Risk-Based Audit Plan 2013-2014 to 2015-2016

Treasury Board Policy Requirements

AANDC is subject to the Treasury Board Policy on Internal Audit. This policy states that the internal audit function in the Government of Canada "… is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes."

The Policy on Internal Audit requires that the Deputy Minister approves a risk-based audit plan that considers departmental areas of high risk and significance and Government-wide audits led by the Comptroller General. The Treasury Board Directive on Internal Auditing in the Government of Canada (April 1, 2012) requires that the Chief Audit Executive " … establish and update at least annually a multi-year plan of internal audit engagements based on a risk assessment and which is focused predominantly on the provision of assurance services." The Directive also requires that the Audit Committee "… review and recommend for approval a multi-year risk-based internal audit plan."

The Treasury Board Internal Auditing Standards for the Government of Canada (October 1, 2012) specifies that "The Government of Canada has adopted the Institute of Internal Auditors' (IIA) International Professional Practices Framework and all federal departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the Standards are in conflict with the Treasury Board Policy on Internal Audit or any related directives or standards in which case the Policy, directives or standards will prevail."

Auditable Units Priority Rankings

Text description of Auditable Units Priority Rankings

The chart illustrates the final priority rankings for each auditable unit of AANDC's audit universe. The priority rankings are as follows:

• Very High: 22% or 23 auditable units
• High: 30% or 32 auditable units
• Moderate: 34% or 35 auditable units
• Low: 10% or 10 auditable units
• Not rated: 4% or 4 auditable units

Using the AANDC corporate risk assessment scales, where one is low risk and five is high risk, participants provided their assessment of risk for each auditable unit, with the exception of the internal audit, evaluation, risk management and complaints and allegations functions falling within the responsibilities of the Chief, Audit and Evaluation Executive position. While evidently the internal audit function could not audit itself objectively, there would be an appearance of lack of independence and objectivity should it attempt to assess the risks associated with and plan to audit other functions belonging to the same direct report.^{Footnote 2} Should it come to the attention of senior management that any of these functions may constitute a high risk to AANDC and should be subject to an audit, arrangements would be made for external firms to conduct the work under the direction of a senior ADM or the Audit Committee.

A weighting of 50% was allocated to Inherent Risk, 30% to Significance and 20% to Legal Risk to arrive at a risk score for each auditable unit assessed. A risk priority score was then assigned to each of the assessed auditable units in the universe and all units were assigned a priority score ranging from 0 to 1. As a final pass, all entities were further categorized as Very High, High, Moderate or Low risk based on the priority scores. The distribution of auditable units by rank is displayed in the chart to the right. The methodology employed is the same as was used in prior years to ensure that risk ratings and priorities are consistent on a year-to-year basis.

The products of this workshop became the basis for a consultation workshop with the members of the Directors General Implementation and Operations Committee (DGIOC) to review the risk ranking of auditable units and to comment upon an initial listing of potential projects over the three-year horizon of the plan. The information gathered during this session was useful in refining risk rankings and informing the scope and timing of planned audits.

Following revisions to the risk ranking and listing of potential projects resulting from the DGIOC session, AASB invited Assistant and Associate Deputy Ministers to provide their perspective on the recommended listing of potential projects and their scheduling. AASB also consulted with the Office of the Comptroller General, the Office of the Auditor General, and Health Canada to obtain their input on the identified risk levels and on the identification and timing of potential audits, particularly with respect to their planned audit activities. AASB also reviewed the identified risks and potential projects with members of the Audit committee.

Through discussions with Health Canada, AASB struck an agreement to work with their internal audit group over the coming year to identify AANDC and Health Canada Program Alignment Activities (PAA) which are related in some way. AANDC intends to look for opportunities to align their respective 2014-15 audit projects to focus on higher risk areas of common interest.

Following consultations, AASB developed a final three-year audit plan taking into account the following planning considerations:

• The Risk-Based Audit Plan should be a body of work that can be reasonably achieved with AASB's current staff complement and operating budget
• Auditable units assessed as very high and high priority should be given priority and audited once in the three-year cycle, resources permitting
• Auditable units assessed as medium priority should only be considered for audit if all very high and high priority units are covered or if they represent an AANDC management priority
• Adequate coverage of corporate risks identified in the corporate risk profile should be obtained
• The three-year plan should ensure sufficient coverage of risk management, control and governance processes
• The timing of activities should take into account program evaluations, OAG, OCG and other central agency audits and any other considerations such as program renewals, so as not to place an unreasonable burden on any entity and to avoid duplication of effort and
• A reasonable allocation of effort should be included to conduct follow-up reviews and audit procedures to assess the adequacy of management actions in addressing past audit recommendations.

The Chief Audit and Evaluation Executive reviewed and approved the proposed Plan and presented it to Audit Committee members for their review and recommendation for approval by the Deputy Minister.

The implementation of the Plan will be monitored on a regular basis throughout the year and proposed changes will be reviewed and formally approved by the Audit Committee. An update of the plan will be presented at the mid-year meeting of the Audit Committee to confirm that it still covers the departmental priorities and highest risks.

Audit Coverage

This section describes how the plan addresses areas of higher risk and significance. As detailed in Appendix A, there is complete coverage of all Very High and High ranked units.

The Corporate Risk Profile is management's point in time reflection of the most significant risks that threaten achievement of AANDC's mandate and AASB seeks to ensure that all of these risks are covered in the planned audits. The chart to the right summarizes the number of 2013-14 audits that will address any one of the corporate risks. Every corporate risk is covered by at least two assurance engagements (audits). Appendix B presents the specific linkages of audits to risks.

Coverage of Corporate Risks (2013-14)

Text description of Coverage of Corporate Risks (2013-14)

The graph illustrates the extent to which AANDC corporate risks are covered by the new and ongoing audits and preliminary surveys in 2013-2014. Please note that individual projects may cover one or more risk area. The coverage is as follows:

• HR Capacity and Capabilities: 9
• Information for Decision Making: 18
• Transformation & Implementation: 12
• Resource Alignment Risk: 13
• Government Partnership: 9
• Aboriginal Relationship Risk: 11
• External Partnership Risk: 10
• Legal Risk: 7
• Environmental: 3

In support of the CAEE's annual report to the Deputy Minister and the Audit Committee, the audit plan endeavours to address all elements of the Treasury Board's Management Accountability Framework (MAF). The chart to the right summarizes the extent to which the elements of this framework are covered in the planned audits for 2013-2014. Appendix C describes these linkages in greater detail.

Coverage of MAF Areas of Management (2013-14)

Text description of Coverage of MAF Areas of Management (2013-14)

The graph illustrates the extent to which the elements of the Treasury Board's Management Accountability Framework are covered by the number of planned audit projects for 2013-2014 in each Management Area.

• Values and Ethics: 5
• Managing for Results: 17
• Governance and Planning: 18
• Citizen-focused Service: 14
• Internal Audit: 0
• Evaluation: 0
• Financial Management and Control: 17
• Management of Security: 2
• Integrated Risk Management: 14
• People Management: 6
• Procurement: 5
• Information Management: 5
• Information Technology: 3
• Asset Management: 1
• Investment Planning & Management of Projects 5

As noted above, internal audit and evaluation are not subject to audit by internal audit as the auditor's independence and objectivity could be considered to be compromised.

2013-2014 to 2015-2016 Audit Plan

Table 1 below outlines the number of planned program or functional audits, Management Practices Audits, and OCG audits for each of the three years of the plan.

** To be determined

Table 2 below presents the planned audits for 2013-2014 and identifies the audit priority assigned to them and the fiscal quarters in which they are expected to begin and in which the results are expected to be presented to the Audit Committee (AC in the table).

Table 3 lists the proposed audits for 2014-2015 and 2015-16 and their audit priority ranking. The audit plans for 2014-15 and 2015-16 are tentative and the selection and timing of audits will be revisited during next year's annual planning exercise.

The detailed audit plan for 2013-2014, including project objectives, scope and rationale, is presented in Appendix D Consistent with the requirements of the Internal Auditing Standards of the Government of Canada, all audits will be designed to achieve a high level of assurance.

Changes to the Plan

As noted previously, the multi-year audit plan is updated annually with adjustments during the year, if necessary. This year's audit plan is an evolution of the 2012-2013 to 2014-2015 Plan and, as such, includes two on-going audits that will be completed in 2013-14 and other projects that have been cancelled or deferred as a result of changing business priorities and conditions. Details of these changes can be found in Appendix E.

Challenges to Achieving Fulfillment of the Three-Year Plan

AANDC programs and services are delivered in a complex policy and political environment that is constantly evolving and shifting from a legalistic approach to a policy-based approach that is more focused on reconciliation, partnerships, and the sustainable development of Aboriginal communities. Two risk factors that were identified in the 2012-2013 Corporate Risk Profile are of particular importance to the successful implementation of the Risk-Based Audit Plan. These are: (1) the risk related to the availability of timely, pertinent, consistent, and accurate information and (2) the risk related to the need to attract, recruit and retain sufficiently qualified, experienced and representative employees. Given this context, the plan allows flexibility to respond to emerging risks and policy or program changes. If these risks or changes emerge and suggest higher priority audit activity, the Plan will be adjusted so that internal audit can undertake appropriate responses.

To support the need for flexibility, AASB has adopted an approach whereby internal resources are supplemented with qualified contractors. Considering the cross-government shortage of qualified auditors, this approach not only allows AASB to access required capacity and skills but also facilitates transfer of knowledge and skills to internal resources, thereby building internal capacity. While contracting continues to represent challenges for a variety of reasons, AASB was successful in 2012-13 in establishing competitive supply arrangements under the Professional Audit Support Services Supply Arrangement (PASS) should offer more efficient contracting.

AANDC's implementation of the Government of Canada's Deficit Reduction Action Plan (DRAP) will likely continue to impair AASB's ability to obtain timely access to departmental managers and staff over the planning period. It is also possible that AASB will be called upon to focus more attention on implementation of DRAP measures.

In its effort to adjust to the challenges raised by the implementation of Budget 2012 and the Deficit Reduction Action Plan, AASB has taken a series of actions including the following:

• Senior management and DAC members have been kept informed on a more frequent basis on the changes to the plan
• Reassessment of the alignment between AASB resources and the plan has been conducted to ensure the capacity exists to support the implementation of the RBAP and
• Consulting engagements have been employed to support the HR function in the implementation of DRAP.

Auditable Units

Auditable Units