Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the Contact Us page.


Environment Canada's Three-Year Risk-Based Audit and Evaluation Plan 2009-2012


Appendix E – Planning Methodology

This year EC has strengthened its approach to risk-based audit and evaluation planning, in accordance with the requirements of the TBS Policy on Internal Audit and Evaluation Policy. An important element of the internal audit policy is for the CAE to provide the Deputy Minister with an annual holistic opinion on the state of risk management, controls and governance. One of the chief means of ensuring sufficient audit coverage in support of this holistic opinion is through a robust, risk-based annual plan.

This year’s risk assessment and prioritization process was conducted using the new OCG RBAP guide. The process used a more comprehensive and rigorous approach to risk-based annual planning.

Examples of enhancements achieved through this approach include:

  • Risk methodology based upon the Policy on Internal Audit (April 2006) and consistent with the TBS IRMF
  • Identification and ranking of the audit universe by priorities with the selection of projects by highest risk
  • Improved coverage of risk management, controls and governance processes (as per TBS Policy on Internal Audit and Federal Accountability Act)
  • Improved alignment and integration with key corporate activities – departmental strategic review, CRP, MAF assessment, departmental priorities (RPP), board priorities, and financial readiness assessment
  • Alignment and integration with external and horizontal audits by other audit assurance providers – OAG/CESD, TBS/OCG, Privacy Commissioner, COL, and PSC
  • Improved description and linkage of projects/engagements with risks (rationale, risk description, scope and objectives, start date and tabling date)
  • Improved rationale and reporting for carry-over projects
  • Improved follow-up on recommendations and management action plans

According to the RBAP guide and methodology, there are four steps to developing a modern risk-based audit and evaluation plan:

  1. Development of the Audit/Evaluation Universe
  2. Preliminary Prioritization of the Audit/Evaluation Universe
  3. Final Prioritization of the Audit/Evaluation Universe
  4. Audit/Evaluation Plan Development and Approval

Step One: Development of the Audit and Evaluation Universe

The starting point for the planning process was the organization’s internal audit and evaluation universe. The audit and evaluation universe represents the potential range of all audit and evaluation activities and comprises a number of entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives. Through the audit and evaluation planning process, the entities were ranked relative to one another to derive the audit and evaluation priorities and plans.

To ensure adequate coverage of the audit and evaluation universe, this year’s annual audit and evaluation plan was mapped against the latest PAA. The risk assessment was conducted through a comprehensive mapping to over 160 entities.

To demonstrate further alignment of the audit and evaluation activities with the objectives of the organization, each of the entities was also mapped to the organization’s strategic objectives. The entities were also mapped to the relevant aspects of the MAF, as these ten elements represent important government-wide objectives. Finally, the entities were mapped to the CRP, to ensure corporate risks were sufficiently covered by the plan.

Step Two: Preliminary Prioritization of the Audit and Evaluation Universe

Through the risk-based audit and evaluation planning process, audit and evaluation priorities were identified and potential audit engagements and evaluation projects were ranked according to departmental need or priority. Two criteria were used to complete the prioritization of entities: risk exposure and significance.

The primary source of information for this process was the departmental Strategic Review from 2008. These documents were very comprehensive, but primarily available for the program boards. The enabling (support) boards were not covered, except for those few areas that were already linked to a program e.g. Pacific Environmental Centre (PEC), Aboriginal Affairs, and Long-Term Global Climate Change Regime. These information “gaps” were completed through in-depth management consultations.

In addition to these documents, the comprehensive risk analysis included several other key sources of information, including the CRP, the latest MAF assessment, departmental priorities (RPP), board priorities and the ongoing financial readiness assessment.

Each entity was assessed in terms of its risk exposure (by document review and consultations) which was defined as the level of risk to which each entity is exposed, and considered the following:

Assessing Risk Exposure

  • The entity’s current and anticipated business conditions and the presence of risk factors (includes a separate list of criteria)
  • The number and nature of potential risk events to which the entity is exposed, as a result of its business conditions and risk factors (includes a separate list of criteria)
  • The severity of consequences if the risks to which the entity is exposed materialized
  • The overall state of control in place within a given entity

Assessing the Significance of the Entities

  • The second criterion used to prioritize the entity was that of ‘significance’.
  • Significance is defined as the value or significance of the entity, in the context of the department or agency’s overall objectives. Significance considered, but was not restricted to, the materiality of the unit and its significance to the department. Other considerations included the expected benefits of the entity to the department and its stakeholders and the degree to which a given entity is exposed to public or political scrutiny.

Determining the Preliminary Priority

  • Each entity was assigned a rating for risk exposure and significance
  • Ratings and substantiating analysis were used to generate a global priority score for each entity, which was used to generate a preliminary prioritization of the audit/evaluation universe
  • Taken together, these criteria were applied to derive a total weighted priority score which was used to generate a preliminary prioritization of the entities that comprise the audit/evaluation universe (High, Medium and Low rankings)
  • From this list, a preliminary list of potential projects and engagements was developed, addressing the areas of highest priority

Step Three: Final Prioritization of the Audit and Evaluation Universe

In addition to the preliminary audit and evaluation priority assigned by the audit and evaluation planning team described above, other factors were considered in order to finalize the audit and evaluation priorities and determine the audit engagements and evaluation projects to be conducted:

  • Management/Audit and Evaluation Committee Requests
  • Mandated Audits/Evaluations
  • The projects of other Assurance Providers (OAG, CESD, PSC, Privacy Commissioner, OCOL)
  • Time since Last Audit
  • Carry-over audits and evaluations
  • Follow-up audits and evaluations

Management consultations

To validate the preliminary risk assessment and prioritization of entities and potential projects/engagements, the SPC team conducted a series of comprehensive senior management consultations (17) with program and enabling boards, with the following objectives:

  • Validate preliminary risk ranking and prioritization of potential projects/engagements
  • Gather additional information to close the information gaps, especially for enabling/support functions
  • Gather any additional information that management viewed as being significant for potential risk identification and prioritization of entities
  • Identify other potential areas of audit and evaluation

Information from these consultations was used to improve the list of potential projects and engagements, including risk and priority rankings. AEB directors then validated the final priority rankings and provided supplementary information for the individual projects/engagements, including rationale, scope and objectives, timelines and resource estimates.

Step Four: Audit and Evaluation Plan Development and Approval

The final steps for completing and approving the annual audit and evaluation plan were:

  • AE review and approval of the plan
  • Audit/Evaluation Committee review of the plan
  • Audit Committee recommendation of the audit component of the plan for approval by the Deputy Head (Deputy Minister)
  • Evaluation Committee approval of the evaluation portion of the plan
  • Deputy Head (Deputy Minister) review and approval of the plan
  • CAE/Director General AEB providing the OCG and OAG with a copy of the approved plan

With planned resources, it is expected that AEB will achieve coverage of its very high audit and evaluation priorities over the three-year planning horizon. In general, the highest audit and evaluation priorities are scheduled for completion earliest in the planning horizon. Exceptions to this rule may occur when the feasibility of conducting an audit or evaluation is in question, owing to factors such as major changes or a lack of resources or subject matter expertise. In such cases the CAE/Director General AEB should bring this to the attention of the Deputy Head and Audit/Evaluation Committee.