Practice Review and Internal Audit—Risk-Based Plan for the 2016–17 to 2018–19 Fiscal Years
Practice Review and Internal Audit—Risk-Based Plan for the 2016–17 to 2018–19 Fiscal Years
Table of Contents
- Foreword
- Role of the Practice Review and Internal Audit team
- Risk-based audit plan
- Internal audit plan
- Follow-up on previous audit recommendations
- External review
- Practice review plan
- Resourcing
- Appendix 1—Proposed internal audit products
- Appendix 2—Critical risks facing the Office of the Auditor General of Canada
This document presents the Practice Review and Internal Audit Risk-Based Plan for the 2016–17 to 2018–19 fiscal years as reviewed by the Office’s Audit Committee and approved by the Auditor General on 16 April 2016.
Foreword
The Risk-Based Plan is prepared by the Practice Review and Internal Audit (PRIA) function of the Office of the Auditor General of Canada. The purpose of the plan is to ensure that the Office’s planned internal audit and practice review activities, as well as its assurance tools, meet the Office’s assurance needs. This document contains
- details about the role of the PRIA team;
- an overview of the planned internal audit and practice review commitments and activities for the next three years; and
- information about the resourcing and capacity of the PRIA team for the 2016–17 fiscal year, the first year of the plan’s delivery.
Input from the Office’s Audit Committee and senior management on key organizational risks is sought and taken under advisement in setting internal audit and practice review activity priorities. The plan will be updated annually.
I would like to take this opportunity to express my appreciation to senior management, Office staff, and the members of the Audit Committee for their cooperation and assistance with the development of this plan. Their input contributed to the development of a plan that will enable PRIA to assess the adequacy and effectiveness of risk management, control activities and processes, and governance within the Office.
Louise Bertrand
Chief Audit Executive
Office of the Auditor General of Canada
Role of the Practice Review and Internal Audit team
The mission of the Office’s PRIA team is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
The PRIA team serves two separate but related purposes:
- The Internal Audit team provides independent and objective assurance, information, advice, and consultative services to the Auditor General of Canada in order to add value and improve the Office’s operations. The team accomplishes this by submitting analyses, assessments, recommendations, and pertinent comments concerning the activities reviewed. Internal Audit follows the International Professional Practices Framework issued by the Institute of Internal Auditors.
- The Practice Review team helps the Office meet its obligations under the Chartered Professional Accountants of Canada’s Canadian Standard of Quality Control 1 (CSQC 1). The team does this by conducting inspection activities to determine the extent to which engagement leaders are complying with professional standards, Office policies, and applicable legislative and regulatory requirements when conducting their audits. It also ensures that audit reports are supported and appropriate.
Practice Review and Internal Audit helps the Office accomplish its objectives by offering recommendations based on the application of a systematic, disciplined approach to evaluating and improving the design and effectiveness of the risk management, control, and governance processes.
This work is conducted under two sets of professional standards:
- Internal audits are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, established by the Institute of Internal Auditors. The Treasury Board’s Policy on Internal Audit follows the spirit of the Institute’s standards, which are implemented in a way that respects the Auditor General’s independence as an Officer of Parliament.
- Practice reviews are conducted in compliance with CSQC 1—Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements, issued by the Chartered Professional Accountants of Canada.
Risk-based audit plan
The PRIA Risk-Based Plan for the 2016–17 to 2018–19 fiscal years has two objectives:
- Identify potential internal audits based on an assessment of Office risks, risk management procedures, and an understanding of Office plans and priorities.
- Identify a practice review schedule that meets the requirements of professional standards and addresses the Office’s intent to continuously improve the conduct of its audits.
The internal audit planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the Office’s strategic objectives.
Internal audit plan
PRIA’s Internal Audit team has two key responsibilities:
- Provide constructive feedback through internal audit reports to managers on how well they have identified and assessed risk, as well as on the effectiveness, efficiency, and economy of existing measures to manage risk.
- Provide assurance to the Auditor General about the design and effectiveness of the Office’s risk management, control, and governance processes.
PRIA developed the audit plan by identifying auditable activities, then organizing the audit universe by the Office’s core businesses (all practice and service areas) to ensure completeness. For each component identified in the audit universe, we reviewed the risks identified using the component’s respective risk register. The Office’s corporate, practice, and service risk registers identify key risks that must be monitored and managed to ensure the Office meets its commitments and achieves its objectives. The Office framework assesses risks and assigns them to strategic, compliance, and operations categories.
