Internal Audit Operations for the period January 2009 to April 2010
In April of 2008, the Office of the Chief Audit Executive (CAE) for the Department of Foreign Affairs and International Trade was created. The CAE reports directly to the Deputy Ministers.
As identified in the CAE’s Report of December 2008, senior management agreed with the need to properly define an audit universe for the Department, and to integrate the role of risk management into its stewardship and delivery of its mandate. Much has been accomplished this year and a half in this regard.
This Report will demonstrate that the audit planning, and first year of implementing a three year Risk-based Audit Plan, has made a recognized contribution to the management of DFAIT. The audit work completed, and planned, is increasingly in keeping with and in support of the Department’s priorities and strategic objectives.
The advisory role of the Departmental Audit Committee has become integral to DFAIT’s internal control and governance processes.
Of particular importance, the role of the Office of the CAE in the Department of Foreign Affairs and International Trade is progressing toward a state of maturity that reflects the Government’s intended role for Internal Audit.
The Department’s first Risk Based Audit Plan for 2009-12, developed in consultation with management, was reviewed by the Departmental Audit Committee, and approved by Deputy Ministers. The Plan allowed, in 2009-2010, a solid first step to Internal Audit work in DFAIT.
In addition to commencing implementation of the first year of the three year audit plan, the CAE began to develop a constructive working relationship with DFAIT’s senior management. Attention was also paid to further establishing and refining the important contribution of the Departmental Audit Committee to DFAIT. The objective of the CAE was to balance the critical management needs of the Deputy Ministers as well as oversight and advisory role of the DAC, with the Department’s planned audit needs.
Our goal was to complete a full program of assurance work relevant to risk management, internal control and good governance. This was largely achieved as noted in Figure 1.
|1||Audits planned in 2009-2010||2||RBAP/Directed Audits completed in 2009-2010|
|RBAP 09-10||Departmental Governance Structures||RBAP 09-10||Departmental Governance Structures|
|RBAP 09-10||Resource Allocation||RBAP 09-10||Resource Allocation|
|RBAP 09-10||Expenditure Controls for high risk payments||RBAP 09-10||Expenditure Controls for high risk payments|
|Not Completed Move to 2010-11||RBAP 09-10||Information for Decision-Making||Note: Management Directed Audit 2009-2010||Financial Resource Management Risk Assessment|
|RBAP 09-10||Real Property||Note 3 Opinion|
|RBAP 09-10||Systems Management||Headquarters Growth|
|RBAP 09-10||Systems Governance||Implementation of Strategic Review Reductions of 2007|
|RBAP 09-10||TB Decisions and MCs||RBAP 09-10||Partially covered under the Financial Res. Management Risk Assessment|
|RBAP 09-10||IT Asset Management||Covered by OCG Horizontal Audits:||IT Asset Management|
|RBAP 09-10||Risk Management||Corporate Risk Profile|
Though Figure 1 indicates that the body of audit work completed was only partially in keeping with the original plan, the resulting findings for eight of these audits pointed to significant vulnerabilities in some areas of the Department’s core stewardship and risk management responsibilities. Strengthened accountability, and a focus on monitoring performance to confirm that key goals were are being met, was also highlighted in a number of our examinations.
More importantly, the majority of audit work completed met the critical and immediate needs of Deputy Ministers and aligned with the recommended directions of the Departmental Audit Committee.
The impact of much of the audit work completed in 2009-2010 was directly relevant to the management needs of DFAIT. Ten audits were planned, reflecting available Internal Audit resources. Ten audits were completed. However, as evidenced in Figure 1, there was a need to revise the audit program over the course of the year. Through ongoing discussion with Deputy Ministers, and to urgently respond to the changing requirements of the Department, we adapted and re-aligned the deployment of our Internal Audit resources to meet these needs. An urgent financial issue in DFAIT led Deputy Ministers to request a thorough Financial Resource Management Risk Assessment. It was supplemented by audits of Resource Allocation, Expenditure Controls, Growth at Headquarters and Implementation of Strategic Review Decisions. This body of audit work was viewed as integral to the Deputy Minister’s risk management, accountability and financial stewardship of DFAIT. It constituted an important step in senior management recognizing the role of its new Internal Audit function in support of the Department’s stewardship and management of risk. It also provided the CAE with additional and important knowledge of the Department and its programs.
While Figure 1 attempts to portray “the year that was” in terms of work and the resulting audit findings, the more telling story is the action taken by senior management in response to audit recommendations. For each audit conducted, the findings were reported to Deputy Ministers. Assistant Deputy Ministers whose programs were audited committed to undertakings, and presented their Management Action Plans before the Departmental Audit Committee. For example:
In June 2008, the Office of the CAE received formal approval for an Audit Follow-Up Policy on Management Action Plans (MAPs). The policy established a set of principles and procedures regarding the scope, timing, frequency, depth, roles and responsibilities of various stakeholders involved in completing the audit follow-up process for approved MAPs. As well, follow-up reports were prepared to provide departmental managers, senior management and the DAC with information on how effectively priority recommendations were being addressed.
The task at hand was to work with the DAC and key auditees to conclude follow- up on audits which had commenced prior to the establishment of the Office of the CAE. This was achieved. At the April meeting of 2009, the Office of the CAE recommended to the DAC that Follow Up Activity cease for six audits initiated between 2006 and 2008. The DAC agreed. This applied to the 2006 Audit of the Management of the Intranet; the 2006 Audit of the Human Resources Management Systems; the February 2006 Audit of Salary Devolution; the February 2007 Audit of Contracting and Financial Management Practices at the Canadian Foreign Service Institute; and, the June 2008 Audit of Electronic Authorization and Authentication Keys and Integrated Management Systems.
The DAC also agreed that follow-up continue to ensure management has addressed key control issues on the remaining audits of Cash and Banking, Passport, IT Management of Security, Network Content Security, Peace and Security Fund, Property Growth Charge, Francophonie Summit, and Mission Hospitality. By February 2010, significant progress was confirmed for a number of these.
The graph below points to Internal Audit moving from a 70% completion rate to over 90% of management actions to address audit recommendations.
With periodic follow-up reports presented and then recommended by the DAC in April 2009, June 2009, September 2009 and February 2010, issues related to financial management and reporting were addressed:
Finally, significant progress leading to full implementation of internal audit recommended actions was demonstrated for the following:
External assurance providers gave certain coverage of two key audit projects which had been retained in the 2009-2010 Risk-based Audit Plan, yet could not be completed given insufficient audit resources. Both of these subjects were partially examined by the Office of the Comptroller General’s horizontal audits in the areas of Corporate Risk Profile Development and Use and Management of IT Assets.
Given early signals in July 2009, of issues concerning the department’s financial budgeting and forecasting capacity, a finding from the Corporate Risk Profile Horizontal Audit pointed to a lack of integration between the department’s knowledge of risks and the development of its core business lines and Business Plan. This was also confirmed in the subsequent Fall 2009 Audit of Resource Allocation. The Department has agreed to address our finding of a lack of integration between business planning (which takes into account risks) and the resulting allocation of resources.
While all audits completed in 2009-2010 by the Office of the Chief Audit Executive examined some facets of stewardship, the coverage of IT Asset Management by the Office of the Comptroller General informed our Department of the effectiveness of IT asset management programs and processes. While attention is to be paid to inventory of assets, the resulting review also highlighted sound risk-based planning and implementation of the Department’s Strategic Information Technology Plan.
As the CAE is also responsible for undertaking advisory and other activities in support of the Department and the Audit Community, our advisory activities in 2009-10 ranged from confirming, for the DAC, the accuracy and reliability of Note 3 to the Financial Statements, to reporting to the Deputy Minister on the reliability of the department's financial forecasting for the period ending December 31, 2009. As a member of the Department’s Core Services Board, the CAE contributes to the oversight of the management and delivery of corporate services at DFAIT. The CAE was also called on to report on the adequacy and reliability of human resource internal controls, as well as advise on strengthening resource management at Headquarters.
