This page has been archived.
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
This report represents the results of the internal audit planning exercise conducted on behalf of the Department of Finance and Treasury Board Secretariat.
The Internal Audit activities are directed by the Assistant Deputy Minister, Corporate Services Branch, who reports to the Deputy Minister of Finance and the Secretary of the Treasury Board. The scope of Internal Audit activities includes all internal administration activities and operating programs of the departments.
This document combines within one planning model the various internal audit plans, which had been previously assessed individually. These include the long term internal audit plans for:
While this document portrays separate audit universes for each of Corporate Services, the Department of Finance and Treasury Board Secretariat, all audit projects listed have been assessed on the same basis.
In the past, program and the corporate services activities have been assessed separately without considering the relative risks in comparison to other components of the two departments. Even within the individual internal audit plans previously developed for the departments, the business risk exposure of potential audit projects was not explicitly addressed.
The approach adopted for this planning exercise departs from the past in two ways:
This report provides management with an assessment of risk and a suggested audit strategy for each potential audit project.
The underlying principle behind this methodology is that change is the only constant in today's operating environment. In order for the internal audit function to be of relevance to management, then its approach to planning must explicitly address change and its effect on operations, business processes and an organization's overall risk exposure.
The assessment provided here provides management with an appreciation of its risk exposure within a comprehensive or corporate framework. Management can then determine what needs to be done to deal with its risk exposure.
In developing this methodology, care was taken to incorporate the suggestions made by the Office of the Auditor General, in its May 1996 report on Internal Audit in Departments and Agencies.
The approach taken for this project involved the following:
In order to maintain the relevance of the internal audit function and to ensure that available resources are put to greatest benefit, the program profiles and risk assessments should be updated annually.
Because the departmental programs are subject to audit by the Office of the Auditor General for purposes of expressing an opinion on the Public Accounts of Canada, this update should be performed after the release of the Auditor General's management letter.
Internal auditing is a means to minimize the business risk of an organization, through the function's examination of and providing assurances on:
As a means to maximize the value-added possible from the function, management needs to assess its overall risk and the risk exposure associated for its component parts.
To be able to evaluate and assess an organization's risk exposure, a risk assessment model needs to be developed. The model needs to first consider the factors to be used to enable risks to be classified and described. The following risk factors were used in assessing the departments' risk exposure:
Consideration needs to be made regarding the relative weighting of risk factors. Should they all be considered equally or should some be given a higher weight? For the model used here, different weights were assigned to the risk factors. A higher relative weight was assigned to those factors which directly related to the scope of management's responsibilities. Other factors, while important, were assigned a lesser weight, because they pertain more to factors beyond management's direct control.
A five-point scale is used here to assess the risk associated with an individual factor. A score of "5" indicates high risk exposure, whereas, "1" indicates low risk exposure. The Overall Risk, as calculated by the table, is the sum of the product for each individual risk factor.
This document should be considered as a tool to aid management decisions regarding the direction to be set for the internal audit function for the immediate future. Toward that end, four appendices have been prepared.
Appendices A, B and Cbreakdown the internal audit universe into three parts and respectively pertain to Corporate Services, the Department of Finance, and Treasury Board Secretariat.
Each of these appendices presents:
Appendix Dprovides an overview of the potential audit projects listed in descending order of overall risk. A summary report is followed by a more detailed report, which contains a suggested audit strategy for each project.
This information is intended primarily to provide direction to the internal audit function on what projects should be undertaken in the upcoming period.
This information is also intended to facilitate an ongoing dialogue between management and the internal audit function. Risk Assessments by Project can be considered by management during the year and if significant changes occur that could have an adverse effect on the business risk exposure, then the internal audit function could be called upon to examine certain aspects of operations, on an as needed basis. These assessments along with supporting program profiles are intended to form the basis for planning, through their update, for subsequent years.
Internal Audit Universe
History of Audit Activity
Risk Assessment by Project
Program profiles are developed for each program component of the organization. Programs, as defined here, may be operational and directly to the organization's mandate, or functional and related to corporate support services. The intent is to develop a sufficient appreciation of the relative importance of a program, its key elements, activities or functional areas, which make up the program, and its business risk exposure. This information is used to complete the second part of the profile, which tasks the auditor to suggest potential audit projects related to that program. [return]