Photographs of some Parks Canada sites

June 2017

Office of Internal Audit and Evaluation Parks Canada

Recommended for Approval by Parks Canada Audit Committee: June 29, 2017
Date Approved by CEO: July 19, 2017

Executive summary

The Parks Canada Multi-Year Internal Audit Plan 2017-18 to 2019-20 outlines the mandate, organizational structure and resources for internal audit in the Agency, the considerations employed in developing the risk based plan and describes the audit projects and activities for the next three years.

Parks Canada’s Office of Internal Audit and Evaluation (OIAE) adheres to the government’s policy, directive and standards for internal audit. The audit function consists of the Chief Audit and Evaluation Executive (CAEE) and nine auditor positions.

The audit universe (i.e., the individual programs, processes or systems that may be subjected to IA activity) consists of 25 entities based on the internal service groups of the Agency’s former Program Alignment Architecture (PAA). Audits entities are described and prioritized based on considerations of significance, public visibility and risk. In principle, audit activities should focus on the entities with the highest priority scores, as determined by a yearly review, for the three year period of the plan.

This plan proposes:

  • 12 assurance audit engagements including support for one project lead by the Office of Comptroller General over three years;
  • A review engagement focusing on fraud risk governance and assessment in 2017-2018;
  • An external assessment of the internal audit function as required by policy in 2017-2018.

Introduction

The Parks Canada Multi-Year Internal Audit plan 2017-2018 to 2019-2020, consistent with the Treasury Board (TB) Policy on Internal Audit, outlines the mandate, organizational structure and resources for internal audit in the Agency, the considerations employed in developing the risk based plan and describes the audit activities for the next three years.

Parks Canada Agency

Parks Canada was established as a separate departmental corporation in 1998. The Agency's mandate is to:

Protect and present nationally significant examples of Canada's natural and cultural heritage, and foster public understanding, appreciation and enjoyment in ways that ensure the ecological and commemorative integrity of these places for present and future generations.

Responsibility for the Parks Canada Agency rests with the Minister of the Environment and Climate Change. The Parks Canada Chief Executive Officer (CEO) reports directly to the Minister.

Internal audit function

Applicable policies and professional standards

The internal audit function at Parks Canada adheres to the Treasury Board Policy on Internal Audit (2017), and the associated directive and standards. In June 2017, a revised audit charter for the function was approved.

Mandate and services offered

The mandate of the function is to:

Provide independent and objective assurance and consulting services designed to add value and improve the Agency’s operations. It helps the Agency accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of governance processes, risk management strategies and practices, and management control frameworks, systems and practices.

In this context, the function provides the CEO and audit committee with assurance that:

  • Risks are appropriately identified and managed;
  • Governance arrangements are in place to support strategic direction, monitoring and accountability;
  • Significant financial, managerial and operating information is accurate, reliable and timely;
  • Activities and actions are in compliance with applicable laws, regulations policies, standards, and procedures;
  • Resources are acquired economically, used efficiently and adequately protected;
  • Programs, plans and objectives are achieved;
  • Quality and continuous improvement are fostered in the Agency’s control processes;
  • Significant legislative or regulatory issues impacting the Agency are recognized and addressed properly.

Services include:

  • Assurance Audits that provide an assessment on the adequacy of the governance and controls in place to ensure that the organization’s risks are managed effectively, that its goals and objectives will be achieved efficiently and economically and that rules, regulations and policies are followed;
  • Investigations of possible fraud or wrong doing;
  • Consulting, analysis and advice related to policies, programs, risks, systems and controls.

Follow-up on management responses

The audit cycle includes a systematic follow-up on the management responses to each audit recommendation at six month intervals until recommendations are fully addressed. A summary of progress made in implementing action plans is tabled twice a year at the Agency’s Audit Committee.

Governance

The CAEE reports directly and exclusively to the Chief Executive Office (i.e., deputy head) of the Agency. Consistent with TB Policy on Internal Audit, oversight of the function is provided by an independent audit committee composed of three members external to the public service. The Chief Executive Officer, the Chief Audit and Evaluation Executive and the Chief Financial Officer are ex officio members of the committee.Footnote 1 The committee is responsible for reviewing and providing advice and/or recommendations to the CEO, as required, on issues related to:

  • Internal audit function and products;
  • External audit and review;
  • Financial statements and public accounts reporting;
  • Risk management;
  • Agency accountability reporting;
  • Values and ethics;
  • Management control framework.

Organizational structure and resources

The organizational chart for the function is shown below. The function consists of eight permanent and one term position. The effective staff complement for 2017-2018 is estimated to be 6.0 FTEs due to positions not being filled at the beginning of the year.

Photographs of some Parks Canada sites
Organizational Structure and Resources Chart - Long description
  • Chief Executive Officer
    • Chief Audit and Evaluation Executive
      • Head, Internal Audit
        • Internal Auditor III Operations
          • Internal Auditor II
          • Internal Auditor II (Term)
        • Internal Auditor II Quality/Support
        • Internal Auditor III Operations
          • Internal Auditor II
          • Internal Auditor II
          • Internal Auditor I

The available budget for the audit function in 2017-2018Footnote 2, along with actual expenditures in 2016-2017 and forecasted expenditures in 2017-2018 are shown below.

Table 1: Actual and Forecasted Expenditures
Available budget
(000)
Expenditures (000) Forecasted expenditures as % of available budget
2016-2017 2017-2018
Actual Forecast
Salaries 675 442.8 625 93
Project costs 375 133.0 140 73
Non project O & M 27.0 135
Total 1,025 602.8 900 88

Audit planning methodology and considerations

Audit planning is based on a listing of auditable entities (i.e., the programs, process or activities that may be subject to audit) call the audit universe. For 2017-2018 the universe consists of 25 entities based on the internal service groups. The service groups and auditable elements are shown in Appendix A.

In order to prioritize the elements of the audit universe the function considers the significance, public visibility and risk exposure of each element consistent with the 2006 OCG Practice Guidebook of Internal Audit Planning for Departments and Agencies. Scores system for assessing risk is shown in Appendix B. Relevant information for assessing risks is obtained through a review of key Agency documents (e.g., plans, reports, risk profile, other analysis and presentations directed at senior management) in some cases their management teams from January and May 2017.

In addition to audit priority ratings, the function takes account of several additional factors in planning including external commitments to conduct an audit (i.e., typically in the context of special funding approved by TB for new programs or initiatives); past or planned coverage by other assurance providers (OAG/CESD, other Agents of Parliament, the OCG, and program evaluation within the Agency); and the availability of audit resources.

The process results in a list of preliminary proposed audit projects over the next three years. The proposals were presented and discussed at the Agency’s Policy and Operations Committee (APOC), and its Strategic Direction and Policy Committee (SDPC). Final recommendations for proposed projects were discussed at the Executive Management Committee (EMC) followed by validation and recommendation for approval by the Agency’s Audit Committee.

Projects

The following table presents the planned projects (internal audits and reviews). Appendix C shows the planned audits by service groups and auditable elements in the audit universe.

The table below presents the project objective, scope and timing. During the planning of each project the scope and objectives will be further refined to ensure that the greatest value is added. During next year’s RBAP update cycle, the relevancy and timing of audits in the second and third year of the plan will be re-evaluated.

Year 1

Project Priority Objective / Preliminary objective Scope / Preliminary scope Timing
1. Business continuity planning (in progress) High To provide assurance that framework for business continuity planning is in place and practices and procedures with respect to BCP are in compliance with TB and Agency policies and directives. Focuses on compliance with the relevant directive and standards by ensuring continuity of critical services in place at the Agency. Planning phase:
Q2, 2016-2017
Reporting Phase:
Q3, 2017-2018
2. Asset accounting (in progress) Moderate To provide assurance that controls and processes related to accounting for tangible capital assets are in compliance with TB accounting standards and asset policy and procedures. Includes the governance and control framework over asset accounting as of March 2016. Planning phase:
Q3, 2016-2017
Reporting Phase:
Q2, 2017-2018
3. Occupational health and safety program High To provide assurance that existing management control framework ensures compliance with occupational heal and safety laws, regulations, and policies including the Canada Labour Code Part II, as well as the Treasury Board Policy on Occupational Health and Safety. The scope of the audit includes key legal requirements related to OHS Committees and Health and Safety Representatives, Training and Awareness, Site Inspection and Incident Reporting. Planning phase:
Q3, 2017-2018
Reporting Phase:
Q2, 2018-2019
4. Fraud risk assessment High Review the Agency’s fraud governance and management framework for prevention, detection, investigation, response and reporting of fraud and conduct a high level fraud risk assessment. The scope of the review will be Agency wide and focus on the identifying Agency fraud risks and controls across several business processes (e.g., procurement, capital assets, inventories, revenues, confidential or classified information, human resources/payroll). Planning phase:
Q3, 2017-2018
Reporting Phase:
Q1, 2018-2019

Years 2 and 3

Project Priority Objective / Preliminary Objective Scope / Preliminary Scope Timing
5. OCG audit of costing High Assess whether departments have implemented costing practices in line with the TBS Guide to Costing and related policy instruments. It will also look at aspects of the Chief Financial Officer attestation requirements. Includes key costing practices and processes in place within and across departments. Costing information for Cabinet decision making could be an area of focus. Planning phase:
Q4 2018-2019
Reporting Phase:
Q1, 2020-2021
6. Information management High To assess the state of the current control framework (governance, roles and responsibilities, risk and control) for information management and provide assurance about the level of readiness to comply with applicable TB policies. Includes progress being made towards the implementation of the TB Policy on Information Management, the Directive on Information Management Roles and Responsibilities and ensuring that governance structures, mechanisms and resources are in place to support the continuous and effective management of information. Planning phase:
Q2 2018-2019
Reporting Phase:
Q2 2019-2020
7. Coordination of legal services in the Agency Moderate Assess the control framework in place to ensure that processes for legal services are managed appropriately, that advices are well communicated and can be shared easily. Includes compliance with Common Services Policy Planning phase:
Q3 2018-2019
Reporting Phase:
Q2 2019-2020
8. Selected environmental management controls High To provide assurance that management framework in place allows for sound management of the different environment management activities and that practices are in compliance with PC and government policies and directives. Includes 20 environmental aspects such as petroleum storage tanks, pesticides, halocarbons and treated wood (PCB, Storage Tanks etc.) that could be audited based on priorities and risks. Planning phase:
Q1 2018-2019
Reporting Phase:
Q4 2018-2019
9. Organization design and classification Moderate To provide assurance that decisions made with respect to organizational models and control of salary costs are being implemented as intended. Focuses on assessing continued compliance across the Agency with respect to organizational design and control of salary expenditures. Planning phase:
Q1 2019-2020
Reporting Phase:
Q4 2019-2020
10. Maximo data quality Moderate To provide assurance to senior management that information contain in the national asset information system Maximo is accurate, timely and easily accessible for decision making. Includes key practices and processes in place to ensure data quality related to assets. Planning phase:
Q2 2019-2020
Reporting Phase:
Q1 2020-2021
11. Revenue controls on canals Moderate Focus on compliance with government and Agency`s policies and directives with respect to revenue collection. Includes all types of revenues collected by waterways field units. Planning phase:
Q4 2018-2019
Reporting Phase:
Q2 2019-2020
12. Financial monitoring Moderate To provide assurance to senior management that the program is working as intended and enables management to take action in a timely manner when necessary. Focuses mainly on monitoring process for account payables and post payment verification. Planning phase:
Q2 2019-2020
Reporting Phase:
Q2 2020-2021
Financial and Administrative Processes (Core Controls) Audits in Business Units
13. Key financial and administrative processes audits in business units Moderate Provide assurance that core controls related to various financial and/or administrative processes are implemented in business units in compliance with government and Agency policies, directives and standards. Business unit is defined as a field unit, national office directorate or other distinct office. The scope of the audits may include compliance with a variety of financial and administrative requirements (e.g., contracting, travel, hospitality, financial coding, allowances etc.). Audits of core controls are planned for the latter two years of the period.

Proposed project schedule

Audit projects 2017-2018 2018-2019 2019-2020
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
1. Business continuity planning (in progress) * * *
2. Asset accounting (in progress) * *
3. Occupational health and safety program * * * *
4. OCG audit of costing * * * * *
5. Information management * * * * *
6. Coordination of legal services in the Agency * * * *
7. Selected environmental management controls * * * *
8. Organization design and classification * * * *
9. Maximo (asset) data quality * * *
10. Revenue controls on canals * * *
11. Financial monitoring * * *
Business Unit Audits
12. Key F&A audits of business units * * * * * * * *
Reviews
13. Fraud risk assessment * * *
14. External assessment (Practice inspection) * * *

Project resources (Over all years)

Project Size
Footnote 3
Hours O & M Total ($)
Footnote 4
2017-2018
1. Business continuity planning Small 925 6,000 47,700
2. Asset accounting Large 1800 150,000 168,000
3. Occupational health and safety program Medium 1300 25,000 83,500
4. Fraud risk assessment Small 55,000 55,000
5. External assessment of the function Small 400
Footnote 5
60,000 78,000
2018-2019
6. OCG audit of costing Small 400 0 18,000
7. Information management (record keeping) Large 1500 25,000 92,500
8. Coordination of legal services in the Agency Medium 1200 10,000 64,000
9. Selected environmental management controls Large 1500 25,000 92,500
2019-2020
10. Organization design and classification Small 900 6,000 46,500
11. Maximo data quality Large 1500 20,000 87,500
12. Revenue controls on canals Small 900 13,000 53,500
13. Financial monitoring Small 900 9,000 49,500
14. Key financial and administrative processes audits of business units
The resources shown in the table are for a single a single audit. The number of audits during the planning period is not known at this point but is unlikely to exceed four.
Small 900 12,000 52,500

Appendix A. Audit universe elements and past coverage

Internal services groups Auditable element Definition Past coverage
1.6.1 Management and oversight 1. Strategic policy, corporate governance, planning and integrated risk management
  • Activities undertaken for determining strategic direction,
  • Governance arrangements for the Agency as a whole
  • Corporate planning processes (e.g., system, corporate, and business plans). Note link to employee performance management through mandate letter process
  • Other key plans which require senior management or ministerial approval (e.g., species at risk plans).
  • Activities undertaken to identify corporate risks and mitigation measures.
  • Activities and processes related to cabinet and legislative affairs
OCG Audit of Compliance with the MRRS Policy (2012)

OAG Implementation of the Labrador Inuit Land Claims Agreement (2016)
2. Investment planning and project management Process and activities to prioritize and allocate (reallocate) resources to new and existing projects (assets and acquired services) that are essential to program delivery. Includes processes, controls and systems in place for managing individual projects within the Agency (e.g., environmental and cultural resource, VE assessments, and indigenous consultations as part of project planning). Entity includes processes with respect to infrastructure, conservation and contaminated site projects. Audit of FII Governance (2017)
3. Performance and reporting Processes and activities to develop and maintain the Performance Measurement Framework, related performance measurement strategies and for reporting on performance (e.g., Departmental Performance Report, State of Reports).
4. Values and ethics Processes and activities to foster an organizational culture based on the fundamental values of Respect, Engagement, Excellence, and Integrity, as specified in the Parks Canada Values and Ethics Code. Includes processes and controls for reporting ethical violations or wrong doing (e.g., Public Disclosure Protection Act) as well as advice and information on ethical situations.
1.6.2 Communication services 5. Internal Processes and procedures to create continuous, interactive and multi-directional communication within the Agency. Includes management of Agency intranet site.
6. External Frameworks, governances, processes, activities and controls associated with external communications. Includes branding (compliance with), public web site, social and new media use, advertising and promotions.
1.6.3 Legal services 7. Legal services Process and frameworks for acquiring legal advice, preparing legal documents, drafting legislation and statutory instruments (or regulations) conducting litigation, and overseeing all legal mechanisms used to achieve the overall objectives of the Agency.
1.6.4 Human resources management 8. Planning and structuring the workplace Includes planning and reporting; reviewing, assessing and developing organizational designs; job and position analysis and classification.
9. Employee management Processes and activities to support recruitment (staffing), retention, and separation as well as activities associated with employee performance, learning, development and recognition. Includes management of total compensation (e.g., pay, leave).
10. Workplace management Processes and activities associated with labor relations (e.g., third party review, managing formal complaints, grievances, discipline) as well as occupational health and safety, management of harassment and discrimination, and promotion of employee well-being. Includes management of Agency obligations with respect to Official Languages, employment equity, disability management and return to work. OCOL Audit Of Delivery of Bilingual Services to Visitors by Parks Canada (2012) 

Independent 5 Year Review Of Human Resources Regime (2014-2015)
11. HR monitoring and report Processes, activities and controls to ensure accurate and complete information about organisational structures, positions and employees to support planning, decision making and effective management of obligations and entitlements. Includes both paper and electronic records. Processes for creating reporting tools and mechanisms (e.g., HR dashboard).
1.6.5 Financial management 12. Governance, planning, forecasting, budgeting, pricing and costing Processes and activities associated with financial planning, creating authorities (chart of accounts) assigning budgets, forecasting expenditures and establishing financial management capacity. Includes processes and activities for setting prices and costing the Agency programs and initiatives. OCG Audit of financial forecasting (2013-2014)
13. Revenues, receivables and receipts Processes and controls to ensure the accurate, timely and complete management of revenue and accounts receivable. Includes management of special purpose revenues such as donations, and revenue from partnering. Audit of POS (2016)

Audit Management of Revenue Rentals and Concessions (2012)
14. Purchases, payables and payments Processes and controls to ensure authorization, accounting and timely processing of invoices for payment. Acquisition Card Process (2012)

5 Financial and Administrative Audits between April 2012 and March 2017.
15. Partnerships and procurement including G&Cs Processes and activities to ensure sound frameworks for partnering and procurement are in place and that practices are consistent with TB and Agency policies and directives, and that monitoring occurs to support various reporting requirements (both departmental and government-wide).
16. Financial monitoring and reporting Processes and activities to prepare financial reports (variance reports, financial statements, public accounts). Includes processes to monitor financial transactions.
1.6.6. and 1.6.7 Information management, technology, systems 17. Information management Includes the processes and procedures in place to achieve efficient and effective information management (IM) over its life cycle including planning and acquisition, disbursement and disposal. Includes access to information and privacy, libraries, record keeping etc.
18. Information technology Processes, activities and systems to plan, acquire, implement, operate, support and monitoring information technology (IT) hardware, software and networks. Elements included are: IT governance; strategic and investment plans; the use of common or shared IT assets and services, as well as authorized network accesses. Performance Audit of the GIS (2012)

SSC IT security and disaster recovery controls Assessment (2014-2015)

OCG- Horizontal Internal Audit of Information Technology Security in Large and Small Departments (2016)
1.6.8 Real property 19. Land management Process, activities and systems for inventorying lands, recording acquisition and disposal and for managing access to and rights related to crown land (e.g., granting of leases, concession agreements, business permitting).
20. Built asset management Process and systems for inventorying and managing Agency built assets including maintenance, inspections, and repairs. Excludes --- investment planning and asset accounting. Includes management of particular classes of assets (e.g., staff housing). Audit of Staff Housing (2014)
21. Material management Processes and activities for managing movable assets (e.g., various types of equipment, furniture and furnishings, low dollar value and attractive goods, and larger goods, such as vehicles and ships), in a sustainable and financially responsible manner that supports the cost-effective and efficient delivery of government programs.
22. Environmental management Processes and activities for ensuring that the environmental impact of operations (e.g., related to asbestos, contaminated sites, storage tanks, halocarbons, PCBs, pesticides, etc.) are effective and in compliance with legislation and Agency objectives.
23. Water power Processes and activities related to management and provision of water power on historic canals as governed by The Dominion Water Power Act and Dominion Water Power Regulations.
Security 24. Security (property, personal, etc.) Frameworks, processes and procedures to ensure the security of the property, personnel and equipment.
25. Emergency preparedness and business continuity Process and activities to plan for and manage emergency situations consistent with legislation and policy (e.g. fire and building evacuation plans; civil emergency plans) as well processes and plans for ensuring that the Agency’s critical services can resumed or continued with minimal disruption during or immediately after an event.

Appendix B. Description of audit rating

Prioritization consists of assigning a significance, public visibility and risk exposure score to each entity (i.e., each with a five point scale ranging from 1 very low significance, visibility or exposure to 5 very high significance, visibility or exposure), and then combining the scores (i.e., weighted 30% for significance, 20% for visibility and 50% for risk exposure) to create a final priority score for each entity. Based on scores entities are assigned one of four priority ratings.

Audit Reporting Rating System
Level Description
Very High Entities considered to be highly important from an audit standpoint and should be subject to internal audit activity. Where possible, audits of these priorities should be conducted early in the planning cycle to permit the generation of assurance in a timely fashion.
High Entities considered as an important audit priority and should be audited in the planning cycle, but not necessarily in the first year of the plan.
Moderate Audit resources may be expended; however these areas are only of moderate audit priority during this planning cycle.
Low Little to no justification for audit resources to be expended in these areas during this planning cycle.

Appendix C. Planned audits by service group and auditable elements

Internal Services Groups Auditable Element Audit
Legal services Legal services Coordination of legal services in the Agency
Human resources management Planning and structuring the workplace Organization design and classification
Workplace management Occupational health and safety program
Financial management Governance, planning, forecasting, budgeting, pricing and costing OCG audit of costing in large and small departments
Revenues receivables and receipts Revenue controls on canals
Financial monitoring and reporting Asset accounting

Financial monitoring
Information management, technology, and systems Information management Information management
Real property Built asset management Maximo data quality
Environmental management Selected environmental management controls
Security Emergency preparedness and business continuity Business continuity planning
Various depending on Audit Scope Key financial and administrative processes