Multi-Year Internal Audit Plan - 2018-2019 to 2019-2020
Office of Internal Audit and Evaluation Parks Canada
Recommended for Approval by Parks Canada Audit Committee: June 27, 2018
Date Approved by CEO: June 29, 2018
Table of Contents
- Executive summary
- Parks Canada Agency
- Internal audit function
- Audit planning methodology and considerations
- Appendix A. Audit universe elements and past coverage
- Appendix B. Description of audit rating
- Appendix C. Planned audits by service group and auditable elements
The Parks Canada Multi-Year Internal Audit Plan 2018-19 to 2019-20 outlines the mandate, organizational structure and resources for internal audit in the Agency and the considerations employed in developing the risk-based plan, and describes the audit projects and activities for the next two years.
Parks Canada’s Office of Internal Audit and Evaluation (OIAE) adheres to the government’s policy, directive and standards for internal audit. The audit function consists of the Chief Audit and Evaluation Executive (CAEE) and nine auditor positions.
The audit universe (i.e., the individual programs, processes or systems that may be subjected to IA activity) consists of 25 entities based on the internal service groups of the Agency’s former Program Alignment Architecture (PAA). Audit entities are described and prioritized based on considerations of significance, public visibility and risk. In principle, audit activities should focus on the entities with the highest priority scores, as determined by a yearly review, for the two-year period of this plan.
For 2018-19 there was no new scoring of risks, rather a review of the proposed projects from the 2017-18 to 2019-20 plan. This plan proposes:
- Seven assurance audit engagements; and
- A review engagement focusing on fraud risk governance and assessment in 2018-2019.
The Parks Canada Multi-Year Internal Audit Plan 2018-2019 to 2019-2020, consistent with the Treasury Board (TB) Policy on Internal Audit, outlines the mandate, organizational structure and resources for internal audit in the Agency and the considerations employed in developing the risk-based plan, and describes the audit activities for the next two years.
Parks Canada Agency
Parks Canada was established as a separate departmental corporation in 1998. The Agency's mandate is to:
“Protect and present nationally significant examples of Canada's natural and cultural heritage, and foster public understanding, appreciation and enjoyment in ways that ensure the ecological and commemorative integrity of these places for present and future generations.”
Responsibility for the Parks Canada Agency rests with the Minister of the Environment and Climate Change. The Parks Canada Chief Executive Officer (CEO) reports directly to the Minister.
Internal audit function
Applicable policies and professional standards
The internal audit function at Parks Canada adheres to the Treasury Board Policy on Internal Audit (2017), and the associated directive. In June 2017, a revised audit charter for the function was approved.
Mandate and services offered
The mandate of the function is to:
“Provide independent and objective assurance and consulting services designed to add value and improve the Agency’s operations. It helps the Agency accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of governance processes, risk management strategies and practices, and management control frameworks, systems and practices.”
In this context, the function provides the CEO and audit committee with assurance that:
- Risks are appropriately identified and managed;
- Governance arrangements are in place to support strategic direction, monitoring and accountability;
- Significant financial, managerial and operating information is accurate, reliable and timely;
- Activities and actions are in compliance with applicable laws, regulations, policies, standards, and procedures;
- Resources are acquired economically, used efficiently and adequately protected;
- Programs, plans and objectives are achieved;
- Quality and continuous improvement are fostered in the Agency’s control processes;
- Significant legislative or regulatory issues impacting the Agency are recognized and addressed properly.
- Assurance Audits that provide an assessment on the adequacy of the governance and controls in place to ensure that the organization’s risks are managed effectively, that its goals and objectives will be achieved efficiently and economically and that rules, regulations and policies are followed;
- Investigations of possible fraud or wrongdoing;
- Consulting, analysis and advice related to policies, programs, risks, systems and controls.
Follow-up on management responses
The audit cycle includes a systematic follow-up on the management responses to each audit recommendation at quarterly intervals until recommendations are fully addressed. A summary of progress made in implementing action plans is tabled twice a year at the Agency’s Audit Committee.
The CAEE reports directly and exclusively to the Chief Executive Officer (i.e., deputy head) of the Agency. Consistent with TB Policy on Internal Audit, oversight of the function is provided by an independent audit committee composed of three members external to the public service. The Chief Executive Officer, the Chief Audit and Evaluation Executive and the Chief Financial Officer are ex officio members of the committee. The committee is responsible for reviewing and providing advice and/or recommendations to the CEO, as required, on issues related to:
- Internal audit function and products;
- External audit and review;
- Financial statements and public accounts reporting;
- Risk management;
- Agency accountability reporting;
- Values and ethics;
- Management control framework.
Organizational structure and resources
The organizational chart for the function is shown below. The function consists of eight permanent and one term positions. The effective staff complement for 2018-2019 is estimated to be 5.0 FTEs due to positions not being filled at the beginning of the year.
The available budget for the audit function in 2018-2019, along with actual expenditures in 2017-2018 and forecasted expenditures in 2018-2019, are shown below.
|Expenditures (000’s)||Forecasted expenditures as % of available budget|
|Non project O&M||20.7||80|
As of June 2018, the capacity for the internal audit team to carry out the RBAP is impacted by a current shortage of resources, as only 4 of the 9 positions are currently occupied. The audit team expects to fill one vacant manager position, and one internal auditor position during the summer. There is a high likelihood that the two B-base senior internal audit positions will not be staffed and the associated funding, $170K, is earmarked for Federal Infrastructure Investment (FII) related projects. This FII-related funding may be used by the Program Evaluation team.
Audit planning methodology and considerations
Audit planning is based on a listing of auditable entities (i.e., the programs, processes or activities that may be subject to audit) called the audit universe. For 2018-2019 the universe consists of 25 entities based on the internal service groups. The service groups and auditable elements are shown in Appendix A.
In order to prioritize the elements of the audit universe the function considers the significance, public visibility and risk exposure of each element consistent with the 2006 OCG Practice Guidebook of Internal Audit Planning for Departments and Agencies. The scoring system for assessing risk is shown in Appendix B. Relevant information for assessing risks is obtained through a review of key Agency documents (e.g., plans, reports, risk profile, other analysis and presentations directed at senior management) and in some cases their management teams in January and February 2018.
In addition to audit priority ratings, the function takes account of several additional factors in planning including external commitments to conduct an audit (i.e., typically in the context of special funding approved by TB for new programs or initiatives); past or planned coverage by other assurance providers (OAG/CESD, other Agents of Parliament, the OCG, and program evaluation within the Agency); and the availability of audit resources.
The process results in a list of preliminary proposed audit projects over the next two years. The proposals were presented and discussed at the Agency’s Policy and Operations Committee (APOC). Final recommendations for proposed projects were discussed at the Executive Management Committee (EMC) followed by validation and recommendation for approval by the Agency’s Audit Committee.
The following table presents the planned projects (internal audits and reviews). Appendix C shows the planned audits by service groups and auditable elements in the audit universe. The table below presents the project objective, scope and timing. During the planning of each project the scope and objectives will be further refined to ensure that the greatest value is added. During next year’s RBAP update cycle, the relevancy and timing of audits in the second year of the plan will be re-evaluated. The RBAP process is currently under review to improve the process and benchmark with other federal government organizations. For 2018-19 there was no new scoring of projects, rather a review of the proposed projects from the 2017-18 to 2019-20 plan that resulted in the following changes:
- the removal of the Audit of Organization Design and Classification;
- elements of the Audit of Selected Environmental Management Controls were incorporated into the audit of OHS; and
- pulling in the timeframe for audits of finance and administration of specific Field Units.
|Project||Priority||Objective / Preliminary objective||Scope / Preliminary scope||Timing|
|1. Occupational health and safety program||High||To provide assurance that existing management control framework ensures compliance with occupational health and safety laws, regulations, and policies including the Canada Labour Code Part II, as well as the Treasury Board Policy on Occupational Health and Safety. Also includes aspects of environmental management controls with an OHS perspective.||The scope of the audit includes key legal requirements related to OHS Committees and Health and Safety Representatives, Training and Awareness, Site Inspection and Incident Reporting. It will also include testing some of the controls related to environmental management.||Planning phase:
|2. Fraud risk assessment||Moderate||Review the Agency’s fraud governance and management framework for prevention, detection, investigation, response and reporting of fraud and conduct a high-level fraud risk assessment.||The scope of the review will be Agency wide and focus on identifying Agency fraud risks and controls across several business processes (e.g., procurement, capital assets, inventories, revenues, confidential or classified information, human resources/payroll).||Planning phase:
|3. Coordination of legal services in the Agency||Moderate||Assess the control framework in place to ensure that processes for legal services are managed appropriately, that advice is well communicated and can be shared easily.||Includes compliance with Common Services Policy||Planning phase:
|4. Information management||High||To assess the state of the current control framework (governance, roles and responsibilities, risk and control) for information management (IM) and provide assurance about the level of readiness to comply with applicable TB policies.||Includes progress being made towards the implementation of the TB Policy on IM, the Directive on IM Roles and Responsibilities and ensuring that governance structures, mechanisms and resources are in place to support the continuous and effective management of information.||Planning phase:
|5. Key financial and administrative processes audits in business units||Moderate||Provide assurance that core controls related to various financial and/or administrative processes are implemented in business units in compliance with government and Agency policies, directives and standards. Business unit is defined as a field unit, national office directorate or other distinct office.||The scope of the audits may include compliance with a variety of financial and administrative requirements (e.g., contracting, travel, hospitality, financial coding, allowances etc.).||Planning phase:
|6. Audit of costing||High||Assess whether departments have implemented costing practices in line with the TBS Guide to Costing and related policy instruments. It will also look at aspects of the Chief Financial Officer attestation requirements.||Includes key costing practices and processes in place within and across departments. Costing information for Cabinet decision making could be an area of focus.||Planning Phase:
|7. Maximo data quality||Moderate||To provide assurance to senior management that information contained in the national asset information system Maximo is accurate, timely and easily accessible for decision making.||Includes key practices and processes in place to ensure data quality related to assets.||Planning phase:
|8. Revenue controls on canals||Moderate||Focus on compliance with government and Agency’s policies and directives with respect to revenue collection.||Includes all types of revenues collected by waterways field units.||Planning phase:
|1. Occupational health and safety program||•||•||•||•|
|2. Fraud risk assessment||•||•|
|3. Coordination of legal services in the Agency||•||•||•||•|
|4. Information management||•||•||•||•||•|
|5. Key F&A audits of business units||•||•||•||•||•|
|6. Audit of costing||•||•||•||•||•|
|7. Maximo (asset) data quality||•||•||•||•|
|8. Revenue controls on canals||•||•||•||•||•|
|Project||Size||Hours||O & M||Total ($)|
|1. Occupational health and safety program||Large||3000||80,000||215,000|
|2. Fraud risk assessment||Small||300||60,000||73,500|
|3. Coordination of legal services in the Agency||Medium||1000||10,000||55,000|
|4. Information management (record keeping)||Medium||1500||25,000||92,500|
|5. 2 Key financial and administrative processes audits of business units
The resources shown in the table are for two audits. The number of audits during the planning period is not known at this point but is unlikely to exceed two.
|6. Audit of costing||Medium||1500||20,000||87,500|
|7. Maximo data quality||Medium||1500||15,000||82,500|
|8. Revenue controls on canals||Medium||1000||15,000||60,000|
Appendix A. Audit universe elements and past coverage
|Internal services groups||Auditable element||Definition||Past coverage|
|1.6.1 Management and oversight||1. Strategic policy, corporate governance, planning and integrated risk management||
||OCG Audit of Compliance with the MRRS Policy (2012)
OAG Implementation of the Labrador Inuit Land Claims Agreement (2016)
|2. Investment planning and project management||Process and activities to prioritize and allocate (reallocate) resources to new and existing projects (assets and acquired services) that are essential to program delivery. Includes processes, controls and systems in place for managing individual projects within the Agency (e.g., environmental and cultural resource, VE assessments, and indigenous consultations as part of project planning). Entity includes processes with respect to infrastructure, conservation and contaminated site projects.||Audit of FII Governance (2017)|
|3. Performance and reporting||Processes and activities to develop and maintain the Performance Measurement Framework, related performance measurement strategies and for reporting on performance (e.g., Departmental Performance Report, State of Reports).|
|4. Values and ethics||Processes and activities to foster an organizational culture based on the fundamental values of Respect, Engagement, Excellence, and Integrity, as specified in the Parks Canada Values and Ethics Code. Includes processes and controls for reporting ethical violations or wrongdoing (e.g., Public Disclosure Protection Act) as well as advice and information on ethical situations.|
|1.6.2 Communication services||5. Internal||Processes and procedures to create continuous, interactive and multi-directional communication within the Agency. Includes management of Agency intranet site.|
|6. External||Frameworks, governances, processes, activities and controls associated with external communications. Includes branding (compliance with), public web site, social and new media use, advertising and promotions.|
|1.6.3 Legal services||7. Legal services||Process and frameworks for acquiring legal advice, preparing legal documents, drafting legislation and statutory instruments (or regulations) conducting litigation, and overseeing all legal mechanisms used to achieve the overall objectives of the Agency.|
|1.6.4 Human resources management||8. Planning and structuring the workplace||Includes planning and reporting; reviewing, assessing and developing organizational designs; job and position analysis and classification.|
|9. Employee management||Processes and activities to support recruitment (staffing), retention, and separation as well as activities associated with employee performance, learning, development and recognition. Includes management of total compensation (e.g., pay, leave).|
|10. Workplace management||Processes and activities associated with labor relations (e.g., third party review, managing formal complaints, grievances, discipline) as well as occupational health and safety, management of harassment and discrimination, and promotion of employee well-being. Includes management of Agency obligations with respect to Official Languages, employment equity, disability management and return to work.||OCOL Audit Of Delivery of Bilingual Services to Visitors by Parks Canada (2012)
Independent 5 Year Review Of Human Resources Regime (2014-2015)
|11. HR monitoring and report||Processes, activities and controls to ensure accurate and complete information about organisational structures, positions and employees to support planning, decision making and effective management of obligations and entitlements. Includes both paper and electronic records. Processes for creating reporting tools and mechanisms (e.g., HR dashboard).|
|1.6.5 Financial management||12. Governance, planning, forecasting, budgeting, pricing and costing||Processes and activities associated with financial planning, creating authorities (chart of accounts) assigning budgets, forecasting expenditures and establishing financial management capacity. Includes processes and activities for setting prices and costing the Agency programs and initiatives.||OCG Audit of financial forecasting (2013-2014)|
|13. Revenues, receivables and receipts||Processes and controls to ensure the accurate, timely and complete management of revenue and accounts receivable. Includes management of special purpose revenues such as donations, and revenue from partnering.||Audit of POS (2016)
Audit Management of Revenue Rentals and Concessions (2012)
|14. Purchases, payables and payments||Processes and controls to ensure authorization, accounting and timely processing of invoices for payment.||Acquisition Card Process (2012)
5 Financial & Administrative Audits between April 2012 and March 2017.
|15. Partnerships and procurement including G&Cs||Processes and activities to ensure sound frameworks for partnering and procurement are in place and that practices are consistent with TB and Agency policies and directives, and that monitoring occurs to support various reporting requirements (both departmental and government-wide).|
|16. Financial monitoring and reporting||Processes and activities to prepare financial reports (variance reports, financial statements, public accounts). Includes processes to monitor financial transactions.||Audit of Asset Accounting (2018)|
|1.6.6. and 1.6.7 Information management, technology, systems||17. Information management||Includes the processes and procedures in place to achieve efficient and effective information management (IM) over its life cycle including planning and acquisition, disbursement and disposal. Includes access to information and privacy, libraries, record keeping etc.|
|18. Information technology||Processes, activities and systems to plan, acquire, implement, operate, support and monitor information technology (IT) hardware, software and networks. Elements included are: IT governance; strategic and investment plans; the use of common or shared IT assets and services, as well as authorized network accesses.||Performance Audit of the GIS (2012)
SSC IT security & disaster recovery controls Assessment (2014-2015)
OCG- Horizontal Internal Audit of Information Technology Security in Large and Small Departments (2016)
|1.6.8 Real property||19. Land management||Process, activities and systems for inventorying lands, recording acquisition and disposal and for managing access to and rights related to crown land (e.g., granting of leases, concession agreements, business permitting).|
|20. Built asset management||Process and systems for inventorying and managing Agency built assets including maintenance, inspections, and repairs. Excludes investment planning and asset accounting. Includes management of particular classes of assets (e.g., staff housing).||Audit of Staff Housing (2014)|
|21. Material management||Processes and activities for managing movable assets (e.g., various types of equipment, furniture and furnishings, low dollar value and attractive goods, and larger goods, such as vehicles and ships), in a sustainable and financially responsible manner that supports the cost-effective and efficient delivery of government programs.|
|22. Environmental management||Processes and activities for ensuring that the environmental impact of operations (e.g., related to asbestos, contaminated sites, storage tanks, halocarbons, PCBs, pesticides, etc.) are effective and in compliance with legislation and Agency objectives.|
|23. Water power||Processes and activities related to management and provision of water power on historic canals as governed by The Dominion Water Power Act and Dominion Water Power Regulations.|
|Security||24. Security (property, personal, etc.)||Frameworks, processes and procedures to ensure the security of the property, personnel and equipment.|
|25. Emergency preparedness and business continuity||Process and activities to plan for and manage emergency situations consistent with legislation and policy (e.g. fire and building evacuation plans; civil emergency plans) as well as processes and plans for ensuring that the Agency’s critical services can be resumed or continued with minimal disruption during or immediately after an event.||Audit of BCP (2018)|
Appendix B. Description of audit rating
- Prioritization consists of assigning a significance, public visibility and risk exposure score to each entity (i.e., each with a five point scale ranging from 1 very low significance, visibility or exposure to 5 very high significance, visibility or exposure), and then combining the scores (i.e., weighted 30% for significance, 20% for visibility and 50% for risk exposure) to create a final priority score for each entity. Based on these scores entities are assigned one of four priority ratings. This rating exercise will be included in the RBAP process review and was not performed in detail in recent years.
|Very High||Entities considered to be highly important from an audit standpoint and should be subject to internal audit activity. Where possible, audits of these priorities should be conducted early in the planning cycle to permit the generation of assurance in a timely fashion.|
|High||Entities considered as an important audit priority and should be audited in the planning cycle, but not necessarily in the first year of the plan.|
|Moderate||Audit resources may be expended; however these areas are only of moderate audit priority during this planning cycle.|
|Low||Little to no justification for audit resources to be expended in these areas during this planning cycle.|
Appendix C. Planned audits by service group and auditable elements
|Internal Services Groups||Auditable Element||Audit|
|Legal services||Legal services||Coordination of legal services in the Agency|
|Human resources management||Workplace management||Occupational health and safety (OHS) program|
|Financial management||Governance, planning, forecasting, budgeting, pricing and costing||Costing|
|Revenues receivables and receipts||Revenue controls on canals|
|Information management, technology, and systems||Information management||Information management|
|Real property||Built asset management||Maximo data quality|
|Environmental management||OHS – includes selected environmental management controls|
|Various depending on Audit Scope||Key financial and administrative processes|