Mid-Year Update of the Risk-Based Audit Plan 2013-2014 to 2015-2016

Notice

This website will change as a result of the dissolution of Indigenous and Northern Affairs Canada, the creation of Indigenous Services Canada and the eventual creation of Crown-Indigenous Relations and Northern Affairs Canada. During this transformation, you may also wish to consult the updated Indigenous and Northern Affairs home page.

Date: September 2013

PDF Version (485 Kb, 41 Pages)

Table of Contents

Introduction

The Treasury Board Policy on Internal Audit seeks to contribute to the improvement of public sector management by ensuring a strong, credible, effective and sustainable internal audit function within departments as well as government-wide. In response to this requirement, Aboriginal Affairs and Northern Development Canada (AANDC) has developed this three-year Risk-Based Audit Plan. This plan details the assurance services that Audit and Assurance Services Branch will provide, independent of line management, to sustain a strong, credible internal audit regime that contributes directly to sound risk management, control and governance.

Purpose

The Audit and Assurance Services Branch (AASB) of AANDC has prepared this document for the Deputy Minister to outline the Risk-Based Audit Plan 2013-2014 to 2015-2016 for Aboriginal Affairs and Northern Development Canada. The plan is designed to support the allocation of audit resources to those areas that represent the most significant priorities for AANDC and to respond to the requirements of the Treasury Board Policy on Internal Audit (April 1, 2012). In considering the appropriateness of the plan, the Deputy Minister is advised by an independent Audit Committee comprised of five external members.

Document Organization

Introduction This section provides an overview of the role of the internal audit function and Treasury Board expectations with respect to audit to provide the reader with the context for this plan.
Risk-Based Audit Planning Approach This section describes the process followed to build this plan.
The Three-Year Risk-Based Audit Plan This section details the comprehensive plan for 2013-2014 to 2015-2016, including a summary of activities over three years.
Resource Considerations This section details the resource considerations required to execute the audit plan.
Appendices This section provides various detailed tables to further describe the plan.

The Role and Scope of Internal Audit

Internal audit plays a vital role in governance and accountability. Without a strong, objective and independent assurance function, the effectiveness of the overall governance framework of the organization is severely weakened. With an effective internal audit function, there is greater confidence that the decisions being taken are informed by appropriate information on risk and control. Internal audit's systematic and disciplined approach adds value and improves an organization's operations.

Through the Federal Accountability Act (2006) and Action Plan, the Government of Canada committed to strengthen auditing and accountability within departments by clarifying the managerial responsibilities of deputy heads within the framework of ministerial responsibility and by enhancing the internal audit function.

The role of the AANDC internal audit function is to ensure that, in conjunction with advice from the Audit Committee, AANDC's Deputy Minister is provided with independent assurance regarding the effectiveness of the Department's risk management, control and governance processes. The internal audit function fulfils this role by bringing a systematic, disciplined approach to assessing and improving the effectiveness of the Department's risk management, control and governance processes.

The scope of work of the internal audit function is to determine whether AANDC's network of risk management, control, and governance processes (as designed and represented by management) is adequate and functioning in a manner to ensure:

When opportunities for improving management control, governance, or resource stewardship are identified during audits, they are communicated to the suitable level of management so that appropriate action can be taken.

The internal audit function plays an important role in supporting departmental operations. It provides assurance on all the important aspects of the risk management strategy and practices, management control frameworks and practices and governance. Where control weaknesses exist and where the achievement of objectives is at risk, internal audit plays a role in providing constructive advice and recommendations. In this way, internal audit contributes to enhanced accountability and performance.

Treasury Board Policy Requirements

AANDC is subject to the Treasury Board Policy on Internal Audit. This policy states that the internal audit function in the Government of Canada "… is a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes."

The Policy on Internal Audit requires that the Deputy Minister approves a risk-based audit plan that considers departmental areas of high risk and significance and Government-wide audits led by the Comptroller General. The Treasury Board Directive on Internal Auditing in the Government of Canada (April 1, 2012) requires that the Chief Audit Executive " … establish and update at least annually a multi-year plan of internal audit engagements based on a risk assessment and which is focused predominantly on the provision of assurance services." The Directive also requires that the Audit Committee "… review and recommend for approval a multi-year risk-based internal audit plan."

The Treasury Board Internal Auditing Standards for the Government of Canada (October 1, 2012) specifies that "The Government of Canada has adopted the Institute of Internal Auditors' (IIA) International Professional Practices Framework and all federal departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the Standards are in conflict with the Treasury Board Policy on Internal Audit or any related directives or standards in which case the Policy, directives or standards will prevail."

The Chief Audit Executive's Annual Written Report to the Deputy Minister and the Audit Committee

One of the requirements of the Directive on Internal Auditing in the Government of Canada is that the Chief Audit Executive prepares a written report annually to the Deputy Minister and the Audit Committee that includes sections on:

  • "Internal audit's independence, proficiency, performance and results relative to its plan including resource utilization, lessons learned and influences on future years' plans
  • The results of the Quality Assurance and Improvement Program including internal audit's conformance with the Internal Auditing Standards for the Government of Canada
  • The results of the follow-up on the implementation of management action plans and
  • An overview of the aggregate findings following the execution of the risk-based audit plan including the actions taken by management to address key findings."

Collectively, the Chief Audit and Evaluation Executive's annual report and other inputs, such as the Chief Financial Officer's Statement on Internal Control and reports of other assurance agencies, provide departmental Senior Management and the Comptroller General with assurance on the state of the Department's risk management, controls and governance processes.

Risk-Based Audit Planning Approach

To meet the requirement of the Directive on Internal Auditing in the Government of Canada for the establishment, and at least annual update, of a multi-year plan of internal audit, Audit and Assurance Services' assessment of AANDC's areas of risk was reviewed and updated to ensure that audit resources continue to be targeted to areas of highest risk.

In establishing priorities for the Risk-Based Audit Plan, AASB employs a structured, risk-based approach.

Conduct and Timing of an Internal Audit

Once approved, the Risk-Based Audit Plan provides AASB with the Deputy Minister's direction on what specific audits should be undertaken in the coming year. Each audit consists of the following phases:

The Planning Phase is undertaken to gain an understanding of the objectives, activities, key risks and controls of the area subject to audit. The audit objectives and scope are finalized and audit criteria are established. During the Conduct Phase, auditors carry out the audit program to ascertain whether each audit criterion is satisfied. Auditors conduct interviews, review documentation, perform analysis, observe activities and employ other techniques to obtain sufficient, relevant and reliable information to reach conclusions and support preliminary findings. Findings are reviewed with management to validate accuracy.

During the Reporting Phase, the draft audit report is prepared outlining background and context, and the auditor's findings, conclusions and recommendations. Management presenting a Management Response and Action Plan outlining their response to the findings as well as the corrective action planned to mitigate the identified control gaps.

In the Follow-up Phase, action is taken to ensure that the required measures have indeed been implemented.

The audit may last three (3) to twelve (12) months depending on the size and complexity of the area subject to audit as well as the specific scope and objectives of the engagement.

As a first step in updating the RBAP, AASB reviewed the audit universe to confirm that the existing auditable unitsFootnote 1 were still valid. The audit universe is a collection of all auditable units. The auditable units generally correspond to the activities and sub-activities identified in AANDC Program Alignment Architecture (PAA) and to the major organizational units of the Department (Appendix A presents the entire AANDC Audit Universe). AASB updated the universe to reflect minor changes to the PAA and current and planned resources allocations associated with the auditable units. In total, there are 48 program units, 33 internal service units, and 12 sectoral and 10 regional units.

AASB then reviewed departmental priorities, business conditions and risks as identified in a wide variety of sources, including corporate, sector and program risk profiles, corporate and sector business plans, Management Accountability Framework assessments, performance reports, past audit, evaluation and review reports, and last year's risk-based planning exercise. This year, we also reviewed the proposals for the implementation of the Deficit Reduction Action Plan (DRAP).

Following the update of the audit universe and the review of documentation, AASB held a planning and prioritization workshop with its team members and Risk Management, Evaluation and Performance Measurement and Review, Assessment and Investigation Services representatives. During this workshop participants examined each auditable unit and offered their perspective on each unit's level of inherent risk, significance and legal risk.

Inherent risk level is defined as the degree of risk to which the entity is exposed, considering current and anticipated business conditions and the presence and potential impact of specific risk exposures. Significance considers the relative importance of the program activity or internal service to the achievement of the Department's overall objectives. Significance includes materiality of the entity and its intrinsic importance. Legal risk considers the level of exposure to legal issues that may affect the activities of the Department.

Using the AANDC corporate risk assessment scales, where one is low risk and five is high risk, participants provided their assessment of risk for each auditable unit, with the exception of the internal audit, evaluation, risk management and complaints and allegations functions falling within the responsibilities of the Chief, Audit and Evaluation Executive position. While evidently the internal audit function could not audit itself objectively, there would be an appearance of lack of independence and objectivity should it attempt to assess the risks associated with and plan to audit other functions belonging to the same direct report.Footnote 2 Should it come to the attention of senior management that any of these functions may constitute a high risk to AANDC and should be subject to an audit, arrangements would be made for external firms to conduct the work under the direction of a senior ADM or the Audit Committee.

Auditable Units Priority Rankings

Auditable Units Priority Rankings
Text description of Auditable Units Priority Rankings

The chart illustrates the final priority rankings for each auditable unit of AANDC's audit universe. The priority rankings are as follows:

  • Very High: 22% or 23 auditable units
  • High: 30% or 32 auditable units
  • Moderate: 34% or 35 auditable units
  • Low: 10% or 10 auditable units
  • Not rated: 4% or 4 auditable units

 

A weighting of 50% was allocated to Inherent Risk, 30% to Significance and 20% to Legal Risk to arrive at a risk score for each auditable unit assessed. A risk priority score was then assigned to each of the assessed auditable units in the universe and all units were assigned a priority score ranging from 0 to 1. As a final pass, all entities were further categorized as Very High, High, Moderate or Low risk based on the priority scores. The distribution of auditable units by rank is displayed in the chart to the right. The methodology employed is the same as was used in prior years to ensure that risk ratings and priorities are consistent on a year-to-year basis.

The products of this workshop became the basis for a consultation workshop with the members of the Directors General Implementation and Operations Committee (DGIOC) to review the risk ranking of auditable units and to comment upon an initial listing of potential projects over the three-year horizon of the plan. The information gathered during this session was useful in refining risk rankings and informing the scope and timing of planned audits.

Following revisions to the risk ranking and listing of potential projects resulting from the DGIOC session, AASB invited Assistant and Associate Deputy Ministers to provide their perspective on the recommended listing of potential projects and their scheduling. AASB also consulted with the Office of the Comptroller General, the Office of the Auditor General, and Health Canada to obtain their input on the identified risk levels and on the identification and timing of potential audits, particularly with respect to their planned audit activities. AASB also reviewed the identified risks and potential projects with members of the Audit committee.

Through discussions with Health Canada, AASB struck an agreement to work with their internal audit group over the coming year to identify AANDC and Health Canada Program Alignment Activities (PAA), which are related in some way. AANDC intends to look for opportunities to align their respective 2014-2015 audit projects to focus on higher risk areas of common interest.

Following consultations, AASB developed a final three-year audit plan taking into account the following planning considerations:

The Chief Audit and Evaluation Executive reviewed and approved the proposed Plan and presented it to Audit Committee members for their review and recommendation for approval by the Deputy Minister.

The implementation of the Plan will be monitored on a regular basis throughout the year and proposed changes will be reviewed and formally approved by the Audit Committee. An update of the plan will be presented at the mid-year meeting of the Audit Committee to confirm that it still covers the departmental priorities and highest risks.

The Three Year Risk-Based Audit Plan

This section presents an overview of the AANDC 2013-2014 to 2015-2016 Risk-Based Audit Plan.

Audit Coverage

The AANDC Risk-Based Audit Plan 2013-16 addresses areas of higher risk and significance.

This section descrisbes how the plan addresses areas of higher risk and significance. As detailed in Appendix A, there is complete coverage of all Very High and High ranked units.

The Corporate Risk Profile is management's point in time reflection of the most significant risks that threaten achievement of AANDC's mandate and AASB seeks to ensure that all of these risks are covered in the planned audits. The chart to the right summarizes the number of 2013-2014 audits that will address any one of the corporate risks. Every corporate risk is covered by at least two assurance engagements (audits). Appendix B presents the specific linkages of audits to risks.

Coverage of Corporate Risks (2013-2014)

Coverage of Corporate Risks (2013-2014)
Text description of Coverage of Corporate Risks (2013-2014)

The graph illustrates the extent to which AANDC corporate risks are covered by the new and ongoing audits and preliminary surveys in 2013-2014. Please note that individual projects may cover one or more risk area. The coverage is as follows:

  • HR Capacity and Capabilities: 9
  • Information for Decision Making: 17
  • Transformation & Implementation: 11
  • Resource Alignment Risk: 13
  • Government Partnership: 10
  • Aboriginal Relationship Risk: 12
  • External Partnership Risk: 12
  • Legal Risk: 7
  • Environmental: 2

In support of the CAEE's annual report to the Deputy Minister and the Audit Committee, the audit plan endeavours to address all elements of the Treasury Board's Management Accountability Framework (MAF). The chart to the right summarizes the extent to which the elements of this framework are covered in the planned audits for 2013-2014. Appendix C describes these linkages in greater detail.

As noted above, internal audit and evaluation are not subject to audit by internal audit as the auditor's independence and objectivity could be considered to be compromised.

Overage of MAF Areas of Management (2013-2014)

Overage of MAF Areas of Management (2013-2014)
Text description of Coverage of MAF Areas of Management (2013-2014)

The graph illustrates the extent to which the elements of the Treasury Board's Management Accountability Framework are covered by the number of planned audit projects for 2013-2014 in each Management Area.

  • Values and Ethics: 4
  • Managing for Results: 17
  • Governance and Planning: 18
  • Citizen-focused Service: 13
  • Internal Audit: 0
  • Evaluation: 0
  • Financial Management and Control: 17
  • Management of Security: 2
  • Integrated Risk Management: 13
  • People Management: 5
  • Procurement: 5
  • Information Management: 5
  • Information Technology: 3
  • Asset Management: 1
  • Investment Planning & Management of Projects: 5

2013-2014 to 2015-2016 Audit Plan

Table 1 below outlines the number of planned program or corporate service audits, Management Practices Audits, and OCG audits for each of the three years of the plan.

  Ongoing 2013-2014 2014-2015 2015-2016
Audits 2 13 13 10
Management Practices Audits 0 3 3 3
OCG Audits 0 1 1** 1**
Total 2 17 17 14

** To be determined

Table 2 below presents the planned audits for 2013-2014 and identifies the audit priority assigned to them and the fiscal quarters in which they are expected to begin and in which the results are expected to be presented to the Audit Committee (AC in the table).

Table 3 lists the proposed audits for 2014-2015 and 2015-2016 and their audit priority ranking. The audit plans for 2014-2015 and 2015-2016 are tentative and the selection and timing of audits will be revisited during next year's annual planning exercise.