PRIA classified the risks as low or high, and considered the mitigation activities in place, by practice and service areas. Risks that were identified as being reported to the Office’s Executive Committee for ongoing monitoring were classified as low risk for our purposes and were excluded from further review, since management is taking action on them. We also looked at all of the areas together to note similar risks identified across a variety of service areas. We considered such risks to be higher.
The PRIA plan is also based on a review of previous PRIA plans and on the findings of previous internal audits and practice reviews.
The PRIA team had further meetings with senior management to better understand their assessment of risks—and to discuss other activities they were undertaking—in order to better document the controls and/or mitigate the risks. This process resulted in a list of eight items for consideration in our audit universe. We added our practice review work as a necessary task.
To prioritize which audits and other types of work we would undertake, we prepared a template that considers how the issues we identified link with risk factors and Office strategies. Risk factors were defined asFootnote 1
- susceptibility to fraud;
- reputation/corporate image implications;
- complexity of operations;
- results of last audit or other known deficiencies;
- change in systems, policies, or procedures; and
- level of regulatory/compliance implications.
We ranked the relationships between the audit universe items with the risk factors and the 12 Office strategic objectives using a rating scale of 1 to 5, with 1 meaning low relation and 5 meaning high relation. The result of our risk assessment created a priority list for our audit universe as follows:
- practice review (see the section “Practice review plan”);
- managing IT security;
- implementing the Departmental Security Plan;
- responsibility for the accuracy of direct engagement reports (see details below); and
- lack of resources.
We propose to conduct our practice reviews as we would normally do.
Several teams within the Office reported having responsibility for the accuracy of direct engagement reports. We were also informed about the Performance Audit Reporting and Redesign Project (PARRP), whose aim is to improve the efficiency and effectiveness of the performance audit process. A pilot project incorporating the new processes will begin in August 2016 with select fall 2017 performance audits. The Internal Audit team will observe the PARRP process to learn about the new approach. Therefore, our observation of the process and lessons learned will take place during the 2016–17 and 2017–18 fiscal years. We propose to assess in the 2018–19 fiscal year whether the new process is being implemented as intended and will identify any inefficiencies then.
Lack of resources was identified as a risk in many Office areas. Given our current resource level, we will reassess the relevance of this risk in the 2018–19 fiscal year.
See Appendix 1 for more information on these proposed products.
Self-assessment of the Practice Review and Internal Audit function
One of the Chief Audit Executive’s responsibilities is to implement processes designed to provide reasonable assurance to stakeholders that practice review and internal audit activities operate effectively and efficiently. These processes include appropriate supervision, periodic internal assessments, ongoing monitoring of quality assurance, and periodic external assessments. In preparation for our initial external assessment of the PRIA function planned for the 2017–18 fiscal year, we are currently finalizing our Practice Review and Internal Audit Manual. We will subsequently perform a self-assessment of the PRIA function prior to requesting the external assessment.
PRIA multi-year plan for the 2016–17 to 2018–19 fiscal years
We are proposing the following internal audits and related projects for the PRIA multi-year plan for the 2016–17 to 2018–19 fiscal years:
- 2016–17: Managing IT security (this internal audit would most likely be conducted using an external consultant)
- 2016–17: Self-assessment of the Practice Review and Internal Audit function
- 2017–18: Key components of implementing the Office’s Departmental Security Plan
- 2017–18: External assessment of the self-assessment of the Practice Review and Internal Audit function
- 2018–19: Review of the Performance Audit Reporting and Redesign Project
- 2018–19: Resourcing at the Office
Appendix 2 includes the critical risks facing the Office as identified by the Executive Committee. We are monitoring management actions on these risks and have taken them into consideration for current and future plans.
Core control audit process
In the 2016–17 fiscal year, PRIA will also investigate the use and appropriateness of a core control audit process and will implement a trial audit to evaluate its value and adjust if required.
Follow-up on previous audit recommendations
During the 2015–16 fiscal year, we developed a follow-up process for all internal audit observations and associated recommendations to provide assurance on management’s progress toward implementing outstanding recommendations. We will be performing regular follow-up activities in this area.
External review
In addition to the Office’s PRIA function, the Office’s systems and practices are subject to review by external financial auditors and peer reviewers, provincial professional accounting bodies, and various federal government oversight bodies, such as the Public Service Commission of Canada, the Office of the Commissioner of Official Languages, the Office of the Privacy Commissioner of Canada, and the Canadian Human Rights Commission.
