ARCHIVED - Risk-Based Audit Plan 2009-2010 to 2011-2012

Notice

This website will change as a result of the dissolution of Indigenous and Northern Affairs Canada, the creation of Indigenous Services Canada and the eventual creation of Crown-Indigenous Relations and Northern Affairs Canada. During this transformation, you may also wish to consult the updated Indigenous and Northern Affairs home page.

Archived information

This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Date: April 22, 2009

PDF Version (330 Kb, 39 Pages)

 

This document represents the three-year Risk-based Internal Audit Plan of Indian and Northern Affairs Canada for 2009-2012.

The Plan was received by the Audit and Evaluation Committee (AEC) at its February 26, 2009 meeting and, upon the recommendation of the Committee, approved by the Deputy Minister.

The Plan focuses primarily on the provision of assurance services to Indian and Northern Affairs Canada's AEC and Deputy Minister while ensuring that appropriate audit attention is directed to addressing areas of government-wide interest, such as fundamental controls and financial reporting, as directed by the Office of the Comptroller General (OCG).

Based on the economic stimulus package presented in the Budget 2009, the Plan has identified three projects that will ensure additional funding provided to Indian and Northern Affairs Canada reflects the principles of sound stewardship as highlighted in the Financial Accountability Act. These three projects include the Audit of Housing, the Due Diligence Review of Infrastructure Initiatives and the Audit of the Delegation of Authorities.

The Plan is intended to support an annual holistic opinion from the Chief Audit and Evaluation Executive (CAEE) on departmental governance, risk management and control processes.

 

 

Table of contents

 

 

Introduction

Background

The 2006 Treasury Board Internal Audit Policy places considerable emphasis on:

  • increasing the independence of the internal audit function

  • strengthening and further professionalizing the internal audit function

  • providing a consistent, comprehensive government-wide approach to the way internal audit activities are planned and conducted and

  • enhancing the oversight, monitoring and reporting role of the internal audit function.

The Audit and Assurance Services Branch within Indian and Northern Affairs Canada (INAC) has put in place the professional practices and management processes to ensure that it is in full compliance with the 2006 Policy, as required, by April 1, 2009.

This three-year audit plan is a key component of that compliance, providing a strong and credible audit regime that contributes to effective risk management, sound resource stewardship and good governance in the delivery of Indian and Northern Affairs Canada's programs and in the performance of its corporate activities.

Scope of the Internal Audit Function

The internal audit function plays an important role in supporting departmental operations. It provides assurance on all important aspects of risk management strategy and practices, management control frameworks and practices, and governance. Where control weaknesses exist and where the achievement of objectives is at risk, internal audit plays a role in providing constructive insight and recommendations for the strengthening of operations. In this way, internal audit contributes to enhanced accountability and performance.

The Government of Canada's standards for the professional practice of internal audit stipulate that the role of internal audit is to provide assurance that the system of internal control is adequate and effective to manage risk at a level that is acceptable to management. In this way, the internal audit function will provide the Deputy Minister and the Audit and Evaluation Committee with confidence that the risks to the achievement of INAC's objectives are being managed effectively. The internal audit function has a vital role to play in supporting the principles of modern comptrollership.

Internal control is defined broadly and encompasses those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support the achievement of the organizational objectives.

The scope of the internal audit function is broad and includes those systems of internal control that are in place to achieve the following objectives:

  • compliance with legislation, regulations, policies and procedures

  • economy and efficiency of operations

  • safeguarding of assets

  • reliability and integrity of financial and operational information and

  • achievement of operational objectives.
 

 

Risk-based Audit Planning

In preparing this second three year audit plan within the context of the 2006 Treasury Board Internal Audit Policy, the Audit and Assurance Services Branch employed the same risk-based planning methodology as developed for the 2007-2010 Plan. The methodology is described below and is consistent with professional standards for the development of risk-based audit plans.

The methodology consists of:

  1. Identification of Auditable Units based upon an analysis and grouping of INAC's potential audit universe of programs, corporate functions, and authorities. A list of the auditable units is included as Appendix A.

  2. Risk Assessment of each auditable unit in terms of its significance, complexity, and sensitivity, using a scale of 1 to 5 for each factor where 1 is low risk and 5 is high risk. Those auditable units marked with an asterisk in Appendix A are not currently ranked as having sufficient risk to be included in the Three Year Plan.

  3. Recommendation of Audit Projects that would be most appropriate to address the highest risk areas on a priority basis.

While employing the same methodology to ensure consistency over time, care was taken to:

In the case of auditable units for which there has been little or no recent relevant audit or evaluation activity, the Branch will continue to undertake preliminary surveys as a first step in the audit process to identify the management control framework as well as potential risks that would be suitable for audit attention.

The Branch will also continue the practice of recommending a small number of audit projects that examine key issues or risks from a horizontal or cross boundary perspective.

Consultations with INAC Management

Consultations were held with the senior management of all sectors in INAC to explain and verify the identification of auditable units and to present the recommended audit projects that affect their sector or their interests as corporate managers.

 

 

The Three-Year Audit Plan

Based on the results of the risk-based prioritization of auditable units, a formal three-year audit plan has been developed, taking into consideration the known planned activities of external parties. The Three-Year Audit Plan (Table 1) sets out the recommended projects over the period from 2008-2009 to 2010-2011.

Prior to each subsequent fiscal year, the risk assessment of auditable units and the identification of projects will be updated to ensure that audit attention continues to be devoted to those areas of greatest risk that are suitable for examination.

The audit plan for 2008-2009 is presented in Table 2 with each project described in terms of its nature, its objective, its estimated timeframe, and its rationale. Regional coverage for each project will be determined as part of the planning phase.

The status of audit projects which began in 2007-2008 but have not been substantively completed is identified as carried forward in Table 3. Projects from the 2007-2008 Audit Plan which had not begun, e.g. due to unavailability of suitable contractors or contracting vehicles, and which are still considered as high priority have been included in the 2008-2009 Plan in Table 2.

Table 1 - Three-Year Audit Plan
Auditable Unit Risk Profile 2009-2010 Audit Project 2010-2011 Audit Project 2011-2012 Audit Project Recent Audit History
Departmental Programs
Self Government/Claims High risk: significant to the achievement of the department's objectives and are financially material, highly complex to negotiate and implement, highly sensitive due to time and resources invested   Audit of Funding for Implementation and Negotiations   Preliminary Survey for Audit of Self Government, including Comprehensive Claims - 2008-09
Specific Claims High risk: new specific claims process being implemented, significant expectations on INAC to support new specific claims tribunal and timelines for resolution of claims, highly complex due to the volume of claims, sensitive to beneficiaries and public   Audit of Specific Claims   Preliminary Survey for Specific Claims - 2007-08
Indian Government Support Moderate risk: significant materiality, moderately complex, quite sensitive if programming revised   Audit of Band Classification

Audit of Indian Government Support
  Audit of Band Support Funding - 2008-09
Capacity Development High risk: moderate relative materiality (>$100 million) but significant impact on INAC's agenda and highly complex due to numerous initiatives and programs and significant cumulative resources, sensitive to public if results not evident     Audit of Lands Management Audit of Capacity Development - 2008-09
Capital Facilities and Maintenance (Infrastructure) High risk: major materiality (approaching $1 billion) with significant infusion of funding through Budget 2009, highly complex delivery model, sensitive to beneficiaries and public Audit of Housing

Due Diligence Review of Infrastructure Initiatives
Audit of Infrastructure Initiatives Follow-up Audit of Capital Facilities and Maintenance Audit of Capital Facilities and Maintenance - 2008-09
Economic Development High risk: moderate relative materiality with significant challenges of refocusing programming, inherently highly complex to pick "winners" in a multi-jurisdiction environment, highly sensitive if failures are highlighted Audit of Aboriginal Business Canada and Non-Proposal Driven Programming   Follow-up Audit of Economic Development Community Economic Development Funding - 2007-08

Preliminary Survey for Audit of Economic Development - Non-Proposal Driven - 2008-09
Office of the Federal Interlocutor (OFI) and Urban Aboriginal Strategy (UAS) Moderate risk: lower relative materiality, however, highly complex due to challenges of mandate, community based model not driven by INAC formulas but by consultations with communities, expanded Urban Aboriginal Strategy and central agency interest, sensitive to the public Audit of Implementation of the Urban Aboriginal Strategy     Audit of OFI Management Control Framework for Programs and Contributions - 2007-08
Emergency Moderate risk: normally low materiality, some complexity in implementing appropriate responses, highly sensitive if responses mismanaged     Audit of Emergency  
Natural Resources and Environmental Management Moderate risk: lower relative materiality with potentially increased significance due to contingent liabilities, complex because of competing demands - environment vs. development, public sensitivity if environment threatened   Audit of Natural Resources and Environmental Management
(Scope TBD)
  Preliminary Survey for Audit of Natural Resources and Environmental Management
Child and Family Services High risk: significant materiality (>$500 million), highly sensitive to beneficiaries and public, complex and challenging in new approach, number of agreements and participants   Audit of Child and Family Services (Enhanced Prevention Focus and Follow-up)   Audit of Child and Family Services - 2006-07

OAG Audit of Child and Family Services - May 2008
Income Assistance High risk: major materiality, highly sensitive to public - living conditions and potential for abuse, highly complex because of decentralized and devolved delivery; program being revitalized (e.g. active measures) and Preliminary Survey in 07-08 identified need for strengthened control framework Audit of Income Assistance     Preliminary Survey of Income Assistance - 2007-08
Elementary and Secondary Schools and Other Education High risk: significant level of materiality (> $1 billion), sensitive to beneficiaries and public, challenges to meet standards and improve results, renewal underway, e.g. enhanced accountability   Audit of Special Education Audit of Other Education Audit of Elementary and Secondary and Other Education - 2008-09
Post Secondary Education High risk: significant materiality, more complex delivery than elementary/secondary education - wide range of Post Secondary options and decentralized delivery, sensitive to beneficiaries (demand) and public     Follow-Up Audit of Post Secondary Education Audit of Post Secondary Education - 2008-09
Family Violence and Other Social Services Moderate risk: moderate materiality, some complexity due to number of authorities, little specific sensitivity Audit of Family Violence      
Registration and Membership High risk: low direct materiality but highly significant in terms of potential impacts, complex to determine eligibility and the various stakeholders, highly sensitive due to potential benefits associated with the Indian Status card, e.g. trans-border travel, health, tax, roll-out of new CIS may require significant shift in roles and responsibilities System Under Development Audit of CIS-IRS, continued   Audit of Registration and Membership System Under Development Audits of CIS-IRS - 2007-08 and 2008-09

Threat Risk Assessment - 2007-08
Residential Schools Resolution High risk: high materiality and high symbolic significance, high degree of complexity in a number of cases, extremely sensitive   Follow-up of Previous Audits   Audit of the Advance Payment Program - 2007-08

Audit of the Financial Settlement Allotment - 2008-09
Grants and Contributions Horizontal Departmental Controls High risk: highest materiality and significance representing approximately 85% of INAC budget, highly complex and sensitive (variety of authorities and delivery mechanisms) Horizontal Departmental Audit - (Scope TBD) Horizontal Departmental Audit - (Scope TBD) Horizontal Departmental Audit - (Scope TBD) Audit of Intervention Policy and Quality Assurance - 2008-09
Corporate Functions
Financial Planning and Budgeting Moderate risk: significant since no basis in place for the preparation of budgeted allocations, complex in a decentralized organization, sensitive once basis of allocation established and resulting competition for resources     Audit of Financial Planning and Budgeting  
Financial Forecasting Moderate risk: potentially significant particularly at year-end, complex in a decentralized organization, little sensitivity     Audit of Forecasting  
External Reporting - Financial Statements Audit Readiness (including: Public Accounts, Audited Financial Statements, DPR/RPP, Proactive Disclosure, Contingent Liabilities) Moderate risk: high degree of sensitivity but primarily internal to government because OAG and TBS are interested, highly complex because of decentralized organization   Audit related to External Reporting (Scope TBD)   Audit of Liabilities - 2008-09
Expenditure Management High risk: potential weakness of internal controls could have high materiality, highly complex because of decentralized organization, highly sensitive due to nature of some expenditures (e.g. hospitality)   Follow-Up Audit of Travel, Taxis, Hospitality, Conferences and Acquisition Cards   Audit of Expenditure Management - 2008-09
Fraud Risk and Control Strategies Moderate risk: moderate significance and complexity although included in OCG's horizontal audit, highly sensitive due to media attention if events occur To be addressed in each audit * To be addressed in each audit * To be addressed in each audit *  
Assets and Property Management Moderate risk: moderate significance due to INAC's challenge in documenting its own assets, moderate complexity as policies and procedures exist governing expected practices, somewhat sensitive if existence of some assets cannot be determined Preliminary Survey of Assets and Property Management Audit of Assets and Property Management
(Scope TBD)
   
Revenues Moderate risk: moderate significance since revenues are relatively low, moderate complexity since majority of revenues are agreement/formula driven, not normally sensitive unless failure to collect revenues owed becomes a public issue Audit of Revenue Management     Preliminary Survey for Audit of Revenue Management - 2008-09
Trust Accounts Low risk: although significant custodial responsibility with degree of sensitivity among First Nations and some complexity to track and manage accounts, a preliminary survey identified reasonable controls Audit of Trust Accounts     Preliminary Survey for Audit of Trust Accounts - 2008-09
Loans and Accounts Receivable Moderate risk: function can be quite significant if large dollar value of loans and accounts receivable not actively managed to ensure timely receipt, moderate complexity in determining estimates on allocation, moderate sensitivity if INAC not seen as managing funds well   Audit of Loans and Accounts Receivable    
Human Resource Planning and Resourcing High risk: significant in that INAC is facing workforce shortages and competition for skilled workers in some areas, coupled with challenges in capacity issues in human resources, can be quite complex in terms of identifying future requirements, establishing plans to address them, and implementing resourcing strategies in a complex and controlled environment, initiatives are underway, however, still at an early stage, can be sensitive with respect to Aboriginal recruitment   Audit of Aboriginal Resourcing Audit of Human Resource Planning and Leadership Development

Audit of Advertised Appointments
Audit of Staffing and Classification - Manitoba - 2008-09

Audit of Staffing and Payroll for Non-Advertised Appointments and Acting Appointments - 2008-09
Organizational Design and Classification Moderate risk: effective design and appropriate classification can contribute significantly to achievement of INAC's objectives, moderate complexity to achieve most effective structures and appropriate levels, classification modernization underway with conversions to generic job descriptions for various groups such as the EC group, capacity issues for Classification Advisors, moderate sensitivity and complexity as structures become more centralized Audit of the Delegation of Authorities, Organizational Design and Classification     Audit of Staffing and Classification - Manitoba - 2008-09
Compensation and Benefits High risk: financially significant, activities are complex due to a high level of decentralization Audit of Payroll      
Learning and Development Moderate risk: can be significant if next generation of managers/leaders not adequately trained, activity not complex on its own but some complexity introduced because of challenges in obtaining commitment and ensuring learning occurs, little sensitivity as an internal activity, employees may be dissatisfied if opportunities not made equitably available   Audit of Training and Development    
Occupational Health and Safety Moderate risk:  significance is normally low unless employees perceive that their health or safety is at risk in the workplace, complexity can be moderate risk if health and safety taken for granted and if somewhat complex legislation is not respected, function could be sensitive if a serious incident can be attributed to non-compliance     Follow-up Audit of Occupational Health and Safety Audit of Occupational Health and Safety - 2008-09
Security Moderate risk: potentially significant to achievement of INAC business objectives if employees and assets not adequately safeguarded, can be complex to keep abreast of threats and in the conduct of threat risk assessments, highly sensitive if major threats or security violations occur   Follow-Up Audit of IT Security Audit of Personnel and Physical Security Audit of IT Security - 2007-08
IM/IT Governance High risk: highly significant because of potential impacts on program delivery and corporate services, highly challenging for senior management to establish a governance regime that can set priorities and meet competing demands, sensitive if needs not met Audit of Regional IT Expenditures Audit of IM/IT Governance   Preliminary Survey of IM/IT Policy, Planning and Management and Applications Development and Support - 2007-08
Information Management Moderate Risk: Potentially significant in terms of achieving efficient and affective information management to support program and service delivery, complex to implement consistently across a large decentralized organization, not normally sensitive unless breaches occur, survey of IM/IT applications identified CIDM as a primary risk area     Follow-up Audit of Information Management (CIDM focus) Audit of Information Management (CIDM focus) - 2008-09
IM/IT Applications High risk: potential for significant impact if corporate or program systems not reliable or effective, system development can be quite complex, sensitivity can be high if expenditures do not achieve objectives Post-Implementation Audit of First Nations and Inuit Transfer Payment System

Audit of PeopleSoft
Audit of Systems Under Development or Application in Place - Enterprise Data Warehouse, Specific Claims Data Base

Preliminary Survey of OASIS

Preliminary Survey of GroupWise
Audit of OASIS

Audit of GroupWise
System Under Development Audit of FNITP - 2006-07

Preliminary Survey for IM/IT Applications - 2007-08

Preliminary Survey for Audit of PeopleSoft - 2008-09
Strategic Policy and Planning Moderate risk: function can be significant in terms of determining and achieving INAC policies and programs, complex in terms of identifying, obtaining, and effectively utilizing required inputs, moderate sensitivity given management interest   Audit of Strategic Policy or Planning   Preliminary Survey for Audit of Strategic Policy and Planning - 2008-09
Official Languages Low risk: activity relates indirectly to achievement of INAC's objectives, little complexity to adopt existing policies yet practice can result in lapses in a large organization, moderate sensitivity, especially among central agencies and public     Audit of Official Languages  
Entity Level Controls High risk: highly significant due to OAG and TBS interest and linkages to Audited Financial Statements and to Management Accountability Framework, highly complex because of decentralized organization   Audit of Governance Structure Audit of Risk Management Preliminary Survey of ELC for External Reporting - 2007-08

Update of the Corporate Risk Profile - 2008-09

Values and Ethics - Organizational Risk Assessment - 2008-09
Complaints and Allegations Moderate risk: moderate complexity to determine facts and appropriate course of action, significant in terms of INAC's integrity and responsiveness   Post Implementation Audit of Forensic Audit Policy and Revised Complaints and Allegation Policy   Special Study of Complaints and Allegations - 2007-08
Continuity of Operations Low risk: normally, activity relates only indirectly to achievement of INAC objectives, complexity revolves around challenge of maintaining plans current, sensitivity low except in the case of a major failure     Audit of Continuity of Operations  
Communications Moderate risk: indirectly significant to achievement of INAC objectives, complex to communicate consistent messages across a large decentralized organization and with numerous stakeholders, sensitive when attention focused on INAC Preliminary Survey For Audit of Internal and External Communications Audit of Internal or External Communications
(Scope TBD)
   
Legal Services and Litigation Management High risk: significant in terms of potential claims, high degree of sensitivity, highly complex because of decentralized organization and response timeframes Preliminary Survey of Litigation Management      
Management Practices
Regions Generic Risk: Potential disconnects between strategic direction and program implementation in highly decentralized organization Audit of Management Practices
(Regions TBD)
Audit of Management Practices
(Regions TBD)
Audit of Management Practices
(Regions TBD)
Management Practices Reviews of Atlantic, Quebec, Ontario, Manitoba, Saskatchewan, Alberta,BC, Yukon, NWT, Nunavut
Headquarters Sectors Generic Risk: Sectors are key to providing effective policy framework and direction to regions and for setting the tone at the top Audit of Management Practices
(Sectors TBD)
Audit of Management Practices
(Sectors TBD)
Audit of Management Practices
(Sectors TBD)
Management Practices Reviews of LTS, TAG, NAP**

* "Internal auditors are responsible for assisting companies to prevent fraud by examining and evaluating the adequacy and effectiveness of their internal controls' system, commensurate with the extent of potential exposure within the organization. … In conducting engagements, the internal auditor's responsibilities for detecting fraud are to: consider fraud risks in the assessment of control design and determination of audit steps to perform, have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed, be alert to opportunities that could allow fraud, evaluate the indicators of fraud and notify the appropriate authorities within the organization if a fraud has occurred to recommend an investigation." (The IIA Professional Practices Framework).

** The following Sectoral Management Practice Reviews will be completed by April 1, 2009: Chief Financial Officer, Planning and Strategic Direction, Resolution & Individual Affairs Sector, Lands & Economic Development.

Audit Projects for 2009-2010
Audit Project Audit Objective Timeframe Rationale
Audit of Housing Provide assurance that the Housing program, especially the Budget 2009 components, is being implemented in a well-controlled manner in accordance with approved terms and conditions. Fall 2009
  • Previous audits, evaluations, and reviews have identified significant challenges relating to the provision of housing
Audit of Aboriginal Business Canada and Non-Proposal Driven Programming Provide assurance on the adequacy and appropriateness of management control frameworks to ensure that funds are being used for the intended purpose. Spring 2009
  • Audit of these components will ensure that all high risk economic development programs have been subject to recent audit
Audit of Implementation of the Urban Aboriginal Strategy Provide assurance on the adequacy and appropriateness of management control frameworks to ensure that program outcomes are being achieved and funds are being used for the intended purpose. Summer 2009
  • The Urban Aboriginal Strategy was excluded from the Audit of the Office of the Federal Interlocutor in 2007-08
Audit of Income Assistance Provide assurance that an appropriate management control framework has been established to ensure that program outcomes are being achieved and funds are being used for the intended purpose. Summer 2009
  • The 2007-08 Preliminary Survey recommended a full audit in 2009-10
Audit of Family Violence Provide assurance on the adequacy and appropriateness of management control frameworks to ensure that program outcomes are being achieved and funds are being used for the intended purpose. Fall 2009
  • Audit of these components will ensure that all high risk social development programs have been subject to recent audit
System Under Development Audit of CIS-IRS, continued Provide assurance that the implementation of the new Certificate of Indian Status card includes appropriate controls as recommended by earlier audit and Threat Risk Assessment studies. Dependent Upon Project Status
  • Security over card issuance is highly sensitive due to potential benefits associated with the card, e.g. transborder travel, health, tax

  • Roll-out of new card may require significant shift in roles and responsibilities
Grants and Contributions - Horizontal Departmental Controls (Scope TBD) Provide assurance with respect to the adequacy of controls related to either the implementation of the new Transfer Payment Policy or smaller programs/funding authorities or the Alternative Funding Arrangement Authority. Spring 2009
  • Highest risk area comprising approximately 85% of expenditures with high degrees of reputational and public awareness sensitivity and complex inter-relationships and delivery mechanisms

  • Annual audit activity to focus on horizontal assessment of key controls to contribute to a holistic opinion
Audit of Revenue Management Provide assurance that INAC revenues are adequately identified, recorded and received. Dependent Upon Outcome of Preliminary Survey
  • Preliminary survey will be completed by April 2009 and will identify whether and when additional audit work would be appropriate
Audit of Trust Accounts Provide assurance on the adequacy and appropriateness of the management control framework to ensure that trust funds are managed in compliance with legislation and authorities. Summer 2009
  • Although low risk based on apparent controls, the Audit and Evaluation Committee supported a management request that audit be conducted because of length of time since last audit and to focus on a new Trust Funds Management System
Audit of the Delegation of Authorities, Organizational Design and Classification Provide assurance that INAC's organizations are designed to maximize accountability, sound stewardship and efficiency and effectiveness and that classification of positions is appropriate to the authority delegated and the nature of responsibilities. Spring 2009
  • Following the 2008-09 Audit of Staffing, the Audit and Evaluation Committee recommended that an audit of Classification be conducted in 2009-10

  • Previous audits and management practices reviews have identified a number of issues related to delegation of authority and appropriateness of organization design
Audit of Payroll Provide assurance that regular and special payments are accurate. Summer 2009
  • The 2008-09 Audit of Staffing identified potentially significant issues
Audit of Regional IT Expenditures Provide assurance that regional IT expenditures are consistent with the corporate IM/IT vision and the delegation of roles and responsibilities and are reliably accounted for. Spring 2009
  • The CIO has requested an audit to identify regional IM/IT expenditures to ensure that INAC resources are used in the most effective manner possible
Post-Implementation Audit of First Nations & Inuit Transfer Payment System Provide assurance that the system has been implemented as intended, is fulfilling its objectives, and has appropriate controls. Spring 2009
  • System under Development Audit in 2006-2007 recommended a post-implementation audit

  • Key system supporting expenditure of billions of dollars of grant and contribution funding
Audit of PeopleSoft Provide assurance that the data entry process is consistent with low levels of error and the recent upgrade has been conducted with proper strategy, sufficient resource levels and minimal impact on data and supports the business process, contains secured quality of data, appropriate controls and complies with departmental and governmental policies. Summer 2009
  • The survey of IM/IT applications identified PeopleSoft as a major risk area and the 2008-09 Audit of Staffing identified data integrity issues. A preliminary survey on PeopleSoft recommended a full scale audit. The recommendation was approved by the Audit and Evaluation Committee in December 2008.
Preliminary Survey of Assets and Property Management Identify the scope and materiality of INAC assets and property, assess associated risks, determine whether the management control framework is adequate to manage them, and recommend whether additional audit work is required. Fall 2009
  • Little previous internal audit work has been completed related to INAC assets and property management
Preliminary Survey for Audit of Internal and External Communications Document communication responsibilities and activities, identify associated risks, and recommend whether additional audit work is required. Fall 2009
  • Little previous internal audit work has been completed related to communications
Preliminary Survey of Litigation Management Document the sector's activities and risks and recommend objectives and priorities for a future audit(s) of Litigation Management. Summer 2008
  • AES has little knowledge of litigation management processes and needs to identify areas of risk and key control points to support scoping of a future audit(s)
Management Practices Reviews of Regions (2-3 TBD) Assist regional management in assessing whether their management practices and controls are designed to achieve objectives in an efficient and effective manner and inform on areas of strength and weakness. Fall 2009

Winter 2010
  • Management Practices Reviews assist HQ and regional management and inform the risk-based planning process for future internal audit activity
Management Practices Reviews of Sectors - Regional Operations and Education and Social Development Policy and Partnerships - Adjudication Secretariat Assist sector management in assessing whether their management practices and controls are designed to achieve objectives in an efficient and effective manner and inform on areas of strength and weakness. Spring 2009
  • Management Practices Reviews assist HQ management and inform the risk-based planning process for future internal audit activity

  • An additional sector may be identified for its second review or for follow-up
Case Study and Analysis of Management Practice Reviews Conducted between 2006 - 2009 Document, synthesize and analyze the results of the Regional and Sector management practices reviews conducted between 2006 - 2009. Spring 2009
  • Will serve to identify department-wide best practices and control weaknesses in support of the CAEE's annual holistic opinion

  • Results will also inform the objectives, scope and risk-based priorities for future management practices reviews
Due Diligence Review of Infrastructure Spending Provide a low level of assurance that appropriate controls are in place to ensure that Budget 09 expenditures are used as intended. Ongoing
  • Significant risks associated with large expenditures in a limited timeframe
Departmental Framework for Assessing and Addressing Recipient Program Delivery Risk Develop a practical set of tools that will assist programs and regions in establishing appropriate monitoring, compliance and auditing regimes to address recipient risk Spring 2009
  • Audits and reviews have identified that there are no consistently applied effective approaches to ensure that recipient risk profiles are developed and used to establish monitoring, compliance, and auditing regimes
 
Table 3 – Carry Forward from the 2008-2009 Plan
Audit Project Audit Objective Status as of April 1, 2009 Status
Audit of Expenditure Management Monitoring Provide assurance on the adequacy and effectiveness of departmental controls for monitoring and managing expenditures on a risk-informed basis, including both transfer payments and operational expenditures 50% complete
  • Terms of Reference approved by AEC: January 2009; grants and contributions excluded from the scope

  • Final Report to AEC: June 2009
Audit of Information Management (CIDM focus) Provide assurance that information is created, stored and managed in accordance with government policy and standards 20% remaining
  • Terms of Reference approved by AEC: December 2008
Audit of Liabilities Provide assurance on the adequacy and effectiveness of controls for accurately quantifying and reporting liabilities and contingent liabilities 25% remaining
  • Terms of Reference approved by AEC: December 2008

  • Final Report to AEC: April 2009
System Under Development Audit of CIS-IRS Provide assurance that implementation of the new Certificate of Indian Status card includes appropriate controls as recommended by earlier audit and Threat Risk Assessment studies 25% remaining
  • Terms of Reference approved by AEC: December 2008

  • Summary Report to AEC: June 2009
Audit of Occupational Health and Safety Provide assurance on the adequacy and effectiveness of INAC's management control framework for occupational health and safety 25% remaining
  • Audit added to the Plan at the request of the Departmental Security Officer

  • Terms of Reference approved by AEC: December 2008

  • Final Report to AEC: June 2009
 

Performance of the Audit Engagements

The Audit and Assurance Services Branch will carry out the approved 2009-2010 audit engagements on a systematic basis. Having established a sound working relationship with the limited number of firms pre-qualified (until November 2009) to provide audit services on a priority and timely basis and having significantly increased its internal audit management resources, the Audit and Assurance Services Branch is well positioned to initiate and complete the planned audit projects within the fiscal year if current contracting vehicles are extended or if replacement vehicles are in place in a timely manner.

To that end, all projects have been scheduled to begin no later than the end of Fall 2009.

Audits will be carried out in accordance with the Professional Standards for Internal Audit as outlined in the TB Policy on Internal Audit.

Modification to the Plan

The risk-based audit plan will be updated, where justified on the basis of risk and urgency, as departmental and governmental risks evolve. Modifications to the plan will be presented at AEC meetings and submitted to the Deputy Minister for approval.

The Audit and Assurance Services Branch has reviewed recent audit activities and has not currently identified any standalone follow-up work to be completed during 2009-2010. As part of its ongoing monitoring of the implementation of management action plans arising from previous audits, the Audit and Assurance Services Branch may decide, however, to conduct formal audit follow-up activity during the year.

The Audit and Assurance Services Branch will also continue to monitor the scope and timing of emerging external audits (e.g. OAG, OCG, Public Service Commission, Office of the Commissioner of Official Languages) in order to optimize coverage and minimize duplication of effort.

Level of Activity and Direct Resource Requirements

The Three-Year Plan identifies that approximately 20 audit projects will be carried out on an annual basis. This number has increased slightly from earlier Plans as a result of the integration of Indian Residential Schools Resolution Canada into INAC. While the level of audit effort will vary from project to project, it is the Audit and Assurance Services Branch's professional opinion that this level of activity is the minimum necessary to provide adequate and meaningful risk-based coverage of the programs and corporate functions of INAC and to meet the requirements of the Treasury Board Policy. Appendix E illustrates how the audit projects proposed for 2009-2010 will provide coverage of the Management Accountability Framework elements and will support the preparation of an Annual Report and Holistic Opinion.

The Branch has been advised that this level of activity is commensurate with that required and undertaken in other government departments of similar size.

For purposes of identifying initial resource requirements, the Audit and Assurance Services Branch has assumed, based on experience, that its average portfolio of twenty audit projects will be comprised normally of large, medium, and small audit engagements. During 2008-2009, the Audit and Assurance Services Branch developed, and had accepted by the Audit and Evaluation Committee, a costing model that estimated the indirect costs, e.g. sector or regional auditee time and administrative expenses, for the three sizes of audit engagement.

The anticipated direct and indirect costs of audit projects in 2009-2010 are detailed below:

Cost Factors Large Audit Medium Audit Small Audit Preliminary Surveys
Direct Costs
 Contract Dollars $222,000 $147,000 $73,000 $25,000
 FTEs $23,000 $15,000 $8,000 $5,000
 Travel $50,000 $33,000 $17,000 -
Indirect Costs
  $58,000 $38,000 $19,000 $10,000
 Total $353,000 $233,000 $117,000 $40,000
 

and result in an annual requirement for a budget equivalent to approximately $3,530,000 in contract funds. These costs are reflected in Appendix F.

Infrastructure and Non-Core Resource Requirements

In addition to the resource requirements for the carrying out of audit projects, the Audit and Assurance Services Branch also faces significant demands on its existing resource base to:

Role Rationale Resource Requirement
Departmental Liaison Serve as the Departmental liaison with the Office of the Auditor General and the Commissioner for the Environment and Sustainable Development, the Public Service Commission, the Office of the Comptroller General and other Agencies One senior level full time equivalent
Risk Management Provide advice, guidance and challenge on the identification and assessment of risks and related mitigation strategies and on the preparation of the Corporate Risk Profile One senior level full time equivalent
$400,000 contracts
Professional Standards Update, maintain and inculcate a set of professional standards and practices (e.g. Audit Manual, Code of Ethics, Quality Assurance) that will enhance the capacity of the Branch to add value. One senior level full time equivalent
 

Challenges to Achievement of the Audit Plan

The extent to which the Branch is able to achieve full implementation of the Plan is dependent, however, on a number of factors:

  • the Branch must continue to have access to efficient contracting vehicles. The primary contracting vehicles which the Branch employs expire in the Fall of 2009. While there is provision for an option year, there are significant downsides to exercising the option. If a decision is made to seek new arrangements within the mandatory government-wide contracting vehicle, there are serious risks that delays will occur in contracting for projects

  • the Branch must be able to successfully avoid having its contractors over-commit and under-deliver

  • the Branch may have to respond in an incremental fashion to OCG requirements for government-wide audit activity and

  • the Branch may have to respond to emerging INAC or government-wide priorities or issues.

The Audit and Assurance Services Branch will continue to provide an update to the Audit Committee at each of its meetings on the progress it is making in implementing the Plan and the challenges it is facing in so doing.

