ARCHIVED - Department of Finance and Treasury Board Secretariat - Internal Audit Plan

This page has been archived.

Prepared by Internal Audit Branch - 4 February 1997

1. Introduction

This report represents the results of the internal audit planning exercise conducted on behalf of the Department of Finance and Treasury Board Secretariat.

The Internal Audit activities are directed by the Assistant Deputy Minister, Corporate Services Branch, who reports to the Deputy Minister of Finance and the Secretary of the Treasury Board. The scope of Internal Audit activities includes all internal administration activities and operating programs of the departments.

This document combines within one planning model the various internal audit plans, which had been previously assessed individually. These include the long term internal audit plans for:

• Corporate Services;
• Public Debt Program (Department of Finance);
• Loans Confirmation (Department of Finance);
• Fiscal Transfer Payments Program (Department of Finance); and,
• Treasury Board Secretariat.

While this document portrays separate audit universes for each of Corporate Services, the Department of Finance and Treasury Board Secretariat, all audit projects listed have been assessed on the same basis.

2. Approach & Methodology

Introduction

In the past, program and the corporate services activities have been assessed separately without considering the relative risks in comparison to other components of the two departments. Even within the individual internal audit plans previously developed for the departments, the business risk exposure of potential audit projects was not explicitly addressed.

The approach adopted for this planning exercise departs from the past in two ways:

1. Risk is expressly assessed and documented for each potential audit project.
   
2. There are no specific recommendations to management regarding what should be done and when.

This report provides management with an assessment of risk and a suggested audit strategy for each potential audit project.

Methodology

The underlying principle behind this methodology is that change is the only constant in today's operating environment. In order for the internal audit function to be of relevance to management, then its approach to planning must explicitly address change and its effect on operations, business processes and an organization's overall risk exposure.

The assessment provided here provides management with an appreciation of its risk exposure within a comprehensive or corporate framework. Management can then determine what needs to be done to deal with its risk exposure.

In developing this methodology, care was taken to incorporate the suggestions made by the Office of the Auditor General, in its May 1996 report on Internal Audit in Departments and Agencies.

Approach

The approach taken for this project involved the following:

• A review of the previous long term plans and related internal audits undertaken since 1990.

• Interviews with the selected managers and directors, including those responsible for Informatics and Financial Services, Systems Integration and Process Re-Engineering, Administrative Services, Personnel and Security Services and the Public Debt Program. The Director, Financial Services had previously met with the ADM, Corporate Services and conveyed the ADM's interests and priorities regarding the Internal Audit Plan.

• Development of a risk assessment model.

• Review of relevant documentation in order to develop program profiles1, which broadly assess the risks associated with each program or service area.

• Analysis of program profiles in order to define potential audit projects.

• Assessment of risk for each potential audit project.

• Development of a history of audit activity in order to provide an appreciation of the level and the nature of internal audits conducted within the two departments.

• Once finalized, the Internal Audit Plan Should be presented to the Departments' Executive Committees for review and approval and for direction on the conduct of audits and reviews for the upcoming year.

Annual Update of Program Profiles & Risk Assessments

In order to maintain the relevance of the internal audit function and to ensure that available resources are put to greatest benefit, the program profiles and risk assessments should be updated annually.

Because the departmental programs are subject to audit by the Office of the Auditor General for purposes of expressing an opinion on the Public Accounts of Canada, this update should be performed after the release of the Auditor General's management letter.

3. Risk Assessment Model

Introduction

Internal auditing is a means to minimize the business risk of an organization, through the function's examination of and providing assurances on:

• the effectiveness, efficiency and continuity of the control framework used by management to achieve organizational objectives; and,

• the integrity of performance information.

As a means to maximize the value-added possible from the function, management needs to assess its overall risk and the risk exposure associated for its component parts.

The Risk Assessment Model

To be able to evaluate and assess an organization's risk exposure, a risk assessment model needs to be developed. The model needs to first consider the factors to be used to enable risks to be classified and described. The following risk factors were used in assessing the departments' risk exposure:

• corporate priorities
• flow of funds/resources
• client and public expectations
• complexity of operations
• control environment
• change
• other factors
• familiarity of auditors and past audit results

Consideration needs to be made regarding the relative weighting of risk factors. Should they all be considered equally or should some be given a higher weight? For the model used here, different weights were assigned to the risk factors. A higher relative weight was assigned to those factors which directly related to the scope of management's responsibilities. Other factors, while important, were assigned a lesser weight, because they pertain more to factors beyond management's direct control.

A five-point scale is used here to assess the risk associated with an individual factor. A score of "5" indicates high risk exposure, whereas, "1" indicates low risk exposure. The Overall Risk, as calculated by the table, is the sum of the product for each individual risk factor.

4 Explanation of the Appendices & Their Use

This document should be considered as a tool to aid management decisions regarding the direction to be set for the internal audit function for the immediate future. Toward that end, four appendices have been prepared.

Appendices A, B and Cbreakdown the internal audit universe into three parts and respectively pertain to Corporate Services, the Department of Finance, and Treasury Board Secretariat.

Each of these appendices presents:

• in summary, the internal audit universe for that component part.

• a history of audit activity.

• detailed descriptions of each potential audit project as listed in the internal audit universe.

Appendix Dprovides an overview of the potential audit projects listed in descending order of overall risk. A summary report is followed by a more detailed report, which contains a suggested audit strategy for each project.

This information is intended primarily to provide direction to the internal audit function on what projects should be undertaken in the upcoming period.

This information is also intended to facilitate an ongoing dialogue between management and the internal audit function. Risk Assessments by Project can be considered by management during the year and if significant changes occur that could have an adverse effect on the business risk exposure, then the internal audit function could be called upon to examine certain aspects of operations, on an as needed basis. These assessments along with supporting program profiles are intended to form the basis for planning, through their update, for subsequent years.

Appendix A

Corporate Services

Internal Audit Universe

History of Audit Activity

Risk Assessment by Project

---

Program profiles are developed for each program component of the organization. Programs, as defined here, may be operational and directly to the organization's mandate, or functional and related to corporate support services. The intent is to develop a sufficient appreciation of the relative importance of a program, its key elements, activities or functional areas, which make up the program, and its business risk exposure. This information is used to complete the second part of the profile, which tasks the auditor to suggest potential audit projects related to that program. [return]