International peer review
Since 1999, our Office has been subject to International Peer Review (IPR). The purpose is twofold: to assess whether the Office’s quality management system is appropriately designed, and to assess whether it is being implemented effectively. The expectation is that there should be at least one IPR within an Auditor General’s mandate. This means that an IPR should take place before 2021, the end of the current Auditor General’s mandate. The PRIA team wants to be proactive in ensuring that the Office is ready. As a starting point, we will perform the Office readiness assessment exercise in the 2016–17 fiscal year, which will lead to management developing a remediation plan. If possible, we would participate as a reviewer in another country’s IPR to gain a better understanding of the IPR process.
Practice review plan
The hallmark of the Office is the reliability and integrity of the reports produced by its various audits and other examinations. Accordingly, emphasis and attention are directed to ensuring that the System of Quality Control for all product lines is operative and effective. This is done by periodically assessing the design of the quality management systems and by annually conducting systematic and rigorous practice reviews on a basis that covers all senior practitioners over a multi-year cycle.
CSQC 1 requires that a monitoring process be established that provides reasonable assurance that the policies and procedures relating to quality control are relevant, adequate, and operating effectively. This process must include, on a cyclical basis, an inspection of at least one completed engagement for each engagement leader (Principal), but does not prescribe a defined cycle of review.
There are currently 36 engagement leaders in the Office who conduct audits: 20 primarily lead financial engagements (including 7 who also perform special examinations), and 16 primarily lead performance audits.
We have designed a sampling approach that meets the following objective:
- Random sample of engagement leaders. We will create two pools of engagement leaders: financial attest and direct report (performance audits and special examinations). These pools will support our ability to make observations, where appropriate, for each of these two categories of assurance engagements on an annual basis.
We will review the engagement leaders in each pool at least once every four years. Engagement leaders will be selected annually using a random sampling approach. If an engagement leader has more than one audit in a pool, the audit will be randomly sampled as well. The value gained by including all engagement leaders in each pool outweighs the impact of multiple reviews of an engagement leader within a cycle. We have established a four-year review cycle for each assurance category, which will allow the review of each engagement leader within a reasonable time frame and manage any predictability in the selection process.
In the 2016–17 fiscal year, we expect to perform five practice reviews of attest engagement leaders and six reviews of direct report engagement leaders. In addition to the 11 randomly selected engagement leaders, additional practice reviews may be conducted in any given year to address situations where it is desirable to accelerate the review of a given engagement leader due to the results of past reviews, or to address other Office concerns or specific practice risks.
Resourcing
To deliver the PRIA plan, a team of three people will carry out all the practice reviews:
- Louise Bertrand, Chief Audit Executive;
- Heather Miller, Director; and
- Marc Gauthier, Director.
We may require temporary resources to help us conduct our work on an as-needed basis.
The PRIA team has a budget of 3,750 hours to perform practice reviews and a budget of 1,250 hours for internal audit work.
We will need a contracting budget to hire an information technology consultant to help us perform the internal audit on managing IT security.
A similar level of activity and effort is expected for the 2016–17 to 2018–19 fiscal years.
Appendix 1—Proposed internal audit products
Proposed title: Managing IT Security
Timing: 2016–17
Areas: IT security team; possibly the Executive Committee
Type of product: Internal audit
What do we hope to accomplish with this internal audit?
We hope to ascertain the state of the Office’s IT security and determine whether senior management is aware of and understands the level of risk associated with it. Additionally, we will look at the mechanisms for reporting IT security issues to senior management and those charged with governance. This audit links to the implementation of the Office’s security plan.
What will the internal audit examine and exclude?
We will examine the status of IT security, the risks associated with it (specifically, the cyber threats currently active in Government of Canada networks), mitigation strategies/practices, and frequencies of IT breaches. We will also look at the reporting mechanisms and consider the understandability, clarity, frequency, and reliability of the information.
Identify any significant risks for the Office related to this work.
If the report reaches a negative conclusion, it would be sensitive for the Office given that we retain sensitive information from our clients. Additionally, the subject matter is complex. The PRIA team does not have the expertise to conduct the audit and would need to hire externally.
Proposed title: Key Components of Implementing the Office’s Departmental Security Plan
Timing: 2017–18
Area: Office-wide, with a focus on the Office Security team
Type of product: Internal audit
What do we hope to accomplish with this internal audit?
The objective would be to provide senior management assurance with regards to the adequacy and effectiveness of the Office security plan.
We hope to ascertain the state of implementation of the Office’s security plan. The audit would focus on compliance with the Treasury Board’s Policy on Government Security. The policy is in the process of being updated. Depending on what changes, we may incorporate it into our criteria as well. We will also follow up on the Office’s action plan in this area.
What will the internal audit examine and exclude?
We will examine the Office’s compliance with Section 6 of the policy. This means we will consider whether
- the Auditor General has met his responsibilities (Section 6.1);
- the monitoring and reporting requirements have been met (Section 6.3), including periodic reviews to assess whether the departmental security program is effective;
- the goals, strategic objectives, and control objectives detailed in the Departmental Security Plan were achieved; and
- the Departmental Security Plan remains appropriate to the needs of the Office.
We will exclude in-depth IT security audit work.
Identify any significant risks for the Office related to this work.
If the report reaches a negative conclusion, it could be sensitive for the Office given that we retain sensitive information from our clients. Additionally, the subject matter is complex. The PRIA team does not have the expertise to conduct the audit and would need to hire externally.
Proposed title: Review of the Performance Audit Reporting and Redesign Project
Timing: 2018–19
Areas: Direct Engagement audit area, Communications, Editorial Services, Legal
Type of product: Business process mapping
What do we hope to accomplish with the business process mapping exercise?
We are proposing to provide assurance in the 2018–19 fiscal year on whether the new process is being implemented as intended. We will also report on the inefficiencies in the processes, if any.
What will the mapping exercise examine and exclude?
In particular, we will examine the roles and responsibilities for accuracy in direct engagement audit reports. Our Office-wide risk assessment process identified a variety of teams that see themselves as having responsibility for accuracy in reports. We could consider business process mapping and control points to identify inefficiencies, duplication of effort, and areas that require clarity in roles and responsibilities. Our deliverable could be a management letter.
Proposed title: Resourcing at the Office
Timing: 2018–19
Areas: Comptroller’s group and Office-wide
Type of product: Internal audit
What do we hope to accomplish with this internal audit?
We want to look at whether Office resource allocation takes into consideration factors such as how audits drive resource requirements, new initiatives, system and maintenance requirements, etc. Also, we will consider how forecasting provides information regarding future needs for audit and support, as well as the degree of flexibility to respond to emerging/changing priorities.
What will the internal audit examine and exclude?
We will examine how the Office prioritizes resource allocations (overall) and how key areas do so at their divisional levels (such as Human Resources, IT, Editorial Services, and Audit). We will also examine the availability and use of relevant, timely, and accurate information for sound decision making.
Identify any significant risks for the Office related to this work.
This could be a sensitive topic. The findings may have an impact on our requests for resources or may identify the need to reduce service levels or the number of audits we complete.
Appendix 2—Critical risks facing the Office of the Auditor General of Canada
The following table summarizes the six corporate risks identified for the Office in 2016, the organizational response required to manage these risks, and the Internal Audit team involvement needed to address them.
| 2016 corporate risks | Organizational response | Internal Audit involvement |
|---|---|---|
|
Implementation of the new senior audit roles and responsibilities |
A Project Management Office and Change Management Champion will oversee implementation. The Executive Committee will receive monthly reports on progress. Leadership enhancement workshops for the Executive Committee—and leadership and empowerment workshops for senior management and other staff—will support implementation. |
We will meet regularly with the Change Management Champion and review the monthly progress report. |
|
Implementation of the Official Languages Strategy |
An Official Languages Champion will be designated to monitor and report monthly on the development and execution of detailed group language plans and budgets as well as other key strategy indicators. |
We will meet regularly with the Official Languages Champion and review the monthly progress report. |
|
Addressing IT infrastructure needs |
An IT investment plan will be developed by 31 January 2016. |
We will review the IT Investment Plan. We are also planning to perform the following internal audits:
|
|
Office resourcing |
The Executive Committee will review mandate, service, and budget options. |
We will follow up on the Executive Committee decision for mandate, service, and budget options. We are planning to do the following internal audit:
|
|
Impact of federal labour relations |
This will be monitored by the Principal, Human Resources, with regular updates to the Executive Committee. A contingency plan will be developed. |
We will monitor future development and review the Contingency Plan, if applicable. |
|
Ensuring selection and continuance of high-value audit products |
The Office will
|
We will discuss with management the status of the initiatives on the financial audit portfolio, the forensic audit capacity, and the special examination mandate. We are also planning to perform an internal audit of the Performance Audit Reporting and Redesign Project (2018–19). |
PDF Versions
To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet: