Foreign Affairs, Trade and Development Canada
Symbol of the Government of Canada

Foreign Affairs, Trade and Development Canada

international.gc.ca

CAE Annual Report

Internal Audit Operations for the period January 2009 to April 2010

(PDF Version, 1.3 MB)  *

Table of Contents

Introduction

In April of 2008, the Office of the Chief Audit Executive (CAE) for the Department of Foreign Affairs and International Trade was created. The CAE reports directly to the Deputy Ministers.

As identified in the CAE’s Report of December 2008, senior management agreed with the need to properly define an audit universe for the Department, and to integrate the role of risk management into its stewardship and delivery of its mandate. Much has been accomplished this year and a half in this regard.

This Report will demonstrate that the audit planning, and first year of implementing a three year Risk-based Audit Plan, has made a recognized contribution to the management of DFAIT. The audit work completed, and planned, is increasingly in keeping with and in support of the Department’s priorities and strategic objectives.

The advisory role of the Departmental Audit Committee has become integral to DFAIT’s internal control and governance processes.

Of particular importance, the role of the Office of the CAE in the Department of Foreign Affairs and International Trade is progressing toward a state of maturity that reflects the Government’s intended role for Internal Audit.

Top of page

1. Performance of the Internal Audit Function

1.1 Delivering on the Plan

The Department’s first Risk Based Audit Plan for 2009-12, developed in consultation with management, was reviewed by the Departmental Audit Committee, and approved by Deputy Ministers. The Plan allowed, in 2009-2010, a solid first step to Internal Audit work in DFAIT.

In addition to commencing implementation of the first year of the three year audit plan, the CAE began to develop a constructive working relationship with DFAIT’s senior management. Attention was also paid to further establishing and refining the important contribution of the Departmental Audit Committee to DFAIT. The objective of the CAE was to balance the critical management needs of the Deputy Ministers as well as oversight and advisory role of the DAC, with the Department’s planned audit needs.

Our goal was to complete a full program of assurance work relevant to risk management, internal control and good governance. This was largely achieved as noted in Figure 1.

Figure 1
 1Audits planned in 2009-20102RBAP/Directed Audits completed in 2009-2010
 RBAP 09-10Departmental Governance StructuresRBAP 09-10Departmental Governance Structures
RBAP 09-10Resource AllocationRBAP 09-10Resource Allocation
RBAP 09-10Expenditure Controls for high risk paymentsRBAP 09-10Expenditure Controls for high risk payments
Not Completed Move to 2010-11RBAP 09-10Information for Decision-MakingNote: Management Directed Audit 2009-2010Financial Resource Management Risk Assessment
RBAP 09-10Real PropertyNote 3 Opinion
RBAP 09-10Systems ManagementHeadquarters Growth
RBAP 09-10Systems GovernanceImplementation of Strategic Review Reductions of 2007
 RBAP 09-10TB Decisions and MCsRBAP 09-10Partially covered under the Financial Res. Management Risk Assessment
RBAP 09-10IT Asset ManagementCovered by OCG Horizontal Audits:IT Asset Management
RBAP 09-10Risk ManagementCorporate Risk Profile

Though Figure 1 indicates that the body of audit work completed was only partially in keeping with the original plan, the resulting findings for eight of these audits pointed to significant vulnerabilities in some areas of the Department’s core stewardship and risk management responsibilities. Strengthened accountability, and a focus on monitoring performance to confirm that key goals were are being met, was also highlighted in a number of our examinations.

More importantly, the majority of audit work completed met the critical and immediate needs of Deputy Ministers and aligned with the recommended directions of the Departmental Audit Committee.

The impact of much of the audit work completed in 2009-2010 was directly relevant to the management needs of DFAIT. Ten audits were planned, reflecting available Internal Audit resources. Ten audits were completed. However, as evidenced in Figure 1, there was a need to revise the audit program over the course of the year. Through ongoing discussion with Deputy Ministers, and to urgently respond to the changing requirements of the Department, we adapted and re-aligned the deployment of our Internal Audit resources to meet these needs. An urgent financial issue in DFAIT led Deputy Ministers to request a thorough Financial Resource Management Risk Assessment. It was supplemented by audits of Resource Allocation, Expenditure Controls, Growth at Headquarters and Implementation of Strategic Review Decisions. This body of audit work was viewed as integral to the Deputy Minister’s risk management, accountability and financial stewardship of DFAIT. It constituted an important step in senior management recognizing the role of its new Internal Audit function in support of the Department’s stewardship and management of risk. It also provided the CAE with additional and important knowledge of the Department and its programs.

2009-2010 Findings: Management Responsiveness to our Findings

While Figure 1 attempts to portray “the year that was” in terms of work and the resulting audit findings, the more telling story is the action taken by senior management in response to audit recommendations. For each audit conducted, the findings were reported to Deputy Ministers. Assistant Deputy Ministers whose programs were audited committed to undertakings, and presented their Management Action Plans before the Departmental Audit Committee. For example:

  • From the Financial Resource Management Risk Assessment (FRMRA) Exercise, formal leadership was assumed as early as October 2009 by the Associate Deputy Minister. He has been reporting to the Executive Council on an ongoing basis on achieved results. As of February 2010, from the 49 recommendations requiring action, we can confirm that 37% are completed; 55 % are in progress and only 8% have not yet been initiated.
  • As well, from the FRMRA, an implementation plan of the CFO Model has been presented at the Executive Council. The accompanying piece, that is, the Financial Management Advisor Model, is also underway. To note, the Audit of Delivery of Corporate Services at Headquarters which we initiated in late February 2010 is expected to provide additional analysis of the activities of the Area Management Offices.
  • From the Resource Allocation Audit, the following management responses and improvements are underway:
    • Strengthened corporate oversight by the Resources Management Committee which is chaired by the Associate Deputy Minister. The Committee’s role is to enhance the budget review and challenge process of the Department. Individual Assistant Deputy Ministers have been assigned responsibility to report on the implementation of critical decisions.
    • Implementation of a new multi-year Integrated Planning Process to ensure improved alignment of resources to priorities.
    • Improved alignment of the annual reference levels with the strategic decisions taken by the Department. This strengthens financial sustainability.
    • Implementation of the Chief Financial Officer (CFO) Model and the corresponding Financial Management Advisor (FMA) function on April 1st, 2010. The CFO will play a crucial role in strengthening accountability across the Department.
    • Improvement in the use of automated reporting tools to provide managers with sound financial, human resource and forecasting information for decision making.
  • From the Audit Opinion on Growth at Headquarters, standardized monthly reporting will be established by April 1st 2010. The ADM of Human Resources and the CFO are to report, on a bi-annual basis, a DFAIT Headquarters’ headcount and total salary cost.
  • A Committee of Headquarters Operations (CoHO) has been established. Responding to risk and corporate oversight for risk management, the Committee is responsible for developing a formal process which integrates the business lines’ risk information into the multi-year planning and resource allocation process.

1.2 Effective Follow-Up

In June 2008, the Office of the CAE received formal approval for an Audit Follow-Up Policy on Management Action Plans (MAPs). The policy established a set of principles and procedures regarding the scope, timing, frequency, depth, roles and responsibilities of various stakeholders involved in completing the audit follow-up process for approved MAPs. As well, follow-up reports were prepared to provide departmental managers, senior management and the DAC with information on how effectively priority recommendations were being addressed.

The task at hand was to work with the DAC and key auditees to conclude follow- up on audits which had commenced prior to the establishment of the Office of the CAE. This was achieved. At the April meeting of 2009, the Office of the CAE recommended to the DAC that Follow Up Activity cease for six audits initiated between 2006 and 2008. The DAC agreed. This applied to the 2006 Audit of the Management of the Intranet; the 2006 Audit of the Human Resources Management Systems; the February 2006 Audit of Salary Devolution; the February 2007 Audit of Contracting and Financial Management Practices at the Canadian Foreign Service Institute; and, the June 2008 Audit of Electronic Authorization and Authentication Keys and Integrated Management Systems.

