Prepared by Internal Audit Branch - 4 February 1997
1. Introduction
This report represents the results of the internal audit planning exercise
conducted on behalf of the Department of Finance and Treasury Board Secretariat.
The Internal Audit activities are directed by the Assistant Deputy Minister,
Corporate Services Branch, who reports to the Deputy Minister of Finance and the
Secretary of the Treasury Board. The scope of Internal Audit activities includes
all internal administration activities and operating programs of the
departments.
This document combines within one planning model the various internal audit
plans, which had been previously assessed individually. These include the long
term internal audit plans for:
- Corporate Services;
- Public Debt Program (Department of Finance);
- Loans Confirmation (Department of Finance);
- Fiscal Transfer Payments Program (Department of Finance); and,
- Treasury Board Secretariat.
While this document portrays separate audit universes for each of Corporate
Services, the Department of Finance and Treasury Board Secretariat, all audit
projects listed have been assessed on the same basis.
2. Approach & Methodology
Introduction
In the past, program and corporate services activities have been assessed
separately without considering the relative risks in comparison to other
components of the two departments. Even within the individual internal audit
plans previously developed for the departments, the business risk exposure of
potential audit projects was not explicitly addressed.
The approach adopted for this planning exercise departs from the past in two
ways:
- Risk is expressly assessed and documented for each potential audit
project.
- There are no specific recommendations to management regarding what should
be done and when.
This report provides management with an assessment of risk and a suggested
audit strategy for each potential audit project.
Methodology
The underlying principle behind this methodology is that change is the only
constant in today's operating environment. For the internal audit
function to be relevant to management, its approach to planning must
explicitly address change and its effect on operations, business processes and
an organization's overall risk exposure.
The assessment presented here provides management with an appreciation of its
risk exposure within a comprehensive or corporate framework. Management can then
determine what needs to be done to deal with its risk exposure.
In developing this methodology, care was taken to incorporate the suggestions
made by the Office of the Auditor General, in its May 1996 report on Internal
Audit in Departments and Agencies.
Approach
The approach taken for this project involved the following:
- A review of the previous long term plans and related internal audits
undertaken since 1990.
- Interviews with the selected managers and directors, including those
responsible for Informatics and Financial Services, Systems Integration and
Process Re-Engineering, Administrative Services, Personnel and Security
Services and the Public Debt Program. The Director, Financial Services had
previously met with the ADM, Corporate Services and conveyed the ADM's
interests and priorities regarding the Internal Audit Plan.
- Development of a risk assessment model.
- Review of relevant documentation in order to develop program profiles[1],
which broadly assess the risks associated with each program or service area.
- Analysis of program profiles in order to define potential audit projects.
- Assessment of risk for each potential audit project.
- Development of a history of audit activity in order to provide an
appreciation of the level and the nature of internal audits conducted within
the two departments.
- Once finalized, the Internal Audit Plan should be presented to the
Departments' Executive Committees for review and approval and for direction
on the conduct of audits and reviews for the upcoming year.
Annual Update of Program Profiles & Risk Assessments
In order to maintain the relevance of the internal audit function and to
ensure that available resources are put to greatest benefit, the program
profiles and risk assessments should be updated annually.
Because the departmental programs are subject to audit by the Office of the
Auditor General for purposes of expressing an opinion on the Public Accounts of
Canada, this update should be performed after the release of the Auditor
General's management letter.
3. Risk Assessment Model
Introduction
Internal auditing is a means to minimize the business risk of an
organization, through the function's examination of, and provision of assurance on:
- the effectiveness, efficiency and continuity of the control framework used
by management to achieve organizational objectives; and,
- the integrity of performance information.
To maximize the value added by the function, management
needs to assess its overall risk and the risk exposure associated with its
component parts.
The Risk Assessment Model
To be able to evaluate and assess an organization's risk exposure, a risk
assessment model needs to be developed. The model needs to first consider the
factors to be used to enable risks to be classified and described. The following
risk factors were used in assessing the departments' risk exposure:
- corporate priorities
- flow of funds/resources
- client and public expectations
- complexity of operations
- control environment
- change
- other factors
- familiarity of auditors and past audit results
Consideration needs to be made regarding the relative weighting of risk
factors. Should they all be considered equally or should some be given a higher
weight? For the model used here, different weights were assigned to the risk
factors. A higher relative weight was assigned to those factors which directly
related to the scope of management's responsibilities. Other factors, while
important, were assigned a lesser weight, because they pertain more to factors
beyond management's direct control.
A five-point scale is used here to assess the risk associated with an
individual factor. A score of "5" indicates high risk exposure,
whereas "1" indicates low risk exposure. The Overall Risk, as
calculated by the table, is the sum, over all risk factors, of each factor's
weight multiplied by its score.
4. Explanation of the Appendices & Their Use
This document should be considered as a tool to aid management decisions
regarding the direction to be set for the internal audit function for the
immediate future. Toward that end, four appendices have been prepared.
Appendices A, B and C break down the internal audit universe into three parts
and respectively pertain to Corporate Services, the Department of Finance, and
Treasury Board Secretariat.
Each of these appendices presents:
- in summary, the internal audit universe for that component part.
- a history of audit activity.
- detailed descriptions of each potential audit project as listed in the
internal audit universe.
Appendix D provides an overview of the potential audit projects listed in
descending order of overall risk. A summary report is followed by a more
detailed report, which contains a suggested audit strategy for each project.
This information is intended primarily to provide direction to the internal
audit function on what projects should be undertaken in the upcoming period.
This information is also intended to facilitate an ongoing dialogue between
management and the internal audit function. Risk Assessments by Project can be
considered by management during the year and if significant changes occur that
could have an adverse effect on the business risk exposure, then the internal
audit function could be called upon to examine certain aspects of operations, on
an as-needed basis. These assessments, along with supporting program profiles, are
intended to form the basis for planning, through their update, for subsequent
years.
Appendix A
Corporate Services
Internal Audit Universe
History of Audit Activity
Risk Assessment by Project
[1] Program profiles are developed for each program
component of the organization. Programs, as defined here, may be operational and
directly related to the organization's mandate, or functional and related to corporate
support services. The intent is to develop a sufficient appreciation of the
relative importance of a program, its key elements, activities or functional
areas, which make up the program, and its business risk exposure. This
information is used to complete the second part of the profile, which tasks the
auditor to suggest potential audit projects related to that program.