Table 2 - 2013-2014 Audit Plan
  2012-2013
(ongoing)
2013-2014
(Year 1)
Note*
These audits will be completed and presented to the Audit Committee in Q1 2014-2015.
  Priority Q3 Q4 Q1 Q2 Q3 Q4
Ongoing (projects commenced in 2012-13 to be completed in 2013-14)
1. Audit of the Management Control Framework for Grants and Contributions 2012-2013
(Funding Approaches)
Very High   AC
2. Audit of Emergency Management Assistance Very High   AC  
2013-2014 Projects
1. Follow-up Audit of Capacity Development Very High     AC  
2. Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements Very High       AC
3. Audit of the Implementation of Modern Treaty Obligations Very High     AC  
4. Audit of Indian Registration System Very High         AC
5. Audit of Economic Development Programs Very High       AC
6. Audit of Grants and Contribution Management Control Framework 2013-2014 Very High       *
7. Audit of IM/IT Governance and Application Systems Integration Very High     AC  
8. Audit of Southern Oil and Gas Very High     AC  
9. Management Practices Audit of Policy and Strategic Direction Very High       AC  
10. Management Practices Audit of Treaty and Aboriginal Government Very High     AC  
11. Audit of Nutrition North High   AC  
12. Audit of Project Management of the Canadian High Arctic Research Station High       AC
13. System Under Development Audit of the Integrated Financial Management System ( SAP &  GCIMS) High     *
14. Audit of Corporate Business Planning High       AC  
15. Audit of Delegation of Authorities, Organization Design and Classification High       *
16. Management Practices Audit – Human Resources and Workplace Services High     AC  
17. OCG Horizontal Internal Audit - TBD High       *
Table 3 - 2014-2015 to 2015-2016 Audit Plan
  Priority
2014-2015 Projects
1. Follow-up Audit of the Education Information System Very High
2. Audit of Northern Contaminated Sites Very High
3. Audit of the Management Control Framework for Grants and Contributions 2014-15 Very High
4. Audit of Elementary and Secondary Education Very High
5. Management Practices Audit (three to be determined) Very High/High
6. Audit of Post Secondary Education High
7. Audit of Assisted Living and National Child Benefit Reinvestment High 
8. Follow-up Audit of the Independent Assessment Process High 
9. Audit of On-reserve Infrastructure (excluding Water and Wastewater) High 
10. Audit of Northern Oil and Gas High 
11. Audit of Litigation Management High 
12. Audit of IM/IT Security High 
13. Audit of Occupational Health and Safety High
14. Post Implementation Audit of DRAP High
2015-2016 Projects
1. Follow-up Audit of Income Assistance Very High
2. Follow-up Audit of First Nations Child and Family Services Very High
3. Follow-up Audit of Water and Wastewater Very High
4. Audit of the Management Control Framework for Grants and Contributions 2015-16 Very High
5. Audit of Information Management Very High
6. Management Practices Audit (three to be determined) Very High/High
7. Audit of Specific Claims High 
8. Follow-up Audit of Lands Management (including Lands Registry System) High 
9. Audit of Additions to Reserve High 
10. Audit of Values and Ethics High 
11. Audit of Internal Controls over Financial Reporting High 

The detailed audit plan for 2013-2014, including project objectives, scope and rationale, is presented in Appendix D. Consistent with the requirements of the Internal Auditing Standards of the Government of Canada, all audits will be designed to achieve a high level of assurance.

Changes to the Plan

As noted previously, the multi-year audit plan is updated annually with adjustments during the year, if necessary. This year's audit plan is an evolution of the 2012-2013 to 2014-2015 Plan and, as such, includes two on-going audits that will be completed in 2013-2014 and other projects that have been cancelled or deferred as a result of changing business priorities and conditions. Details of these changes can be found in Appendix E.

Challenges to Achieving Fulfillment of the Three-Year Plan

AANDC programs and services are delivered in a complex policy and political environment that is constantly evolving and shifting from a legalistic approach to a policy-based approach that is more focused on reconciliation, partnerships, and the sustainable development of Aboriginal communities. Two risk factors that were identified in the 2012-2013 Corporate Risk Profile are of particular importance to the successful implementation of the Risk-Based Audit Plan.  These are: (1) the risk related to the availability of timely, pertinent, consistent, and accurate information and (2) the risk related to the need to attract, recruit and retain sufficiently qualified, experienced and representative employees. Given this context, the plan allows flexibility to respond to emerging risks and policy or program changes. If these risks or changes emerge and suggest higher priority audit activity, the Plan will be adjusted so that internal audit can undertake appropriate responses.

To support the need for flexibility, AASB has adopted an approach whereby internal resources are supplemented with qualified contractors. Considering the cross-government shortage of qualified auditors, this approach not only allows AASB to access required capacity and skills but also facilitates transfer of knowledge and skills to internal resources, thereby building internal capacity. While contracting continues to represent challenges for a variety of reasons, AASB was successful in 2012-2013 in establishing competitive supply arrangements under the Professional Audit Support Services Supply Arrangement (PASS) should offer more efficient contracting.

AANDC's implementation of the Government of Canada's Deficit Reduction Action Plan (DRAP) will likely continue to impair AASB's ability to obtain timely access to departmental managers and staff over the planning period. It is also possible that AASB will be called upon to focus more attention on implementation of DRAP measures.

In its effort to adjust to the challenges raised by the implementation of Budget 2012 and the Deficit Reduction Action Plan, AASB has taken a series of actions including the following:

  1. Senior management and DAC members have been kept informed on a more frequent basis on the changes to the plan
  2. Reassessment of the alignment between AASB resources and the plan has been conducted to ensure the capacity exists to support the implementation of the RBAP and
  3. Consulting engagements have been employed to support the HR function in the implementation of DRAP.

Resource Considerations

This section presents the resource requirements of all internal audit activities planned for 2013-2014. Projects actually undertaken will depend on the availability of financial and human resources. The estimated resource requirements for small, medium, and large projects have been updated to reflect current forecasts and are consistent with the results of historical project cost analysis for the last three fiscal years (2010-2011 to 2012-2013). This approach has proven to be the most accurate basis for forecasting costs, as specific requirements can only be determined once audit planning has been completed.

The Audit and Assurance Services Branch assurance activities represent 92% (91% for AANDC-led and 1% for OCG-led) of branch resource requirements. Other internal audit activities, including monitoring of action plans from past audits, annual audit planning, quality assurance and improvement, reporting, learning and development, and liaison with OAG and other external assurance providers, represents 8%.

The Three-Year Plan identifies an average of 17 audit projects to be carried out on an annual basis.

Resource Requirements

While the level of effort and cost will vary from project to project, it is our professional opinion that this level of resourcing is adequate to achieve the plan.

Appendix A - AANDC Audit Universe

Very High Risk Auditable Units and Related Audit Activity 2013-2014 to 2015-2016
Departmental Program Auditable Units (12) Planned Audit(s)*
Northern Contaminated Sites Audit of Northern Contaminated Sites (2014-2015)
First Nations Child and Family Services Follow-up Audit of First Nations Child and Family Services (2015-2016)
Registration and Membership Audit of the Indian Registration System (2013-2014)
Elementary and Secondary Education Follow-up Audit of the Education Information System (2014-2015)
Audit of Elementary and Secondary Education (2014-2015)
Income Assistance Follow-up Audit of Income Assistance (2015-2016)
Environmental Management Audit of Emergency Management Assistance (began in 2012-2013)
Implementation of Modern Treaty Obligations Audit of the Implementation of Modern Treaty Obligations (2013-2014)
Water and Wastewater Infrastructure Follow-up Audit of Water and Wastewater Infrastructure (2015-2016)
Housing Audit of On-Reserve Infrastructure (2014-2015)
Negotiations of Claims and Self-Government Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements (2013-2014)
Activation of Community Assets Audit of Economic Development Programs (2013-2014)
Audit of Southern Oil and Gas (2013-2014)
Follow-up Audit of Lands Management (incl. Lands Registry System) (2015-2016)
Institutions and Organizations Follow-up Audit of Capacity Development (2013-2014)
Internal Services Auditable Units (2) Planned Audit(s) *
Grants and Contributions Controls Audit of the Management Control Framework for Grants and Contributions (begun in 2012-2013), (2013-2014), (2014-2015), (2015-2016)
Post Implementation Audit of DRAP (2014-2015)
Information Management Audit of IM/IT Governance and Application Systems Integration (2013-2014)
System Under Development Audit of the IFMS (SAP and GCIMS) (2013-2014)
Follow-up Audit of the Education Information System (2014-2015)
Audit of the Indian Registration System (2013-2014)
Audit of Information Management (2015-2016)
Follow-up Audit of Lands Management (incl. Lands Registry System) (2015-2016)

* Very High Risk Auditable Units will be subject to audit coverage (in whole or in part) at least once every three years

High Risk Auditable Units and Related Audit Activity 2013-2014 to 2015-2016
Departmental Program Auditable Units (15) Planned Audit(s)*
Specific Claims Audit of Specific Claims (2015-2016)
Community Infrastructure Assets and Facilities Audit of On-Reserve Infrastructure (2014-2015)
Post-Secondary Education Audit of Post-Secondary Education Programs (2014-2015)
Aboriginal Entrepreneurship Audit of Economic Development Programs (2013-2014)
Registration of Rights and Interests in Reserve Lands Follow-up Audit of Lands Management (incl. Lands Registry System) (2015-2016)
Independent Assessment Process Follow-up Audit of the Independent Assessment Process (2014-2015)
Education Facilities Audit of On-Reserve Infrastructure (2014-2015)
Nutrition North Audit of Nutrition North Canada (2013-2014)
Management of Moneys Audit of Southern Oil and Gas (2013-2014)
Assisted Living Audit of Assisted Living and National Child Benefit Reinvestment (2013-2014)
Science Initiatives Audit of Project Management of the Canadian High Arctic Research Station (2013-2014)
First Nations Governments Follow-up Audit of Capacity Development (2013-2014)
Additions to Reserve Audit of Additions to Reserve (2015-2016)
Northern Oil and Gas Audit of Northern Oil and Gas (2014-2015)
National Child Benefit Reinvestment Audit of Assisted Living and National Child Benefit Reinvestment (2013-2014)
Information Technology Audit of the Indian Registration System (2013-2014)
Audit of IM/IT Governance and Application Systems Integration (2013-2014)
System Under Development Audit of the Integrated Financial Management System (SAP and GCIMS) (2013-2014)
Follow-up Audit of the Education Information System (2014-2015)
Follow-up Audit of Lands Management (incl. Lands Registry System) (2015-2016)
Audit of Internal Controls Over Financial Reporting (2015-2016)
Expenditure Management Post Implementation Audit of DRAP (2014-2015)
Audit of Internal Controls Over Financial Reporting (2015-2016)
Litigation Management Audit of Litigation Management (2014-2015)
IM/IT Security Audit of IM/IT Security (2014-2015)
Organizational Design and Classification Audit of Delegation of Authorities, Organizational Design and Classification (2013-2014)
Management Practices Audit of Human Resources and Workplace Services (2013-2014)
Post Implementation Audit of DRAP (2014-2015)
Corporate Business Planning Audit of Corporate Business Planning (2013-2014)
Audit of Internal Controls Over Financial Reporting (2015-2016)
IM/IT Governance Audit of IM/IT Governance and Application Systems Integration (2013-2014)
System Under Development Audit of the Integrated Financial Management System (SAP and GCIMS) (2013-2014)
Audit of the Indian Registration System (2013-2014)
Values and Ethics Audit of Values and Ethics (2015-2016)
Occupational Health and Safety Audit of Occupational Health and Safety (2014-2015)

* High Risk Auditable Units will be subject to audit coverage (in whole or in part) at least once every three years.

Moderate Risk Auditable Units 2013-2014 to 2015-2016
Departmental Program Auditable Units (14) Internal Services Auditable Units (15)
Political Development and Inter-Government Relations External Reporting
Family Violence Prevention Communications
Estate Management Assets and Property Management
Management of Treaty Relationships Performance Measurement and Reporting
Métis and Non-Status Indian Relations and Métis Rights Management Compensation and Benefits
Strategic Federal Investments and Partnerships ATIP Management
Consultation and Engagement HR Staffing and Planning
Urban Aboriginal Participation Financial Planning and Budgeting
Northern Mines and Minerals Loans and Accounts Receivable
Northern Land and Water Management Corporate Security
Northern Environmental Management Learning and Development
Clarity of Reserve Boundaries Continuity of Operations
Commemoration Strategic Policy Development
Common Experience Payment Labour Relations
  Revenues
Low Risk Auditable Units 2013-2014 to 2015-2016
Departmental Program Auditable Units (7) Internal Services Auditable Units (3)
Northern Contaminants Official Languages
Inuit Relations Accommodations
Management of Other Negotiated Settlements Library and Information Centre
Renewable Energy and Energy Efficiency  
Treaty Annuities
Support to the Truth and Reconciliation Commission  
Climate Change Adaptation  
Not Rated Auditable Units 2013-2014 to 2015-2016
Departmental Program Auditable Units (0) Internal Services Auditable Units (4)
  Audit and Evaluation
  Risk Management
  Complaints and Allegations
  Legal Services

Sectors and Regions

Auditable Units
Ranking Sectors
Chief Financial Officer Very High
Education and Social Development Programs and Partnerships Very High
Regional Operations Very High
Treaties and Aboriginal Government Very High
Resolution & Individual Affairs Very High
Policy and Strategic Direction Very High
Human Resources and Workplace Services High
Lands and Economic Development High
Northern Affairs High
Indian Residential Schools Adjudication Secretariat High
Corporate Secretariat Moderate
Communications Moderate
Auditable Units
Ranking Regions
Ontario Very High
Manitoba Very High
Atlantic Very High
Saskatchewan High
Alberta High
Nunavut High
Northwest Territories Moderate
Quebec Moderate
British Columbia Moderate
Yukon Moderate

Appendix B - Linkage of 2013-2014 Audits to the Corporate Risk Categories

2013-2014 Audit Projects HR Capacity and Capability Information for Decision Making Transformation &
Implementation
Resource Alignment Government Partnership Aboriginal Relationship External Partnership Legal Environmental
Ongoing
Audit of the Management Control Framework for Grants and Contributions 2012-2013 (Funding Approaches)       Selected Selected Selected Selected    
Audit of Emergency Management Assistance   Selected Selected Selected Selected Selected Selected Selected Selected
2013-2014 Projects
Follow-up Audit of Capacity Development   Selected Selected Selected Selected Selected Selected    
Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements   Selected Selected   Selected Selected Selected Selected  
Audit of the Implementation of Modern Treaty Obligations   Selected Selected Selected Selected Selected Selected Selected  
Audit of the Indian Registration System   Selected Selected     Selected   Selected  
Audit of Economic Development Programs   Selected Selected Selected   Selected Selected Selected  
Audit of the Management Control Framework for Grants and Contributions 2013-2014   Selected   Selected Selected Selected Selected    
Audit of IM/IT Governance and Systems Integration   Selected   Selected Selected   Selected Selected  
Audit of Southern Oil and Gas   Selected Selected Selected Selected Selected Selected Selected Selected
Management Practices Audit of Policy and Strategic Direction Selected Selected Selected Selected          
Management Practices Audit of Treaties and Aboriginal Government Selected Selected Selected Selected          
Audit of Nutrition North Selected Selected Selected     Selected Selected    
Audit of Project Management of the Canadian High Arctic Research Station Selected Selected     Selected   Selected    
System Under Development Audit of the Integrated Financial Management System ( SAP & GCIMS) Selected Selected   Selected          
Audit of Corporate Planning Selected Selected   Selected   Selected      
Audit of Delegation of Authorities, Organization Design and Classification Selected Selected     Selected Selected      
Management Practices Audit of Human Resources and Workplace Services Selected Selected Selected Selected          
OCG Horizontal Internal Audit – TBD                  

Appendix C - Linkage of 2013-2014 Audits to MAF Elements

2013-2014 Audit Projects
Value
and
Ethics
Managing
for
Results
Governance
and
Planning
Citizen-focused
Service
Internal
Audit (1)
Evaluation (1) Financial
Management
and Control
Management
of Security
Integrated
Risk
Management
People
Management
Procurement Information
Management
Information
Technology
Asset
Management
Investment
Planning
and
Management
of Projects
Note (1) - These 2 Areas of MAF are the responsibility of the CAEE; therefore, they were not considered.
Ongoing
Audit of the Management Control Framework for Grants and Contributions 2012-2013 (Funding Approaches)   Selected Selected Selected     Selected                
Audit of Emergency Management Assistance   Selected Selected       Selected   Selected            
2013-2014 Projects
Follow-up Audit of Capacity Development   Selected Selected Selected     Selected                
Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements   Selected Selected       Selected   Selected            
Audit of the Implementation of Modern Treaty Obligations   Selected Selected Selected     Selected   Selected            
Audit of Indian Registration System   Selected Selected Selected     Selected Selected Selected     Selected Selected   Selected
Audit of Economic Development Programs   Selected Selected Selected     Selected         Selected      
Audit of the Management Control Framework for Grants and Contributions 2013-2014   Selected Selected Selected     Selected     Selected          
Audit of IM/IT Governance and Application System Integration   Selected Selected       Selected   Selected     Selected Selected Selected Selected
Audit of Southern Oil and Gas   Selected Selected Selected     Selected         Selected Selected    
Management Practices Audit of Policies and Strategic Direction Selected Selected Selected Selected     Selected   Selected Selected Selected        
Management Practices Audit of Treaties and Aboriginal Government Selected Selected Selected Selected     Selected   Selected Selected Selected        
Audit of Nutrition North   Selected Selected       Selected   Selected            
Audit of Project Management of the Canadian High Arctic Research Station   Selected Selected Selected     Selected   Selected   Selected       Selected
System Under Development Audit of the Integrated Financial Management System ( SAP & GCIMS)     Selected       Selected Selected Selected   Selected Selected     Selected
Audit of Corporate Planning   Selected Selected Selected         Selected           Selected
Audit of Delegation of Authorities, Organization Design and Classification Selected Selected Selected Selected     Selected   Selected Selected          
Management Practices Audit of Human Resources and Workplace Services Selected Selected Selected Selected     Selected   Selected Selected Selected        
OCG Horizontal Internal Audit – TBD                              

Appendix D - 2013-2014 Audit Projects

The detailed audit plan for 2013-2014 is presented below with each project described in terms of its objective, scope and rationale.

Audit Objective and Scope Rationale for Conduct
Follow-up Audit of Capacity Development Very High
The objectives of the audit are to assess: the adequacy and effectiveness of departmental controls for designing, approving, integrating and reporting on capacity development programs; and the appropriateness of the design of region and sector controls for delivering capacity development programming in an integrated, efficient and effective manner.

The scope of the audit covers the period April 1, 2009 to March 31st, 2013 and included assessments of:
  1. the integration and design of capacity development programming, including linkages with other federal funders. Programming considered in this portion of the audit included programs designed to support capacity development within First Nation community governments, First Nation program service delivery organizations, First Nation institutions of government, First Nation economic development organizations and businesses, and with First Nation leaders and professionals.
  2. performance measurement, research and analysis activities that support design and redesign of capacity development programs and program investment decision-making processes.
  3. the integration of departmental processes and structures for making capacity development investment decisions, including, recipient risk and capacity assessment processes, program and regional investment decision-making processes and default prevention and management processes. Programming considered in this portion of the audit included programs designed to support capacity development within First Nation community governments and First Nation institutions of government.
The audit does not include assessments of the effectiveness of regional and program systems and controls for administering and monitoring funding agreements with recipients.
Maps to Program Alignment Architecture
  • Strategic Outcome: The Government
  • Activity: Institutions and Organizations; First Nations Government
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
  • Government Partnership
  • Aboriginal Relationship
  • External Partnership
Capacity development is growing in prominence as the Department moves towards implementation of a First Nations Community Development Framework. As the Audit of Capacity Development (2009) indicated, work is required to synchronize implementation of all First Nations programming directed towards development of capacity.

There is a risk that the Department's mandate of supporting Aboriginal people and Northerners in their efforts to: improve social and economic prosperity; develop healthier, more sustainable communities; and, participate more fully in Canada`s political, social and economic development, will not be realized if capacity development programming is not improved.
Audit of Negotiation of Comprehensive Land Claims and Self Government Agreements Very High
The preliminary objective of this audit is to assess the adequacy and effectiveness of controls in place to support the negotiation of comprehensive land claims and self-government agreements.

The preliminary scope will include an assessment of the adequacy of the design of the management control framework to ensure effective, efficient and timely negotiations in a results based environment. The timing of the audit will be coordinated with the Audit of the Implementation of Modern Treaty Obligations to maximize the benefits and minimize disruption to the auditee.
Maps to Program Alignment Architecture
  • Strategic Outcome: The Government
  • Activity: Negotiation of Claims and Self-Government
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Transformation and Implementation
  • Government Partnership
  • Aboriginal Relationship
  • External Partnership
  • Legal
Claims and self-government activities are significant to the achievement of AANDC objectives. The complexity and length of negotiations requires a high level of knowledge and specific skills. As such, the negotiations and associated loans are high risk. Moreover, there is high risk associated with the implementation of Modern Treaties. The program area is in transition to a results based approach to negotiations and comprehensive claims. A high level of legal risk is also associated through contingent liabilities and legal impacts.
Audit of the Implementation of Modern Treaty Obligations Very High
The objective of this audit is to provide assurance to management of the adequacy and effectiveness of controls in place to support AANDC's role in the coordination and oversight of the implementation of federal obligations included within existing comprehensive land claim agreements and self-government agreements.

The scope of this audit includes obligations scheduled for implementation during the period from April 1, 2011 to March 31, 2013. This includes all agreements/ obligations which have an effective date subsequent to April 2011. An appropriate coverage of agreements and obligations will be determined through the development of a sampling approach.

Due to the inherent risks associated with non-compliance with the obligations outlined in the agreements and the role that AANDC plays in the coordination and oversight of these federal obligations, this audit focuses on the following AANDC activities:

(A) Oversight and Coordination
  1. Acting as a central point of contact for agreement signatories, other federal departments, AANDC and other line departments' regional staff, with questions about their direct and indirect responsibilities under CLCAs and SGAs.
  2. Coordinating and administering, in partnership with TAG's Mandating Coordination and Liaison Unit, the implementation management framework, which includes Federal Caucus and the Federal Steering Committee (consisting of senior-level officials from all federal departments with implementation responsibilities).
  3. Coordinating federal input into monitoring and reporting processes, such as annual reports, TOMS, CLCA.net.

    (B) Coordination of Government of Canada Obligations
  4. Administering funding for agreement signatories, some boards and committees.
  5. Providing federal input, in collaboration with other federal departments and agencies, in mandated reviews.
  6. Representing Canada on Implementation Committees, with participation by other federal departments and agencies when appropriate.

    (C) Ongoing Implementation Activities
  7. Reviewing annual audits of Aboriginal signatories, boards and committees.
  8. Managing, in conjunction with AANDC regional offices, Order-in-Council and Ministerial appointments to boards and committees (some board/committee appointments are the responsibility of other federal departments).

    (D) Managing AANDC Implementation
  9. Monitoring and managing the implementation of obligations that AANDC is specifically responsible for.
Maps to Program Alignment Architecture
  • Strategic Outcome: The Government
  • Activity: Implementation of Modern Treaty Obligations
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
  • Government Partnership
  • Aboriginal Relationship
  • External Partnership
  • Legal
Successful implementation of modern treaty obligations requires a high degree of knowledge and relevant skill sets. There have been no recent audits completed by AES and the OAG has identified concerns regarding implementation. There is a significant downstream risk associated with estimation of costs for implementation and implementation itself. There is potential for very high legal risk if Canada fails to meet its treaty obligations, which could impact ongoing negotiations. High dependency risk exists because of the Department's lead in providing guidance to OGDs.
Audit of the Indian Registration System Very High
The objective of this audit is to provide assurance to management on the adequacy and effectiveness of process and IT application controls in place to ensure the integrity of information contained in the Indian Registration System.

The scope of the audit covers the period November 2011 to November 2013 and will include assessments of the design and operational effectiveness of manual and automated controls used to ensure that: (i) Qalipu applications are accurately processed and recorded in Phase I (design and operational effectiveness) and are appropriately assessed in Phase II (design only); (ii) Information entered into the system through various sources, including IRAs and IROs, is reliable and access to it is protected; and, (iii) Remediation has taken place or there is a plan in place to remediate issues surrounding: IRS general system controls, core application controls, system stabilization, registration process controls, IRS governance, and project management.

The scope of the audit alsos include an assessment of key documentation produced for the SIRCU initiative (Phase I) and for gates I and II of Phase II (Indian Registration and Estates Management System) of the IRS modernization initiative in order to identify potential weaknesses and gaps that can be address prior to the implementation of these phases. Key documentation produced for gates III to VII of Phase II will not be included in the scope of the audit, nor will key documentation for the SIRCU initiative produced after November 1, 2013.
Maps to Program Alignment Architecture
  • Strategic Outcome: The People; Internal Services
  • Activities: Registration and Membership; Information Technology; Information Management; IM/IT Governance
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Transformation and Implementation
  • Aboriginal Relationship
  • Legal
Effective and successful implementation of IRS and SCIS are important to stakeholders and to AANDC credibility. Accuracy and integrity of IRS data and SCIS cards are key to minimizing false or illegitimate claims for federal funding. SCIS issuance is highly sensitive. IRS system faces increased reliability risk as a result of being obsolete.
Audit of Economic Development Programs Very High
The preliminary objective of the audit is to determine if the management control framework for funding provided to recipients under Economic Development Programs ensures that benefits or results are consistent with program goals and terms and conditions, that appropriate performance and reporting requirements are established, and that activities are monitored to ensure compliance with program terms and conditions and funding agreements.

The preliminary scope of the audit includes an examination of the adequacy of controls through testing of key controls in a sample of funding awarded.
Maps to Program Alignment Architecture
  • Strategic Outcome: The Land and the Economy
  • Activity: Activation of Community Assets; Aboriginal Entrepreneurship
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
  • Aboriginal Relationship
  • External Partnership
  • Legal
Programs are being realigned to streamline spending authorities and focus investments in four key areas resulting in an implicit higher risk due to change and complexity. Resources represent moderate materiality but expected impacts are significant for AANDC's agenda and First Nations. Currently there is a complex delivery structure with multiple players and jurisdictions. Control weaknesses have been identified in previous audits.
Audit of the Management Control Framework for Grants and Contributions 2013-2014 Very High
The objective of the audit is to assess the adequacy and effectiveness of the management control framework for grant and contribution programs. As the framework and the Department's programs and their risks evolve, the specific objectives and scope for audit activity in a given year are based upon a current risk assessment conducted during the planning phase.

In assessing the adequacy and effectiveness of selected controls, the audit includes an examination of their application horizontally, i.e. through a sample of programs and regions.
Maps to Program Alignment Architecture
  • Strategic Outcome: Internal Services
  • Activity: Grants and Contributions
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Resource Alignment
  • Government Partnership
  • Aboriginal Relationships
  • External Partnership
Grants and Contributions are the primary transfer payment vehicles through which AANDC programming is delivered. In addition to being financially material (over $6 billion), AANDC continues to implement a strengthened Grant and Contribution Management Control Framework to achieve the expected improvements reflected in the Policy on Transfer Payments, e.g. risk-based program frameworks, recipient agreements and recipient auditing, reduced burdens on recipients. The 2012-2013 recurring audit found areas requiring improvement, e.g. need for a national governance structure, capacity and competence of Funding Services Officers, use and consistency of performance information in GCIMS.
Audit of IM/IT Governance and Application Systems Integration Very High
The objective of this audit is to assess the adequacy and effectiveness of IM/IT governance structures, processes and controls in place to support the effective management of IM/IT resources, including integration among AANDC's key IM/IT application systems.

The scope of the audit will cover the period April 1, 2011 to June 30, 2013 and will include:
  • an examination of the governance bodies and decision-making processes in place to establish priorities among, and recommend or approve funding for, IM and IT projects and initiatives;
  • an examination of roles and responsibilities and delegated authorities, taking into account the role of Shared Services Canada; and,
  • an assessment of the adequacy of planning for integration of application systems.
The audit will also include detailed testing of a sample of AANDC IM/IT projects to assess their compliance with the Project Portfolio Management Framework (PPMF). For each project selected, the audit team will obtain and evaluate project documentation that supports adherence to the requirements of the PPMF, including compliance with the requirements for information sharing and for business intelligence.

Audit fieldwork will be conducted in headquarters and in the regional offices of British Columbia and Ontario, selected for their high and moderate levels of IM/IT spending, respectively.
Maps to Program Alignment Architecture
  • Strategic Outcome: Internal Services
  • Activity: IM/IT Governance; Information Technology; Information Management
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Resource Alignment
  • Government Partnership
  • External Partnership
  • Legal
New IM/IT governance processes are being implemented to better define system owners and ensure strategic allocation and approval of resources for IM/IT systems yet issues remain with business owners driving IM/IT requirements without sufficient CIO involvement and corporate oversight. It is inherently challenging for senior management to establish a governance regime that can set priorities and meet competing demands. There is a high risk to achievement of corporate objectives if IM/IT is not well governed because of program delivery's reliance on applications, technology and data. Recent preliminary survey (originally planned to be an audit) identified some areas of strength and weakness. There are key changes pending with the move to Shared Services Canada, integration with Health Canada, aging systems (e.g. IRS) and new initiatives (e.g. EIS).
Audit of Southern Oil and Gas Very High
The objective of the audit is to determine whether AANDC and Indian Oil and Gas Canada are fulfilling their obligations with respect to management of oil and gas resources on reserve in an efficient, effective and controlled manner.

The audit scope includes an assessment of the adequacy and effectiveness of the governance, risk management, and internal controls in place to support the effective and efficient execution of AANDC's and the IOGC's responsibilities in managing oil and gas resources on First Nation reserves.

The audit scope includes processes and controls in place used by IOGC to
  • manage the negotiation, issuance and administration of agreements with oil and gas companies and First Nations;
  • monitor oil and gas production and prices;
  • verify/assess and collect moneys such as bonuses, royalties and rents; and,
  • ensure environmental requirements are met.
In addition, given IOGC is a separate employer from AANDC with a compensation plan in which all employees are eligible for performance pay, the audit scope also includes IOGC's processes and controls in place with regards to the management of the staff performance appraisal process.

The scope of the audit covers all IOGC activities during the period April 1, 2011 through to March 31, 2013.
Maps to Program Alignment Architecture
  • Strategic Outcome: The Land and the Economy; The People
  • Activity: Activation of Community Assets; Management of Monies
Maps to Corporate Risk Profile
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
  • Government Partnership
  • Aboriginal Relationship
  • External Partnership
  • Legal
  • Environmental
First Nations' oil and gas management is complex and involves both AANDC and Indian Oil and Gas Canada (IOGC) program areas. IOGC has not been audited directly in over ten years but was touched upon in the Audit of Trust Accounts and Alberta Region Management Practices Review. The Audit of Trust Accounts indicated that IOGC requires a more proactive receivables management approach. As First Nations sign on to the First Nations Oil and Gas Management Act (FNOGMA), the role of AANDC will be greatly reduced, however, differing agendas will pose challenges, adding to complexity (e.g. environmental stewardship vs. economic development, traditional vs. modern practices).
Management Practices Audit of Policy and Strategic Direction Very High
The objective of the audit is to provide senior management with assurance over the adequacy and effectiveness of a selection of high risk management controls and activities in place to support the achievement of the Sector's objectives.

The scope of the audit covers a range of high risk management practices as identified through a CSA workshop, preliminary interviews, a review of previous audit and review findings, and a review of departmental priorities.

Audit fieldwork is being conducted at AANDC Headquarters. Testing covers the fiscal years 2011-12 – 2012-13.
Maps to Program Alignment Architecture
  • Strategic Outcome: N/A
  • Activity: N/A
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
Following the first round of Management Practices Reviews between 2007 and 2010, the Audit and Evaluation Sector prepared a summary report highlighting the strengths and weaknesses of the process. The report led to the initiation of a round of Management Practices Audits (MPAs) in 2011-2012. The MPA approach is more targeted towards a higher level of assurance by taking a two phase approach: a Control Self-Assessment followed by an audit of selected management practices determined on the basis of the auditor's risk assessment.
Management Practices Audit of Treaties and Aboriginal Government Very High
The objective of the audit is to provide senior management with assurance over the adequacy and effectiveness of a selection of high risk management controls and activities in place to support the achievement of the Branch's objectives.

