Multi-Year Internal Audit Plan - 2017-2018 to 2019-2020
Office of Internal Audit and Evaluation Parks Canada
Recommended for Approval by Parks Canada Audit Committee: June 29, 2017
Date Approved by CEO: July 19, 2017
- Executive summary
- Parks Canada Agency
- Internal audit function
- Audit planning methodology and considerations
- Appendix A. Audit universe elements and past coverage
- Appendix B. Description of audit rating
- Appendix C. Planned audits by service group and auditable elements
The Parks Canada Multi-Year Internal Audit Plan 2017-18 to 2019-20 outlines the mandate, organizational structure and resources for internal audit in the Agency and the considerations employed in developing the risk-based plan, and describes the audit projects and activities for the next three years.
Parks Canada’s Office of Internal Audit and Evaluation (OIAE) adheres to the government’s policy, directive and standards for internal audit. The audit function consists of the Chief Audit and Evaluation Executive (CAEE) and nine auditor positions.
The audit universe (i.e., the individual programs, processes or systems that may be subjected to IA activity) consists of 25 entities based on the internal service groups of the Agency’s former Program Alignment Architecture (PAA). Audit entities are described and prioritized based on considerations of significance, public visibility and risk. In principle, audit activities should focus on the entities with the highest priority scores, as determined by a yearly review, for the three-year period of the plan.
This plan proposes:
- 12 assurance audit engagements including support for one project led by the Office of Comptroller General over three years;
- A review engagement focusing on fraud risk governance and assessment in 2017-2018;
- An external assessment of the internal audit function as required by policy in 2017-2018.
The Parks Canada Multi-Year Internal Audit Plan 2017-2018 to 2019-2020, consistent with the Treasury Board (TB) Policy on Internal Audit, outlines the mandate, organizational structure and resources for internal audit in the Agency and the considerations employed in developing the risk-based plan, and describes the audit activities for the next three years.
Parks Canada Agency
Parks Canada was established as a separate departmental corporation in 1998. The Agency's mandate is to:
Protect and present nationally significant examples of Canada's natural and cultural heritage, and foster public understanding, appreciation and enjoyment in ways that ensure the ecological and commemorative integrity of these places for present and future generations.
Responsibility for the Parks Canada Agency rests with the Minister of the Environment and Climate Change. The Parks Canada Chief Executive Officer (CEO) reports directly to the Minister.
Internal audit function
Applicable policies and professional standards
The internal audit function at Parks Canada adheres to the Treasury Board Policy on Internal Audit (2017), and the associated directive and standards. In June 2017, a revised audit charter for the function was approved.
Mandate and services offered
The mandate of the function is to:
Provide independent and objective assurance and consulting services designed to add value and improve the Agency’s operations. It helps the Agency accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of governance processes, risk management strategies and practices, and management control frameworks, systems and practices.
In this context, the function provides the CEO and audit committee with assurance that:
- Risks are appropriately identified and managed;
- Governance arrangements are in place to support strategic direction, monitoring and accountability;
- Significant financial, managerial and operating information is accurate, reliable and timely;
- Activities and actions are in compliance with applicable laws, regulations, policies, standards, and procedures;
- Resources are acquired economically, used efficiently and adequately protected;
- Programs, plans and objectives are achieved;
- Quality and continuous improvement are fostered in the Agency’s control processes;
- Significant legislative or regulatory issues impacting the Agency are recognized and addressed properly.
- Assurance Audits that provide an assessment on the adequacy of the governance and controls in place to ensure that the organization’s risks are managed effectively, that its goals and objectives will be achieved efficiently and economically and that rules, regulations and policies are followed;
- Investigations of possible fraud or wrongdoing;
- Consulting, analysis and advice related to policies, programs, risks, systems and controls.
Follow-up on management responses
The audit cycle includes a systematic follow-up on the management responses to each audit recommendation at six month intervals until recommendations are fully addressed. A summary of progress made in implementing action plans is tabled twice a year at the Agency’s Audit Committee.
The CAEE reports directly and exclusively to the Chief Executive Officer (i.e., deputy head) of the Agency. Consistent with TB Policy on Internal Audit, oversight of the function is provided by an independent audit committee composed of three members external to the public service. The Chief Executive Officer, the Chief Audit and Evaluation Executive and the Chief Financial Officer are ex officio members of the committee. The committee is responsible for reviewing and providing advice and/or recommendations to the CEO, as required, on issues related to:
- Internal audit function and products;
- External audit and review;
- Financial statements and public accounts reporting;
- Risk management;
- Agency accountability reporting;
- Values and ethics;
- Management control framework.
Organizational structure and resources
The organizational chart for the function is shown below. The function consists of eight permanent and one term position. The effective staff complement for 2017-2018 is estimated to be 6.0 FTEs due to positions not being filled at the beginning of the year.
Organizational Structure and Resources Chart - Long description
- Chief Executive Officer
- Chief Audit and Evaluation Executive
- Head, Internal Audit
- Internal Auditor III Operations
- Internal Auditor II
- Internal Auditor II (Term)
- Internal Auditor II Quality/Support
- Internal Auditor III Operations
- Internal Auditor II
- Internal Auditor II
- Internal Auditor I
- Internal Auditor III Operations
The available budget for the audit function in 2017-2018, along with actual expenditures in 2016-2017 and forecasted expenditures in 2017-2018, are shown below.
|Expenditures (000)||Forecasted expenditures as % of available budget|
|Non project O & M||27.0||135|
Audit planning methodology and considerations
Audit planning is based on a listing of auditable entities (i.e., the programs, processes or activities that may be subject to audit) called the audit universe. For 2017-2018 the universe consists of 25 entities based on the internal service groups. The service groups and auditable elements are shown in Appendix A.
In order to prioritize the elements of the audit universe, the function considers the significance, public visibility and risk exposure of each element, consistent with the 2006 OCG Practice Guidebook of Internal Audit Planning for Departments and Agencies. The scoring system for assessing risk is shown in Appendix B. Relevant information for assessing risks is obtained through a review of key Agency documents (e.g., plans, reports, risk profile, other analysis and presentations directed at senior management) in some cases their management teams from January and May 2017.
In addition to audit priority ratings, the function takes account of several additional factors in planning including external commitments to conduct an audit (i.e., typically in the context of special funding approved by TB for new programs or initiatives); past or planned coverage by other assurance providers (OAG/CESD, other Agents of Parliament, the OCG, and program evaluation within the Agency); and the availability of audit resources.
The process results in a list of preliminary proposed audit projects over the next three years. The proposals were presented and discussed at the Agency’s Policy and Operations Committee (APOC), and its Strategic Direction and Policy Committee (SDPC). Final recommendations for proposed projects were discussed at the Executive Management Committee (EMC) followed by validation and recommendation for approval by the Agency’s Audit Committee.
The following table presents the planned projects (internal audits and reviews). Appendix C shows the planned audits by service groups and auditable elements in the audit universe.
The table below presents the project objective, scope and timing. During the planning of each project the scope and objectives will be further refined to ensure that the greatest value is added. During next year’s RBAP update cycle, the relevancy and timing of audits in the second and third year of the plan will be re-evaluated.
|Project||Priority||Objective / Preliminary objective||Scope / Preliminary scope||Timing|
|1. Business continuity planning (in progress)||High||To provide assurance that framework for business continuity planning is in place and practices and procedures with respect to BCP are in compliance with TB and Agency policies and directives.||Focuses on compliance with the relevant directive and standards by ensuring continuity of critical services in place at the Agency.||Planning phase:
|2. Asset accounting (in progress)||Moderate||To provide assurance that controls and processes related to accounting for tangible capital assets are in compliance with TB accounting standards and asset policy and procedures.||Includes the governance and control framework over asset accounting as of March 2016.||Planning phase:
|3. Occupational health and safety program||High||To provide assurance that existing management control framework ensures compliance with occupational health and safety laws, regulations, and policies including the Canada Labour Code Part II, as well as the Treasury Board Policy on Occupational Health and Safety.||The scope of the audit includes key legal requirements related to OHS Committees and Health and Safety Representatives, Training and Awareness, Site Inspection and Incident Reporting.||Planning phase:
|4. Fraud risk assessment||High||Review the Agency’s fraud governance and management framework for prevention, detection, investigation, response and reporting of fraud and conduct a high level fraud risk assessment.||The scope of the review will be Agency wide and focus on identifying Agency fraud risks and controls across several business processes (e.g., procurement, capital assets, inventories, revenues, confidential or classified information, human resources/payroll).||Planning phase:
Years 2 and 3
|Project||Priority||Objective / Preliminary Objective||Scope / Preliminary Scope||Timing|
|5. OCG audit of costing||High||Assess whether departments have implemented costing practices in line with the TBS Guide to Costing and related policy instruments. It will also look at aspects of the Chief Financial Officer attestation requirements.||Includes key costing practices and processes in place within and across departments. Costing information for Cabinet decision making could be an area of focus.||Planning phase:
|6. Information management||High||To assess the state of the current control framework (governance, roles and responsibilities, risk and control) for information management and provide assurance about the level of readiness to comply with applicable TB policies.||Includes progress being made towards the implementation of the TB Policy on Information Management, the Directive on Information Management Roles and Responsibilities and ensuring that governance structures, mechanisms and resources are in place to support the continuous and effective management of information.||Planning phase:
|7. Coordination of legal services in the Agency||Moderate||Assess the control framework in place to ensure that processes for legal services are managed appropriately, that advice is well communicated and can be shared easily.||Includes compliance with Common Services Policy||Planning phase:
|8. Selected environmental management controls||High||To provide assurance that management framework in place allows for sound management of the different environment management activities and that practices are in compliance with PC and government policies and directives.||Includes 20 environmental aspects such as petroleum storage tanks, pesticides, halocarbons and treated wood (PCB, Storage Tanks etc.) that could be audited based on priorities and risks.||Planning phase:
|9. Organization design and classification||Moderate||To provide assurance that decisions made with respect to organizational models and control of salary costs are being implemented as intended.||Focuses on assessing continued compliance across the Agency with respect to organizational design and control of salary expenditures.||Planning phase:
|10. Maximo data quality||Moderate||To provide assurance to senior management that information contained in the national asset information system Maximo is accurate, timely and easily accessible for decision making.||Includes key practices and processes in place to ensure data quality related to assets.||Planning phase:
|11. Revenue controls on canals||Moderate||Focus on compliance with government and Agency's policies and directives with respect to revenue collection.||Includes all types of revenues collected by waterways field units.||Planning phase:
|12. Financial monitoring||Moderate||To provide assurance to senior management that the program is working as intended and enables management to take action in a timely manner when necessary.||Focuses mainly on monitoring process for account payables and post payment verification.||Planning phase:
|Financial and Administrative Processes (Core Controls) Audits in Business Units|
|13. Key financial and administrative processes audits in business units||Moderate||Provide assurance that core controls related to various financial and/or administrative processes are implemented in business units in compliance with government and Agency policies, directives and standards. Business unit is defined as a field unit, national office directorate or other distinct office.||The scope of the audits may include compliance with a variety of financial and administrative requirements (e.g., contracting, travel, hospitality, financial coding, allowances etc.).||Audits of core controls are planned for the latter two years of the period.|
Proposed project schedule
|1. Business continuity planning (in progress)||*||*||*||–||–||–||–||–||–||–||–||–|
|2. Asset accounting (in progress)||*||*||–||–||–||–||–||–||–||–||–||–|
|3. Occupational health and safety program||–||–||*||*||*||*||–||–||–||–||–||–|
|4. OCG audit of costing||–||–||–||–||–||–||–||*||*||*||*||*|
|5. Information management||–||–||–||–||–||*||*||*||*||*||–||–|
|6. Coordination of legal services in the Agency||–||–||–||–||–||–||*||*||*||*||–||–|
|7. Selected environmental management controls||–||–||–||–||*||*||*||*||–||–||–||–|
|8. Organization design and classification||–||–||–||–||–||–||–||–||*||*||*||*|
|9. Maximo (asset) data quality||–||–||–||–||–||–||–||–||–||*||*||*|
|10. Revenue controls on canals||–||–||–||–||–||–||–||*||*||*||–||–|
|11. Financial monitoring||–||–||–||–||–||–||–||–||–||*||*||*|
|Business Unit Audits|
|12. Key F&A audits of business units||–||–||–||–||*||*||*||*||*||*||*||*|
|13. Fraud risk assessment||–||–||*||*||*||–||–||–||–||–||–||–|
|14. External assessment (Practice inspection)||–||–||*||*||*||–||–||–||–||–||–||–|
Project resources (Over all years)
|Hours||O & M||Total ($)
|1. Business continuity planning||Small||925||6,000||47,700|
|2. Asset accounting||Large||1800||150,000||168,000|
|3. Occupational health and safety program||Medium||1300||25,000||83,500|
|4. Fraud risk assessment||Small||–||55,000||55,000|
|5. External assessment of the function||Small||400
|6. OCG audit of costing||Small||400||0||18,000|
|7. Information management (record keeping)||Large||1500||25,000||92,500|
|8. Coordination of legal services in the Agency||Medium||1200||10,000||64,000|
|9. Selected environmental management controls||Large||1500||25,000||92,500|
|10. Organization design and classification||Small||900||6,000||46,500|
|11. Maximo data quality||Large||1500||20,000||87,500|
|12. Revenue controls on canals||Small||900||13,000||53,500|
|13. Financial monitoring||Small||900||9,000||49,500|
|14. Key financial and administrative processes audits of business units
The resources shown in the table are for a single audit. The number of audits during the planning period is not known at this point but is unlikely to exceed four.
Appendix A. Audit universe elements and past coverage
|Internal services groups||Auditable element||Definition||Past coverage|
|1.6.1 Management and oversight||1. Strategic policy, corporate governance, planning and integrated risk management||
||OCG Audit of Compliance with the MRRS Policy (2012)
OAG Implementation of the Labrador Inuit Land Claims Agreement (2016)
|2. Investment planning and project management||Process and activities to prioritize and allocate (reallocate) resources to new and existing projects (assets and acquired services) that are essential to program delivery. Includes processes, controls and systems in place for managing individual projects within the Agency (e.g., environmental and cultural resource, VE assessments, and indigenous consultations as part of project planning). Entity includes processes with respect to infrastructure, conservation and contaminated site projects.||Audit of FII Governance (2017)|
|3. Performance and reporting||Processes and activities to develop and maintain the Performance Measurement Framework, related performance measurement strategies and for reporting on performance (e.g., Departmental Performance Report, State of Reports).||–|
|4. Values and ethics||Processes and activities to foster an organizational culture based on the fundamental values of Respect, Engagement, Excellence, and Integrity, as specified in the Parks Canada Values and Ethics Code. Includes processes and controls for reporting ethical violations or wrongdoing (e.g., Public Disclosure Protection Act) as well as advice and information on ethical situations.||–|
|1.6.2 Communication services||5. Internal||Processes and procedures to create continuous, interactive and multi-directional communication within the Agency. Includes management of Agency intranet site.||–|
|6. External||Frameworks, governance, processes, activities and controls associated with external communications. Includes branding (compliance with), public web site, social and new media use, advertising and promotions.||–|
|1.6.3 Legal services||7. Legal services||Process and frameworks for acquiring legal advice, preparing legal documents, drafting legislation and statutory instruments (or regulations), conducting litigation, and overseeing all legal mechanisms used to achieve the overall objectives of the Agency.||–|
|1.6.4 Human resources management||8. Planning and structuring the workplace||Includes planning and reporting; reviewing, assessing and developing organizational designs; job and position analysis and classification.||–|
|9. Employee management||Processes and activities to support recruitment (staffing), retention, and separation as well as activities associated with employee performance, learning, development and recognition. Includes management of total compensation (e.g., pay, leave).||–|
|10. Workplace management||Processes and activities associated with labor relations (e.g., third party review, managing formal complaints, grievances, discipline) as well as occupational health and safety, management of harassment and discrimination, and promotion of employee well-being. Includes management of Agency obligations with respect to Official Languages, employment equity, disability management and return to work.||OCOL Audit Of Delivery of Bilingual Services to Visitors by Parks Canada (2012)
Independent 5 Year Review Of Human Resources Regime (2014-2015)
|11. HR monitoring and report||Processes, activities and controls to ensure accurate and complete information about organisational structures, positions and employees to support planning, decision making and effective management of obligations and entitlements. Includes both paper and electronic records. Processes for creating reporting tools and mechanisms (e.g., HR dashboard).||–|
|1.6.5 Financial management||12. Governance, planning, forecasting, budgeting, pricing and costing||Processes and activities associated with financial planning, creating authorities (chart of accounts) assigning budgets, forecasting expenditures and establishing financial management capacity. Includes processes and activities for setting prices and costing the Agency programs and initiatives.||OCG Audit of financial forecasting (2013-2014)|
|13. Revenues, receivables and receipts||Processes and controls to ensure the accurate, timely and complete management of revenue and accounts receivable. Includes management of special purpose revenues such as donations, and revenue from partnering.||Audit of POS (2016)
Audit Management of Revenue Rentals and Concessions (2012)
|14. Purchases, payables and payments||Processes and controls to ensure authorization, accounting and timely processing of invoices for payment.||Acquisition Card Process (2012)
5 Financial and Administrative Audits between April 2012 and March 2017.
|15. Partnerships and procurement including G&Cs||Processes and activities to ensure sound frameworks for partnering and procurement are in place and that practices are consistent with TB and Agency policies and directives, and that monitoring occurs to support various reporting requirements (both departmental and government-wide).||–|
|16. Financial monitoring and reporting||Processes and activities to prepare financial reports (variance reports, financial statements, public accounts). Includes processes to monitor financial transactions.||–|
|1.6.6. and 1.6.7 Information management, technology, systems||17. Information management||Includes the processes and procedures in place to achieve efficient and effective information management (IM) over its life cycle including planning and acquisition, disbursement and disposal. Includes access to information and privacy, libraries, record keeping etc.||–|
|18. Information technology||Processes, activities and systems to plan, acquire, implement, operate, support and monitor information technology (IT) hardware, software and networks. Elements included are: IT governance; strategic and investment plans; the use of common or shared IT assets and services, as well as authorized network accesses.||Performance Audit of the GIS (2012)
SSC IT security and disaster recovery controls Assessment (2014-2015)
OCG- Horizontal Internal Audit of Information Technology Security in Large and Small Departments (2016)
|1.6.8 Real property||19. Land management||Process, activities and systems for inventorying lands, recording acquisition and disposal and for managing access to and rights related to crown land (e.g., granting of leases, concession agreements, business permitting).||–|
|20. Built asset management||Process and systems for inventorying and managing Agency built assets including maintenance, inspections, and repairs. Excludes investment planning and asset accounting. Includes management of particular classes of assets (e.g., staff housing).||Audit of Staff Housing (2014)|
|21. Material management||Processes and activities for managing movable assets (e.g., various types of equipment, furniture and furnishings, low dollar value and attractive goods, and larger goods, such as vehicles and ships), in a sustainable and financially responsible manner that supports the cost-effective and efficient delivery of government programs.||–|
|22. Environmental management||Processes and activities for ensuring that the environmental impact of operations (e.g., related to asbestos, contaminated sites, storage tanks, halocarbons, PCBs, pesticides, etc.) are effective and in compliance with legislation and Agency objectives.||–|
|23. Water power||Processes and activities related to management and provision of water power on historic canals as governed by The Dominion Water Power Act and Dominion Water Power Regulations.||–|
|Security||24. Security (property, personal, etc.)||Frameworks, processes and procedures to ensure the security of the property, personnel and equipment.||–|
|25. Emergency preparedness and business continuity||Process and activities to plan for and manage emergency situations consistent with legislation and policy (e.g. fire and building evacuation plans; civil emergency plans) as well as processes and plans for ensuring that the Agency’s critical services can be resumed or continued with minimal disruption during or immediately after an event.||–|
Appendix B. Description of audit rating
Prioritization consists of assigning a significance, public visibility and risk exposure score to each entity (i.e., each with a five-point scale ranging from 1, very low significance, visibility or exposure, to 5, very high significance, visibility or exposure), and then combining the scores (i.e., weighted 30% for significance, 20% for visibility and 50% for risk exposure) to create a final priority score for each entity. Based on these scores, entities are assigned one of four priority ratings.
|Very High||Entities considered to be highly important from an audit standpoint and should be subject to internal audit activity. Where possible, audits of these priorities should be conducted early in the planning cycle to permit the generation of assurance in a timely fashion.|
|High||Entities considered as an important audit priority and should be audited in the planning cycle, but not necessarily in the first year of the plan.|
|Moderate||Audit resources may be expended; however these areas are only of moderate audit priority during this planning cycle.|
|Low||Little to no justification for audit resources to be expended in these areas during this planning cycle.|
Appendix C. Planned audits by service group and auditable elements
|Internal Services Groups||Auditable Element||Audit|
|Legal services||Legal services||Coordination of legal services in the Agency|
|Human resources management||Planning and structuring the workplace||Organization design and classification|
|Workplace management||Occupational health and safety program|
|Financial management||Governance, planning, forecasting, budgeting, pricing and costing||OCG audit of costing in large and small departments|
|Revenues receivables and receipts||Revenue controls on canals|
|Financial monitoring and reporting||Asset accounting
|Information management, technology, and systems||Information management||Information management|
|Real property||Built asset management||Maximo data quality|
|Environmental management||Selected environmental management controls|
|Security||Emergency preparedness and business continuity||Business continuity planning|
|Various depending on Audit Scope||Key financial and administrative processes|