This year EC has strengthened its approach to risk-based audit and evaluation planning, in accordance with the requirements of the TBS Policy on Internal Audit and Evaluation Policy. An important element of the internal audit policy is for the CAE to provide the Deputy Minister with an annual holistic opinion on the state of risk management, controls and governance. One of the chief means of ensuring sufficient audit coverage in support of this holistic opinion is through a robust, risk-based annual plan.
This year’s risk assessment and prioritization process was conducted using the new OCG RBAP guide. The process used a more comprehensive and rigorous approach to risk-based annual planning.
Examples of enhancements achieved through this approach include:
According to the RBAP guide and methodology, there are four steps to developing a modern risk-based audit and evaluation plan:
The starting point for the planning process was the organization’s internal audit and evaluation universe. The audit and evaluation universe represents the potential range of all audit and evaluation activities and comprises a number of entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives. Through the audit and evaluation planning process, the entities were ranked relative to one another to derive the audit and evaluation priorities and plans.
To ensure adequate coverage of the audit and evaluation universe, this year’s annual audit and evaluation plan was mapped against the latest PAA. The risk assessment was carried out through a comprehensive mapping to over 160 entities.
To demonstrate further alignment of the audit and evaluation activities with the objectives of the organization, each of the entities was also mapped to the organization’s strategic objectives. The entities were also mapped to the relevant aspects of the MAF, as these ten elements represent important government-wide objectives. Finally, the entities were mapped to the CRP, to ensure corporate risks were sufficiently covered by the plan.
Through the risk-based audit and evaluation planning process, audit and evaluation priorities were identified and potential audit engagements and evaluation projects were ranked according to departmental need or priority. Two criteria were used to complete the prioritization of entities: risk exposure and significance.
The primary source of information for this process was the departmental Strategic Review from 2008. These documents were very comprehensive, but primarily available for the program boards. The enabling (support) boards were not covered, except for those few areas that were already linked to a program, e.g. Pacific Environmental Centre (PEC), Aboriginal Affairs, and Long-Term Global Climate Change Regime. These information “gaps” were filled through in-depth management consultations.
In addition to these documents, the comprehensive risk analysis included several other key sources of information, including the CRP, the latest MAF assessment, departmental priorities (RPP), board priorities and the ongoing financial readiness assessment.
Each entity was assessed, through document review and consultations, in terms of its risk exposure, defined as the level of risk to which each entity is exposed. The assessment considered the following:
Assessing Risk Exposure
Assessing the Significance of the Entities
Determining the Preliminary Priority
In addition to the preliminary audit and evaluation priority assigned by the audit and evaluation planning team described above, other factors were considered in order to finalize the audit and evaluation priorities and determine the audit engagements and evaluation projects to be conducted:
To validate the preliminary risk assessment and prioritization of entities and potential projects/engagements, the SPC team conducted a series of comprehensive senior management consultations (17) with program and enabling boards, with the following objectives:
Information from these consultations was used to improve the list of potential projects and engagements, including risk and priority rankings. AEB directors then validated the final priority rankings and provided supplementary information for the individual projects/engagements, including rationale, scope and objectives, timelines and resource estimates.
The final steps for completing and approving the annual audit and evaluation plan were:
With planned resources, it is expected that AEB will achieve coverage of its very high audit and evaluation priorities over the three-year planning horizon. In general, the highest audit and evaluation priorities are scheduled for completion earliest in the planning horizon. Exceptions to this rule may occur when the feasibility of conducting an audit or evaluation is in question, owing to factors such as major changes or a lack of resources or subject matter expertise. In such cases the CAE/Director General AEB should bring this to the attention of the Deputy Head and Audit/Evaluation Committee.