The scope of the audit covers the following five management practices areas, as identified through a CSA workshop, preliminary interviews, a review of previous audit and review findings, and a review of departmental priorities.
  • Management and oversight bodies
  • Accountability
  • Risk management
  • Values and ethics
  • Policy development and program design
Audit fieldwork is being conducted primarily in Headquarters. Testing covers the fiscal years 2010-11, 2011-12 and 2012-13.
Maps to Program Alignment Architecture
  • Strategic Outcome: N/A
  • Activity: N/A
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
Following the first round of Management Practices Reviews between 2007 and 2010, the Audit and Evaluation Sector prepared a summary report highlighting the strengths and weaknesses of the process. The report led to the initiation of a round of Management Practices Audits (MPAs) in 2011-2012. The MPA approach is more targeted towards a higher level of assurance by taking a two phase approach: a Control Self-Assessment followed by an audit of selected management practices determined on the basis of the auditor's risk assessment.
Audit of Nutrition North Canada High
The objective of the audit is to assess the extent to which the Nutrition North Canada (NNC) Program has been implemented as intended, and that adequate and effective governance, risk management, and management controls are in place to support effective and efficient administration and program delivery.

The audit scope includes an assessment of the following:
  • Program governance and risk management activities;
  • Processes and controls in place to determine eligibility of participating communities, suppliers, and retailers;
  • Processes and controls in place to determine subsidy rates;
  • Processes and controls in place to manage funding agreements (Review, approval, monitoring/reporting, compliance);
  • Processes and controls in place to review and approve applications from potential recipients;
  • Program controls in place to assure there is appropriate oversight of the third-party claims processor and approval of claim payments; and,
  • Program planning, performance measurement, monitoring, and reporting activities.
The scope of the audit covers all NNC Program activities during the period April 2011 through to March 30, 2013. The scope of the audit does not include transition activities related to the Food Mail Program which occurred between April 2011 and October 2012. The scope of the audit does not include an examination of third-party claims processor internal controls.
Maps to Program Alignment Architecture
  • Strategic Outcome: The North
  • Activity: Nutrition North
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Transformation and Implementation
  • Aboriginal Relationship
  • External Partnership
This new program was implemented on April 1, 2011 to replace the former Food Mail program that was subject to considerable scrutiny. With the shift to a new program model (retail subsidies) and new controls, the risk is inherently high, e.g. high Northern public visibility, and management needs early assurance that implementation is occurring as intended. The OAG has expressed an interest in the new program.
Audit of Project Management of the Canadian High Arctic Research Station High
The objective of the audit is to provide assurance to management that an appropriate project management framework between AANDC, PWGSC and Public-Private Partnerships (PPP) Canada is in place to ensure that the CHARS facility is delivered on time and within budget, and that the CHARS facility is aligned to meet the strategic objectives of the Science and Technology program planned for the facility.

The scope of the audit includes an examination of the governance and project management practices related to the definition, design, build and planned operation of the research station such that it supports the Science and Technology program planned for the facility. The scope period of the audit spans from the announcement of the project in November 2007 (Definition Phase) to 31 July 2013 (currently in Design Phase), understanding that the project is still ongoing and components of the project management approach are still under development. There is a requirement for regional site visits to the regional PWGSC offices in both Edmonton and Winnipeg, where resources responsible for project management, contracting, and procurement are located.

The audit does not seek to examine the processes by which the location of the CHARS facility was selected nor will it seek to evaluate the effectiveness of the Science and Technology program.
Maps to Program Alignment Architecture
  • Strategic Outcome: The North
  • Activity: Science Initiatives
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Government Partnership
  • External Partnership
Construction of the High Arctic Research Station has had some known contracting issues and is a significant project in the North, with an estimated $250M total project costs. Despite the Department's experience with the construction of infrastructure projects South of the 60th parallel, it has limited experience with construction projects of this magnitude in the High Arctic. As a result, early audit activity can support effective project management and control.
System under Development Audit of the Integrated Financial Management System (SAP and GCIMS) High
The preliminary objective of the audit is to assess the adequacy and likely effectiveness of the project management framework in place to ensure that expected results are delivered within budget and on time with no loss of data integrity or functionality.

The scope of the audit includes an examination of governance and project management practices.
Maps to Program Alignment Architecture
  • Strategic Outcome: Internal Services
  • Activity: IM/IT Governance; Information Technology; Information Management
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Resource Alignment
There is a high risk to achievement of control and accountability objectives if AANDC's transfer to SAP and Health Canada's adoption of GCIMS results in unreliable or unavailable financial information. Migration projects are typically subject to a high degree of risk in terms of loss or corruption of data or untimely availability. Early audit activity can support effective project management and control.
Audit of Corporate Business Planning High
The objective of this audit is to assess the adequacy and effectiveness of those management controls that support corporate business planning and compliance with relevant Treasury Board and departmental requirements. Specifically, the objective is to assess the extent to which corporate business planning processes:
  • Support the development of effective plans that are meaningful and useful as decision-making and oversight tools;
  • Demonstrate efficient utilization of Departmental resources engaged in the planning process; and,
  • Comply with the Treasury Board of Canada Secretariat's Policy on Management, Resources and Results Structures (parliamentary reporting only).
The scope of the audit includes an examination of those governance, risk management and control processes that support adequate and effective business planning at a corporate level. Specifically, the audit will examine:
  • The governance structures and related processes that support the quality assurance, integration and oversight of business planning processes;
  • Processes, tools and other mechanisms that support the incorporation of performance reporting and risk information into departmental planning; and,
  • The controls that support and promote effective and efficient departmental business planning, including those controls designed to support:
    • A consistent and integrated approach to departmental business planning and related reporting;
    • The integration of clearly defined business objectives into formal plans;
    • Effective communication and shared understanding of corporate priorities; and,
    • Effective and timely monitoring of progress against plans.
The audit will include an examination of the full planning cycle for 2012-2013. As such, the examination considers the results of the 2011-2012 Corporate Business Plan, and how these results were incorporated into the 2012-2013 Corporate Business Plan. Furthermore, the examination considers how the 2012-2013 results were compiled and incorporated into the 2013-2014 Corporate Business Plan.
Maps to Program Alignment Architecture
  • Strategic Outcome: internal Services
  • Activity: Corporate Business Planning; Strategic Policy Development; Performance Measurement and Reporting
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Resource Alignment
  • Aboriginal Relationship
While corporate business planning is critical to ensuring alignment of resources, effective planning is inherently complex in AANDC due to a wide range of programs and linkages. Corporate plans have been developed and quarterly reports formalized for sectors and regions at considerable effort and in significant volume, in some cases, but with concerns as to whether the effort has improved focus on key activities and resulted in greater integration. Risk management has been incorporated in the planning process but with consistency and quality concerns. With government's focus on back-room efficiency, there is a need to ensure that processes are meaningful and productive.
Audit of the Delegation of Authorities, Organization Design and Classification High
The objective of this audit is to provide assurance that AANDC management controls in place for organizational design, classification, and associated delegation of authorities are adequate and effective in supporting efficient delivery of programs and services.

The audit scope includes an assessment of:
  • Risk management, governance and oversight practices for organizational design and classification;
  • Controls used to verify accuracy, completeness, and validity, and ensure compliance to policy requirements and delegation of authorities;
  • Training, systems, tools, and support provided to management and staff in order to fulfill their responsibilities; and,
  • Practices used in monitoring quality and performance;
The audit scope includes testing of controls related to the organizational design and classification process within the Regions, Regional HR Service Centers, and Headquarters. The scope of the audit includes both EX and non-EX classification actions.

A sample of organization design changes and classifications actions will be reviewed based on risk and audit coverage. For sampling purposes, the review and the testing will cover the period from April 1, 2012 to August 31, 2013. Sample selection will performed in a manner which complements monitoring file review performed by the Quality Assurance Unit (QAU) (i.e. coverage, type of action, risk level). A sample of QAU monitoring review files will be selected to provide assurance on QAU monitoring practices.

Audit fieldwork will include site visits to the three Regional HR Service Centers.

The audit scope will not include an audit of the IT systems supporting delegation of authority, organizational design, and classification roles and responsibilities.
Maps to Program Alignment Architecture
  • Strategic Outcome: Internal Services
  • Activity: Organizational Design and Classification
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Government Partnership
  • Aboriginal Relationship
Effective organizational design and formalized delegation of appropriate authorities are integral to achievement of AANDC's objectives. This has been identified as an area of high risk in numerous previous audits and management practice reviews. There is increasing importance post DRAP in ensuring that structures are effective and classifications appropriate to requirements.
Management Practices Audit of Human Resources and Workplace Services High
The objective of the audit is to provide senior management with assurance over the adequacy and effectiveness of a selection of high risk management controls and activities in place to support the achievement of the Branch's objectives.

The scope of the audit covers the following five management practices areas, as identified through a CSA workshop, preliminary interviews, a review of previous audit and review findings, and a review of departmental priorities.
  • Management and oversight bodies
  • Operational Objective-Setting and Planning
  • Client-centered Service
  • Internal Communications
  • Accountability
Audit fieldwork is being conducted primarily in Headquarters. Testing covers the fiscal years 2011-12 to 2012-13.
Maps to Program Alignment Architecture
  • Strategic Outcome: N/A
  • Activity: N/A
Maps to Corporate Risk Profile
  • HR Capacity and Capabilities
  • Information for Decision Making
  • Transformation and Implementation
  • Resource Alignment
Following the first round of Management Practices Reviews between 2007 and 2010, the Audit and Evaluation Sector prepared a summary report highlighting the strengths and weaknesses of the process. The report led to the initiation of a round of Management Practices Audits (MPAs) in 2011-2012. The MPA approach is more targeted towards a higher level of assurance by taking a two phase approach: a Control Self-Assessment followed by an audit of selected management practices determined on the basis of the auditor's risk assessment.
OCG Horizontal Internal Audit - TBD High
Objective and scope TBD. Maps to Program Alignment Architecture:
  • TBD
Maps to Corporate Risk Profile:
  • TBD

Appendix E - Changes to the Audit Plan

Ongoing Audits

The resource implications of audit projects that began in 2012-2013, but were not completed within that period are identified below.

2012-2013 Ongoing Audits Expected Completion Date
Audit of Grants and Contributions Management Control Framework Q1 2013-2014
Audit of Emergency Management Assistance Q1 2013-2014

Removed, Deferred or Added Audits

The table below identifies all the changes to the 2012-2013 to 2014-2015 Plan, and the 2013-2014 to 2015-2016 Plan approved by the Deputy Minister on February 27, 2013.

Audit Name and Year Planned Rationale
Audit of Elementary and Secondary Schools (2013-2014) This audit has been deferred to 2014-2015 (and renamed as the Audit of Elementary and Secondary Education) because the later timing will provide more value to the program as it will be in the process of implementing new legislation that is expected to be passed during 2013-14. This legislation is expected to bring major changes to the program.
Audit of the Management of Moneys (2013-2014) This audit has been removed from the plan. The Management of Moneys auditable unit, which was identified as a high risk, will be covered through the Audit of Southern Oil and Gas (2013-14).
Audit of Claims, Litigation and Environmental Liabilities (2013-14) This audit has been removed from the audit plan and replaced with an Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements (2013-14) and an Audit of Litigation Management (2014-15). The environmental liabilities component of the audit was removed as it was covered in the Fall 2012 report of the Commissioner of the Environment and Sustainable Development – Financial Assurances for Environmental Risks.
Post – Implementation Audit of the Education Information System (2013-2014) This audit has been deferred to 2014-2015 (and renamed as the Follow-up Audit of the Education Information System).
Management Practices Audit of the Resolution & Individual Affairs (2013-2014) This audit has been removed from the plan as it was not identified in the revised risk assessment of MPA sectors and regions that was undertaken in 2013-2014 to determine the specific organizations to be audited in year one of the plan.
Management Practices Audit of the Ontario Region (2013-2014) This audit has been removed from the plan as it was not identified in the revised risk assessment of MPA sectors and regions that was undertaken in 2013-2014 to determine the specific organizations to be audited in year one of the plan.
Management Practices Audit of the Manitoba Region (2013-2014) This audit has been removed from the plan as it was not identified in the revised risk assessment of MPA sectors and regions that was undertaken in 2013-2014 to determine the specific organizations to be audited in year one of the plan.
Audit of Southern and Northern Oil and Gas (2014-2015) The audit has been removed from the plan (and replaced with an Audit of Southern Oil and Gas (2013-2014) and an Audit of Northern Oil 2014-2015))
Management Practices Audit of the Lands and Economic Development (2014-2015) A revised risk assessment of MPA sectors and regions will be undertaken in 2014-2015 to determine the specific organizations to be audited in years two and three of the Plan.
Management Practices Audit of the Northern Affairs (2014-2015) A revised risk assessment of MPA sectors and regions will be undertaken in 2014-2015 to determine the specific organizations to be audited in years two and three of the Plan.
Management Practices Audit of the Indian Resolution Schools Adjudication Secretariat (2014-2015) A revised risk assessment of MPA sectors and regions will be undertaken in 2014-2015 to determine the specific organizations to be audited in years two and three of the Plan.
Management Practices Audit of the Atlantic Region (2014-2015) A revised risk assessment of MPA sectors and regions will be undertaken in 2014-2015 to determine the specific organizations to be audited in years two and three of the Plan.
Management Practices Audit of the Alberta Region (2014-2015) A revised risk assessment of MPA sectors and regions will be undertaken in 2014-2015 to determine the specific organizations to be audited in years two and three of the Plan.
Management Practices Audit of the Nunavut Region (2014-2015) A revised risk assessment of MPA sectors and regions will be undertaken in 2014-2015 to determine the specific organizations to be audited in years two and three of the Plan.

Additions

Audit Name and Year Planned Rationale
Audit of Capacity Development (2013-2014) The audit was renamed as the Follow-up Audit of Capacity Development.
Audit of Delegation of Authorities, Organization Design and Classification (2013-2014) The audit was identified as a high risk during the 2013-2014 RBAP risk assessment.
Audit of IM/IT Governance and Application Systems Integration (2013-2014) The audit was included in the plan to address risks associated with the Department's IM/IT governance and systems integration practices identified in previous audits.
Audit of Nutrition North (2013-2014) The audit was renamed as the Audit of Nutrition North Canada.
Audit of Project Management of the Canadian High Arctic Research Station (2013-2014) The audit was identified as a high risk during the 2013-2014 RBAP risk assessment.
System Under Development Audit of the Integrated Financial Management System (SAP & GCIMS) (2013-2014) The audit was identified as a high risk during the 2013-2014 RBAP risk assessment.
Audit of Negotiation of Comprehensive Land Claims and Self-Government Agreements (2014-2015) The audit was advanced to 2013-2014 as a partial replacement for the Audit of Claims, Litigation and Environmental Liabilities (2013-14) that was removed from the plan.
Audit of IT Security (2014-2015) The audit was renamed the Audit of IM/IT Security to ensure that IM and IT security risks were both assessed.
Audit of Southern and Northern Oil and Gas (2014-2015) The audit has been removed from the plan (and replaced with an Audit of Southern Oil and Gas (2013-2014) and an Audit of Northern Oil 2014-2015.
Audit of Strategic and Business Planning (2014-2015) The audit was advanced to 2013-2014 (and renamed the Audit of Corporate Business Planning) to address risks associated with the Department's planning processes identified in previous audits.
Audit of the Indian Registration System (2014-2015) The audit was advanced to 2013-2014 to address the risks associated with increased processing of Indian registration applications and the development and implementation of a new Indian Registration Systems.
Date modified: