Parks Canada
Symbol of the Government of Canada

Common menu bar links

Internal Audit and Evaluation Documents

Multi-Year Internal Audit Plan 2015-2016 to 2017-2018

Photographs of some Parks Canada sites

March 2015

Office of Internal Audit and Evaluation Parks Canada

Recommended for Approval by Parks Canada Audit Committee: March 27, 2015
Date Approved by CEO: April 20, 2015

Her Majesty the Queen in Right of Canada, represented by
the Chief Executive Officer of Parks Canada, 2015

Table of Contents

Executive Summary

The Parks Canada Multi-Year Internal Audit Plan 2015-16 to 2017-18 outlines the mandate, organizational structure and resources for internal audit in the Agency, the considerations employed in developing the risk based plan and describes the audit projects and activities for the next three years.

Parks Canada's Office of Internal Audit and Evaluation (OIAE) adheres to the government's policy, directive and standards for internal audit. The audit function consists of the Chief Audit and Evaluation Executive (CAEE) and nine auditor positions.

The audit universe (i.e., the individual programs, processes or systems that may be subjected to IA activity) consists of 30 entities based on a modified version of the Agency's Program Alignment Architecture (PAA), including internal services. Audits entities are described and prioritized based on considerations of significance, public visibility and risk. In principle, audit activities should focus on the entities with the highest priority scores, as determined by a yearly review, for the three year period of the plan.

For 2015-2016 the function will focus on five assurance engagements, and continue to work on internal projects. Over the three year period 19 assurance audit engagements are planned.

Introduction

The Parks Canada Multi-Year Internal Audit plan 2015-2016 to 2017-2018, consistent with the Treasury Board (TB) Policy on Internal Audit, outlines the mandate, organizational structure and resources for internal audit in the Agency, the considerations employed in developing the risk based plan and describes the audit activities for the next three years.

Parks Canada Agency

Parks Canada was established as a separate departmental corporation in 1998. The Agency's mandate is to:

"Protect and present nationally significant examples of Canada's natural and cultural heritage, and foster public understanding, appreciation and enjoyment in ways that ensure the ecological and commemorative integrity of these places for present and future generations."

Responsibility for the Parks Canada Agency rests with the Minister of the Environment. The Parks Canada Chief Executive Officer (CEO) reports directly to the Minister.

Internal Audit Function

Applicable Policies and Professional Standards

The internal audit function at Parks Canada adheres to the Treasury Board Policy on Internal Audit (2012), and the associated directive and standards. In March 2015, a revised audit charter for the function was approved.

Mandate and Services Offered

The mandate of the function is to:

"Provide independent and objective assurance and consulting services designed to add value and improve the Agency's operations. It helps the Agency accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of governance processes, risk management strategies and practices, and management control frameworks, systems and practices."

In this context, the function provides the CEO and audit committee with assurance that:

  • Risks are appropriately identified and managed;
  • Governance arrangements are in place to support strategic direction, monitoring and accountability;
  • Significant financial, managerial and operating information is accurate, reliable and timely;
  • Activities and actions are in compliance with applicable laws, regulations policies, standards, and procedures;
  • Resources are acquired economically, used efficiently and adequately protected;
  • Programs, plans and objectives are achieved;
  • Quality and continuous improvement are fostered in the Agency's control processes;
  • Significant legislative or regulatory issues impacting the Agency are recognized and addressed properly.

Services include:

  • Assurance Audits that provide an assessment on the adequacy of the governance and controls in place to ensure that the organization's risks are managed effectively, that its goals and objectives will be achieved efficiently and economically and that rules, regulations and policies are followed;
  • Investigations of possible fraud or wrong doing;
  • Consulting, analysis and advice related to policies, programs, risks, systems and controls.

Follow-up on Management Responses

The audit cycle includes a systematic follow-up on the management responses to each audit recommendation four months after the final approval of the audit report by the Chief Executive Officer; and every six months afterwards until recommendations are fully addressed. A summary of progress made in implementing action plan is a standing item on the Audit Committee's agenda.

Governance

The CAEE reports directly and exclusively to the Chief Executive Office (i.e., deputy head) of the Agency. Consistent with TB Policy on Internal Audit, oversight of the function is provided by an independent audit committee composed of three members external to the public service. The Chief Executive Officer, the Chief Audit and Evaluation Executive and the Chief Financial Officer are ex officio members of the committee.[1] The committee is responsible for reviewing and providing advice and/or recommendations to the CEO, as required, on issues related to:

  • Internal audit function and products;
  • External audit and review;
  • Financial statements and public accounts reporting;
  • Risk management;
  • Agency accountability reporting;
  • Values and ethics;
  • Management control framework.

Organizational Structure and Resources

The organizational chart for the function is shown below. The function currently consists of eight funded positions and one term position. Two of these positions are new in 2015-2016 as a result of the Agency receiving significant new funding for infrastructure investment as announced by the Prime Minister on November 24, 2014.

The effective staff complement for 2015-2016 is estimated to be 8.5 FTEs due to positions not being filled up at the beginning of the year. The function will pursue alternative strategies (i.e., contracting, use of temporary or term employees and/or students to ensure a full FTE complement is available for the fiscal year).

Graph of Organizational Structure and Resources

[long description]

The available budget for the audit function in 2015-2016[2], along with actual expenditures in 2014-2015 and forecasted expenditures in 2015-2016 are shown in the table below.

  Available Budget Expenditures Forecasted Expenditures
as % of Available Budget
2014-2015 2015-2016
Actual Forecast
  1,103,182 581,983    
Salaries 820,820 499,984 550,000 67%
Project Costs 282,362 39,710 77,000 49%
Non Project O&M 42,289 60,000

Audit Planning Methodology and Considerations

Audit planning is based on a listing of auditable entities (i.e., the programs, process or activities that may be subject to audit) call the audit universe. For 2015-2016, the universe is the entities that make up the internal services component of the Agency's Program Alignment Architecture (PAA).[3]

Each entity is assigned a priority rating on an assessment of its significance, public visibility and risk exposure of the entity. The ratings are combined and classified based on ranges of scores as very high, high, moderate and low audit priority. Appendices A, B, C and D provide more details on the planning process, some of the inputs to the ratings (i.e., Corporate Risk Profile and past audit coverage).

In addition to audit priority ratings, the function takes account of several additional factors in planning including external commitments to conduct an audit (i.e., typically in the context of special funding approved by TB for new programs or initiatives); past or planned coverage by other assurance providers (OAG/CESD, other Agents of Parliament, the OCG, and program evaluation within the Agency); management priorities and audit committee recommendations; and the availability of audit resources.

For this planning cycle, priorities were assessed through a series of discussions and meetings with members of Executive Management Committee and in some cases their management teams between November 2014 and February 2015. Audit staff then revised audit priority ratings for various entities based on the consultations and business knowledge of other important processes and changes in the Agency.

The major audit entities and sub-processes considered in rating entities are show below along with final priority ratings.

Table 1: Audit Entities and Priority Ratings
Entity   Priority
Real Property Land Management 3.6
Built Asset Management
Material management (inventory, fleet, asset below $10K)
Environmental Management
Water Power
Information Management Includes access to information and privacy, libraries. Record keeping etc. 2.8
Financial Management Planning Forecasting and Budgeting (including costing) 2.8
Revenues Receivables and Receipts
Purchases, Payables and Payments
Financial statements (write-off, PAYE, Special purpose accounts...)
Environmental Liabilities
Travel/Hospitality, Events and Conferences
Partnerships and Procurement including G&Cs
Management and Oversight Strategic Policy, Planning and Government Relations 2.5
Integrated Risk Management
Investment Planning and Project Management
Performance and Reporting
Values and Ethics
Human Resources Management Workplace Relations Branch (includes labor relations, classification, OHS, Compensation) 2.5
Workforce Management and Leadership Branch (includes staffing, official language)
HR Business Information and Systems Branch (system and data management)
Information Technology/Information Systems National information systems (SAP, POS, BMO, campground, travel...) 2.0
Security Security (property, personal etc.) 2.0
Business Continuity and Emergency Preparedness
Internal Communication   2.0
Legal   2.0

Planned Projects for the Next Three Years

In 2015-2016, the function:

  • will undertake four assurance engagements and will completed two engagements started in 2014-2015
  • Continue to implement 3 internal projects

Details of planned projects for the next three years are presented below.

