Home > Proactive Disclosure > Audits and Evaluations > A&E Reports > 2010-2011 > Chief Audit Executive / Director General, Audit and Evaluation Branch – Annual Report – 2009-2010

Chief Audit Executive / Director General, Audit and Evaluation Branch – Annual Report – 2009-2010

June 2010

Previous page | Table of Contents | Next page

3 Performance Summary: Internal Audit

• 3.1 Progress Against Plan
• 3.2 Activities of Other Assurance Providers
• 3.3 Professional and Practices Development
• 3.4 Assurance Overview Reporting
• 3.5 Follow-up on Recommendations and Management Action Plans
• 3.6 Client Surveys
• 3.7 Quality Assurance
• 3.8 Lessons Learned

3.1 Progress Against Plan

We recognize that outcomes-based measures are needed and are in the process of being developed. In the interim the following table summarizes the progress that was made against the internal audit projects contained in the multi-year audit and evaluation plan:

Progress Against Plan:  Internal and External Audit

Top of Page

3.2 Activities of Other Assurance Providers

The AEB continues to coordinate activities with the Office of the Auditor General (OAG) through regular discussions with OAG/Commissioner of the Environment and Sustainable Development (CESD) representatives concerning the latter's audit work plan and its impact on the department's internal audit work plan.  This year, the AEB also provided extensive consulting and support services in the development of two recent reports by the CESD, one an assessment of the Draft Federal Sustainable Development Strategy and the other, a Discussion Paper on Managing Sustainable Development.

As well, the AEB continues to build its working relationships with other external auditors such as the Public Service Commission (PSC) and the Commissioner of Official Languages (COL) that are increasing the number of audits in which the Department is included. The OCG and the OAG continue to include us in the scope of their audits, as outlined above in the Table.

Top of Page

3.3 Professional and Practices Development

The IA Policy aims to professionalize the function of internal audit across government.  Accordingly, Central Agency expectations for strong professional practices and capacity building within the Branch are high and remain a priority for AEB.  In keeping with these expectations, in 2009, AEB contracted with Ernst and Young to conduct an External Quality Assessment Review of our practices.  This report was presented to the EAAC in July and concluded that the internal audit function (IA and Strategic Planning and Coordination) and processes generally conform to the International Standards for the Professional Practice of Internal Auditing.

An action plan was subsequently developed during the past fiscal year to address the recommendations arising from that review.  Many of the following activities and accomplishments were in line with this action plan:

• In 2009-10, a progress reporting tool was developed and implemented to track the progress of audit projects against the risk-based audit plan, including timelines for completion and a rationale for deviations from the plan.  The progress report is presented at every EAAC meeting.
• To continue our efforts to build and sustain our ranks of professional staff, AEB provided active leadership through participation on the TBS collective staffing of auditors initiative.
• In an effort to demonstrate leadership in the development of professional practices government wide, the Director General participated on several OCG committees including the CAE Committee on Government of Canada horizontal audit plan.
• Internal audit has committed resources to further the development of its employees and the development of an AEB Logic Model.  A detailed performance management strategy, including the identification of key performance indicators, is underway.
• In addition, the activities of IA are furthered through the use of audit software such as TeamMate and Audit Command language.

To reflect the changes in the revised IA Policy, the IA Division reviewed the IA Charter and included the AEB's Mission, Vision, Mandate and Values Statements.  The IA Charter was reviewed by EAAC and approved by the DM.

Top of Page

3.4 Assurance Overview Reporting

The TB Directive on CAE, Internal Audit Plans, and Support to the Comptroller General requires the CAE to provide “annual overview assurance reporting to the Deputy Head and audit committee on the adequacy and effectiveness of departmental risk management, control and governance processes”.  This overview assurance reporting will progress over time in terms of comprehensiveness and rigour and will be in addition to the reporting on individual risk-based audits.

In order to prepare for this, EC has taken the following steps and progress made to date includes:

• An analysis of all past audits and other sources of information was conducted to identify sources of information on areas within the internal control framework.  The other sources of information included documents such as the Corporate Risk Profile (CRP), the Departmental Performance Reports (DPR), various plans, such as the integrated HR plan, staff survey, departmental policies, etc. This analysis indicated that historically audit work focused mainly in the areas of stewardship, financial management and people management.  As such, the branch will be considering broadening this analysis to include information from other assurance providers, such as the OAG, the CESD and the OCG and the Management and Accountability Framework (MAF) assessments.
• The risk-based audit plan (RBAP) describes how all the high risk areas in the department will be examined by internal audit or other assurance providers, such as the OAG or the departmental evaluation group.
• The risk-based audit plan links each audit project to the CRP, the Corporate Priorities, and the MAF key elements, in order to ensure coverage and to help reporting.
• All past recommendations, from internal audit, evaluation and external audits have been recorded in a database in TeamMate and will be categorized against the MAF core controls.
• All future recommendations will also be recorded in TeamMate and categorized against the MAF core controls in order to collect information to support assurance reporting on an ongoing basis.
• The use of continuous auditing will also be explored, based on the guidance e received from the OCG for continuous auditing.  The internal audit division already possesses the tools and the capacity to conduct this kind of audits.

As well, since last fiscal year, the audit engagements are moving away from compliance audits to program and performance audits that better support the annual overview assurance.  The following engagements illustrate this shift:

2009-2010 Audit engagements:

• Governance of Specialized Information Technology Resources
• Governance of Information Management
• National Hydrometric Program (one of the two audit objectives was related to governance)

2010-2011 Audit engagement:

• Risk Management

While progress has been made in 2009-2010, further work is required and will continue in the following fiscal year to better define and develop how the branch will be providing annual assurance.

Top of Page

3.5 Follow-up on Recommendations and Management Action Plans

To strengthen reporting and accountability for implementation of recommendations, the Branch has developed a common approach for the development of management action plans for individual audits, both internal and external, and for overall reporting on the status of implementation of recommendations. The EAAC has noted the progress made by the department with regards to the quality of management responses and action plans as a result of the efforts of the Branch.

Follow-up processes have been enhanced and regular reporting to senior management of the status of past recommendations has been improved.  These new procedures provide senior management and the EAAC with comprehensive information on the status of implementation of management action plans and implementation of recommendations.  All internal audit follow-up recommendations have been transferred to TeamMate, an audit software application.  Evidence is analysed and documented in the software to track progress on implementing recommendations on a more timely basis (in accordance with management actions plans).  The new software is in place and is ready to be used in 2010-11.  Follow-up on recommendations are conducted on an ongoing basis to ascertain the degree to which the action plans in response to recommendations made in previous audits have been implemented, and to determine outstanding gaps/risks.  Progress reports on follow-ups are provided on a regular basis to the EAAC, the Executive Management Committee and the Deputy Minister.  A detailed report on the status of internal audit recommendations and management actions at year end is provided in Appendix B.

Top of Page

3.6 Client Surveys

After each audit, the IA Division sends surveys to clients in order to assess internal audit products and services.  Managers are asked to provide feedback on the quality of the internal audit products and services.  The Assistant Deputy Ministers (ADMs) responsible for the function that was audited are asked about the value of the audit.  During this year, the IA Division sent out surveys for three audits (Efficiency of staffing operations, Occupational Health and Safety and Costing and Pricing Processes for Revenue Generation).  The Division received responses from ADMs and managers for two audits.  One included positive comments about the value of the audit and the quality of audit services provided while the other indicated some concern over the audit process.  Survey results and the corresponding lessons learned are being used as part of the continuous improvement process.

Top of Page

3.7 Quality Assurance

One of the hallmarks of the internal audit profession is the commitment to quality assurance and review.  During previous reporting periods both internal and external quality assurance reviews identified some opportunities for improvement.  Efforts to address these findings have been undertaken.

As part of the AEB Quality Assurance Program, the IA and Strategic Planning and Coordination (SPC) Divisions conduct an annual internal quality assessment (IQA) against the Institute of Internal Auditor (IIA) Standards and Policy on Internal Audit.  The January 2010 IQA conducted (using the updated Internal Audit Quality Assessment Tool which reflects all changes to the Policy on Internal Audit and the IIA International Professional Practices Framework (IPPF)), confirmed that the IA (both IA and SPC) function is in general compliance.

As previously noted, an External Quality Assessment was conducted in May 2009 and the results presented to EAAC.  The Assessment found that there was general compliance with relevant standards.  The Assessment did identify two areas of partial compliance and made a number of recommendations.  The areas of partial compliance concerned planning and follow-up which have been addressed.  A detailed action plan was developed to address the recommendations and was presented to EAAC in June 2009.  Progress on the action plan is presented to the EAAC at every meeting.  Most actions had been completed by January 2010.

Top of Page

3.8 Lessons Learned

A number of important themes developed over the course of the past year as a result of the Branch's activities and can be treated as relevant lessons learned going forward.  These lessons will be responded to through future audit plans and activities and are presented here, at a high level, for broad consideration.

Lessons Learned by Internal Audit relevant to the overall Department:

• Various audits conducted in 2009-2010 indicate that organizations need to define more clearly their roles and responsibilities.  This could have been due to the implementation of the revised Program Activity Architecture (PAA).  Going forward, IA will continue to track the issue of governance and accountability, to determine if any systemic issues surface and where recommendations may be needed.
• In addition, audits showed that practices are not always consistent across regions. Inconsistencies are in part due to a lack of guidance from departmental Head Quarter.
• It was also highlighted that some internal services should be more client-oriented, which includes monitoring client satisfaction.

Lessons Learned by Internal Audit relevant to the AEB:

• The internal audit team has implemented a more rigorous approach to risk analysis in audit engagements, which has proven beneficial to the scoping and added value of projects.
• For department wide audits, audit processes will ensure that all ADMs will be considered and consulted in the planning phase of the audit.
• Senior management is increasingly requesting debriefs, which indicates an increased appetite for partaking in the internal audit process.  Building on this interest, the internal audit team is working towards improving their communication strategy with senior management and audit entities.

Lessons Learned from External Audit relevant to the AEB:

In addition to the themes identified for internal audit, lessons learned that pertain to both the Audit and Evaluation Branch's management of, as well as the department's participation in, external audits are:

• Early engagement of senior management, a lesson for both the Audit and Evaluation Branch and the department can be key to influencing the focus and approach of the audit so that it addresses effectively addresses issues that are of concern to the department.  Further early engagement supports the branch or branches ability to plan for the upcoming work and to constructively engage partners in other government departments where this is appropriate.
• On a more general point, regular consideration by senior managers of upcoming external audits that includes assessing their potential impact in the context of planned departmental undertakings such as Treasury Board submissions, memoranda to Cabinet or program announcements will contribute to the department's capacity to manage and respond to external audits in a strategic manner.
• Issues and subject areas are selected by external auditors for a variety of reasons including legislative requirements and risk assessment that may be founded on a different or broader set of concerns than are any of the departmental risk assessment exercises.  Because of this, audit work and any consequent recommendations, may not always be well aligned with the department's priorities or its assessment of most significant risk.  Therefore, it is particularly important that the department work with external auditors when recommendations are being drafted to ensure that will be as beneficial as possible and that any management commitments made in response to recommendations are well aligned with existing and resourced departmental plans and priorities.
• Finally, an ongoing need is to continue to improve communications and relationships with the department's external auditors in order to enhance the value for the department that may be drawn from externally generated audit work.

Previous page | Table of Contents | Next page