Risk-Based Audit Plan 2020-2022
Office of the Chief Audit Executive
October 2020
Table of contents
- 1.0 Introduction
- 2.0 Purpose
- 3.0 Risk-Based Audit Planning
- 4.0 Two Year Risk-Based Audit Plan
- Appendix A - 2019-2020 Departmental Results Framework & Program Inventory
- Appendix B – Description of 2020-2021 Engagements
- Appendix C – Focus of 2021-2022 Engagements
- Appendix D – 2020-2021 Engagements Mapped to Priorities
1.0 Introduction
The Office of the Chief Audit Executive (OCAE) provides independent assurance and objective advice to senior management on governance, risk management practices and internal controls.
The OCAE strategy is to create value for Global Affairs Canada by leveraging our expertise to drive improvements that support the Department in achieving its mandate and contribute to management excellence.
To better plan and organize the internal audit function, the OCAE has developed a multi-year Risk-Based Audit Plan (RBAP).
2.0 Purpose
The RBAP identifies the engagements to be undertaken in 2020-2021 and 2021-2022. It establishes the foundation on which the OCAE will add value to the Department. In addition, the RBAP is designed to align engagements to reflect the Department’s core responsibilities while addressing areas of high risk and significance.
The practice of internal audit, including the development of the RBAP, conforms to the International Professional Practices Framework of the Institute of Internal Auditors, the Treasury Board of Canada Policy on Internal Audit and directive as well as additional guidance from the Office of the Comptroller General.
3.0 Risk-Based Audit Planning
3.1 Methodology
The audit planning process began with a review and update of the audit universe, based on the Departmental Results Framework, which is comprised of 58 programs under six core responsibilities (See Appendix A).
Senior management consultations were completed and documents reviewed to identify areas of significance and risk. As a result of the COVID-19 pandemic that affected Canada in March 2020, risks were reassessed in light of impacts to departmental operations. Areas of focus were prioritized and engagement topics were identified resulting in the following four risk areas:
- COVID-19 Activities - Due to a high degree of ambiguity, limited information and time pressures, the extent to which critical functions and regular operations could continue was unknown.
- Program Delivery – Ineffective management and controls over program delivery could impede the achievement of business objectives, affect program integrity, and result in loss of public confidence in programs and services.
- Transfer Payments - The control framework over transfer payments may not support efficient and effective delivery and demonstration of benefit realization.
- Internal Service Delivery - Data and technology may be insufficient to support programs, service delivery and the implementation of the departmental data strategy. Internal services may not be aligned and integrated with policy development or operations. The reliance on internal partners and external third parties could impede the achievement of business objectives.
Below is a process map, which provides more detail on the methodological approach used in the preparation of the RBAP.
Text version
- Document Review
- Corporate plans (departmental, investment, security, human resources), Corporate Risk Profile, Human Resource workforce dashboards, Ministers' Mandate Letters, departmental priorities, Departmental Results Framework
- Departmental Results Reports, Management Accountability Framework Assessment results
- Reports prepared by other internal and external assurance providers
- Consultations
- Senior management
- Mission operations and functional management
- Internal audit staff of other government departments
- Coordinate with internal oversight providers (Inspection, Evaluation)
- Coordinate with external assurance providers
- Risk Identification/ prioritization (due to covid)
- Synthesize document review and prepare branch profiles
- Extract relevant data relating to missions and conduct analysis
- Identify and assess risks based on results of analysis
- Prioritize auditable entitities based on risk
- Mapping Auditable Entities (due to covid)
- Map auditable entities to Core Responsibilities, Corporate Risk Profile, Ministers' Mandate Letters, and departmental priorities to ensure adequate coverage
- Consider work conducted by other assurance providers
- Developing RBAP (due to covid)
- Prioritize auditable entitites for each fiscal year
- Ensure engagements are focused on areas that best provide insight into opportunities for improvement
- Assess whether audit/advisory is the right tool
- Document the plan and submit for approval
3.2 Risk Approach
Based on an analysis of information gathered through the documentation review and consultations, risk areas of focus were identified. The risk areas were analyzed in relation to the core responsibilities and corporate risks. This work resulted in a list of engagements assessed to be high-risk. Between April and June 2020, the OCAE reassessed risks in several areas such as governance, decision-making processes, health and wellness, people management, protection of information, program delivery, security, and emergency preparedness. The 2020-2022 audit plan was revised to include two engagements directly related to COVID-19 to provide real-time and relevant advice. In addition, planned engagements were reprioritized as well as the number of mission audits were reduced from six to one pilot remote mission audit due to travel restrictions. Each of the engagements are linked to the core responsibilities, the corporate risks and the audit risk areas (COVID-19 activities, program delivery, transfer payments, and internal services) as shown below.
Text version
Core Responsibilities
- International Advocacy and Diplomacy
- Trade and Investment
- Development, Peace and Security Programming
- Help for Canadians Abroad
- Support for Canada's Presence Abroad
- Internal Services
Corporate Risks
- International Security Landscape
- Cyber Threats
- Simultaneous Emergencies
- Resource Management
- Fund Management & Fiduciary Oversight
- Occupational Health & Safety and Well-being Management
Risk Areas / 2020-2021Engagements
COVID-19 Activities
- COVID-19 Emergency Repatriations to Canada
- COVID-19 Remote Work Risk Assessment
Program Delivery
- Remote Mission Audit
Transfer Payments
- Grants & Contributions Part II - Feminist International Assistance Policy
- Innovative Programming – Design Framework
Internal Service Delivery
- Privacy Practices
- Duty of Care – Governance & Spending
- Real Property – Investment & Portfolio Management
- Costing Methodology
- Ongoing Data Analytics
- IT Risk Assessment Part I
3.3 Consideration of Other Assurance Provider Activities
The OCAE coordinates the risk-based audit planning activities with external assurance providers to ensure audit coverage of high-risk areas, and to minimize overlap and duplication, thus reducing the engagement burden on clients.
The Office of the Auditor General repriortized its audit work at the request of Parliament. It is focusing on COVID-19 emergency responses taken by the government pursuant to the Public Health Events of National Concern Payments Act, Financial Administration Act, and Borrowing Authority Act. Currently, the Department is not implicated in any such audits. However, it is involved in the planning phase of the Audit of Public Accounts 2019-2020, which is focussed on personnel expenses.
GAC is involved in the reporting phase of the Audit of Employment Equity in Recruitment conducted by the Public Service Commission. The objectives are to examine the success rates of employment equity groups at key stages of the recruitment process; and to explore factors that may influence representation across the four designated groups during recruitment.
4.0 Two Year Risk-Based Audit Plan
4.1 Overview
This section presents an overview of the 2020-2021 to 2021-2022 Risk-Based Audit Plan. Descriptions of the planned engagements for the years are in Appendix B and C, respectively.
Table 1: Risk-Based Audit Plan
Year 1: 2020-2021 | Year 2: 2021-2022 |
---|---|
Carry Over Engagements (2019-2020)
|
|
4.2 Audit Coverage
The engagements deemed to be high risk and high priority have been included in the two-year plan. The variety of engagements covered in the RBAP addresses broad coverage of core responsibilities, departmental priorities, ministers’ mandate letters, and corporate risks as shown in Appendix D.
4.3 Changes to the Audit Plan
The RBAP is updated annually with adjustments made during the year based on an environmental scan of departmental context and risks.
Four audits were started in 2019-2020 and carried over to 2020-2021: Audit of Peace and Stabilization Operations Program, Audit of Grants and Contributions Part I, Audit of Foreign Service Directives – Relocation, and Port-au-Prince misssion audit was deferred in 2019-2020 and replaced by a mission audit in Bamako.
The following engagements were deferred from 2019-2020:
- Audit of Information for Decision Making (Costing Methodology): The Office of the Comptroller General has changed its plan. The OCAE will begin this audit in 2020-2021.
- Advisory – Digital Strategy: This engagement is being removed since results of the IT Risk Assessment will inform further work in this area.
4.4 Challenges to Implementing the Two-Year Plan
The OCAE has identified the following risk factors that could impede the successful implementation of the RBAP.
- The impact of the COVID-19 pandemic on operations such as the limitations of remote work and the continued international travel restrictions may impede the OCAE from achieving its RBAP.
- The pace of change and the growing complexity in the Department are a major challenge. Management is facing more complex issues that have to be resolved quickly and Internal Audit needs to be nimble to react to the changing environment.
- Competing priorities and unanticipated demands from stakeholders may adversely affect the OCAE’s ability to deliver on expected results.
- With the availability of greater reliable data, the OCAE is expected to make better use of quantitative information.
Given this context, the RBAP remains flexible to respond to emerging risks and policy or program changes. If these risks or changes emerge and suggest higher priority audit activity, the RBAP will be adjusted so that the OCAE can take appropriate responses.
To be nimble, the OCAE has adopted an approach whereby internal resources are supplemented with qualified contractors when specialized services are required and given the cross-government shortage of qualified auditors. The establishment of the Professional Audit Support Services Supply Arrangement (PASS) by the OCAE in 2018-2019 has contributed to more efficient contracting and has helped to overcome this challenge.
4.5 Internal Audit Activities
The OCAE provides independent, objective assurance and advisory services designed to add value and improve the Department’s operations. The figure below depicts the OCAE’s suite of services.
Text version
Office of the Chief Audit Executive
Assurance and Advisory Engagements
Assurance
Internal Audits - independent and objective assessments of governance, risk management and control processes against defined criteria
Ongoing Data Analytics - automated collection and analysis of data and indicators from IT systems on a continuous basis to determine effectiveness of controls
Advisory
Consulting - objective assessments initiated at the request of management or OCAE, of limited and specific scope, less rigour than an audit, and without assuming management responsibility
Risk Assessments - assessments of inherent and residual risks to inform GAC management of risk exposure and OCAE of areas requiring further examination
Professional Practices
Risk Based Audit Plan
A multi-year plan that considers areas of highest risk and significance
Quality Assurance and Improvement Program
Systematic process to ensure IIA Standards are met relating to quality of engagements and internal audit activity
Management Action Plan Follow-Up
Status updates to Departmental Audit Committee of management action plans to address recommendations
External Assurance Liaison
Single point of contact to coordinate activities with external assurance providers
Departmental Audit Committee Secretariat
Coordination of essential part of internal audit governance that provides objective advice and recommendations to Deputy Minister
Other Support
Contribution to corporate reports, and review and advice regarding Treasury Board submissions and audit reports of multilateral organizations
4.6 Audit Resources
The OCAE’s budget for 2020-2021 is shown in Table 2 below.
Table 2: Budgeted Resources for 2020-2021
Salaries ($) | Operating ($) | Total ($) | |
---|---|---|---|
Assurance & Advisory Services | 2,480,370 | 67,000 | 2,547,370 |
Professional Practices Unit | 865,813 | 865,813 | |
Departmental Audit Committee Activities | 75,819 | $27,100 | 102,919 |
Professional Services | 540,000 | 540,000 | |
Training | 78,000 | 78,000 | |
Travel | 375,000 | 375,000 | |
Total | 3,422,002 | 1,087,100 | 4,509,102 |
Appendix A - 2019-2020 Departmental Results Framework & Program Inventory
International Advocacy and Diplomacy | Trade and Investment | Development, Peace and Security Programming | Help for Canadians Abroad | Support for Canada’s Presence Abroad | Internal Services |
---|---|---|---|---|---|
1. International Policy Coordination 2. Multilateral Policy 3. International Law 4. The Office of Protocol 5. Europe, Arctic, Middle East and Maghreb Policy & Diplomacy 6. Americas Policy & Diplomacy 7. Asia Pacific Policy & Diplomacy 8. Sub-Saharan Africa Policy & Diplomacy 9. Geographic Coordination and Mission Support 10. Gender Equality and the Empowerment of Women and Girls 11. Humanitarian Action 12. Human Development: Health & Education 13. Growth that Works for Everyone 14. Environment and Climate Action 15. Inclusive Governance 16. Peace and Security Policy 17. International Security Policy and Diplomacy | 18. Trade Policy, Agreements, Negotiations, and Disputes 19. Trade Controls 20. International Business Development 21. International Innovation and Investment 22. Europe, Arctic, Middle East and Maghreb Trade 23. Americas Trade 24. Asia Pacific Trade 25. Sub-Saharan Africa Trade | 26. International Assistance Operations 27. Humanitarian Assistance 28. Partnerships and Development Innovation 29. Multilateral International Assistance 30. Peace and Stabilization Operations 31. Anti-Crime and Counter-Terrorism Capacity Building 32. Weapons Threat Reduction 33. Canada Fund for Local Initiatives 34. Europe, Arctic, Middle East and Maghreb International Assistance 35. Americas International Assistance 36. Asia Pacific International Assistance 37. Sub-Saharan Africa International Assistance 38. Grants and Contributions Policy and Operations | 39. Consular Assistance and Administrative Services for Canadians Abroad 40. Emergency Preparedness and Response | 41. Platform Corporate Services 42. Foreign Service Directives 43. Client Relations and Mission Operations 44. Locally Engaged Staff Services 45. Real Property Planning and Stewardship 46. Real Property Project Delivery, Professional and Technical Services 47. Mission Readiness and Security 48. Mission Network Information Management / Information Technology | 49. Management & Oversight 50. Communications 51. Legal Services 52. Human Resources 53. Financial Management 54. Information Management 55. Information Technology 56. Real Property (Domestic) 57. Materiel Management 58. Acquisition Management |
Appendix B – Description of 2020-2021 Engagements
# | Year 1 - 2020-2021 | Link to Audit Universe | Description | Tabling Date |
---|---|---|---|---|
1 | Carry Over Audit of Peace and Stabilization Operations Program | International Advocacy and Diplomacy Development Peace and Security Programming $150M annually | Objective: To determine whether the Program has implemented an effective management control framework to ensure that the Program is meeting strategic and operational objectives. Scope: The audit will examine key elements of the Program’s management framework including program planning and funding, project delivery and monitoring, and performance measurement and reporting activities. This scope will also include the eligibility, level of funding, compliance with terms and conditions of agreements, and results of projects. Background:
| October 2020 |
2 | Carry Over Joint Mission Audit/Inspection – Bamako, Mali | Support for Canada’s Presence Abroad | Objective: To determine whether sound management practices and effective controls are in place to ensure good stewardship of resources at the mission in support of the achievement of Global Affairs Canada objectives. Scope: The audit will examine the mission’s common services, property, consular and readiness programs. The scope will include the management of real property, vehicles, machinery and equipment, material inventory, consular revenue and cash, and LES overtime. Background:
| October 2020 |
3 | Carry Over Audit of Grants & Contributions Part I – Oversight & Monitoring | International Advocacy and Diplomacy Trade and Investment Development Peace and Security Programming $4.6B in grant & contribution payments in 2018-2019 | Objective: To assess whether appropriate grants and contributions oversight and program monitoring are in place and operating effectively to support the achievement of departmental objectives Scope: The audit will examine the management and operational practices and controls at headquarters and at the program and project levels, including both centralized and decentralized programs. Background:
| December 2020 |
4 | Carry Over Audit of Foreign Service Directive - Relocation | Support for Canada’s Presence Abroad $37M of FSD Relocation payments made in 2019 | Objective: To examine whether appropriate controls are in place for the administration and management of Foreign Service Directive (FSD) Relocation. Scope: This audit will include a sample of significant FSD Relocation expenditures to assess the effectiveness of the administrative processes, systems and procedures. Background:
| December 2020 |
New Engagements | ||||
1 | Advisory COVID – 19 Emergency Repatriations to Canada | Help for Canadians Abroad | Objective: To provide timely advice to departmental officials on the management controls framework to support the delivery of the Department’s COVID-19 repatriation activities. Scope: This review will focus on activities related to flight reconciliation and emergency loan recovery activities. Background:
| October 2020 |
2 | Advisory Grants & Contributions Part II – Feminist International Assistance Policy (FIAP) | International Advocacy and Diplomacy Trade and Investment Development Peace and Security Programming $2B in new funding over 5 years | Objective: To identify and assess steps taken by the Department to improve the effectiveness of international assistance through the implementation of the Feminist International Assistance Program (FIAP). Scope: The review will assess key aspects of a management control framework including governance, planning, monitoring and reporting activities. Background:
| December 2020 |
3 | Advisory Duty of Care – Governance & Spending | Support for Canada’s Presence Abroad $1B over 10 years | Preliminary Objective: To examine the governance structure as well as expenditures within the Duty of Care envelope. Preliminary Scope: This review will include a sample of significant expenditures in each of the four pillars: infrastructure, securing information, mission readiness, and Kabul. The scope will also include a review of the accountability framework, decision-making framework and performance reporting structure for the Duty of Care initiative. Background:
| Spring 2021 |
4 | Advisory COVID – 19 Remote Work Risk Assessment | Internal Services | Preliminary Objective: To identify and assess the risks related to the Department’s remote work practices and framework and to prioritize areas that may require further examination. Preliminary Scope: This review will assess risk areas related to remote work such as organizational resilience, health and safety, work productivity and performance, and values and ethics. Background:
| Spring 2021 |
5 | Audit of Real Property – Strategic Investment & Portfolio Management | Support for Canada’s Presence Abroad | Preliminary Objective: To determine whether there are effective processes and structures in place to manage the Department’s real property portfolio. Preliminary Scope: The audit will examine processes to identify and value real properties. The scope will also include strategic investment decision-making, accountability and risk management. Background:
| Summer 2021 |
6 | Advisory Innovative Programming – Design Framework | International Advocacy and Diplomacy Development Peace and Security Programming | Preliminary Objective: To provide advice on the funding mechanism for the Innovation Fund. Preliminary Scope: The review will focus on key aspects of the design framework of innovative programming initiatives including governance, risk management and stakeholder engagement. Background:
| Spring 2021 |
7 | Audit of Privacy Practices | Internal Services | Preliminary Objective: To determine whether there is an appropriate privacy management framework to support compliance with the Privacy Act. Preliminary Scope: The audit will include the collection, use, disclosure and retention of information. Background:
| Summer 2021 |
8 | Advisory IT Risk Assessment Part I | Internal Services | Preliminary Objective: To identify and assess risks within the IT universe. Preliminary Scope: The assessment will identify risks and complexities to inform prioritizations of areas requiring further examination by the OCAE. Background:
| Spring 2021 |
9 | Audit of Costing Methodology | Internal Services | Preliminary Objective: To determine whether departmental processes and frameworks are in place to provide costing information to support decision-making. Preliminary Scope: The audit will examine financial and human resource components of costing projects/programs that are used to support attestation by the Chief Financial Officer. Background:
| Summer 2021 |
10 | Ongoing Data Analytics | Internal Services | Preliminary Objective: To identify areas of risks in key data sets to support the assessment of the effectiveness of controls. Preliminary Scope: The scope will include the ongoing analysis of data in departmental systems related to finance, human resources, property etc. Background:
| Summer 2021 |
11 | Remote Mission Audit | Support for Canada’s Presence Abroad | Preliminary Objective: To determine whether sound management practices and effective controls are in place to ensure good stewardship of resources at the mission in support of the achievement of Global Affairs Canada objectives. Preliminary Scope: The audit will examine select elements of a mission’s common services, property, consular and readiness programs that can be done remotely from headquarters. Background:
| Summer 2021 |
Appendix C – Focus of 2021-2022 Engagements
# | Year 2 - 2021-2022 | Link to Audit Universe | Area of Focus |
---|---|---|---|
1 | Follow-up on Implementation of COVID-19 After Action Review & Lessons Learned | Internal Services | Assess whether actions documented as a result of the After Action Review and Lessons Learned exercises have been implemented within committed timelines. |
2 | Audit of Cost Optimization | Internal Services | Assess whether initiatives drive spending and cost reduction, while maximizing business value. |
3 | Advisory - Export Import Control System | Internal Services | Provide independent advice after minimum viable product delivery related to implementation and change management. |
4 | Audit of Internal Controls Over Financial Reporting | Internal Services | Examine the framework to manage, monitor, and report on key controls of selected business processes for operating effectiveness. |
5 | Audit of IT Part II | Internal Services | Examine IT related subject post IT risk assessment identification of priority area. |
6 | Advisory - Global Affairs Canada Data Strategy | Internal Services | Examine the implementation of the data strategy to support organizational goals and objectives. |
7 | Audit of Management of Honorary Consuls | Support for Canada’s Presence Abroad | Examine the appointment, oversight and expenditures of operations related to Honorary Consuls. |
8 | Audit of Trade Commissioner Service – Regional Operations | Trade and Investment | Optimization and integration of regional activities within the overall Trade Commissioner Service transformation initiative. |
9 | 5 Year Cyclical Assessment - New Direction in Staffing | Internal Service | Assess compliance to relevant staffing regulations as well as departmental awareness and understanding of staffing requirements. |
10 to 15 | Six Mission Audits – locations to be determined | Support for Canada’s Presence Abroad | Management practices and controls related to financial management, procurement, asset management, and LES human resource processes. |
Appendix D – 2020-2021 Engagements Mapped to Priorities
Core Responsibilities | Engagements | Priorities | Mandate Letters | Corporate Risk Profile |
---|---|---|---|---|
International Advocacy and Diplomacy | Peace and Stabilization Operations Program | x | x | x |
Grants & Contributions Part I – Oversight & Monitoring | x | x | x | |
Grants & Contributions Part II – Feminist International Assistance Policy | x | x | x | |
Innovative Programming - Design Framework | x | x | x | |
Trade and Investment | Grants & Contributions Part I – Oversight & Monitoring | x | x | x |
Grants & Contributions Part II – Feminist International Assistance Policy | x | x | x | |
Development, Peace and Security Programing | Peace and Stabilization Operations Program | x | x | x |
Grants & Contributions Part I – Oversight & Monitoring | x | x | x | |
Grants & Contributions Part II – Feminist International Assistance Policy | x | x | x | |
Innovative Programming - Design Framework | x | x | x | |
Help for Canadians Abroad | COVID-19 Emergency Repatriations to Canada | x | x | x |
Support for Canada’s Presence Abroad | Foreign Service Directive - Relocation | x | x | |
Duty of Care – Governance & Spending | x | x | x | |
Mission Audit – Bamako, Mali | x | x | ||
Real Property – Strategic Investment & Portfolio Management | x | x | ||
Remote Mission Audit | x | x | ||
Internal Services | COVID-19 Remote Work Risk Assessment | x | x | |
Privacy Practices | x | x | ||
IT Risk Assessment Part I | x | x | ||
Costing Methodology | x | x | ||
Ongoing Data Analytics | x | x |