The CAE took part in the OCG-led initiative to pilot a full 360 feedback and assessment process for chief audit executives. As well, a presentation on the impact of Departmental Audit Committees and departmental governance was well received at the Financial Management Institute’s Community Annual Conference. Finally, the Director of Internal Audit was invited to chair the Public Sector Internal Audit Conference. This support is appreciated by the Internal Audit community.
The CAE has taken measures this year to ensure that DFAIT’s Internal Audit planning is in line with Treasury Board Internal Audit Policy requirements. This has been largely achieved. Some key actions taken this year to strengthen the requirement include:
DFAIT’s internal audit function, and the management of its role through the Office of the CAE, has matured in its full compliance with Government of Canada Audit Standards.
In April 2008, the Office of the Chief Audit Executive set as a goal to establish a robust Quality Assurance function covering all aspects of our Internal Audit work by 2012-13. This would mark five years after the creation of the Internal Audit function at DFAIT.
It was intended in 2008 that there would be stable funding to the Internal Audit function, as well as incremental funds from Treasury Board, to support the development and maintenance of a Quality Assurance and Improvement Program. This would allow the necessary investment in human resources, as well as tools, training and the establishment of monitoring of the effectiveness and efficiency of our audit work. Due to reduced funding, this will be delayed. As an important first step, we have begun the professional practice of ensuring that we complete Quality Assurance Certificates for all audit reports and audit opinions issued during 2009-10. This practice will continue in 2010-2011 for all internal audits.
The contribution of senior management has been central to refreshing DFAIT’s Risk-based Audit Plan for 2010-2011. With the benefit of partnership in developing a Corporate Risk Profile, and an updating of the Department’s Audit Universe, our audit program scheduled for 2010-2011 is directly in keeping with DFAIT’s strategic objectives and assessed risk. Part of the maturing process of internal audit in DFAIT has been to establish an ongoing dialogue between the CAE and Deputy Ministers, and between auditors and program management. Both auditors and management have been informed and assisted by the audits done this past year. This has achieved a new level of planning and practice of audit in DFAIT. It will continue to improve.
It is also important to note that our audit planning reflects a managed evolution in its attention to core controls in DFAIT. As noted, the audit work we conducted in 2009-2010 concentrated heavily on stewardship, accountability and gaining a better understanding of DFAIT’s risk management. The seven audits recommended for 2010-2011 will contribute further to our attention to stewardship and risk, but will also broaden our focus to include program management.
Our planned internal audits for 2010-2011 reflect, in subject and relevant core controls, an effort to continue to build an audit foundation. Against the audits described in this Report for 2009-2010, our internal audit program in the coming year will give further attention to DFAIT’s management of resources, as well as management of Real property, Non-IT Assets and Travel.
This will continue our audit attention to DFAIT’s stewardship, and accountability. We will also conduct audit work on information systems that support strategic decision making, central to the Department’s policy and program delivery. Our audit plan delays our attention to human resources until 2011-2012. However, an audit of the Delivery of Corporate Services of 2010-2011 initiates our review of the core controls which concern the adequacy of the delivery of key services. The CAE continues to work closely with senior management of DFAIT to progressively build assurance reporting across DFAIT’s programs, with the goal of achieving a cycle of audit work over time that is central to the management of the Department.
|Audits as per requests and RBAP||Mandatory Audits carried out in 2010-11||Audits carried out by External Auditors- DFAIT was selected to take part|
|RBAP 09-10||Real Property||2||TB Directed||Afghanistan Contracting Special Authorities||PSC-led||Audit of Staffing at DFAIT|
|RBAP 09-10||Information for Decision-Making||In reserve||Gs and Cs Academic Relations Program||PSC-led||Study of temporary help professional services and staffing in govt|
|Management Directed||Audit of Delivery of Corporate Services at HQ||1||Global Commerce Support Program||OCG-led||Business Case Development (tbconfirmed)|
|Audit of Travel||5||MOU Standards Council Pts of Service Enquiry||OAG-led||Internal Audit|
|Follow up Resource Allocation||4||DFAIT Directed||G8/G20 Summits||OAG-led||Water Management|
|RBAP 10-11||Asset Management Non-It||3|
|RBAP 10-11||Financial Reporting Controls||6|
The Treasury Board Policy on Internal Audit requires that the CAE provide an annual overview or Assurance Report to the Deputy Head and to the Audit Committee on the adequacy and effectiveness of departmental risk management, control and governance processes. The Annual Assurance Report is part of the CAE’s Annual Report.
This Annual Assurance Report consists of a presentation of the CAE’s early perspectives on assurance. The perspective is supported by the results of an Internal Audit function’s two first years of operation. Consequently, in contrast with a mature audit service, it would be presumptuous to present a report with a high level of assurance about the state of “risk management, control and governance processes” across DFAIT at the end of year two.
A mature Annual Assurance Report will require the accumulated audit findings and intelligence from at least three full fiscal years. The typical life-cycle for this process is illustrated below:
|Practical Strategies: A Maturity Model|
|Departmental Internal Audit Risk Analysis|
|Departmental Internal Audit Plan|
|1st Generation||Internal Audit Reports: Thematically Linked through IA Risk Analysis|
|2nd Generation||CAE Perspective developed on Risk Management, Control and Governance||DFAIT’s IA maturity|
|3rd Generation||Assurance View of MAF Elements: Differential Levels of Assurance|
|4th Generation||Assurance Reporting|
It has been a very informative second year as the audits completed have provided important insight about the Department’s management framework and processes. An overview of work completed and the resulting coverage of the Core Management Controls is illustrated at Appendix A.
As reported at the beginning of this document, during the past fiscal year, most of our audit attention and resources were turned to addressing an emerging issue for the Deputy Ministers and senior management; that being, the Department’s financial situation. My team’s audit work therefore focused almost exclusively on the processes and controls in place to manage the Department’s resources, and more specifically, the supporting financial management.
Over the course of the past year, the DAC has engaged the CAE in a discussion about the role of Internal Audit with respect to governance. The DAC concluded that the term governance, as used to describe the scope of work of the Internal Audit function in Government, is not consistent with conventions around the definition and scope of this term. In view of this, the Chief Audit Executive is adopting adjusted terminology. As a working proposition, the terms strategic direction and oversight will be used in place of governance. This responds to the DAC’s concern that the defined scope of Internal Audit be better described to reflect its actual role and reporting relationships within federal departments.
The CAE agrees with the DAC position and sees little utility in adding modifiers to, or seeking to qualify the term governance (e.g. departmental internal governance) so as to respect applicable conventions. At the same time, the CAE is required to comply with the Treasury Policy on Internal Audit, and the intent of pronouncements of the Institute of Internal Auditors. It is judged important, by professional publications and policies, that modern internal auditing provide assurance relative to risk management, control and governance. As best we understand it, the intention is to ensure that Internal Audit provides assurances across the full spectrum of management processes that are to achieve purposeful control, that is, control designed to mitigate specific risks with respect to compliance of requirements and the achievement of the objectives and priorities of the Department. Accordingly, as a working model, and recognizing that the terms are not mutually exclusive, the CAE will provide assurance with respect to departmental processes for:
Prior to reaching a conclusion on the above discussion, Internal Audit performed certain work defined as addressing “governance”. DFAIT’s Deputy Ministers had set out to establish a governance structure that would contribute to integrating Foreign Affairs and International Trade. Our review of this governance structure, after 18 months, confirmed the importance of its contribution. This initiative by the Deputy Ministers reflects the new reality that policy advice is not the “be all and end all” role of Senior Executives. Managing is now a more central focus.
Our Preliminary Assessment of DFAIT Governance Structures provided some recommendations for strengthening effectiveness as the structure matures. Key recommendations focused on accountability as well as the monitoring and oversight of the implementation of decisions taken. Additional recommendations regarding governance resulted from audit findings about the department’s budget situation and resource allocation processes. These have led to significant strengthening of the organizational structure for financial management as well as a strengthened mandate for the Department’s Resource Management Committee.
DFAIT’s efforts at risk management, as observed by the CAE, are somewhat uneven. In some business sectors, risk management is relatively formal, well integrated, and supports informed decision-making. However, the observed unevenness speaks to opportunities to develop an improved understanding of risk management across the organization and to better capitalize on the associated benefits. There needs to be a broad-based discussion about the department’s risk tolerances so that risk mitigation strategies embrace purposeful control that contributes to the achievement of the objectives of the Department. This is an area that management will focus on improving in the coming year. Sound risk management ensures that assumptions are clear, tolerances drive the rigour of management processes, lessons are learned and value is created without setting perfection as the only standard.
Indeed, DFAIT participated this past year in the Office of the Comptroller General’s horizontal audit of Corporate Risk Profiles. The two findings specific to our department are:
Addressing these recommendations, I believe, would bring about a more even level of risk management, and corresponding benefits, across the organization.
Our Internal Audit work is not designed to promote controls, but to promote well-designed, purposeful controls that are cost-effective and proportionate to the levels of risks in achieving departmental objectives. A sound and effective control environment should be the result of a management structure, which has set strategic objectives, allocated resources accordingly and established risk management which includes the definition of risk tolerances. The result is an “adapted” control environment that mitigates risks to an acceptable level, supports stewardship of resources, encourages the monitoring and reporting of performance, and contributes to meeting planned objectives.
My team makes use of the Core Management Control Framework developed by the Office of the Comptroller General. Based on the Treasury Board’s Management Accountability Framework, the Framework defines the fundamental controls that are expected to be in place within all line departments. These controls are based on recognized control models and provide a starting reference standard against which my auditors can assess DFAIT’s management practices.
Our audit work over this second year of operation suggests that the Department would profit from greater attention to reliable financial and non-financial information, improved risk management, and from strengthening the control environment. In this regard, measures are already being taken to improve the reliability of financial and non-financial information pertaining to the Department’s human resources. Control weaknesses being addressed were significant contributors to the financial management difficulties that the Department has encountered.
The Department has already begun to define risk tolerances around budget management. Expectations are being communicated to departmental managers through the Department’s Performance Management Program. This is an important ingredient to improved control which we will report progress on in the CAE’s Annual Report next year.
The Department is putting in place important measures to bolster its control framework. However, audit findings over the past year suggest that this framework will need to continue to evolve and adapt in order to remain responsive to the changing risk landscape. The Departmental Audit Committee has endorsed our Risk-Based Internal Audit Plan for the coming year, and I am confident that the resulting work will further contribute to the progress currently being made in strengthening DFAIT’s control framework.
We look forward in 2010-11 to providing an improved level of assurance on DFAIT’s governance, risk management and controls as we continue to implement the Department’s Internal Audit program. As described, senior management is aware that there are important areas related to risk management and control that require improvement.
For DFAIT, 2009-10 represented a year where the Department’s assessment and confirmation of a significant financial challenge was addressed through immediate and significant cuts in operating budgets for programs and operations. Of concern to the CAE were the cuts to the Internal Audit budget, and the corresponding implications for the ability of the Office to provide adequate assurance for key departmental activities. Mitigation of this situation was addressed in three ways:
Further implications of budgetary cuts for the Office of the CAE include the following:
In January 2010, support for additional resources was signalled by the Deputy Minister via a business modeling exercise, which emphasizes common planning between Internal Audit and the Office of the Inspector General. As a result, additional resources will be provided to Audit in 2010-11 from the Office of the Inspector General for specific on site examinations.
Despite the resource constraints noted, we have tried to maintain a pace and path of audit work in keeping with the Department's assurance needs, and our audit planning with senior management. We are achieving this through efficient use of our human and operational resources:
The Office of the Chief Audit Executive is not yet fully staffed. As required we have supplemented internal resources with external ones, to meet the quantity of audit demands and to bring special knowledge to our audit work.
Through our staffing plan, supported by aggressive training plans, the skills and experience of our Internal Audit resources are improving. Of note:
The professional profile of our audit staff is improving constantly, in their education, professional designations and knowledge of DFAIT.
The second full year of the Office of the Chief Audit Executive in the Department of Foreign Affairs and International Trade can be characterized as a qualified success. The areas requiring improvement have been frankly described in this report, with an explanation of how senior management is addressing them.
The central major accomplishment this year has been our ability to respond quickly, with objectivity and value, to the changing priorities of DFAIT. As described, senior management has been well served and supported by its Internal Audit function. This will continue.
A second important accomplishment concerns the audit foundation we have begun to build in DFAIT. A mature audit function is one that assists management to identify and manage risk, and provides a high level of assurance through its work in these areas. As described in this Report, we have taken some important first steps to achieving this. Our achievement has been recognized this year by Treasury Board Secretariat in its improved rating of the internal audit function of the Department of Foreign Affairs and International Trade.
|1. Deloitte Study||2. Audit of Resource Allocation||3. Strat. Review Reductions||4. Opinion on HQ Growth||5. Audit of Expenditure Controls|
|1. Inadequate controls for the proper stewardship of the Department’s resources||1. Absence of sufficient oversight and monitoring of progress lead to additional pressures on department.||1. Information for decision-making: the systems do not allow tracking in a timely and reliable manner the number of employees working at HQ.||1. There is uneven department-wide risk assessment to support a risk-based approach.|
|2. Little integration of business and financial planning to ensure proper alignment of resources to priorities.||2. Absence of controls in place to track conversion of operating to salary, to track and prevent employee growth.||2. There is no monitoring regime in place therefore unable to assess effectiveness of controls in place.|
|3. Little oversight or tracking of decisions made to reduce resources.||3. The processes and controls for account verification are not documented re: opportunity for process improvement.|
|4. The financial structure in place is ineffective to provide the CFO with the ability to fulfill mandate.|
|G-4: The organisation has in place operational plans and objectives aimed at achieving its strategic objectives.||G-6: The oversight bodies request and receive sufficient, complete, timely and accurate information.||RM-1: Management has a documented approach with respect to risk management|
|G-6: The oversight bodies request and receive sufficient, complete, timely and accurate information.||RM-2: Management identifies the risks that may preclude the achievement of its objectives.|
|ST-1: Activities and resources needed to achieve objectives have been integrated into the budget||RM-4: Management assesses the risks it has identified.|
|ST-2: A formal process is in place to challenge assumptions and related resource allocations within the budget.||AC-2: Employees formally acknowledge their understanding and acceptance of their accountability.|
|ST-4: Forecasts are monitored on a regular basis.|
|ST-5: Financial management policies and authorities are established and communicated.|
|ST-6: Financial management policies and authorities are reviewed regularly and revised as required.|
|ST-18: Financial and non-financial reporting is reviewed and approved.|
|AC-1: Authority, responsibility and accountability are clear and communicated.|
|AC-2: Employees formally acknowledge their understanding and acceptance of their accountability.|
|6. Governance||7. OCG: Corporate Risk Profile||8. OCG IT Asset Management|
|1. At issues: accountability framework for the Chairperson and body (ctee, board) in the structure or concurrent link to the PMA.||1. An understanding of the Department’s risk tolerances is not addressed.||1. There is no physical inventory of IT assets, including software.|
|2. At issue: annual strategic plan to ensure governance bodies’ work addresses dept’s highest priorities.||2. There is little integration of the Corporate risk profile with the business plan.|
|3. At issue: no integrated risk management to assist in identifying risks which impede achievement of goals. Prevents structure from maturing.|
|4. Financial and HR information for decision-making is unreliable.|
|RM-1: Management has a documented approach with respect to risk management.||ST-8 and 9: Assets are life-cycled managed. As well, assets are protected.|
|AC-1: Authority, responsibility and accountability are clear and communicated.||RM-2: Management identifies the risks that may preclude the achievement of its objectives.|
|G-3: Organisation/clearly communicated strategic directions||RM-3: Management identifies and assesses the existing controls that are in place to manage its risks.|