2010-2013 Risk-Based Internal Audit Plan
1. Introduction
1.1 Background
As an officer of Parliament and agent of change, the Office of the Commissioner of Official Languages (OCOL) has a mandate to promote the Official Languages Act and oversee its full implementation, protect the language rights of Canadians, and promote linguistic duality and bilingualism in Canada. It is the duty of the Commissioner to take all actions and measures within the authority of the Commissioner with a view to ensuring recognition of the status of each of the official languages and compliance with the spirit and intent of this Act in the administration of the affairs of federal institutions, including any of their activities relating to the advancement of English and French in Canadian society.
The Commissioner ensures that the three key objectives of the Act are achieved and takes all necessary measures in this respect. These objectives are:
- the equality of English and French in Parliament, the Government of Canada, the federal administration and the institutions subject to the Act;
- the development and vitality of official language minority communities in Canada; and,
- the equal status of English and French in Canadian society.
OCOL has more than 170 employees and an annual budget in excess of $20 million. Annually, OCOL receives over 800 complaints, publishes 2 to 5 audit reports on average, performs legal interventions and the Commissioner performs various activities all across the country to promote official languages.
Over the last few years, OCOL has faced a number of changes and transformations including the evolution of the role of Ombudsman for official languages, the streamlining of the approach to handle complaints and the re-thinking of regional offices' structure and role. Considering that other significant changes are expected, such as an A-Base/strategic review, the implementation of a large IM/IT project and the retirement of key members of personnel, it is clear that a strong risk-based internal audit plan will be an important governance element in helping OCOL achieve its objectives.
This document outlines OCOL's internal audit annual plan for 2010-2013. It also highlights potential areas of audit focus and secures resources to ensure that requests from the Audit and Evaluation Committee and the executive committee can be ensured timely and efficiently. The plan reconfirms the objective of allocating audit resources to those areas that represent the most significant priorities to OCOL, and to ensure that internal audit services will be of greatest benefit to the organization as a whole.
1.2 Approach
The approach on which this plan is based is in compliance with the Institute of Internal Auditors (IIA) Professional Practices Framework. The audit plan was developed as follows:
Risk-Based Audit Planning Approach
1.2.1 Identification of the Audit Universe
The audit universe defines the potential scope of IA activity and is comprised of individual “auditable entities” that may be subjected to IA activity. To ensure alignment between the focus of internal audit and the operational structure of the department, the 23 auditable entities were aligned with the 3 program activities identified in the 2010-2011 Program Activity Architecture (PAA) structure. This table represents OCOL's audit universe.
| Strategic Outcome | Canadians' rights under the Official Languages Act are protected and respected by federal institutions and other organizations subject to the Act; and linguistic duality is promoted in Canadian society. | ||
|---|---|---|---|
| Program Activity | 1. Protection through Compliance Assurance | 2. Promotion through Policy and Communications | 3. Internal Services |
| Auditable Entities |
|
|
|
1.2.2 Environmental Scan of the Audit Universe
The project team conducted a series of interviews with Assistant Commissioners and members of the Audit and Evaluation Committee to identify organizational changes, key risks to which operations are exposed, and ultimately areas where internal audit can be of assistance in supporting the achievement of organizational objectives. The project team leveraged information in the Corporate Risk Profile to facilitate the identification of risk areas for audit planning purposes. This risk information not only provided important insight into the concerns of management, but also provided risk exposure information which was used to prioritize auditable entities and identify necessary audit projects.
1.2.3 Prioritization of Auditable Entities
Each entity that comprises the audit universe was ranked using 2 criteria (risk exposure and importance), each of which is weighted to reflect its relative importance. The following criteria were used, all weighted equally:
Risk Exposure:
- Review of Corporate Risk Profile and Consultations
- Degree and Recentness of Changes
- Complexity / Dependencies / Legislative Requirements
Importance:
- Materiality (the entity's budget, i.e. Low <$500k; Moderate >$500k but <$1M; High >$1M)
- Sensitivity / Public Profile
- Link to Mandate
Taken together, these criteria were applied to derive a total weighted priority score used to generate a preliminary prioritization of the audit universe. Then, recent audit coverage of the entity was considered before assigning it a requirement for audit rating. The outcome is a preliminary ranked list of audit priorities, details of which can be found in Appendix A.
1.2.4 Project Selection and Plan Development
Finally, the project team developed a three year audit plan. To this end, the highest audit priorities identified serve as the starting point, and provide the main, but not only consideration for project selection. The team examined the top priority entities against a variety of constraints and opportunities, including:
- Availability of audit resources over the 3 year period;
- Feasibility of conducting an audit;
- Conduct of other reviews providing oversight (i.e. Program Evaluations, OAG audits, etc.);
- Mandated audit projects (i.e. follow-ups, OAG/PSC obligations for horizontal audits, etc.);
- Management requests; and
- Audit and Evaluation Committee direction.
New priorities are determined based on these considerations; audits are defined for the top priorities. The outcome is a short-list of audit projects and activities to be conducted during the coming three-year planning horizon.
An analysis of the proposed audit coverage of the organization is conducted in order to ensure an appropriately balanced audit plan. The project team considered the number of corporate risks covered by the plan, the number of priorities covered, and how the allocation of audit resources aligns with the organization's expenditures.
Details of audits planned are provided including the scope, objectives, key risks, rationale and timing for each engagement and estimates on resourcing levels. Timing of audits planned is provided with the tabling of the multi-year Risk-based Audit.
A budget of approximately $90,000 has been established for the Internal Audit Function for 2010-2011. The estimated breakdown of expenditures for the 2010-2011 Internal Audit budget is as follows:
- Assurance audits – 100%
- Advisory or other projects – 0%
Based on the audit plan developed and described in section 3, no resource limitations have been identified for the delivery of effective internal audit services for the period covered by this plan.
2. Planning Context
2.1 Role of Internal Audit
Internal audit is an independent, objective entity within OCOL that is designed to add value and improve the organization's operations. It helps OCOL accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The Internal Audit group is led by the Chief Audit Executive who is supported by a variety of staff and external professional service providers with varying skill sets depending on the nature of the audit project.
Generally, OCOL's Internal Audit group provides assurance and advisory services to the Commissioner, the Executive Committee and the Audit and Evaluation Committee. Internal audit work is typically focused on assessing whether the system of internal control within OCOL is adequate and effective to support the following imperatives:
- Achievement of operational objectives;
- Safeguarding of assets;
- Economy and efficiency of operations;
- Reliability and integrity of financial and operational information; and
- Compliance with legislation, policies and procedures
2.2 Strategic Outcome and Operational Priorities
For internal audit planning purposes, it is important to use OCOL's strategic outcome and operational priorities as context for the establishment of internal audit activities to be conducted.
OCOL's strategic outcome reads as follow: Canadians' rights under the Official Languages Act are protected and respected by federal institutions and other organizations subject to the Act; and linguistic duality is promoted in Canadian society. Operational priorities read as follow:
- Work with federal institutions and other organizations subject to the Official Languages Act so that they fully integrate linguistic duality as an important element of leadership.
- Promote to Canada's two official language communities, the value of linguistic duality as one of the key elements of Canadian identity.
- Support official language minority communities in order to foster their development and vitality.
- Strengthen organizational capacity by applying sound management principles and practices with respect to corporate priorities.
2.3 Key Organizational Risks
A critical element in establishing internal audit priorities relates to the key risks being faced by OCOL. A core principle of internal audit at OCOL is to focus resources in areas that will be of the highest value to OCOL – with key risk areas representing a typical starting point. Usually, Internal Audit will build off the organization's risk management framework and OCOL has completed an exercise to develop a corporate-level risk profile.
The corporate risk profile identifies the following four high-rated risks, which are being addressed by senior management through various risk mitigation measures:
- Inadequate IM/IT systems, infrastructure and support. The risk that the IM/IT infrastructure and support are not sufficient to fulfill OCOL's current operational needs. Also the risk that information cannot be collected, analyzed and reported/communicated on a timely basis. Finally, the risk of losing valuable corporate memory.
- Perception that the Official Languages Act may be less relevant. The risk that the public and/or stakeholder groups perceive OCOL and the Official Languages Act as irrelevant. Also, the risk of loss of credibility and influence within the federal government and not being able to fulfill OCOL's mandate.
- Inadequate funding from the federal government The risk that changes to government policy/funding priorities could result in reduced funding to OCOL. Also, the risk that OCOL's expenses increase significantly, due to new requirements necessitating additional unplanned resources.
- Inadequate performance measures and reports. The risk that performance measures are not set or can't be measured. Also the risk that adequate performance information is not collected or that IT systems are not able to collect it. Finally, the risk that corrective measures to address performance gaps are not implemented.
3. Audit Plan Summary
As an Agent of Parliament, OCOL is constantly evolving to respond to the expectations of Canadians and to ensure that it remains relevant, effective and efficient. As identified by management through a series of interviews, the Commissioner's evolving role as an Ombudsman is gradually being reflected in the organization's structure. This new approach is now supported by a modernized approach to investigations, audits, promotion and prevention activities. The roles and responsibilities of regional offices will also be impacted significantly as an initiative is underway to realign regional activities.
The proposed audit plan below accounts for all of these recent changes and also focuses on risks identified in the corporate risk profile, as well as activities required to achieve the organization's strategic outcome. This audit plan will bring added value to the organization by ensuring that the Executive Committee and the Audit and Evaluation Committee are provided with recommendations on OCOL's management practices, control frameworks, policies, directives, etc. in areas considered by management as having a higher risk level or as being of particular interest to better manage the organization.
Audit projects where management determined there is the greatest need for support and value-added assistance within the first year of the plan (2010-2011) includes:
- an audit of integrated planning practices;
- an audit of investigation practices; and,
- an audit of Parliamentary relations (will be started in 2010-2011 but completed in 2011-2012).
For the following two years of the plan, it was determined that research and studies activities, the regional office restructuration pilot project, workplace health and safety and the IM/IT renewal project (when funding from this project is eventually obtained) would benefit from audit activity. Three potential audit projects have also been identified. These potential audits may be conducted if another audit project is postponed, cancelled, or if capacity is sufficient to undertake these potential audits.
The table in Section 4 provides a listing of the proposed audit projects along with their scope, objective and rationale. The proposed audit timing, relative audit effort, scope, objective and rationale might be modified through time as new issues or needs arise and are brought to the Audit and Evaluation Committee's attention. For further details on the rationale to select these audit projects, please refer to Appendix A.
To finalize this plan, it is expected that it will be recommended for approval by the Executive Committee, approved by the Audit and Evaluation Committee, and ultimately by the Commissioner.
4. Audit Project Descriptions
4.1 Audit Projects
The table below provides the objective/scope and rationale for each of the audit projects proposed for 2010 to 2013. The rationale includes, where applicable, a mapping to the identified key risks facing OCOL and a reference to the audit priority rating as detailed in Appendix A. Finally, it should be noted that final scope/objectives for the audits may be modified depending on the results of the planning phases of each of the respective projects. In addition to the proposed audit projects below, Internal Audit will continue to attend key management and Audit and Evaluation Committee meetings, conduct follow-ups on previous audits (as appropriate), and develop the annual internal audit plan (i.e. this document).
| Year | Audit Project Name | Primary Entity | Relative Audit Effort | Audit Scope/Objective/Rationale |
|---|---|---|---|---|
| 2010-2011 | Audit of Integrated Planning Practices | Corporate Services Branch | Moderate |
|
| 2010-2011 | Audit of Investigation Practices | Compliance Assurance Branch | High |
|
| 2010-2011 (will be started in 2010-2011 but completed in 2011-2012) | Audit of Parliamentary Relations | Policy and Communications Branch | Low |
|
| 2011-2012 | Audit of Regional Pilot Project | Policy and Communications Branch | Moderate |
|
| 2011-2012 | Audit of Research and Studies Activities | Policy and Communications Branch | Moderate |
|
| 2012-2013 | Workplace Health and Safety Audit | Corporate Services Branch | Low |
|
| 2012-2013 (actual timing to be aligned with project timelines) | IM/IT Renewal Project Audit | Corporate Services Branch | High |
|
| Potential Audit – timing TBD | Audit of Strategic Communications and Promotion (scope to be further refined) | Policy and Communications Branch | High |
|
| Potential Audit – timing TBD | Audit of CAB Audit Practices | Compliance Assurance Branch | High |
|
| Potential Audit – timing TBD | Audit of Strategic Performance Management | Policy and Communications Branch | High |
|
4.2 Relative Audit Effort Definitions
The following table provides a definition for the relative audit effort identified in the table above. Please note that these definitions are provided as indication only and could vary based on the audit scope and objectives.
| Relative Audit Effort Rating | Definition |
|---|---|
| Low | Less than $20,000 |
| Moderate | Between $20,000 and $40,000 |
| High | Over $40,000 |
5. Appendix A – Audit Prioritization
The following rating criteria were used to prioritize auditable entities and establish audit plan priorities.
| Criteria | Ratings | ||||
|---|---|---|---|---|---|
| Total Weight | Total Weight | Definitions | |||
When determining audit priority ratings for each audit entity, the following scale was used:
|
|||||
| Risk Exposure | 50% | Review of Corporate Risk Profile and consultations | 1/6 | Review of the Corporate Risk Profile and consultations with Assistant Commissioners and Audit and Evaluation Committee members provides insights on the risk exposure of each auditable entity. |
|
| Degree and Recentness of Changes | 1/6 | Impact of change includes the magnitude, history and timing of the change. This criterion includes all changes recently done or anticipated during the 3 years audit planning scope. Changes considered include:
|
|
||
| Complexity / Dependencies / Legislative Requirements | 1/6 | The complexity of business processes, technology and regulatory environment are considered. The greater the dependencies, the more coordination required. Legislative requirements consider the extent of obligations of OCOL from legislation. |
|
||
| Importance | 50% | Materiality | 1/6 | This criterion considers the dollar value associated with both O&M and Salaries for 2010-2011 for each entity. |
|
| Sensitivity / Public Profile | 1/6 | External and internal factors and activities influencing an organization's policy and management agenda. Factors considered include:
|
|
||
| Link to Mandate | 1/6 | All activities linked directly to OCOL's strategic outcome are inherently high risk as they are key to fulfilling the organization's mandate. |
|
||
The following table provides a complete analysis of risk exposure, importance and recent audit coverage for each activity included in the audit universe. This analysis ensures that this risk based audit plan will focus on high risk areas and areas of concern for management.
| Audit Entity | 2010-2013 Audit Prioritization | Proposed 2010-2013 Audits | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Risk Exposure | Importance | Audit Priority Rating | Recent Audit Coverage | Audit Requirement Rating and Rationale | ||||||
| Consultations & Risk Profile | Recentness of Changes | Complexity & Dependencies | Materiality | Sensitivity & Public Profile | Link to Mandate | |||||
| 1. Investigations | 2 | 3 | 2 | 3 | 3 | 3 | 2.66 High |
No recent audit coverage. | Audit Requirement Rating: High |
2010-11
Audit
Projects
|
| Considering the high audit priority rating, the lack of past audit coverage and recent structural changes at OCOL impacting investigations, an audit of investigation practices would be beneficial to help ensure that investigation practices are appropriate. | ||||||||||
| 2. Audits | 2 | 2 | 2 | 3 | 3 | 3 | 2.5 High |
The External Audits Process went through a Quality Assurance Review in April 2010. | Audit Requirement Rating: Moderate |
Potential
Audit
Project
|
| Considering that the audit process has gone through a quality assurance review recently, an audit may not be required at this time; however, considering the importance of this activity, a potential audit project has been identified. | ||||||||||
| 3. Strategic Performance Management | 1 | 1 | 1 | 3 | 3 | 3 | 2.00
Moderate |
No recent audit coverage. | Audit Requirement Rating: Moderate |
Potential
Audit
Project
|
| Considering the audit priority rating and discussions with management, an audit may not be required at this time as there were no significant issues identified with this activity; however, considering the importance of this activity, a potential audit project has been identified. | ||||||||||
| 4. Legal Affairs | 1 | 2 | 1 | 2 | 3 | 3 | 2.00
Moderate |
No recent audit coverage. | Audit Requirement Rating: Moderate | None identified |
| Considering the audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues identified with this activity. | ||||||||||
| 5. Branch Management Support (CAB & LAB) | 1 | 1 | 2 | 3 | 1 | 2 | 1.67
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues identified with this activity. | ||||||||||
| 6. Policy and Research | 3 | 2 | 2 | 3 | 2 | 3 | 2.50 High |
No recent audit coverage. | Audit Requirement Rating: High |
2011-12
Audit
Projects
|
| Considering the high audit priority rating, the lack of recent audit coverage, management consultations and the recent changes with this activity, an audit of research activities is recommended. | ||||||||||
| 7. Parliamentary Relations | 3 | 1 | 1 | 1 | 3 | 3 | 2.00
Moderate |
No recent audit coverage. | Audit Requirement Rating: Moderate |
2010-11
Audit
Projects
|
| Considering the Moderate audit priority rating, the lack of recent audit coverage, the recent changes in the Commissioner's role and the importance of parliamentary relations, an audit of this activity is recommended. | ||||||||||
| 8. Strategic Communications and Promotion | 2 | 1 | 1 | 3 | 3 | 3 | 2.17
Moderate |
No recent audit coverage. | Audit Requirement Rating: Moderate |
Potential
Audit
Project
|
| Considering the audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues or changes identified with this activity; however, considering the importance of this activity, a potential audit project has been identified. | ||||||||||
| 9. Regional Operations | 3 | 3 | 1 | 3 | 2 | 2 | 2.33 High |
No recent audit coverage. | Audit Requirement Rating: High |
2011-12
Audit
Projects
|
| Considering the high audit priority rating, changes in the Commissioner's role, upcoming structural changes and based on discussions with management, an audit of this activity is recommended. | ||||||||||
| 10. Branch Management Support (PCB) | 1 | 1 | 1 | 2 | 1 | 2 | 1.33
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues identified with this activity. | ||||||||||
| 11. Strategic Planning | 3 | 2 | 2 | 1 | 1 | 2 | 1.83
Moderate |
No recent audit coverage. | Audit Requirement Rating: Moderate |
2010-11
Audit
Projects
|
| Considering that the planning function has been recently relocated within Corporate Services, and that integrated planning is relatively new yet increasingly important as OCOL is faced with important decisions when it comes to funds allocations, an audit of this activity is recommended. | ||||||||||
| 12. Human Resources Management | 2 | 1 | 2 | 2 | 1 | 2 | 1.67
Low |
An internal Audit of Human Resources Management Practices was completed in June 2009. The Public Service Commission also regularly audits OCOL's HR practices. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating, the fact that an audit of HR practices was recently completed and that no other significant HR related issues were brought up by management, an audit is not required at this time. | ||||||||||
| 13. Finance | 1 | 1 | 2 | 2 | 1 | 2 | 1.50
Low |
OAG's annual financial audits. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues identified with this activity. | ||||||||||
| 14. Information Technologies | 3 | 3 | 3 | 3 | 1 | 2 | 2.50 High |
An internal Audit of Information Management and Information Technology Governance was completed in January 2010. | Audit Requirement Rating: Moderate |
2012-13
Audit
Projects
|
| As considerable amounts of resources are being allocated to the IM/IT Renewal Project, its success is critical to the organization. Large IM/IT projects are inherently risky as they introduce numerous organizational changes. The timing of the audit is intended to align with the mid-point of the project lifecycle. | ||||||||||
| 15. Information Management | 3 | 3 | 3 | 2 | 1 | 2 | 2.33 High |
An internal Audit of Information Management and Information Technology Governance was completed in January 2010. | Audit Requirement Rating: Moderate |
2012-13
Audit
Projects
|
| Considering the fact that an audit of IM/IT governance was completed recently and that no other significant IM related issues were brought up by management, an audit is not required at this time. | ||||||||||
| 16. Commissioner's Office | 1 | 1 | 1 | 2 | 2 | 2 | 1.50
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues identified with this activity. | ||||||||||
| 17. Internal Audit and Evaluation | 1 | 2 | 1 | 1 | 2 | 2 | 1.50
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were no significant issues identified with this activity. | ||||||||||
| 18. Access to Information and Privacy | 1 | 1 | 2 | 1 | 3 | 2 | 1.66
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were not significant issues identified with this activity. | ||||||||||
| 19. Procurement, Acquisition Cards and Contracting | 1 | 1 | 2 | 1 | 2 | 2 | 1.50
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were not significant issues identified with this activity. | ||||||||||
| 20. OCOL Travel and Hospitality | 1 | 1 | 1 | 2 | 2 | 2 | 1.50
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were not significant issues identified with this activity. | ||||||||||
| 21. Values and Ethics | 1 | 2 | 1 | 1 | 1 | 2 | 1.33
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were not significant issues identified with this activity. | ||||||||||
| 22. Branch Management Support (CSB) | 1 | 1 | 2 | 1 | 1 | 2 | 1.33
Low |
No recent audit coverage. | Audit Requirement Rating: Low | None identified |
| Considering the low audit priority rating and discussions with management, an audit is not required at this time as there were not significant issues identified with this activity. | ||||||||||
| 23. Administrative Services | 3 | 2 | 2 | 2 | 1 | 2 | 2.0
Moderate |
No recent audit coverage. | Audit Requirement Rating: Moderate |
2012-13
Audit
Projects
|
| Workplace health and safety across the federal government is an important issue. OCOL recognized the importance of health and safety by recently creating a committee dedicated to this area. An audit of activities and practices pertaining to health and safety is recommended. | ||||||||||