---|---|
| 1. Information for Decision-making Risk | INAC will make sufficient progress to improve acess to timely, pertinent, consistent and accurate information to support planning, resource allocation and programming decisions, monitoring/oversight, and to fulfill its acountability obligations. |
| 2. HR Capacity and Capabilities Risk | INAC will not be able to attract, recruit and retain sufficiently qualified, experienced and representative Human Resources. |
| 3. Program Alignment Risk | There will be misalignment between the departmental mandate, program authorities, program design, and the use of program funding. |
| 4. Legal Risk | INAC will not be able to forsee, plan for, pre-empt or respond effectively and efficiently to legal decisions that impact program mandates. |
| 5. Management Practices Risk | INAC will not be able to develop and suatain the necessary managerial practices to support an accountable, well-managed and resilient department. |
| 6. Aboriginal Relationship Risk | INAC will fail to foster and sustain strong and constructive Aboriginal relationships on key Federal priorities. |
| 7. Government Partnership Risk | INAC and its Federal /Provincial/Territorial/government partners will not effectivelt collaborate in their approaches or delivery of horizontal programs and policies. |
| 8. Implementation Risk | INAC will not be able to create or maintain the necessary systems, pracices and governance rigour to successfully implement strategic initatives. |
| Risks | 2009-10 Audits | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Audit Title |
| Selected | Selected | Selected | Selected | Selected | Selected | Income Assistance | ||
| Selected | Selected | Payroll | ||||||
| Selected | Selected | Selected | Selected | Selected | Selected | Selected | Housing | |
| Selected | Selected | Selected | Selected | Selected | First Nations & Inuit Transfer Payment System | |||
| Selected | Selected | Selected | Selected | PeopleSoft | ||||
| Selected | Selected | Selected | Selected | Selected | Selected | Selected | Grants and Contributions – Horizontal Departmental Controls | |
| Selected | Selected | Selected | Selected | Selected | Selected | Selected | CIS-IRS | |
| Selected | Selected | Selected | Selected | Selected | Selected | Selected | Aboriginal Business Canada and Non-Proposal Driven Programming | |
| Selected | Selected | Selected | Trust Accounts | |||||
| Selected | Selected | Selected | Regional IT Expenditures | |||||
| Selected | Selected | Selected | Selected | Delegation of Authorities, Organizational Design and Classification | ||||
| Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Implementation of the Urban Aboriginal Strategy |
| Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Family Violence |
| Selected | Selected | Revenue Management | ||||||
| Selected | Selected | Selected | Selected | Selected | Management Practices Review | |||
Appendix D – Anticipated 2009 - 2010 Regional Site Visits
| Project Title | Regions |
|---|---|
| Large Projects | |
| Audit of Housing | Quebec, Ontario, Manitoba, British Columbia, Alberta |
| Audit of Aboriginal Business Canada and Non-Proposal Driven Programming | Manitoba, Saskatchewan, Alberta, Quebec, Ontario |
| Audit of Income Assistance | Atlantic, Quebec, Manitoba, Saskatchewan, Alberta |
| System Under Development Audit of CIS-IRS, continued | Atlantic, Quebec, Ontario, Manitoba, Saskatchewan |
| Grants and Contributions - Horizontal Departmental Audit (Scope TBD) | Atlantic, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia, Yukon, Northwest Territories, Nunavut |
| Audit of Payroll | Atlantic, Ontario, Manitoba, British Columbia |
| Post-Implementation Audit of First Nations and Inuit Transfer Payment System | Quebec, Ontario, Manitoba, British Columbia, Alberta |
| Audit of the Delegation of Authorities, Organizational Design and Classification | Atlantic, Ontario, Saskatchewan, British Columbia, Nunavut |
| Medium Projects | |
| Audit of Implementation of the Urban Aboriginal Strategy | Ontario, Saskatchewan, Alberta |
| Due Diligence Review of Infrastructure Spending | Ontario, Manitoba, British Columbia |
| Audit of Family Violence | Atlantic, Quebec, British Columbia |
| Audit of Trust Accounts | Atlantic, Quebec, Saskatchewan, Alberta |
| Audit of Regional IT Expenditures | Atlantic, Quebec, British Columbia |
| Small Projects | |
| Audit of Revenue Management | British Columbia, Alberta |
| Audit of PeopleSoft | Saskatchewan, Nunavut |
| Departmental Framework for Assessing and Addressing Recipient Program Delivery Risk | N/A |
Appendix E – Coverage of MAF Elements
| 1 Public Service Values | 2 Governance and Strategic Directions | 3 Policy and Programs | 4 Results and Performance | 5 Learning, Innovation and Change Management | 6 Risk Management | 7 People | 8 Stewardship | 9 Citizen-focused Service | 10 Accountability | |
|---|---|---|---|---|---|---|---|---|---|---|
| Carry-Over from 2008-2009 (ongoing) | ||||||||||
| Audit of Expenditure Management Monitoring | Selected | X | ||||||||
| Audit of Information Management (CIDM focus) | Selected | Selected | ||||||||
| Audit of Liabilities | Selected | Selected | ||||||||
| System Under Development Audit of CIS-IRS, continued | Selected | Selected | Selected | Selected | ||||||
| Audit of Occupational Health and Safety | Selected | Selected | Selected | Selected | ||||||
| 2009-2010 | ||||||||||
| Audits | ||||||||||
| Audit of Housing | Selected | Selected | Selected | Selected | Selected | Selected | ||||
| Audit of Aboriginal Business Canada and Non-Proposal Driven Programming | Selected | Selected | Selected | Selected | Selected | Selected | ||||
| Audit of Implementation of the Urban Aboriginal Strategy | Selected | Selected | Selected | Selected | Selected | Selected | ||||
| Audit of Income Assistance | Selected | Selected | Selected | Selected | Selected | |||||
| Audit of Family Violence | Selected | Selected | Selected | Selected | Selected | Selected | ||||
| System Under Development Audit of CIS-IRS, continued | Selected | Selected | Selected | |||||||
| Grants and Contributions - Horizontal Departmental Controls (Scope TBD) | Selected | Selected | Selected | Selected | Selected | Selected | ||||
| Audit of Revenue Management | Selected | Selected | Selected | Selected | ||||||
| Audit of Trust Accounts | Selected | Selected | Selected | |||||||
| Audit of the Delegation of Authorities, Organizational Design and Classification | Selected | Selected | Selected | Selected | Selected | |||||
| Audit of Payroll | Selected | Selected | Selected | |||||||
| Audit of Regional IT Expenditures | Selected | Selected | Selected | |||||||
| Post-Implementation Audit of First Nations and Inuit Transfer Payment System | Selected | Selected | Selected | Selected | Selected | |||||
| Audit of PeopleSoft | Selected | Selected | Selected | Selected | Selected | |||||
| Preliminary Surveys | ||||||||||
| Preliminary Survey of Assets and Property Management | Selected | Selected | ||||||||
| Preliminary Survey for Audit of Internal and External Communications | Selected | Selected | Selected | Selected | Selected | |||||
| Preliminary Survey of Litigation Management | Selected | Selected | Selected | Selected | Selected | |||||
| Other Initiatives | ||||||||||
| Management Practices Reviews of Regions (2-3 TBD) | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected |
| Management Practices Reviews of Sectors – Regional Operations and Education and Social Development Policy and Partnerships – Adjudication Secretariat | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected |
| Case Study and Analysis of Management Practice Reviews Conducted between 2006 – 2009 | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected | Selected |
| Due Diligence Review of Infrastructure Spending | Selected | Selected | Selected | Selected | ||||||
| Departmental Framework for Assessing and Addressing Recipient Program Delivery Risk | Selected | Selected | Selected | Selected | Selected | Selected |