The DAC also agreed that follow-up continue to ensure management has addressed key control issues on the remaining audits of Cash and Banking, Passport, IT Management of Security, Network Content Security, Peace and Security Fund, Property Growth Charge, Francophonie Summit, and Mission Hospitality. By February 2010, significant progress was confirmed for a number of these.

The graph below points to Internal Audit moving from a 70% completion rate to over 90% of management actions to address audit recommendations.

With periodic follow-up reports presented and then recommended by the DAC in April 2009, June 2009, September 2009 and February 2010, issues related to financial management and reporting were addressed:

  • In the area of improvements recommended by Internal Audit to documented processes which address accounts payable controls, delays had been noted by our office as early as April 2009. By November 2009, with senior management implementation of the CFO financial model, delays largely ceased.
  • Concerning payment verification for expenditures under the Francophonie Summit, attention to documented sampling plans for the verification of these accounts will also be addressed with the implementation of the CFO model.

Finally, significant progress leading to full implementation of internal audit recommended actions was demonstrated for the following:

  • All recommended actions for improvements to Passport Canada’s Revenue Processing as well as Services at Missions were completed through established business processes and systems.
  • All recommended actions regarding Property Growth Charges were addressed by management.
  • Most recommended actions in the area of management of IT security as well as Network Content Security were completed. Further necessary actions will be addressed via the Department’s full response in 2010 to a comprehensive study of its security at Headquarters and abroad.

1.3 Engagements completed by External Auditors in 2009-2010

External assurance providers gave certain coverage of two key audit projects which had been retained in the 2009-2010 Risk-based Audit Plan, yet could not be completed given insufficient audit resources. Both of these subjects were partially examined by the Office of the Comptroller General’s horizontal audits in the areas of Corporate Risk Profile Development and Use and Management of IT Assets.

Given early signals in July 2009, of issues concerning the department’s financial budgeting and forecasting capacity, a finding from the Corporate Risk Profile Horizontal Audit pointed to a lack of integration between the department’s knowledge of risks and the development of its core business lines and Business Plan. This was also confirmed in the subsequent Fall 2009 Audit of Resource Allocation. The Department has agreed to address our finding of a lack of integration between business planning (which takes into account risks) and the resulting allocation of resources.

While all audits completed in 2009-2010 by the Office of the Chief Audit Executive examined some facets of stewardship, the coverage of IT Asset Management by the Office of the Comptroller General informed our Department of the effectiveness of IT asset management programs and processes. While attention is to be paid to inventory of assets, the resulting review also highlighted sound risk-based planning and implementation of the Department’s Strategic Information Technology Plan.

1.4 Other activities of the Office of the Chief Audit Executive

As the CAE is also responsible for undertaking advisory and other activities in support of the Department and the Audit Community, our advisory activities in 2009-10 ranged from confirming, for the DAC, the accuracy and reliability of Note 3 to the Financial Statements, to reporting to the Deputy Minister on the reliability of the department's financial forecasting for the period ending December 31, 2009. As a member of the Department’s Core Services Board, the CAE contributes to the oversight of the management and delivery of corporate services at DFAIT. The CAE was also called on to report on the adequacy and reliability of human resource internal controls, as well as advise on strengthening resource management at Headquarters.

The CAE took part in the OCG-led initiative to pilot a full 360 feedback and assessment process for chief audit executives. As well, a presentation on the impact of Departmental Audit Committees and departmental governance was well received at the Financial Management Institute’s Community Annual Conference. Finally, the Director of Internal Audit was invited to chair the Public Sector Internal Audit Conference. This support is appreciated by the Internal Audit community.

Top of page

2. Performance Regarding Professional Practice

2.1 Full implementation of the requirements of the 2009 TB Policy on Internal Audit

The CAE has taken measures this year to ensure that DFAIT’s Internal Audit planning is in line with Treasury Board Internal Audit Policy requirements. This has been largely achieved. Some key actions taken this year to strengthen the requirement include:

  • Integration of the Office of the CAE in DFAIT’s senior management governance structure. This year, the CAE’s sustained presence at the Resource Management Committee and the Core Services Board generated interest and buy in from ADMs on a number of recommended processes which concerned growth of FTEs and upcoming implementation of the Strategic Review Reductions to the budget.
  • Twelve meetings were held between the DAC, the Office of the CAE and the Deputy Ministers, with all of these including in camera discussion. Three conference calls were held to steer a proposed strategy to examine the root causes of the Department’s resource management issues and risks. A further six full DAC meetings covered Internal Audit reports, the role of Internal Audit, financial management, corporate risk, corporate reporting and values and ethics. As a result, all aspects of the DAC’s key Charter responsibilities were reviewed. The DAC also held discussions with the Auditor General on financial machinery which led to improvements in the reporting of the Financial Statements related to the Canada Account. Finally, two progress meetings were held between the DAC and the Deputies to confirm strategic directions and agreement on the management of DFAIT resource issues.
  • Discussions between the CAE and DAC Members on their respective Charters led to amendments to both. These amendments recognized the strategic role of the Deputy Minister in setting the priorities for Internal Audit, and aligned DAC’s review of the Financial Statements with the July 2009 Treasury Board Policy changes.
  • OAG liaison was established with all OAG activities and plans shared with the Office of the CAE. Review by the DAC of the OAG’s One-Pass-Plan has been scheduled.
  • An Internal Audit manual was developed based on guidance from the Office of the Comptroller General.

DFAIT’s internal audit function, and the management of its role through the Office of the CAE, has matured in its full compliance with Government of Canada Audit Standards.

2.2 Quality Assurance at the Office of the Chief Audit Executive

In April 2008, the Office of the Chief Audit Executive set as a goal to establish a robust Quality Assurance function covering all aspects of our Internal Audit work by 2012-13. This would mark five years after the creation of the Internal Audit function at DFAIT.

It was intended in 2008 that there would be stable funding to the Internal Audit function, as well as incremental funds from Treasury Board, to support the development and maintenance of a Quality Assurance and Improvement Program. This would allow the necessary investment in human resources, as well as tools, training and the establishment of monitoring of the effectiveness and efficiency of our audit work. Due to reduced funding, this will be delayed. As an important first step, we have begun the professional practice of ensuring that we complete Quality Assurance Certificates for all audit reports and audit opinions issued during 2009-10. This practice will continue in 2010-2011 for all internal audits.

2.3 Audit Planning for 2010-2011

The contribution of senior management has been central to refreshing DFAIT’s Risk-based Audit Plan for 2010-2011. With the benefit of partnership in developing a Corporate Risk Profile, and an updating of the Department’s Audit Universe, our audit program scheduled for 2010-2011 is directly in keeping with DFAIT’s strategic objectives and assessed risk. Part of the maturing process of internal audit in DFAIT has been to establish an ongoing dialogue between the CAE and Deputy Ministers, and between auditors and program management. Both auditors and management have been informed and assisted by the audits done this past year. This has achieved a new level of planning and practice of audit in DFAIT. It will continue to improve.

It is also important to note that our audit planning reflects a managed evolution in its attention to core controls in DFAIT. As noted, the audit work we conducted in 2009-2010 concentrated heavily on stewardship, accountability and gaining a better understanding of DFAIT’s risk management. The seven audits recommended for 2010-2011 will contribute further to our attention to stewardship and risk, but will also broaden our focus to include program management.

Our planned internal audits for 2010-2011 reflect, in subject and relevant core controls, an effort to continue to build an audit foundation. Against the audits described in this Report for 2009-2010, our internal audit program in the coming year will give further attention to DFAIT’s management of resources, as well as management of Real property, Non-IT Assets and Travel.

This will continue our audit attention to DFAIT’s stewardship, and accountability. We will also conduct audit work on information systems that support strategic decision making, central to the Department’s policy and program delivery. Our audit plan delays our attention to human resources until 2011-2012. However, an audit of the Delivery of Corporate Services of 2010-2011 initiates our review of the core controls which concern the adequacy of the delivery of key services. The CAE continues to work closely with senior management of DFAIT to progressively build assurance reporting across DFAIT’s programs, with the goal of achieving a cycle of audit work over time that is central to the management of the Department.

Audits Planned in 2010-2011
Audits as per requests and RBAPMandatory Audits carried out in 2010-11Audits carried out by External Auditors- DFAIT was selected to take part
RBAP 09-10Real Property2TB DirectedAfghanistan Contracting Special AuthoritiesPSC-ledAudit of Staffing at DFAIT
RBAP 09-10Information for Decision-MakingIn reserveGs and Cs Academic Relations ProgramPSC-ledStudy of temporary help professional services and staffing in govt
Management DirectedAudit of Delivery of Corporate Services at HQ1Global Commerce Support ProgramOCG-ledBusiness Case Development (tbconfirmed)
Audit of Travel5MOU Standards Council Pts of Service EnquiryOAG-ledInternal Audit
Follow up Resource Allocation4DFAIT DirectedG8/G20 SummitsOAG-ledWater Management
RBAP 10-11Asset Management Non-It3 
RBAP 10-11Financial Reporting Controls6

Top of page

3. Cae’s Annual Assurance Report

What is an Annual Assurance Report?

The Treasury Board Policy on Internal Audit requires that the CAE provide an annual overview or Assurance Report to the Deputy Head and to the Audit Committee on the adequacy and effectiveness of departmental risk management, control and governance processes. The Annual Assurance Report is part of the CAE’s Annual Report.

This Annual Assurance Report consists of a presentation of the CAE’s early perspectives on assurance. The perspective is supported by the results of an Internal Audit function’s two first years of operation. Consequently, in contrast with a mature audit service, it would be presumptuous to present a report with a high level of assurance about the state of “risk management, control and governance processes” across DFAIT at the end of year two.

A mature Annual Assurance Report will require the accumulated audit findings and intelligence from at least three full fiscal years. The typical life-cycle for this process is illustrated below:

Building Assurance

Practical Strategies: A Maturity Model
Practical Strategies: A Maturity Model
 Departmental Internal Audit Risk Analysis 
Departmental Internal Audit Plan
1st GenerationInternal Audit Reports: Thematically Linked through IA Risk Analysis
2nd GenerationCAE Perspective developed on Risk Management, Control and GovernanceDFAIT’s IA maturity
3rd GenerationAssurance View of MAF Elements: Differential Levels of Assurance 
4th GenerationAssurance Reporting

It has been a very informative second year as the audits completed have provided important insight about the Department’s management framework and processes. An overview of work completed and the resulting coverage of the Core Management Controls is illustrated at Appendix A.

As reported at the beginning of this document, during the past fiscal year, most of our audit attention and resources were turned to addressing an emerging issue for the Deputy Ministers and senior management; that being, the Department’s financial situation. My team’s audit work therefore focused almost exclusively on the processes and controls in place to manage the Department’s resources, and more specifically, the supporting financial management.

About Governance:

Over the course of the past year, the DAC has engaged the CAE in a discussion about the role of Internal Audit with respect to governance. The DAC concluded that the term governance, as used to describe the scope of work of the Internal Audit function in Government, is not consistent with conventions around the definition and scope of this term. In view of this, the Chief Audit Executive is adopting adjusted terminology. As a working proposition, the terms strategic direction and oversight will be used in place of governance. This responds to the DAC’s concern that the defined scope of Internal Audit be better described to reflect its actual role and reporting relationships within federal departments.

The CAE agrees with the DAC position and sees little utility in adding modifiers to, or seeking to qualify the term governance (e.g. departmental internal governance) so as to respect applicable conventions. At the same time, the CAE is required to comply with the Treasury Policy on Internal Audit, and the intent of pronouncements of the Institute of Internal Auditors. It is judged important, by professional publications and policies, that modern internal auditing provide assurance relative to risk management, control and governance. As best we understand it, the intention is to ensure that Internal Audit provides assurances across the full spectrum of management processes that are to achieve purposeful control, that is, control designed to mitigate specific risks with respect to compliance of requirements and the achievement of the objectives and priorities of the Department. Accordingly, as a working model, and recognizing that the terms are not mutually exclusive, the CAE will provide assurance with respect to departmental processes for:

  • Strategic Direction and Oversight (including accountability reporting);
  • Risk Management; and
  • Control.

Prior to reaching a conclusion on the above discussion, Internal Audit performed certain work defined as addressing “governance”. DFAIT’s Deputy Ministers had set out to establish a governance structure that would contribute to integrating Foreign Affairs and International Trade. Our review of this governance structure, after 18 months, confirmed the importance of its contribution. This initiative by the Deputy Ministers reflects the new reality that policy advice is not the “be all and end all” role of Senior Executives. Managing is now a more central focus.

Our Preliminary Assessment of DFAIT Governance Structures provided some recommendations for strengthening effectiveness as the structure matures. Key recommendations focused on accountability as well as the monitoring and oversight of the implementation of decisions taken. Additional recommendations regarding governance resulted from audit findings about the department’s budget situation and resource allocation processes. These have led to significant strengthening of the organizational structure for financial management as well as a strengthened mandate for the Department’s Resource Management Committee.

Risk Management:

DFAIT’s efforts at risk management, as observed by the CAE, are somewhat uneven. In some business sectors, risk management is relatively formal, well integrated, and supports informed decision-making. However, the observed unevenness speaks to opportunities to develop an improved understanding of risk management across the organization and to better capitalize on the associated benefits. There needs to be a broad-based discussion about the department’s risk tolerances so that risk mitigation strategies embrace purposeful control that contributes to the achievement of the objectives of the Department. This is an area that management will focus on improving in the coming year. Sound risk management ensures that assumptions are clear, tolerances drive the rigour of management processes, lessons are learned and value is created without setting perfection as the only standard.

Indeed, DFAIT participated this past year in the Office of the Comptroller General’s horizontal audit of Corporate Risk Profiles. The two findings specific to our department are:

  1. An understanding of the Department’s risk tolerances is not addressed; and,
  2. There is no integration of the Department’s corporate risk profile with its business planning.

Addressing these recommendations, I believe, would bring about a more even level of risk management, and corresponding benefits, across the organization.

The Control Environment:

Our Internal Audit work is not designed to promote controls, but to promote well-designed, purposeful controls that are cost-effective and proportionate to the levels of risks in achieving departmental objectives. A sound and effective control environment should be the result of a management structure, which has set strategic objectives, allocated resources accordingly and established risk management which includes the definition of risk tolerances. The result is an “adapted” control environment that mitigates risks to an acceptable level, supports stewardship of resources, encourages the monitoring and reporting of performance, and contributes to meeting planned objectives.

My team makes use of the Core Management Control Framework developed by the Office of the Comptroller General. Based on the Treasury Board’s Management Accountability Framework, the Framework defines the fundamental controls that are expected to be in place within all line departments. These controls are based on recognized control models and provide a starting reference standard against which my auditors can assess DFAIT’s management practices.

Five Attributes of an Effective Control Environment

  1. Employees demonstrate sound values and ethics so that laws, regulations and authorities are respected;
  2. People are competent in their jobs (effectiveness and efficiency);
  3. Program activities and resources are focused on results and reliable financial and non-financial information is used to adjust operations and report on performance;
  4. Risks are managed to encourage intelligent risk-taking and protect against malfeasance or other events that compromise the achievement of results; and,
  5. Essential resources are protected – they are maintained, renewed or replaced when necessary.

Our audit work over this second year of operation suggests that the Department would profit from greater attention to reliable financial and non-financial information, improved risk management, and from strengthening the control environment. In this regard, measures are already being taken to improve the reliability of financial and non-financial information pertaining to the Department’s human resources. Control weaknesses being addressed were significant contributors to the financial management difficulties that the Department has encountered.

The Department has already begun to define risk tolerances around budget management. Expectations are being communicated to departmental managers through the Department’s Performance Management Program. This is an important ingredient to improved control which we will report progress on in the CAE’s Annual Report next year.

The Department is putting in place important measures to bolster its control framework. However, audit findings over the past year suggest that this framework will need to continue to evolve and adapt in order to remain responsive to the changing risk landscape. The Departmental Audit Committee has endorsed our Risk-Based Internal Audit Plan for the coming year, and I am confident that the resulting work will further contribute to the progress currently being made in strengthening DFAIT’s control framework.

We look forward in 2010-11 to providing an improved level of assurance on DFAIT’s governance, risk management and controls as we continue to implement the Department’s Internal Audit program. As described, senior management is aware that there are important areas related to risk management and control that require improvement.

Top of page

4. Management of the IA Function:

4.1 Resources of the Office of the Chief Audit Executive

For DFAIT, 2009-10 represented a year where the Department’s assessment and confirmation of a significant financial challenge was addressed through immediate and significant cuts in operating budgets for programs and operations. Of concern to the CAE were the cuts to the Internal Audit budget, and the corresponding implications for the ability of the Office to provide adequate assurance for key departmental activities. Mitigation of this situation was addressed in three ways:

  • As reconciliations reported in the Financial Statements remained an issue for the DAC, the Office of the CAE completed an examination and validation exercise for Note 3 of the DFAIT Financial Statement. This work was funded through an internal re-allocation of the budget.
  • The Office of the CAE shared, in the early Fall, an assessment of the impact of budgetary reductions with the Departmental Audit Committee. As these were reviewed, the DAC supported changes to the Audit Plan and agreed that only three of seven audits would be completed in 2009-10.
  • In its involvement and management of the Financial Risk Assessment Exercise, Internal Audit was tasked with and received funding for this work.

Further implications of budgetary cuts for the Office of the CAE include the following:

  • Coverage of key areas such as Real Property, Non IT Assets and Information for Decision-Making are confirmed as priorities. These audits will be conducted in 2010-11.
  • Dependence on outsourcing will continue as some audit work often requires accessing professional resources with particular project management skills and comprehensive knowledge of certain DFAIT operations.
  • The development of a professional practice function has been delayed.
  • The development of a robust audit planning function is also delayed.

In January 2010, support for additional resources was signalled by the Deputy Minister via a business modeling exercise, which emphasizes common planning between Internal Audit and the Office of the Inspector General. As a result, additional resources will be provided to Audit in 2010-11 from the Office of the Inspector General for specific on site examinations.

4.2 Effectiveness of current resource utilization

Despite the resource constraints noted, we have tried to maintain a pace and path of audit work in keeping with the Department's assurance needs, and our audit planning with senior management. We are achieving this through efficient use of our human and operational resources:

  • First, and most importantly, we pay particular attention when assigning projects to our Internal Audit teams. Audit projects are carefully planned to assess the number of audit hours required. The skills, knowledge, and available hours of our internal auditors have been well matched against our identified audit requirements.
  • We have had success with mixing our Internal Audit teams, using the knowledge and experience of certain auditors to contribute to an audit project. At any given time a single auditor may be assigned to a number of audit projects.
  • We have taken advantage of external audits to contribute to meeting our assurance objectives. For example, two external audits in 2009-2010 (IT Asset Management and Corporate Risk Profiles) in part addressed, in part, two audit subjects planned. There are five such external audits planned for 2010-2011.

The Office of the Chief Audit Executive is not yet fully staffed. As required we have supplemented internal resources with external ones, to meet the quantity of audit demands and to bring special knowledge to our audit work.

Through our staffing plan, supported by aggressive training plans, the skills and experience of our Internal Audit resources are improving. Of note:

  • Our staffing of the CAE office is progressing. We currently have 15 positions filled against a complement of 22 positions. We have authority to staff four more positions. Through our staffing we intend to increase our knowledge of DFAIT programs, and to fill certain gaps in our internal skills in such areas as systems auditing.
  • Each employee of the Office of the CAE has agreed with management to a learning plan that meets both career development and audit skill requirements of the Office. These plans have been considerably implemented over the course of this year.

The professional profile of our audit staff is improving constantly, in their education, professional designations and knowledge of DFAIT.

Top of page

5. Conclusion

The second full year of the Office of the Chief Audit Executive in the Department of Foreign Affairs and International Trade can be characterized as a qualified success. The areas requiring improvement have been frankly described in this report, with an explanation of how senior management is addressing them.

The central major accomplishment this year has been our ability to respond quickly, with objectivity and value, to the changing priorities of DFAIT. As described, senior management has been well served and supported by its Internal Audit function. This will continue.

A second important accomplishment concerns the audit foundation we have begun to build in DFAIT. A mature audit function is one that assists management to identify and manage risk, and provides a high level of assurance through its work in these areas. As described in this Report, we have taken some important first steps to achieving this. Our achievement has been recognized this year by Treasury Board Secretariat in its improved rating of the internal audit function of the Department of Foreign Affairs and International Trade.

Top of page

Appendix A: Annual Assurance Report : related findings and core controls

Table 1
1. Deloitte Study2. Audit of Resource Allocation3. Strat. Review Reductions4. Opinion on HQ Growth5. Audit of Expenditure Controls
Principal Observations
1. Inadequate controls for the proper stewardship of the Department’s resources1. Absence of sufficient oversight and monitoring of progress lead to additional pressures on department.1. Information for decision-making: the systems do not allow tracking in a timely and reliable manner the number of employees working at HQ.1. There is uneven department-wide risk assessment to support a risk-based approach.
2. Little integration of business and financial planning to ensure proper alignment of resources to priorities. 2. Absence of controls in place to track conversion of operating to salary, to track and prevent employee growth.2. There is no monitoring regime in place therefore unable to assess effectiveness of controls in place.
3. Little oversight or tracking of decisions made to reduce resources. 3. The processes and controls for account verification are not documented re: opportunity for process improvement.
4. The financial structure in place is ineffective to provide the CFO with the ability to fulfill mandate. 
G-4: The organisation has in place operational plans and objectives aimed at achieving its strategic objectives.G-6: The oversight bodies request and receive sufficient, complete, timely and accurate information.RM-1: Management has a documented approach with respect to risk management
G-6: The oversight bodies request and receive sufficient, complete, timely and accurate information. RM-2: Management identifies the risks that may preclude the achievement of its objectives.
ST-1: Activities and resources needed to achieve objectives have been integrated into the budgetRM-4: Management assesses the risks it has identified.
ST-2: A formal process is in place to challenge assumptions and related resource allocations within the budget. AC-2: Employees formally acknowledge their understanding and acceptance of their accountability.
ST-4: Forecasts are monitored on a regular basis. 
ST-5: Financial management policies and authorities are established and communicated.
ST-6: Financial management policies and authorities are reviewed regularly and revised as required.
ST-18: Financial and non-financial reporting is reviewed and approved.
AC-1: Authority, responsibility and accountability are clear and communicated.
AC-2: Employees formally acknowledge their understanding and acceptance of their accountability.
Table 2
6. Governance7. OCG: Corporate Risk Profile8. OCG IT Asset Management
Principal Observations
1. At issues: accountability framework for the Chairperson and body (ctee, board) in the structure or concurrent link to the PMA.1. An understanding of the Department’s risk tolerances is not addressed.1. There is no physical inventory of IT assets, including software.
2. At issue: annual strategic plan to ensure governance bodies’ work addresses dept’s highest priorities.2. There is little integration of the Corporate risk profile with the business plan. 
3. At issue: no integrated risk management to assist in identifying risks which impede achievement of goals. Prevents structure from maturing. 
4. Financial and HR information for decision-making is unreliable.
RM-1: Management has a documented approach with respect to risk management.ST-8 and 9: Assets are life-cycled managed. As well, assets are protected.
AC-1: Authority, responsibility and accountability are clear and communicated.RM-2: Management identifies the risks that may preclude the achievement of its objectives. 
G-3: Organisation/clearly communicated strategic directionsRM-3: Management identifies and assesses the existing controls that are in place to manage its risks.

* If you require a plug-in or a third-party software to view this file, please visit the alternative formats section of our help page.

Footer

Date Modified:
2013-08-06