Year 1: 2015-2016

Section A: Assurance Work

Objectives Scope/Rational
1. Two Audits of Key Financial and Administrative Processes
These audits aim to provide assurance to senior management that financial and administrative practices in place at a business unit level (i.e., a field unit, or national office directorate) are in compliance with government and Agency policies, directives and standards. The financial and administrative practices to be audited may vary from one entity to the other as well as from one year to the other based on priorities and risks.
Moderate Audit Priority Maps to Corporate Risks:
  • Information management
Maps to MAF:
  • Stewardship
  • Risk Management
  • Citizen-focused service

The audits will focus on compliance with government and Agency's policies and directives with respect to revenue collection, procurement & acquisition and travel costs at the Quebec and Ontario Waterways

The project is expected to start in the Spring of 2015 and a report tabled at Audit Committee in March 2016.

2. Point of Sale (POS) System
The audit will assess the adequacy of the control framework (governance, roles and responsibility, risks management and controls) supporting data collection through POS (i.e., revenue and social science data).
Moderate Audit Priority Maps to Corporate Risks:
  • Information Management
Maps to MAF:
  • Stewardship
  • Financial Management and Control
  • Citizen-focused service

A new common point of sale system was implemented across most of the Agency's operations in 2012-2013. The scope of this audit includes a review of processes and procedures to ensure completeness, timeliness, and accuracy of the data collected. The audit will also consider the impact of the use of the POS system on the visitor's experience.

This audit project started in the Fall of 2014 and a report is expected to be tabled at Audit Committee in December 2015.

3. Audit of the Campground Reservation System
To provide assurance that the framework in place allows for sound management of the revenue collected through Parks' Campground Reservation System (PCRS)
Moderate Audit Priority Maps to Corporate Risks:
  • Information Management
Maps to MAF:
  • Stewardship
  • Financial Management and Control
  • Citizen-focused service

The new campground reservation system, implemented in 2013-2014, allows visitors to choose and reserve ahead of time a campsite in one of the 20 National Parks of Canada. Reservations can be made on line or by phone.

Revenue collected through PCRS represent more than a third of Parks' revenue collection. The audit will provide assurance that controls in place are functioning to ensure completeness and accuracy of revenue data.

The project will begin in the September 2015 and a report tabled to Audit Committee in Fall 2016.

4. Business Continuity and Emergency Preparedness
The audit will assess the existence of a framework for business continuity and emergency preparedness at Parks and its compliance with existing TB policies and directives.
Low Audit Priority Maps to Corporate Risks:
  • Environmental Forces
  • Asset Management
Maps to MAF:
  • Risk management
  • Management of Security
  • Citizen-focused service

Business continuity planning is important in order to provide the "development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets". The Treasury Board's Operational Security Standard - Business Continuity Planning (BCP) Program requires departments to implement a Business Continuity Planning Program (BCPP) and to plan for emergencies or disruptions that could affect the delivery of critical government services. The audit will focus on Agency compliance with the relevant directive and standards.

The project began in January 2015 and a report tabled at Audit Committee in November 2015.

5. Frameworks of Infrastructure Funding
The audit will assess governance, risk management and control frameworks in place to ensure effective management of the investment planning program as well as the delivery of projects from an operational perspective.
High Audit Priority Maps to Corporate Risks:
  • Asset Management
Maps to MAF:
  • Risk management
  • Stewardship
  • Financial Management and Control
On November 24, 2014 the Prime Minister announced more than $2B in planned investment in Agency Infrastructure over the next several years. In the first year of the funding internal audit work will focus on providing assurance that national frameworks with respect to 1) planning, risk management and organizational capacity and 2) monitoring and reporting are in place and functioning effectively.

Section B: Others Work

Objectives Scope/Rational
OAG- Audit of the Implementation of the Labrador Inuit Land Claims Agreement The audit will be looking at whether selected entities' have implemented their obligations as per the Agreement. Parks Canada is one of the entities with obligations as stated in the Agreement.

Section C: Internal Projects

Objectives Scope/Rational
1. Analysis in Support of Continuous Auditing The function focus on identifying key processes and questions that can be addressed through continuous auditing and on writing scripts to extract relevant data from the financial system. Although consultations with TBS experts and the working group will continue, the Internal Audit function expect to have one FTE fully dedicated to data extraction and analysis to support our audit work. The analysis will be used to create a framework for standardizing the use of continuous auditing in the function.
2. Team Mate Implementation The Team Mate audit software was acquired through PWGSC in 2013-2014. Initial configuration system took place at the end of March 2014. Lack of human resources and in-depth knowledge delayed the implementation of the system. It is expected that the implementation be completed in the first half of 2015-2016 and that the system will be used in parallel with old system for the rest of the year.


Project Resources Size[4] Hours[5] O & M ($)
2015-2016
Total ($)[6]
Overall Total 8,750 65,500 417,300
Two Audits of Key Financial and Administrative processes Medium 2,000 20,000 110,000
Point of Sale (POS) System (2-year project) Large 1,000 22,000 67,000
Audit of the Campground Reservation System (2-year project) Large 1,000 5,000 50,000
Business Continuity and Emergency Preparedness Small 750 7,000 40,750
Frameworks of Infrastructure Funding Large 2,000 10,000 100,000
Total 6,750 64,000 367,750
Internal Projects
Continuous Auditing   1,200   52,800
Team Mate Implementation   800 1,500 36,700
Sub Total Internal Projects 2,000 1,500 96,300

Year 2: 2016-2017

Preliminary Objectives Preliminary Scope/Rational
1. Audit of Information Management
To assess the state of the current control framework (governance, roles and responsibilities, risk and control) for information management and provide assurance about the level of readiness to comply with applicable TB policies.
Moderate Audit Priority Maps to Corporate Risks:
  • Information Management
Maps to MAF:
  • Managing for Results
  • Risk Management
The scope will include progress being made towards the implementation of the TB Policy on Information Management, the Directive on Information Management Roles and Responsibilities including ensuring that governance structures, mechanisms and resources are in place to support the continuous and effective management of information.
2. Two Audits of Key Financial and Administrative Processes
These audits aim to provide assurance to senior management that financial and administrative practices in place at a business unit level (i.e., a field unit, or national office directorate) are in compliance with government and Agency policies, directives and standards. The financial and administrative practices to be audited may vary from one entity to the other as well as from one year to the other based on priorities and risks.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
  • Stewardship
  • Results and performance
  • Financial Management
The selection of the two directorates for 2016-2017 (CFOD and ERVE) is based on major operational changes that took place over the last two years and the inherent risk of the nature of their operations.
3. Project management (Infrastructure funding)
The audit will aim to assess PCA's project management compliance with rules and regulations as well as PCA's framework in completing major capital projects using dedicated funds from budget 2014 and budget 2015.
High Audit Priority Maps to Corporate Risks:
  • Asset Management
Maps to MAF:
  • Investment Planning and Management of Projects
Selection of projects to be assessed will be done at a local level or national level based on project magnitude, complexity and materiality as well as progress of work and/or phase completed.
4. Realty Governance
The audit will assess the framework in place to ensure quality of realty data and active management of realty obligations as set out in various realty instruments.
High Audit Priority Maps to Corporate Risks: Maps to MAF:
  • Stewardship
The scope include the control and oversight regime in place to monitor adherence to the TB Policy on Management of Real Property and the Reporting Standard on Real Property with respect to land management and obligations related to land use (i.e., an estimated 8,500 land-use documents, ranging from leases to concessions to utility agreements).
5. Audit of Compliance with Organizational Design Requirements
To provide assurance that decisions made with respect to organizational models and control of salary costs are being implemented as intended.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
The Agency has created a suite of organizational models for various functions (e.g., External Relations, Visitor Experience, and Resource Conservation) and implemented requirements to control salary costs (e.g., costed organizational charts). The audit is focused on assessing continued compliance across the Agency with respect to organizational design and control of salary expenditures.
6. BMO Credit Card Controls
This audit aims to provide assurance to senior management that controls in place are sufficient and functioning to ensure that use of acquisition card complies with existing policies and directives.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
  • Stewardship
  • Financial management
As of March 2015, the Agency implemented the new acquisition card payment process. Starting with only National Office transactions for the first year, the process is to be expanded to all FUs and Directorates in 2016-2017. Post payment verification activities should have been determined and applied to mitigate the risk originating from the removal of typical pre-payment verification controls.


Project Resources Size Hours O & M ($) Total ($)
Overall Total   10,400 111,000 569,000
Carry forward from 2015-2016
Audit of the Campground Reservation System (2-year project)[7] Large 1,000 30,000 75,000
New projects for 2016-2017  
1. Audit of Information Management Large 1,500 9,000 76,500
2. Two Audits of Key Financial and Administrative Processes Medium 1,500 13,000 80,500
3. Monitoring and Project Delivery Medium 1,500 35,000 102,500
4. Realty Governance Large 1,500 8,000 75,500
5. Audit of Compliance with Organizational Design Requirements Medium 1,200 8,000 62,000
6. BMO Credit Card Controls Medium 1,000 8,000 53,000
Total   9,200 111,000 525,000
Internal Projects
Continuous Auditing   1,200   54,000

Year 3: 2017-2018

Preliminary Objectives Preliminary Scope/Rational
1. Two Audits of Key Financial and Administrative Processes
These audits aim to provide assurance to senior management that financial and administrative practices in place at a business unit level (i.e., a field unit, or national office directorate) are in compliance with government and Agency policies, directives and standards. The financial and administrative practices to be audited may vary from one entity to the other as well as from one year to the other based on priorities and risks.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
  • Stewardship
  • Results and performance
  • Financial Management
Sites and topics will be determined at the beginning of the fiscal year based on risks and materiality.
2. HR data integrity (PeopleSoft and paper files)
This audit aims to provide assurance to senior management that controls are in place to ensure accuracy of payment of employees' salary as well as compliance of PCA's employees' files with established guidelines.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
  • Stewardship
While Miramichi will process the payment as presented, the Agency retains the accountability of ensuring completeness and accuracy of the information provided by the employees. Part of the Pay consolidation, the Agency also led a file data clean up exercise to ensure consistency in the relevant information to maintain within Parks while ensuring transfer of required paper records to Miramichi. Also, information other than for payroll are kept in the paper file of the employee or in PeopleSoft system such as training, language requirements and test results, etc. and will be subject of the audit.
3. Project management (Infrastructure Funding)
The audit will assess PCA's project management efficiency in completing major capital projects using dedicated funds from budget 2014 and budget 2015.
High Audit Priority Maps to Corporate Risks:
  • Information Management
  • Asset Management
Maps to MAF:
  • Investment Planning and Management of Projects
  • Procurement
Selection of projects to be assessed will be done at a local level or national level based on project magnitude, complexity and materiality as well as progress of work and/or phase completed.
4. Revenue collected by third party
The audit will assess the framework and the effectiveness of the controls surrounding the collection of revenue on behalf of PCA to ensure the Agency is receiving all revenues its entitled to.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
Field units enter into contracts with third parties (mostly bus tour, tourism associations and hotels) that allow them to collect revenue on behalf of PCA (e.g., entry fees that are embedded in a package fee). These amounts are to be remitted to the Agency at the time the tour is taking place or according to pre-established schedules.
5. Occupational Health and Safety (OHS)
The audit will assess that OHS activities within the Agency are in compliance with the existing framework at the national level as well as the local level.
Moderate Audit Priority Maps to Corporate Risks: Maps to MAF:
According to PCA's Occupational Health and Safety Policy, each and every employees are responsible for working in a manner that safeguards themselves, their colleagues and the environment. Their duties are derived from the Canada Labour Code, Part II.


Project Resources Size Hours O & M ($) Total ($)
Total   6,000 71,500 341,500
1. Two Audits of Key Financial and Administrative Processes Small 1,500 14,000 81,500
2. HR data integrity (PeopleSoft and paper files) Large 1,500 20,000 87,500
3. Monitoring and delivery -Infrastructure funding Medium 1,200 15,000 69,000
4. Revenue collected by third party Small 900 15,000 55,500
5. Occupational Health and Safety Small 900 7,500 48,000

Appendix A. Steps in Audit Planning

1. Audit Universe

The Office of Internal Audit and Evaluation has chosen to divide in two stream its original universe that consisted of 30 entities reflecting sub-programs in the PAA and internal services with some adjustments and modifications to amalgamate sub-programs where it makes sense and to add a few entities that are not part of the PAA structure.[8] As of 2015-2016, the Internal Audit function will focus its activities on entities that make up the internal services component of the PAA.

2. Describing and documenting Audit Entities

A description of each audit entity is prepared with basic information (purpose, budget, expenditures, governance framework, owner, partners, stakeholders, supporting information systems, and financial coding, etc.). Additional information is gathered to then rate the entity on three dimensions adapted from the OCG Practice Guidebook --- Internal Audit Planning for Departments and Agencies (2006):

  • Significance reflects the overall importance of the entity to Agency, the scope of its reach, the dollar value (materiality) associated with it and/or impact of the entity on stakeholders;
  • Public Visibility reflects the extent to which an entity is routinely subject to scrutiny by the general public, stakeholder groups and the media;
  • Risk Exposure takes account of the number, nature and types of risk to which an entity is exposed and the severity and breath of possible consequences.

3. Prioritization of Audit Entities

Prioritization consists of assigning a significance, public visibility and risk exposure score to each entity (i.e., each with a five point scale ranging from 1 very low significance, visibility or exposure to 5 very high significance, visibility or exposure), and then combining the scores (i.e., weighted 30% for significance, 20% for visibility and 50% for risk exposure) to create a final priority score for each entity.

Level Range Description
Very High 4.26 - 5.00 Entities considered to be highly important from an audit standpoint and should be subject to internal audit activity. Where possible, audits of these priorities should be conducted early in the planning cycle to permit the generation of assurance in a timely fashion.
High 3.51. - 4.25 Entities considered as an important audit priority and should be audited in the planning cycle, but not necessarily in the first year of the plan.
Moderate 2.51 - 3.50 Audit resources may be expended; however these areas are only of moderate audit priority during this planning cycle.
Low 0.00 - 2.50 Little to no justification for audit resources to be expended in these areas during this planning cycle.

Appendix B. Corporate Risk Profile 2015-2016 to 2017-2018

Risk Category and Label Risk Statement Risk Owner
Public
Aboriginal Support A diminished level of Aboriginal support for Parks Canada may impact the Agency's ability to deliver on and advance its programs. Director, Aboriginal Affairs Secretariat
Partnering Parks Canada may not be able to effectively collaborate with potential partners due to internal capacity (such as deficiencies in financial authorities) or external factors. This could limit our ability to leverage opportunities, extend our reach, grow our base of support, and advance our programs. VP, External Relations and Visitor Experience
Public Awareness and Support Local communities, stakeholders, NGOs, and the Canadian public may not be sufficiently aware or supportive of Parks Canada, compromising the Agency's ability to fulfill its mandate. VP, External Relations and Visitor Experience
Socio-economic
Competitive Position Parks Canada programs, services and experiences may be less attractive or less of an interest to Canadian compared to alternative leisure activities. VP, External Relations and Visitor Experience
External Development Pressures Development pressures may limit opportunities for establishment of new national parks and national marine conservation areas; and may affect the ecological integrity of national parks, the ecologically sustainable use of national marine conservation areas, the commemorative integrity of national historic sites, and the heritage value of cultural resources in heritage places. VP, Protected Areas Establishment and Conservation; VP, Heritage Conservation and Commemoration
Environmental
Natural Disasters Natural disasters may lead to the loss or impairment of natural and cultural resources, visitor experience opportunities and contemporary assets, resulting in increased operational costs and compromising the Agency's ability to deliver its mandate. VP, Operations, Eastern Canada; VP, Operations, Western and Northern Canada
Environmental Forces Environmental forces may limit the Agency's ability to maintain or improve ecological integrity in national parks and to foster ecologically sustainable use of National Marine Conservation Areas. VP, Protected Areas Establishment and Conservation
Parks Canada's Business Operations
Asset Condition The Agency's ability to deliver on its mandate is impaired due to an inability to make appropriate ongoing investments for maintenance and recapitalization of its built asset portfolio. Chief Administrative Officer; VP, Heritage Conservation and Commemoration
Information Management Failure to identify, capture, manage, share and report pertinent data, plus maintain security of information and knowledge, may hinder the ability to effectively manage all program areas and meet legal requirements. Chief Administrative Officer

Source: Parks Canada Agency Corporate Risk Profile 2015-16

Appendix C. Risk Taxonomy

The list below provides potential risk areas adapted from the Guide to Risk Taxonomies developed by the TBS Center of Excellence on Risk Management. The likelihood and impact of these risks varies for each audit universe element.

Risk Domain Definition Risk Area Risk Area Definition
A. Strategic Loss or damage caused by external conditions or events which may negatively affect the government's policy or program position, asset base or other decisions. 1. Organizational Transformation and change management The risks associated with significant structural or behavioral change within an organization related to mandate, operating context, leadership and strategic direction.
2. Governance and strategic direction The risks associated with the Agency's approach to leadership, decision-making and management capacity.
3. Reputational The risks associated with the Agency's reputation and credibility with its partners, stakeholders and the Canadian public.
4. Economic The risks associated with major disruptions in the Canadian or world economy.
B. Operational Loss or damage caused by failures in people, processes or internal systems. 1. Business processes The risks associated with business process design and implementation
2. Capital Infrastructure The risks associated with deteriorating or damaged capital infrastructure including hard assets (e.g., buildings, vessels, scientific equipment), but excluding IT infrastructure.
3. Communication The risks associated with the approach and culture of communication, consultation, transparency and information-sharing, both within and outside the Agency.
4. Conflict of interest Risks associated with perceived or potential conflicts between private and public interests.
5. Financial management Risks associated with the structures and processes to ensure sound management of financial resources and the compliance with financial management policies and standards.
6. Fraud The risks associated with illegal acts or irregularities resulting from intentional misrepresentation or corruption by internal personnel, a partner or the public for personal gain.
7. Human Resources The risks associated with staff/management turnover; employment/work culture; recruitment, retention and staffing processes and practices; succession planning and talent management; employee development, training and capacity building.
8. Information management Risks associated with the Agency's capacity and sustainability of information management procedures and practices.
9. Information Technology The risks associated with the Agency's capacity and sustainability of information technology, both the infrastructure and utilization of technological applications.
10. Knowledge Management The risks associated with collection and management of knowledge, including intellectual property, organizational or operational information and records, and scientific data.
11. Legal The risks associated with management of legislative, advisory and litigation activities, including the development and renewal of, and compliance with, laws, regulations, international treaties/agreements and policies.
12. Policy development and implementation Risks associated with the design, implementation and compliance with the government-wide policy suite as well as PCA's internal policies and procedures.
13. Privacy/Information stewardship Risks associated with protection of personal information
14. Project management Risks associated with process and practice of developing and managing major projects in support of the overall mandate.

Risks associated with specific projects that may require ongoing management.
15. Stakeholders and partnerships The risks associated with partners and stakeholders demographics, characteristics and activities
16. Values and ethics Risks associated with the Agency's culture and capacity to adhere to the spirit and intent of the Values and Ethics Code.
C. Hazard Loss or damage caused by natural, accidental or pre-meditated actions 1. Natural Hazards The risks associated with natural, e.g., biological or climatic hazards.
2. Human Actions - intentional or unintentional The risks associated with chemical, nuclear or other hazards, resulting from deliberate actions or accidents.

Appendix D. Past Coverage by Entity

PA Number Entity Audits
6.2.3 Information Management
  • Audit of Information Management (2010)
6.2.2 Financial Management
  • 7 Finance And Administrative Audits between April 2010 and March 2015.
  • OCG Audit of financial forecasting (2013-2014)
  • Audit Management of Revenue Rentals and Concessions (2012)
  • Acquisition Card Process (2012)
6.2.4 Information Technology
  • Performance Audit of the GIS (2012)
  • SSC IT security & disaster recovery controls Assessment (2014-2015)
6.3.1 Real Property
  • Audit of Staff Housing (2014)
6.1.1 Management and Oversight
  • OCG Audit of Compliance with the MRRS Policy (2012)
6.2.5 Other Administrative Services (security, business continuity)  
6.2.1 Human Resources Management Services
  • Independent 5 Year
  • Review Of Human Resources Regime (2014-2015)
  • HR Process In Coastal BC (2011)
  • OCOL Audit Of Delivery of Bilingual Services to Visitors by Parks Canada (2012)
6.1.2 Internal Communication  
6.1.3 Legal  

[1] The terms of reference for the committee were updated in March 2015.

[2] Salary and operating costs of the audit committee, typically about $100K per year of which 80% to 85% covers salaries (i.e., costs in 2014-2015 were $75.1K of which 77% was salary) appear under a separate budget.

[3] Previously the universe included all the PAA sub-programs. This was changed for this round of planning since in practice many of the traditional sub-programs were never identified as high audit priorities (i.e., they were covered by evaluation or external audit). In some cases, aspects of the traditional programs (e.g., management of environmental impact assessment, contaminated sites) are included in our definitions of specific internal services.

[4] Size is being define by the overall amount of time spent on a project (sometimes over more than one fiscal year) using the following guideline: small <1K hrs, medium between 1K and 1.5K hrs and large over 1.5K hrs.

[5] Hours and O&M reflects the expected amount of money to be spent on the project during the fiscal year.

[6] The total dollars is the cost for auditor salary and expenses associated with the various projects for the current fiscal year.

[7] Completion of a 2-year project started in 2015-2016. We estimated the cost for salaries and expenses associated with the project for the fiscal year 2016-2017.

[8] These are the Law Enforcement Program and the General Class Contribution Program.