Practice Review and Internal Audit—Risk-Based Audit and Evaluation Plan for the 2022–23 and 2023–24 Fiscal Years

ISSN 1925-8488

Message from the Chief Audit Executive

I am pleased to present my first Risk-Based Audit and Evaluation Plan as the newly appointed Chief Audit Executive of the Office of the Auditor General of Canada (OAG). We developed this evergreen plan for the 2022–23 and 2023–24 fiscal years to ensure that our planned engagements meet the OAG’s assurance and information needs.

“A bend in the road is not the end of the road … unless you fail to make the turn.”

Helen Keller

A higher level of uncertainty and change has become increasingly normal because of the coronavirus disease (COVID‑19) pandemic and the evolving technological, economic, and labour-market environments, just to name a few. As is expected, uncertainty and change bring their own set of challenges and risks, but they also bring a multitude of opportunities if one is attentive to them, has the mechanism in place to capture and analyze data, and is willing to seize them. Our team, while ensuring its independence, will take steps to become a stronger strategic partner for the organization to support it in navigating this uncertainty and change so the OAG can continue to deliver for Canadians.

To achieve this, the team will leverage best practices in communication, change management, innovation, and client service to support the OAG’s strategic objectives around the Care, Connect, and Modernize pillars. We will adapt and modernize our services and adopt more agile principles to provide increasingly value-added and impactful products and information to support senior management in its risk-based and evidence-based decision making.

This plan contains details about the team’s role and its capacity, an overview of the plan development process, an overview of the planned engagements and other activities, an overview of performance measures, and an estimated budget in hours to deliver on the plan. We will keep this plan evergreen. By using an agile approach, we will reassess and refine the timing, objective, and scope of engagements on the basis of organizational priorities and evolving risk areas and information needs.

I would like to thank the OAG’s senior management, staff, and Audit Committee members for their cooperation, assistance, and more importantly, support in developing and delivering on this plan. This continued collaborative approach will ensure a more relevant and impactful suite of products and services from the team.

Julie Bastarache
Chief Audit Executive
Office of the Auditor General of Canada

June 2022

Oversight

As an officer of Parliament, the Auditor General of Canada is independent from government and reports directly to the Parliament of Canada. Given its mandate, the OAG is not subject to direct Treasury Board of Canada Secretariat oversight. Consequently, the OAG’s internal oversight mechanisms are of particular importance for ensuring that adequate management practices are in place. The Practice Review and Internal Audit team’s work is one of these oversight mechanisms, providing assurance to management through internal audit, evaluation, advisory services, and other activities.

Reporting relationships

The Chief Audit Executive leads the internal audit and evaluation functions. The Chief Audit Executive reports functionally to the OAG’s Audit Committee and administratively to the Auditor General. The Audit Committee is composed of 3 members, including the chair, who meet regularly to support the team’s work and to provide oversight and advice to senior management on important subjects.

The Chief Audit Executive is responsible for developing and updating the risk-based audit and evaluation plan annually and presenting it to the Audit Committee for review. The Audit Committee recommends the approval of the plan to the Auditor General. The Auditor General is the final approval authority for the plan.

Our team and our objectives and services

Under the leadership of the Chief Audit Executive, Julie Bastarache, appointed in March 2022, the team consists of dedicated and engaged people who deliver quality products and services to support the OAG’s objectives. At the time of publication, the team included the following key members:

In order to meet the capacity needs of the team to deliver on its commitments, additional people may be hired on a temporary or permanent basis. They may include subject matter experts in specific fields or generalists, hired through available human-resource and procurement mechanisms depending on the specific operational needs and resource availability. The team also relies on others in the organization to support it in its various activities, including the Audit Committee’s activities.

As the team expands on its products and services over the next 2 years and beyond and modernizes its activities, it is committed to continuously improving and learning to build on its existing skillsets. For these reasons, an increased investment in training and learning is expected. Examples of planned areas for further development include data analytics and visualization, evaluation principles and methodology, change management, and risk management, to name only a few. We also ensure integrity and professionalism by pursuing and maintaining relevant professional designations and certifications within the team and by continuing to develop other important competencies crucial to our work and objectives. The team has 2 key objectives and provides internal audit and evaluation services and advisory and consulting services (Exhibit 1).

Exhibit 1—Summary of plan objectives and supporting activities

Key Objectives of the Risk-Based Audit and Evaluation Plan

  • Ensure that all internal audit, evaluation, advisory services, and other activities are agile, relevant, timely, and strategically aligned to support the achievement of the Office of the Auditor General’s strategic objectives and its 3 pillars of Care, Connect, and Modernize.
  • Elevate the team’s profile and position it as a stronger strategic partner for the organization. 

Internal Audit and Evaluation Services

Internal Audit

Provide independent and objective assurance to add value and improve OAG operations.

Evaluation (NEW)

Provide information through the systematic and neutral collection and analysis of evidence to assess merit, worth, and value towards the achievement of expected results and outcomes.

Types of products and services
  • internal audits
  • evaluations (NEW)
  • hybrid audits/evaluations (NEW)
  • reviews
  • other assessments

Advisory Services and Other Activities

Provide timely and relevant advisory and consulting services in areas requiring lower levels of assurance and neutrality.

Types of products and services
  • lessons learned
  • health checks
  • targeted research
  • advice on performance measurement, risk management, governance, results, process design, and so on
  • practice review activities
  • internal audit specialist function
  • administration activities to support the Audit Committee
  • awareness, facilitation, and training activities
  • activities within the internal audit and evaluation communities of practice, corporate initiatives, committees, and working groups

Risk-Based Plan for the 2022–23 to 2023–24 Fiscal Years

Planning and prioritization process

The team revises and prepares its plan on the basis of a robust process that it completes at least yearly. In the spirit of continuous improvement and learning, the team reviews its process and seeks feedback to assess what changes can be made to further improve the process. This collaborative and data-driven exercise allows the plan to remain relevant to the evolving needs of the OAG while ensuring that the work is prioritized on the basis of risks, priorities, and potential opportunities. The team’s process is composed of 4 important actions that are performed continuously to establish and maintain the team’s evergreen audit and evaluation plan (Exhibit 2).

Exhibit 2—Process for establishing priorities

  1. Environmental scan
    Identify internal and external events that could affect objectives and mandates.
  2. Risk assessment
    Monitor and assess risks through formal and informal channels (integrated risk assessment exercise).
  3. Consultation
    Seek input at all levels to identify and understand challenges and opportunities for improvements.
  4. Prioritization
    Assess significance of risks and opportunities and prioritize activities based on the value added.

Environmental scan

The OAG continued to build its executive team over the last year. It welcomed a new assistant auditor general who has assumed the responsibility for strategic planning, risk management, and change management. In addition, a new chief audit executive with a breadth of knowledge in auditing, risk management, and evaluation was appointed following the incumbent’s retirement.

An area of continuous change for the OAG involves its workforce. The OAG continues to integrate a significant number of new employees who were hired as part of the OAG’s expansion over the last 2 years. Also, challenges to retention and recruitment as a result of restricted labour markets have only been exacerbated by the recent labour dispute at the OAG. This plan reflects the risks that the OAG is facing with respect to these and other human resource management issues.

The needs of its clients and its stakeholders and the environment it operates in are continuously evolving. In order to remain relevant and deliver audits effectively and efficiently, the OAG is interested in improving its performance audit selection process and its stakeholder relationships. Our function is no different. Furthermore, the OAG is undertaking significant efforts in digital transformation. This is a significant long-term initiative that aims to enable changes by using data and digital solutions. The pervasive nature of this initiative increases its risk and warrants independent oversight. These priorities have been considered in the development of this plan.

Risk assessment and consultations

This risk-based plan is meant to be evergreen, meaning it will be periodically revised to reflect emerging risks and priorities. The environmental scan, described above, also included top risks identified externally, such as those identified by the Institute of Internal Auditors and the Treasury Board of Canada Secretariat.

Based on the review of the results of the OAG integrated risk assessment exercise and the consultations across the various functions, the team identified the top 5 risk areas that would likely benefit the most from work related to internal audit and evaluation and would provide the greatest value for the organization (Exhibit 3). These included the following primary and related secondary risk areas.

Exhibit 3—Top risk areas

Strategic planning for performance audit

  • Risk assessment and audit selection
  • Stakeholder relationships
  • Structure and governance

Management of human resources

  • Employee onboarding and integration
  • Diverse and inclusive workplace
  • Talent and performance management and professional development
  • Strike management and post-strike relations
  • Health and psychological safety

Information technology (IT) systems support for operations

  • Working paper software for audit practices (CaseWare)
  • Modernization of systems (such as learning management system [LMS] and Microsoft 365 [MS365])
  • Digital transformation initiative (for future phases)

Adaptability to change

  • Digital transformation initiative (current phase)
  • Strategic planning
  • Culture and change management
  • Budget and financial management
  • Governance and information sharing for decision making

Data security, privacy, and management

  • Cybersecurity
  • Data security
  • Data management

Priorities for the 2022–23 fiscal year

1  Complete the review of the Audit Working Paper Software Project (CaseWare)

Related risk: IT Systems Support for Operations

The review began in the 2021–22 fiscal year. This review’s objective is to provide the executive sponsor with an independent assessment of whether the project was appropriately planned and monitored to be able to achieve its minimum viable product (core features and functionality) by the 31 December 2022 deadline. The estimated budget for this engagement is approximately 400 hours. As with any engagement, there is a possibility that results from the initial review could indicate that additional work needs to be performed. If that happens, the intention would be to complete any additional work under a separate engagement.

2  Advisory services on the performance audit selection process

Related risk: Strategic Planning for Performance Audit

This research and advisory project’s objective will be to provide senior management with information to support the modernization of this important process by fall 2022, when the exercise is planned, to help determine the audits to be completed in the 2023–24 cycle. This project may also touch on stakeholder relationships and will include a research component. The estimated budget for this engagement is approximately 1,000 hours but may vary depending on the final scope of the project. Additional work, such as lessons-learned, review, or audit activities, may be conducted after the 2023–24 planning exercise has been completed to further help refine the process for future years.

3  Audit or review of the budget and financial management process

Related risk: Adaptability to Change

This will likely include full-time-equivalent allocation and budgeting. The preliminary objective of this work will be to determine if the budget and financial management processes are optimized for decision making and are designed to optimize the culture and accountability that it aims to achieve. The estimated budget for this engagement is approximately 1,000 hours but may vary depending on the final scope and type of engagement for this initiative.

4  Review of advisory services on the larger digital transformation initiative

Related risk: Adaptability to Change

As part of the Phase I—Discovery portion of the initiative, the preliminary objective of this work will be to determine if the organization has considered all necessary factors in order to successfully define its business and organization needs related to digital transformation. The estimated budget for this engagement is approximately 400 hours but may vary depending on the final scope and type of engagement for this initiative.

5  Audit and evaluation of the resource planning and management processes

Related risk: Management of Human Resources

The preliminary objective of this work will be to determine if these processes support an effective and efficient workforce to deliver on organizational objectives, if it is sufficiently nimble and adaptable to the evolving environment, and if it contributes to the organizational culture sought. This project may touch on elements related to onboarding and integration. The estimated budget for this engagement is approximately 1,200 hours but may vary depending on the final scope for this engagement. This work is directly linked to the work performed on the audit or review of the budget and financial management process. Note: The internal audit reports Integrated Human Resource Planning and Framework for Employee Learning, Training, and Development were issued in October 2015 and October 2018, respectively. Also, the Review of the Work on Internal Controls for Payroll Transactions was issued in July 2019.

Although no additional specific work is planned around the risk of Data Security, Privacy, and Management, the audit report Managing Information Technology Security was issued in January 2018 and the audit report Follow‑up on the January 2018 Internal Audit Report on Managing Information Technology Security was issued in January 2019. Therefore, the team will monitor the implementation of recommendations and the evolving risks and work with the appropriate stakeholders to determine their impact and adjust its risk-based plan as appropriate.

Additional areas for consideration have been communicated to the team and additional engagements may be added as time and resources permit. Given the rapidly changing landscape of the labour market and the evolution of work, among other factors, an area of particular interest will be other elements related to human resources, given the complexity, risks, and opportunities involved. Given the nature of this topic, the support through advisory services would likely be considered as a starting point.

Furthermore, the team plans to integrate elements around culture, change management, risk management, governance, and internal controls as appropriate. It will strive to deliver its products and services along horizontal themes and make links across the organization’s various functions as appropriate to allow for organization-wide recommendations that have more impact. It will also monitor the implementation of past recommendations and ongoing initiatives and remain available for advisory services as they may be needed.

Practice reviews for the 2022–23 fiscal year

Overview

Practice reviews are a component of the OAG’s overall system of quality control, which complies with the Chartered Professional Accountants of Canada’s Canadian System of Quality Control 1 standard (to be replaced by the Canadian standards on quality management 1 and 2, effective 15 December 2022). Practice reviews are performed at the engagement level and provide the Auditor General of Canada with assurance that engagement leaders are complying with professional standards, OAG policies and applicable laws and regulations, and that the audit reports that are issued are supported and appropriate. The selection of engagement leaders to undergo a practice review in the cycle is based on risk and requires all engagement leaders responsible for financial audits and direct engagements (performance audits and special examinations) to be reviewed at least once every 4 years. There are 12 practice reviews currently planned for the 2022–23 fiscal year: 6 are related to financial audits and 6 are related to direct engagements (special exams and performance audits).

Collaboration

As a member of the Peer Review Committee of the Canadian Council of Legislative Auditors, the team collaborates with provincial audit offices to perform interjurisdictional reviews of audit files to learn from each other and develop best practices. We also coordinate any inspections of our regional offices and head office by external oversight bodies, including those of the provincial institutes of chartered professional accountants.

Proposed changes to the function

In the recent past, the internal audit function has been responsible for performing practice reviews at the OAG. In an effort to allow the function to focus on its modernization and value-added efforts, discussions are currently underway about transferring this responsibility to another group in the OAG over the next year. We are exploring strategies that will ensure a smooth transfer, including the possibility of securing external resources to help reduce the impact during the transition period. In addition, the team is reviewing the program used in practice review activities to focus on compliance with standards and OAG methodology policies, with less of a focus on supporting guidance. The team will also strengthen its risk-based approach in the selection of engagement leaders and audits to be reviewed. As the intention is to have the practice review function completed by a different group, no specific information is provided in this plan for the 2023–24 fiscal year. However, the breadth of work is likely to stay relatively similar in future years.

Measuring Performance

Prior year

In the prior year plan, the team identified performance measures that align with certain objectives of the 3 strategic pillars of the OAG: Care, Connect, and Modernize. See Appendix A for details.

The team values and actively solicits feedback on its performance from its stakeholders, including the Audit Committee members. In 2021–22, the team achieved many of the performance targets it had set for the period or was making progress toward their achievement; however, a number of areas also required further attention. Areas for development include further building and using data analytics skills and improving feedback processes to increase the focus on outcomes. The team completed most of the activities it had planned, including the finalization of 1 internal audit, 2 internal reviews, and the latest cycle of practice reviews. The vacancy in the chief audit executive position for part of the year and the redeployment of resources to assist other OAG departments during the labour dispute contributed to some planned internal review work being delayed.

Future years

Looking forward to the next 2 years, the team has revised its key priorities and performance measures to support its modernization and value-added propositions. These 5 elements, each supporting at least 2 of the 3 Care, Connect, and Modernize pillars, are detailed in Appendix B.

These will be in addition to ensuring that we respect the appropriate professional standards and other applicable policies and guidance, the most relevant of which include the following

The internal audit function will also undergo an external quality assessment in 2022–23. The purpose of this review is to evaluate whether the internal audit activities conform to the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics and to assess the efficiency and effectiveness of the internal audit activity. Given our intention to modernize the internal audit function and diversify the range of services we deliver, we also plan to include an assessment of our risk-based plan and a revised charter for the team’s activities within the scope of work.

Budget

While it is too early to establish a precise budget because we have not determined the scope and timing of our audit and evaluation engagements, we have developed the following preliminary budget for the upcoming year based on prior-year experience and the most up-to-date information received (Exhibit 4).

Exhibit 4—Preliminary budget for the 2022–23 fiscal year

Activities and estimated hours

Internal audit and evaluation engagements: 4,500 hours

  • Finalize independent review of CaseWare (100 hours)
  • Conduct research and provide advisory services on the performance audit selection process (1,000 hours)
  • Audit or review of the budget and financial management process (1,000 hours)
  • Perform independent review and/or provide advisory services of Digital Transformation Initiative (Phase 1) (400 hours)
  • Begin hybrid audit and evaluation of the resource planning and management processes (400 hours) (work likely to be completed in 2023–24 fiscal year)
  • Ad-hoc audit, evaluation, and consultation engagements (1,600)

Practice reviews—Financial audit and direct engagements (subject to change if function is reallocated): 1,800 hours

Knowledge of business, assessments of internal controls, the Quality Assurance and Improvement Program, and risk-based planning: 1,500 hours

Audit Committee and follow‑up of recommendations: 1,500 hours

Administration and team management: 1,500 hours

Total: 10,800 hours

Appendix A—Performance Measures and Results for the 2021–22 Fiscal Year

Performance measures and results against the strategic objectives (Care, Connect, Modernize)

  • Completion of optional data analytics courses
    Result: partially achieved
    Note: This was partially completed but not fully completed because of the availability of courses. Plan to complete it in next fiscal year.

  • Certification of management team members: Certified Internal Auditor (CIA), Chartered Professional Accountant (CPA)
    Result: achieved

  • On-time practice review report publishing
    Result: achieved

  • Stakeholder communication done in language of choice
    Result: achieved
    Note: The question was not asked in the surveys and needs to be confirmed. The assessment is based on verbal confirmation from team members.

  • Recommendations addressed by management within planned timelines of action plans
    Result: partially achieved
    Note: A formal follow-up was not completed in the last quarter because of competing priorities and the effects of the strike, but some action plans were also delayed for the same reasons. Regular follow-ups will resume in the new fiscal year.

  • Clients feel that findings reflect key issues that contributed to future improvements
    Result: partially achieved
    Note: Responses from client surveys were mixed with some room for improvement noted.

  • Projects include a mix of products and services that meet stakeholders’ needs and add value for them
    Result: achieved

  • Activities carried out meet the Audit Committee’s expectations
    Result: partially achieved
    Note: Some areas for improvement noted, which the team will work to address in its modernization efforts and in the delivery of its renewed audit and evaluation plan.

  • Agile auditing approaches considered and documented
    Result: achieved

  • Use of data analytics techniques during planning
    Result: partially achieved
    Note: This was used to some extent, but this is an area for improvement for use in all phases of engagements (where appropriate).

  • Hold lessons-learned sessions after implementing new or innovative products, services, and approaches
    Result: achieved

Legend—Result against the performance measure

  • Check mark in a green circle: The result was achieved
  • Exclamation point in a yellow circle: The result was partially achieved
  • An X in a red circle: The result was not achieved

Appendix B—Key Priorities and Performance Measures for the 2022–23 and 2023–24 Fiscal Years

Key priorities and strategic objectives supported (Care, Connect, Modernize)

  • Complete an appropriate mix of audit-, evaluation-, and advisory-related products and services to support the achievement of objectives related to the Care, Connect, and Modernize pillars.
    Strategic objectives supported: 3 of 3

  • Modernize the processes and outputs related to audit, evaluation, and advisory services to increase stakeholder engagement and the practical use of reports and related products.
    Strategic objectives supported: 2 of 3

  • Develop team members’ skills and competencies related to data analytics and visualization, evaluation principles and methodology, change management, and risk management, including relevant certification to support a professional workforce.
    Strategic objectives supported: 2 of 3

  • Build stronger relationships and awareness with stakeholders by using and modernizing feedback, outreach, and communication activities available both to raise the function’s profile and to position it as a stronger corporate strategic partner.
    Strategic objectives supported: 2 of 3

  • Increase networking efforts across relevant communities of practice and leverage the sharing of lessons learned and best practices from these networks to improve the team’s activities.
    Strategic objectives supported: 2 of 3