Practice Review and Internal Audit—Risk-Based Plan for the 2017–18 to 2019–20 Fiscal Years


ISSN 1925-8488

This document presents the Practice Review and Internal Audit Risk-Based Plan for the 2017–18 to 2019–20 fiscal years as reviewed by the Office’s Audit Committee and approved by the Auditor General on 24 May 2017.

Foreword

The Practice Review and Internal Audit (PRIA) function of the Office of the Auditor General of Canada developed the Risk-Based Plan for 2017–18 to 2019–20. The purpose of the Risk-Based Plan is to ensure that PRIA’s planned internal audit activities and engagements and practice reviews meet the Office’s assurance needs.

This document contains

In establishing its practice review and internal audit priorities, PRIA consulted with the Office’s Audit Committee and with senior management. PRIA will update the Risk-Based Plan annually based on organizational priorities, the availability of resources, and evolving risk-assessment needs.

I would like to thank the Office’s senior management, staff, and the members of the Audit Committee for their cooperation and assistance with the development of this plan. Their input will allow PRIA to assess the adequacy and effectiveness of governance, risk management, and internal control processes in the Office.

Louise Bertrand
Chief Audit Executive
Office of the Auditor General of Canada

24 May 2017

Introduction

As an Agent of Parliament, the Office of the Auditor General of Canada is independent from government and reports directly to the Parliament of Canada. Given its mandate, the Office is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the Office’s internal oversight mechanisms are of significant importance to ensuring that adequate management practices are in place. Practice Review and Internal Audit (PRIA) is one of these oversight mechanisms, as it provides assurance to management through internal audits and practice reviews.

This document presents PRIA’s Risk-Based Plan for the 2017–18 to 2019–20 fiscal years for the Office. The Risk-Based Plan combines the plans to conduct internal audits and practice reviews over the next three fiscal years. In determining its planned activities, PRIA seeks to allocate its resources to the Office’s areas of significant risk and priorities.

PRIA’s Risk-Based Plan for the 2017–18 to 2019–20 fiscal years builds on the commitments made in its 2016–17 Plan. PRIA has updated the Risk-Based Plan to take into consideration the results of the Office’s integrated risk management process for the 2016–17 fiscal year.

The Office of the Auditor General of Canada

Mandate

The Auditor General of Canada is an Officer of Parliament, reporting directly to the Parliament of Canada. The Auditor General is independent of the government in the execution of his work and responsibilities. The Office of the Auditor General of Canada’s mandate and the Auditor General’s responsibilities are set out in the Auditor General Act, the Financial Administration Act, and other acts and orders-in-council.

The Commissioner of the Environment and Sustainable Development carries out the Auditor General’s mandate related to the environment and sustainable development.

The Office is the legislative audit office for the federal government and for the three territorial governments (Nunavut, Yukon, and the Northwest Territories).

The Office conducts independent audits and studies that provide objective information, advice, and assurance to Parliament, territorial legislatures, governments, and Canadians. The Office conducts audits according to professional auditing standards and Office policies.

The Office’s strategic outcome for the 2017–18 fiscal year continues to be to contribute to better-managed government programs and better accountability to Parliament through legislative auditing.

Strategic priorities

In its 2017–18 Departmental Plan, the Office identified three strategic objectives as priority areas for improvement:

Practice Review and Internal Audit

Mission

The Office of the Auditor General of Canada’s Practice Review and Internal Audit (PRIA) team’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Scope of activities

The PRIA team’s scope of activities serves two separate but related purposes:

Operational framework

The Office’s Chief Audit Executive reports functionally to the Audit Committee and administratively to the Auditor General.

The Chief Audit Executive is responsible for developing and updating PRIA’s Risk-Based Plan on an annual basis. Each spring, PRIA presents its Risk-Based Plan to the Audit Committee for its review. The Audit Committee recommends the approval of the Risk-Based Plan to the Auditor General. The Auditor General is the final approval authority for PRIA’s Risk-Based Plan.

PRIA conducts its work in accordance with established professional standards:

Objectives of PRIA’s Risk-Based Plan

The PRIA Risk-Based Plan has two key objectives:

The PRIA planning process ensures that all internal audit and practice review activities are relevant, timely, and strategically aligned to support the achievement of the Office’s strategic objectives.

Status of the 2016–17 PRIA Risk-Based Plan

Before the end of the 2016–17 fiscal year, Practice Review and Internal Audit (PRIA) completed three of four of its planned activities as described in its Risk‑Based Plan for the 2016–17 to 2018–19 fiscal years.

Summary of audit engagements performed in the 2016–17 fiscal year

| Engagement | Description |
| --- | --- |
| Internal audit on Managing Information Technology Security | PRIA examined whether the Office had an adequate and effective framework to support Information Technology security. PRIA has completed the examination work. PRIA is finalizing the internal audit report and will present it to the Audit Committee in the Fall of 2017. |
| Self-assessment of PRIA’s internal audit activity | In preparation for an external assessment of the Office’s internal audit function, planned for the 2017–18 fiscal year, PRIA completed a self-assessment of its internal audit activity. PRIA presented a final report to the Audit Committee in January 2017. PRIA developed a remediation plan to address suggested areas for improvement. |
| Core controls | PRIA investigated the use and appropriateness of a core control audit process and implemented a trial review to evaluate the value of the process and adjust it if required. |
| International Peer Review Readiness Assessment | PRIA conducted an International Peer Review Readiness Assessment to assess the Office’s quality management system in preparation for an upcoming external peer review. PRIA presented a letter of recommendations to the Project Champion in January 2017. |

Updates to the 2016–17 Risk-Based Plan—scheduling changes

Given the results of PRIA’s 2017 annual risk assessment, PRIA amended the scheduling of two internal audits noted in its 2016–17 Risk-Based Plan.

| Engagement | Planned fiscal year | Scheduled fiscal year |
| --- | --- | --- |
| Resourcing at the Office | 2018–19 | 2019–20 |
| Key Components of the Office’s Departmental Security Plan | 2017–18 | Will be considered in the 2018–19 to 2020–21 planning cycle |

PRIA has deferred the internal audit of Resourcing at the Office from the 2018–19 fiscal year to the 2019–20 fiscal year. Resourcing at the Office is undergoing significant changes, and PRIA believes resourcing needs to normalize before it conducts an internal audit in this area. For example, the Office is still defining roles and responsibilities for resource decisions, and it has not fully implemented these roles and responsibilities. PRIA has further refined the scope of the internal audit to include only the audit practices, as the Office allocates the largest percentage of resources to the Annual Audit and Direct Engagement Audit Practices.

PRIA has deferred the internal audit on Key Components of the Office’s Departmental Security Plan to the 2020–21 fiscal year. This audit was deferred as a result of the 2016–17 internal audit on Managing Information Technology Security and the recent update to PRIA’s annual assessment of the significant risks affecting the Office.

Internal Audit Plan for the 2017–18 to 2019–20 Fiscal Years

Context for performing internal audits

The Office of the Auditor General of Canada complies, as required, with the Treasury Board’s Policy on Internal Audit and the related directive, and Practice Review and Internal Audit (PRIA) adheres to the Institute of Internal Auditors’ Standards when conducting its internal audit work.

In 2015, the Office adopted the Committee of Sponsoring Organizations of the Treadway Commission’s model as the basis for its internal control framework. The implementation of the five elements of the Committee’s internal control framework (control environment, risk assessment, control activities, information and communication, and monitoring) serves to mitigate risks that could result in the organization’s failure to achieve its strategic, operational, reporting, and compliance objectives.

In developing its Risk-Based Plan, PRIA takes into consideration the Standards’ requirements and seeks to validate the effectiveness of the Office’s implementation of the Committee’s internal control framework when planning its internal audits and its assessments of internal controls.

Internal audit planning and prioritization process

PRIA has developed a comprehensive strategy for establishing its risk-based internal audit plan, which includes environmental scanning, risk assessments, and extensive consultations.

Environmental scanning

PRIA performs two types of environmental scans: external and internal.

The external environmental scan looks for changes in the environment that could affect the Office’s strategic objectives or PRIA’s internal audit mandate. For example, the Treasury Board of Canada Secretariat has conducted a policy review of its internal audit directives. PRIA is monitoring this activity to ensure that its internal policies and procedures regarding internal audit comply with the requirements of the policy amendments as they apply to the Office. Furthermore, PRIA considers the work of the Office of the Comptroller General of Canada and other government agencies that may be relevant to the Office.

The internal scan also looks for changes in the Office’s internal environment such as the introduction of new policies, procedures, and programs. For example, the Office introduced a comprehensive review of its internal policies to ensure that they were still effective and compliant with relevant authorities. The internal scan also includes a review of previous PRIA plans and the findings of previous internal audits and practice reviews.

Risk assessments

PRIA’s Risk-Based Plan is based on an assessment of risk affecting the audit services and audit practices. PRIA reviews the risks the Office faces using the results of the Office’s integrated risk management exercise, including the risk registries for the audit practices and audit services. The Office’s corporate, practice, and service risk registers identify key risks that must be monitored and managed to ensure the Office meets its commitments and achieves its objectives. The Office’s Integrated Risk Management Framework assesses risks and assigns them to strategic, compliance, and operations categories.

PRIA classifies the risks as low or high by considering the risk mitigation activities by practice and service areas. For its planning purposes, PRIA classifies risks that are identified as having been reported to the Office’s Executive Committee for ongoing monitoring as low risk. PRIA also looks for risks that cut across more than one service area and considers such risks to be higher.

Consultations

The PRIA team seeks clarification, if required, with senior management to better understand management’s assessment of risk and to discuss management’s other activities to better document the controls or mitigate the risks.

PRIA uses these activities to establish a list of auditable activities.

Prioritization

To prioritize auditable activities and other types of work, PRIA prepares a template, and it considers how the issues identified link with risk factors and Office strategies.

PRIA defines risk factors as

PRIA ranks the relationships between the auditable activity and both the risk factors and the Office’s 11 strategic objectives using a rating scale of one to five, with one meaning low relation and five meaning high relation.

The result of the audit activity prioritization is the identification of new engagements. Audit activity prioritization may also affect the scheduling of previously planned engagements.

New internal audit engagements

As a result of PRIA’s 2016 risk assessment and of the Office’s 2016 integrated risk management exercise, PRIA plans to conduct the following new internal audit engagements.

| Engagement | Objective | Planned fiscal year |
| --- | --- | --- |
| Learning and Development | Determine whether the management control framework for learning and development is designed and administered in an effective manner to help the Office achieve its strategic objective of developing and maintaining a skilled, engaged, and bilingual workforce. | 2017–18 |
| Compliance Project | Determine whether an appropriate management control framework is in place to ensure that the Office remains in compliance with relevant legislation and Treasury Board policies and directives. | 2019–20 |

Overall internal audit plan for the 2017–18 to 2019–20 fiscal years

For the 2017–18 to 2019–20 fiscal years, PRIA plans to conduct the following internal audits and projects.

| Fiscal year | Activity | Name | Governance | Risk management | Internal controls |
| --- | --- | --- | --- | --- | --- |
| 2017–18 | Internal audit | The effectiveness of the Office’s management control framework for learning and development | Yes | Yes | Yes |
| 2017–18 | Business process review | External Review of PRIA’s Internal Audit Activity | N/A | N/A | N/A |
| 2017–18 | Assessment of internal controls | Assessment of internal controls for the management of fraud risks | N/A | N/A | Yes |
| 2018–19 | Business process review | Performance Audit Reporting and Redesign Project (PARRP)—External Review | Yes | N/A | Yes |
| 2018–19 | Assessment of internal controls | Assessment of internal controls for the management of corporate credit cards | N/A | N/A | Yes |
| 2019–20 | Internal audit | Resourcing for the Audit Practices | Yes | Yes | Yes |
| 2019–20 | Internal audit | Compliance Project | Yes | Yes | Yes |
| 2019–20 | Assessment of internal controls | Assessment of internal controls for the management of contracts | N/A | N/A | Yes |

Details of internal audit engagements can be found in Appendix A.

PRIA will also conduct the following projects:

Practice Review Plan for the 2017–18 Fiscal Year

Context for performing practice reviews

The Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1 (CSQC 1)—Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements requires the Office of the Auditor General of Canada to establish a monitoring process that provides reasonable assurance that the policies and procedures for quality control are relevant, adequate, and operate effectively. The process must include, on a cyclical basis, an inspection of at least one completed engagement for each engagement leader (Principal).

PRIA is responsible for conducting inspections at the engagement level by assessing the design and implementation of the Office’s System of Quality Control in accordance with the CSQC 1 for all product lines to ensure its operational effectiveness. To do so, PRIA periodically assesses the design of the system of quality control and annually conducts systematic and rigorous practice reviews on a basis that covers all senior practitioners over a multi-year cycle.

PRIA’s approach to engagement selection

There are 32 engagement leaders in the Office who conduct audits: 18 primarily lead financial engagements (including 3 who also perform special examinations), and 14 primarily lead performance audits. PRIA used a random sampling approach to select engagement leaders for practice review. To randomly select engagement leaders for review, PRIA created two pools of engagement leaders: one for financial attest and the other for direct report (performance audits and special examinations). Creating these pools allowed PRIA to make pertinent observations and recommendations for each engagement leader within their respective audit practices, where appropriate.

Engagement leader review

PRIA reviews engagement leaders in each pool at least once every four years. If an engagement leader has more than one audit in a pool, PRIA also randomly samples the audit. PRIA’s four-year review cycle for each assurance category allows for the review of each engagement leader within a reasonable time frame.

Practice reviews planned for the 2017–18 fiscal year

In the 2017–18 fiscal year, PRIA expects to perform up to six practice reviews of financial attest engagement leaders and up to six reviews of direct report engagement leaders. In addition to the random selection of engagement leaders, PRIA may conduct additional practice reviews to review a given engagement leader due to the results of past reviews or to address other concerns or specific audit practice risks.

Resourcing

To deliver the Practice Review and Internal Audit (PRIA) Risk-Based Plan, a team of five people will carry out all the practice reviews and internal audits:

The PRIA team has 7,425 hours available to perform practice reviews and internal audit work.

PRIA may engage temporary resources as needed.

Appendix A—Internal Audit Project Descriptions

Proposed title: The effectiveness of the Office’s management control framework for learning and development

  • Timing: 2017–18 fiscal year
  • Budget: 1,200 hours
  • Areas: Professional Development, Human Resources
  • Type of engagement: Assurance (internal audit)

Audit coverage

| Governance | Risk | Internal controls |
| --- | --- | --- |
| Yes | Yes | Yes |

Was this engagement included in the Practice Review and Internal Audit Risk-Based Plan for 2016–2019?

No. This engagement was not included in the Practice Review and Internal Audit (PRIA) Risk-Based Internal Audit Plan for 2016–2019. PRIA is proposing this new engagement as a result of the recent update to its annual assessment of the significant risks affecting the Office of the Auditor General of Canada.

What does PRIA hope to accomplish with this internal audit?

The objective of the internal audit would be to determine whether the management control framework for learning and development is designed and administered in an effective manner to help the Office achieve its strategic objective of developing and maintaining a skilled, engaged, and bilingual workforce.

What will the internal audit examine and exclude?

The internal audit will assess the effectiveness of the management control framework for learning and development and its contribution to the Office’s strategic objective of developing and maintaining a skilled, engaged, and bilingual workforce.

Specifically, PRIA will assess the following elements of the management control framework:

Identify any significant risks for the Office related to this work

If the report reaches a negative conclusion, it could be sensitive for the Office. The Office has dedicated significant resources to learning and development to foster a skilled, engaged, and bilingual workforce and to meet professional and legislative requirements. An ineffective management control framework for learning and development could mean that the Office is not able to ensure that it meets operational and strategic objectives.


 

Proposed title: Review of the performance audit reporting and redesign project (PARRP)

  • Timing: 2018–19 fiscal year
  • Budget: 450 hours
  • Areas: Direct Engagement audit teams, External Communications, Editorial Services and Translation, Legal Services
  • Type of engagement: Business process review

Audit coverage

| Governance | Risk | Internal controls |
| --- | --- | --- |
| Yes | N/A | Yes |

Was this engagement included in the PRIA Risk-Based Plan for 2016–2019?

Yes. The business process mapping exercise was scheduled to be completed in the 2018–19 fiscal year. The timing for this engagement is unchanged.

What does PRIA hope to accomplish with the business process mapping exercise?

The objective of the mapping exercise would be to determine whether the new reporting process is implemented as intended and is improving and simplifying the reporting process. PRIA will also report on any inefficiencies in the processes.

What will the mapping exercise examine and exclude?

PRIA could consider business process mapping and control points to identify inefficiencies, duplication, and areas that require clarity in roles and responsibilities. PRIA’s deliverable could be a management letter.

Are there events that may affect the timing of the business process mapping exercise?

The PARRP is under way. Management expects that a lessons-learned activity will take place in fall 2017, and management may issue recommendations at that time. If management accepts and implements the recommendations of the PARRP in the 2017–18 fiscal year, PRIA anticipates conducting its business process mapping exercise in the 2018–19 fiscal year. If management does not issue recommendations in 2017 or if the PARRP is not implemented as intended, PRIA will review the proposal and its timeline in December 2017.


 

Proposed title: Compliance project

  • Timing: 2019–20 fiscal year
  • Budget: 750 hours
  • Areas: Legal Services and Office-wide
  • Type of engagement: Assurance (internal audit)

Audit coverage

| Governance | Risk | Internal controls |
| --- | --- | --- |
| Yes | Yes | Yes |

Was this engagement included in the PRIA Risk-Based Plan for 2016–2019?

No. This engagement was not included in the PRIA Risk-Based Internal Audit Plan for 2016–2019. PRIA is proposing this new engagement as a result of the recent update to its annual assessment of the significant risks affecting the Office.

What does PRIA hope to accomplish with this internal audit?

The objective of the internal audit would be to determine whether an appropriate management control framework is in place to ensure that the Office remains in compliance with relevant legislation and Treasury Board policies and directives. The Office recently reviewed its policies and practices to ensure that it complies with relevant legislation and Treasury Board policies. This review, known as the Compliance Project, entailed three key activities: creating an inventory, determining responsibility for each instrument, and assessing the Office’s compliance with each instrument.

PRIA wants to examine whether the Office has met the Compliance Project’s outcomes and whether management has appropriate controls to ensure that the Office remains in compliance.

What will the internal audit examine and exclude?

PRIA will examine plans, activities, and outcomes related to the Office’s Compliance Project to assess if they provide sufficient control to ensure that the Office will remain compliant with relevant compliance requirements.

Identify any significant risks for the Office related to this work.

This is a sensitive topic, as a negative conclusion could affect the Office’s reputation with the public and the entities it audits.


 

Proposed title: Resourcing for the audit practices

  • Timing: 2019–20 fiscal year
  • Budget: 1,200 hours
  • Areas: Comptroller’s Service and Office-wide
  • Type of engagement: Assurance (internal audit)

Audit coverage

| Governance | Risk | Internal controls |
| --- | --- | --- |
| Yes | Yes | Yes |

Was this engagement included in the PRIA Risk-Based Plan for 2016–2019?

Yes. This internal audit was scheduled to be completed in the 2018–19 fiscal year as a result of PRIA’s annual assessment. Resourcing at the Office is undergoing significant changes, and PRIA feels resourcing needs to normalize before it conducts an internal audit in this area. For example, the Office has taken actions in the past six months to address elevated employee stress by determining the minimum required number of direct engagements to be performed during a calendar year. Furthermore, the Office is still defining roles and responsibilities for resource decisions, and it has not fully implemented these roles and responsibilities. PRIA further refined the scope of the engagement to include only the audit practices, as the Office allocates the largest percentage of resources to the Annual Audit and Direct Engagement Audit Practices.

What does PRIA hope to accomplish with this internal audit?

The objective of the internal audit would be to determine whether an effective management control framework is in place for ensuring the Office has sufficient resources to carry out planned audit work in the audit practices. Notably, PRIA will examine how the audit practices prioritize their resource allocations at the practice and engagement levels. PRIA will also examine how the practices use relevant, timely, accurate, and complete information to support decisions about resource allocations.

The internal audit will also include a review of how the Office forecasts its audit resource allocation. The review will assess the completeness of this forecasting process and whether it is flexible enough to respond to unexpected events or changing priorities. PRIA will also look at the information that the audit practices collect to support the Office’s human resources strategies.

What will the internal audit examine and exclude?

The internal audit will look at the control environment; the risk identification, assessment, and mitigation strategies; and the control activities supporting audit resources planning and allocation.

The internal audit will exclude resource planning and allocation for Corporate Services.

Identify any significant risks for the Office related to this work.

There could be a reputational risk to the Office if the internal audit finds that the management control framework for ensuring that sufficient resources are allocated for planned audits in the audit practices is ineffective.