 

 

Appendix A – Auditable Units

Auditable Unit Significance
(1-5)
Complexity
(1-5)
Sensitivity
(1-5)
Risk Score
(Sum of Significance + Complexity + Sensitivity)
Departmental Programs
Capital Facilities and Maintenance (Infrastructure) 5 5 5 15
Income Assistance 5 5 5 15
Elementary and Secondary Schools and Other Education 5 5 5 15
Specific Claims 5 5 4 14
Registration and Membership 4 5 5 14
Self Government and Comprehensive Claims 5 5 3 13
Economic Development 3 5 5 13
Child and Family Services 4 4 5 13
Capacity Development 5 5 3 13
Post Secondary Education 5 4 4 13
Residential Schools Resolution 5 4 3 12
Indian Government Support  (includes Brand Support Funding) 4 3 4 11
Office of the Federal Interlocutor and Urban Aboriginal Strategy 3 4 4 11
Emergency 3 3 5 11
Natural Resources and Environmental Management 4 4 3 11
Family Violence and Other Social Services 2 3 2 7
Northern Air Stage Funding Subsidy (Food Mail) 1 2 2 5
Corporate Functions
Compensation and Benefits (Payroll) 5 5 5 15
IM/IT Applications 5 5 5 15
Expenditure Management (including: Procurement & Acquisition Cards, Contracting, Travel & Expenditure Claims, Hospitality, Memberships, Compliance Monitoring, Settled Claims) 5 5 4 14
Entity Level Controls – Risk Management (including: Follow-up of Audit and Evaluation Recommendations, Policies and Practices, Corporate Risk Profile, Intervention Policy, Business Planning), Values and Ethics (including: Staff Ombudsman, Integrity), Delegation of Authorities, Governance Structure (including: Roles and Responsibilities, Committees) 5 4 5 14
Legal Services and Litigation Management 4 5 5 14
Human Resource Planning and Resourcing (including: Human Resource Planning, Corporate Resourcing and Aboriginal and other Resourcing, Executive Resourcing, Staffing) 4 4 5 13
IM/IT Governance 5 4 4 13
Financial Planning and Budgeting 4 4 4 12
Strategic Policy and Planning – Research (including: Aboriginal Peoples Survey, Legislation) 5 4 3 12
External Reporting - Financial Statements Audit Readiness (including: Public Accounts, Audited Financial Statements, DPR/RPP, Proactive Disclosure, Contingent Liabilities) 4 5 3 12
Fraud Risk and Control Strategies 3 4 5 12
Security (including: Physical and Personnel) 4 4 4 12
IM/IT Security 4 5 3 12
Organizational Design and Classification 3 4 4 11
Information Management 4 4 3 11
Communications (Internal and External) 3 4 4 11
Loans and Accounts Receivable 4 3 3 10
Complaints and Allegations 3 3 4 10
Financial Forecasting (Management Variance Reporting) 3 4 2 9
Learning and Development 4 2 3 9
Labour Relations 2 3 4 9
Occupational Health and Safety 3 3 3 9
Assets and Property Management 3 3 2 8
Revenues 3 3 2 8
Trust Accounts 3 2 2 7
Continuity of Operations (including: Crises and Emergencies) 2 3 2 7
Official Languages 2 2 3 7
ATIP 1 1 4 6
Sustainable Development 2 2 2 6

Auditable Units Not Ranked Due to Apparent Low Risks

Auditable Units Not Ranked Due to Potential Conflict of Interest

Auditable Units to be Subject to an Updated Risk Ranking Process for Management Practices Reviews

  1. Regions
    • British Columbia Region
    • Alberta Region
    • Saskatchewan Region
    • Manitoba Region
    • Ontario Region
    • Quebec Region
    • Atlantic Region
    • Yukon Region
    • NWT Region
    • Nunavut Region

  2. Sectors
    • Treaties and Aboriginal Government (formerly Claims and Indian Government) Sector
    • Education and Social Development Policies and Partnerships
    • Regional Operations Sector
    • Lands and Economic Development Sector (including: Oil and Gas Canada)
    • Resolution and Individual Affairs Sector
    • Northern Affairs Sector
    • Chief Financial Officer Sector
    • Planning and Strategic Development Sector

  3. Other Organizations
    • Inuit Relations Secretariat
    • International Polar Year
 

 

Appendix B – 2009-2010 Audits Prioritized from Highest to Lowest Risk

Ranking Audit Title
1 Audit of Income Assistance
2 Audit of Payroll
3 Audit of Housing
4 Post-Implementation Audit of First Nations & Inuit Transfer Payment System
5 Audit of PeopleSoft
6 Grants and Contributions – Horizontal Departmental Controls
7 System Under Development Audit of CIS-IRS
8 Audit of Aboriginal Business Canada and Non-Proposal Driven Programming
9 Audit of Trust Accounts
10 Audit of Regional IT Expenditures
11 Audit of the Delegation of Authorities, Organizational Design and Classification
12 Audit of Implementation of the Urban Aboriginal Strategy
13 Audit of Family Violence
14 Audit of Revenue Management
 

 

Appendix C – Linkage of 2009-10 Audits to the Corporate Risk Profile

Senior Executive Risk Assessment
Risk Name Risk Description: There is a risk that
1. Information for Decision-making Risk INAC will make sufficient progress to improve acess to timely, pertinent, consistent and accurate information to support planning, resource allocation and programming decisions, monitoring/oversight, and to fulfill its acountability obligations.
2. HR Capacity and Capabilities Risk INAC will not be able to attract, recruit and retain sufficiently qualified, experienced and representative Human Resources.
3. Program Alignment Risk There will be misalignment between the departmental mandate, program authorities, program design, and the use of program funding.
4. Legal Risk INAC will not be able to forsee, plan for, pre-empt or respond effectively and efficiently to legal decisions that impact program mandates.
5. Management Practices Risk INAC will not be able to develop and suatain the necessary managerial practices to support an accountable, well-managed and resilient department.
6. Aboriginal Relationship Risk INAC will fail to foster and sustain strong and constructive Aboriginal relationships on key Federal priorities.
7. Government Partnership Risk INAC and its Federal /Provincial/Territorial/government partners will not effectivelt collaborate in their approaches or delivery of horizontal programs and policies.
8. Implementation Risk INAC will not be able to create or maintain the necessary systems, pracices and governance rigour to successfully implement strategic initatives.
 
Risks 2009-10 Audits
1 2 3 4 5 6 7 8 Audit Title
Selected Selected Selected Selected Selected     Selected Income Assistance
  Selected     Selected       Payroll
Selected Selected Selected Selected Selected   Selected Selected Housing
Selected Selected     Selected Selected   Selected First Nations & Inuit Transfer Payment System
Selected Selected     Selected     Selected PeopleSoft
Selected Selected Selected   Selected Selected Selected Selected Grants and Contributions – Horizontal Departmental Controls
Selected Selected   Selected Selected Selected Selected Selected CIS-IRS
Selected Selected Selected   Selected Selected Selected Selected Aboriginal Business Canada and Non-Proposal Driven Programming
  Selected     Selected Selected     Trust Accounts
Selected       Selected     Selected Regional IT Expenditures
Selected   Selected   Selected     Selected Delegation of Authorities, Organizational Design and Classification
Selected Selected Selected Selected Selected Selected Selected Selected Implementation of the Urban Aboriginal Strategy
Selected Selected Selected Selected Selected Selected Selected Selected Family Violence
Selected       Selected       Revenue Management
Selected Selected Selected   Selected     Selected Management Practices Review
 

 

Appendix D – Anticipated 2009 - 2010 Regional Site Visits

Project Title Regions
Large Projects
Audit of Housing Quebec, Ontario, Manitoba, British Columbia, Alberta
Audit of Aboriginal Business Canada and Non-Proposal Driven Programming Manitoba, Saskatchewan, Alberta, Quebec, Ontario
Audit of Income Assistance Atlantic, Quebec, Manitoba, Saskatchewan, Alberta
System Under Development Audit of CIS-IRS, continued Atlantic, Quebec, Ontario, Manitoba, Saskatchewan
Grants and Contributions - Horizontal Departmental Audit (Scope TBD) Atlantic, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia, Yukon, Northwest Territories, Nunavut
Audit of Payroll Atlantic, Ontario, Manitoba, British Columbia
Post-Implementation Audit of First Nations and Inuit Transfer Payment System Quebec, Ontario, Manitoba, British Columbia, Alberta
Audit of the Delegation of Authorities, Organizational Design and Classification Atlantic, Ontario, Saskatchewan, British Columbia, Nunavut
Medium Projects
Audit of Implementation of the Urban Aboriginal Strategy Ontario, Saskatchewan, Alberta
Due Diligence Review of Infrastructure Spending Ontario, Manitoba, British Columbia
Audit of Family Violence Atlantic, Quebec, British Columbia
Audit of Trust Accounts Atlantic, Quebec, Saskatchewan, Alberta
Audit of Regional IT Expenditures Atlantic, Quebec, British Columbia
Small Projects
Audit of Revenue Management British Columbia, Alberta
Audit of PeopleSoft Saskatchewan, Nunavut
Departmental Framework for Assessing and Addressing Recipient Program Delivery Risk N/A
 

 

Appendix E – Coverage of MAF Elements

  1 Public Service Values 2 Governance and Strategic Directions 3 Policy and Programs 4 Results and Performance 5 Learning, Innovation and Change Management 6 Risk Management 7 People 8 Stewardship 9 Citizen-focused Service 10 Accountability
Carry-Over from 2008-2009 (ongoing)                    
Audit of Expenditure Management Monitoring           Selected   X    
Audit of Information Management (CIDM focus)           Selected   Selected    
Audit of Liabilities           Selected   Selected    
System Under Development Audit of CIS-IRS, continued         Selected Selected   Selected Selected  
Audit of Occupational Health and Safety           Selected Selected Selected   Selected
2009-2010                    
Audits                    
Audit of Housing     Selected Selected   Selected   Selected Selected Selected
Audit of Aboriginal Business Canada and Non-Proposal Driven Programming     Selected Selected   Selected   Selected Selected Selected
Audit of Implementation of the Urban Aboriginal Strategy     Selected Selected   Selected   Selected Selected Selected
Audit of Income Assistance     Selected     Selected   Selected Selected Selected
Audit of Family Violence     Selected Selected   Selected   Selected Selected Selected
System Under Development Audit of CIS-IRS, continued         Selected Selected   Selected    
Grants and Contributions - Horizontal Departmental Controls (Scope TBD)     Selected Selected   Selected   Selected Selected Selected
Audit of Revenue Management           Selected   Selected Selected Selected
Audit of Trust Accounts           Selected   Selected   Selected
Audit of the Delegation of Authorities, Organizational Design and Classification   Selected       Selected Selected Selected   Selected
Audit of Payroll           Selected Selected Selected    
Audit of Regional IT Expenditures           Selected   Selected   Selected
Post-Implementation Audit of First Nations and Inuit Transfer Payment System       Selected Selected Selected   Selected Selected  
Audit of PeopleSoft         Selected Selected Selected Selected   Selected
Preliminary Surveys                    
Preliminary Survey of Assets and Property Management           Selected   Selected    
Preliminary Survey for Audit of Internal and External Communications Selected         Selected Selected   Selected Selected
Preliminary Survey of Litigation Management     Selected     Selected   Selected Selected Selected
Other Initiatives                    
Management Practices Reviews of Regions (2-3 TBD) Selected Selected Selected Selected Selected Selected Selected Selected Selected Selected
Management Practices Reviews of Sectors – Regional Operations and Education and Social Development Policy and Partnerships – Adjudication Secretariat Selected Selected Selected Selected Selected Selected Selected Selected Selected Selected
Case Study and Analysis of Management Practice Reviews Conducted between 2006 – 2009 Selected Selected Selected Selected Selected Selected Selected Selected Selected Selected
Due Diligence Review of Infrastructure Spending     Selected Selected   Selected   Selected    
Departmental Framework for Assessing and Addressing Recipient Program Delivery Risk   Selected Selected Selected   Selected   Selected   Selected
 
 
Date modified: