Parks Canada
Symbol of the Government of Canada

Common menu bar links

Internal Audit and Evaluation Documents

Multi-Year Internal Audit Plan 2016-2017 to 2018-2019

Photographs of some Parks Canada sites

June 2016

Office of Internal Audit and Evaluation Parks Canada

Recommended for Approval by Parks Canada Audit Committee: June 2, 2016
Date Approved by CEO: June 21, 2016

Table of Contents

Executive Summary

The Parks Canada Multi-Year Internal Audit Plan 2016-17 to 2018-19 outlines the mandate, organizational structure and resources for internal audit in the Agency, the considerations employed in developing the risk based plan and describes the audit projects and activities for the next three years.

Parks Canada's Office of Internal Audit and Evaluation (OIAE) adheres to the government's policy, directive and standards for internal audit. The audit function consists of the Chief Audit and Evaluation Executive (CAEE) and nine auditor positions.

The audit universe (i.e., the individual programs, processes or systems that may be subjected to IA activity) consists of 25 entities based on the internal service groups of the Agency's Program Alignment Architecture (PAA). Audits entities are described and prioritized based on considerations of significance, public visibility and risk. In principle, audit activities should focus on the entities with the highest priority scores, as determined by a yearly review, for the three year period of the plan.

For 2016-2017 the function will focus on five assurance engagements. Over the three year period 15 assurance audit engagements are planned including the Office of Comptroller General project. In addition, a practice inspection is planned for the end of fiscal year 2017-2018.

Introduction

The Parks Canada Multi-Year Internal Audit plan 2016-2017 to 2018-2019, consistent with the Treasury Board (TB) Policy on Internal Audit, outlines the mandate, organizational structure and resources for internal audit in the Agency, the considerations employed in developing the risk based plan and describes the audit activities for the next three years.

Parks Canada Agency

Parks Canada was established as a separate departmental corporation in 1998. The Agency's mandate is to:

“Protect and present nationally significant examples of Canada's natural and cultural heritage, and foster public understanding, appreciation and enjoyment in ways that ensure the ecological and commemorative integrity of these places for present and future generations.”

Responsibility for the Parks Canada Agency rests with the Minister of the Environment and Climate Change. The Parks Canada Chief Executive Officer (CEO) reports directly to the Minister.

Internal Audit Function

Applicable Policies and Professional Standards

The internal audit function at Parks Canada adheres to the Treasury Board Policy on Internal Audit (2012), and the associated directive and standards. In March 2015, a revised audit charter for the function was approved.

Mandate and Services Offered

The mandate of the function is to:

“Provide independent and objective assurance and consulting services designed to add value and improve the Agency's operations. It helps the Agency accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of governance processes, risk management strategies and practices, and management control frameworks, systems and practices.”

In this context, the function provides the CEO and audit committee with assurance that:

  • Risks are appropriately identified and managed;
  • Governance arrangements are in place to support strategic direction, monitoring and accountability;
  • Significant financial, managerial and operating information is accurate, reliable and timely;
  • Activities and actions are in compliance with applicable laws, regulations policies, standards, and procedures;
  • Resources are acquired economically, used efficiently and adequately protected;
  • Programs, plans and objectives are achieved;
  • Quality and continuous improvement are fostered in the Agency's control processes;
  • Significant legislative or regulatory issues impacting the Agency are recognized and addressed properly.

Services include:

  • Assurance Audits that provide an assessment on the adequacy of the governance and controls in place to ensure that the organization's risks are managed effectively, that its goals and objectives will be achieved efficiently and economically and that rules, regulations and policies are followed;
  • Investigations of possible fraud or wrong doing;
  • Consulting, analysis and advice related to policies, programs, risks, systems and controls.

Follow-up on Management Responses

The audit cycle includes a systematic follow-up on the management responses to each audit recommendation at six month intervals until recommendations are fully addressed. A summary of progress made in implementing action plans is tabled at the Agency's Audit Committee.

Governance

The CAEE reports directly and exclusively to the Chief Executive Office (i.e., deputy head) of the Agency. Consistent with TB Policy on Internal Audit, oversight of the function is provided by an independent audit committee composed of three members external to the public service. The Chief Executive Officer, the Chief Audit and Evaluation Executive and the Chief Financial Officer are ex officio members of the committee.[1] The committee is responsible for reviewing and providing advice and/or recommendations to the CEO, as required, on issues related to:

  • Internal audit function and products;
  • External audit and review;
  • Financial statements and public accounts reporting;
  • Risk management;
  • Agency accountability reporting;
  • Values and ethics;
  • Management control framework.

Organizational Structure and Resources

The organizational chart for the function is shown below. The function consists of eight permanent and one term position. The effective staff complement for 2016-2017 is estimated to be 6.5 FTEs due to positions not being filled up at the beginning of the year.

Graph of Organizational Structure and Resources

[long description]

The available budget for the audit function in 2016-2017[2], along with actual expenditures in 2015-2016 and forecasted expenditures in 2016-2017 are shown below.

Table 1: Actual and Forecasted Expenditures, 2016-2017
  Available
Budget
(000)
Expenditures (000) Forecasted Expenditures
as % of Available Budget
2015-2016 2016-2017
Actual Forecast
Salaries 735 545,1 625,0 85.0
Project Costs 165 38,9 104,0 99.4
Non Project O&M 36,2 60,0
  900 620,2 789,0 87.7

Audit Planning Methodology and Considerations

Audit planning is based on a listing of auditable entities (i.e., the programs, process or activities that may be subject to audit) call the audit universe. For 2016-2017 the universe consists of 25 entities based on the internal service groups of the Agency's Program Alignment Architecture (PAA). The service groups and auditable elements are shown in Appendix A.

In order to prioritize the elements of the audit universe the function considers the significance, public visibility and risk exposure of each element consistent with the 2006 OCG Practice Guidebook of Internal Audit Planning for Departments and Agencies. Relevant information for assessing risks is obtained through a review of key Agency documents (e.g., plans, reports, risk profile, other analysis and presentations directed at senior management) as well a series of discussions and meetings with members of Executive Management Committee and in some cases their management teams in January and February 2016.

In addition to audit priority ratings, the function takes account of several additional factors in planning including external commitments to conduct an audit (i.e., typically in the context of special funding approved by TB for new programs or initiatives); past or planned coverage by other assurance providers (OAG/CESD, other Agents of Parliament, the OCG, and program evaluation within the Agency); and the availability of audit resources.

The process results in a list of proposed audit projects over the next three years. The list of proposed projects is presented to the Agency's Executive Management Committee and the Agency's Audit Committee for validation and recommendation for approval.

Planned Projects for the Next Three Years

Audit Projects by Group, Element and Year
Internal Services Groups Auditable Element 2016-17 2017-18 2018-19
Management and Oversight Investment Planning And Project Management Audit of FII Governance

Audit(s) of Management of Selected Projects
   
Human Resources Management Planning And Structuring The Workplace     Audit of Organization Design and Classification
Workplace Management   Audit of Occupational Health and Safety Program  
HR Monitoring And Report Audit of HR Data Integrity Controls (Phase 1)    
Financial Management Governance, Planning, Forecasting, Budgeting, Pricing And Costing OCG Audit of Costing in Large and Small Departments (Tentative)    
Revenues Receivables And Receipts     Audit of Revenue Controls on Canals
Purchases, Payables And Payments      
Partnerships And Procurement Including G&Cs Office of Procurement Ombudsman (OPO) Review of Bid Evaluation Practices[3]   Audit of Procurement Instrument Selection
Financial Monitoring And Reporting Audit of Asset Accounting   Audit of Financial Monitoring
Information Management, Technology, and Systems Information Management   Audit of Information Management (record keeping)  
Real Property Land Management Audit of Realty Control Framework    
Built Asset Management   Audit of Maximo Data Quality  
Environmental Management   Audit of Selected Environmental Management Controls  
Emergency Preparedness And Business Continuity Audit of Business Continuity Planning    
Total Project by Year   7 4 4

Audit Projects

Each audit is mapped to the audit universe elements over which it will provide assurance as well as to its objectives, scope and timing. During the planning of each audit, the project scope and objectives will be future refined to ensure the greatest value is added.

Project Priority Objective Scope Timing
2016-2017
1. Audit of FII Governance High Assess governance, risk management and control frameworks in place to ensure effective management of the investment planning program as well as the delivery of projects from an operational perspective. Includes elements such as roles and responsibilities, accountability structure, tools, human resource planning along with monitoring and reporting. Planning phase:
2015-2016
Reporting Phase:
Q2, 2016-2017
2. Audit(s) of Management of Selected Infrastructure Projects High Assess PCA's project management compliance with rules and regulations as well as PCA's framework. Includes key practices and processes in place for managing major capital projects using dedicated funds from budget 2014 and budget 2015. Planning phase:
Q1, 2016-2017
Reporting Phase:
Q4, 2016-2017
3. Audit of HR Data Integrity Controls (Phase 1) High Provide assurance to senior management that controls are in place to ensure accuracy of payment of employees' salary as well as compliance of PCA's employees' files with established guidelines. Includes key practices and processes in place to ensure HR Data Integrity and compliance to established guidelines. Planning phase:
Q1, 2016-2017
Reporting Phase:
Q3, 2016-2017
4. Audit of Asset Accounting Moderate Determine whether controls and processes related to accounting for tangible capital assets are in compliance with TB accounting standards and asset policy and procedures. Includes the governance and control framework over asset accounting as of March 2016. Planning phase:
Q2, 2016-2017
Reporting Phase:
Q4, 2016-2017
5. Audit of Realty Control Framework Moderate Assess the control framework in place to ensure quality of realty data and active management of realty obligations as set out in various realty instruments. Includes the control and oversight regime in place to monitor adherence to the TB Policy on Management of Real Property and the Reporting Standard on Real Property with respect to land management and obligations related to land use (i.e., an estimated 8,500 land-use documents, ranging from leases to concessions to utility agreements). Planning phase:
Q4, 2016-2017
Reporting Phase:
Q3, 2017-2018
6. Audit of Business Continuity Planning High Assess the existence of a framework for business continuity Planning at Parks and its compliance with existing TB policies and directives. Focuses on compliance with the relevant directive and standards by ensuring continuity of critical services in place at the Agency. Planning phase:
Q2, 2016-2017
Reporting Phase:
Q4, 2016-2017
7. OCG Audit of Costing Unrated Assess whether departments have implemented costing practices in line with the TBS Guide to Costing and related policy instruments. It will also look at aspects of the Chief Financial Officer attestation requirements. Includes key costing practices and processes in place within and across departments. Costing information for Cabinet decision making could be an area of focus. Planning phase:
Reporting Phase:
2017-2018
8. Audit of Occupational Health and Safety Program High Assess that OHS activities within the Agency are in compliance with the existing framework at the national level as well as the local level. Includes duties derived from the Canada Labour Code, Part II. Planning phase:
Q1, 2017-2018
Reporting Phase:
Q3, 2017-2018
9. Audit of Information Management (record keeping) High To assess the state of the current control framework (governance, roles and responsibilities, risk and control) for information management and provide assurance about the level of readiness to comply with applicable TB policies. Includes progress being made towards the implementation of the TB Policy on Information Management, the Directive on Information Management Roles and Responsibilities and ensuring that governance structures, mechanisms and resources are in place to support the continuous and effective management of information. Planning phase:
Q4, 2017-2018
Reporting Phase:
Q3, 2018-2019
10. Audit of Selected Environmental Management Controls Very High Provide assurance that management framework in place allows for sound management of the different environment elements and that practices are in compliance with PC and government policies and directives. Includes 20 environmental aspects such as petroleum storage tanks, pesticides, halocarbons and treated wood (PCB, Storage Tanks etc.) that could be audited based on priorities and risks. Planning phase:
Q1, 2017-2018
Reporting phase:
Q4, 2017-2018
11. Audit of Maximo Data Quality Moderate To provide assurance to senior management that information contain in the national asset information system Maximo is accurate, timely and easily accessible for decision making. Includes key practices and processes in place to ensure data quality related to assets. Planning phase:
Q2, 2017-2018
Reporting Phase:
Q1, 2018-2019
2018-2019
12. Audit of Organization Design and Classification Moderate To provide assurance that decisions made with respect to organizational models and control of salary costs are being implemented as intended. Focuses on assessing continued compliance across the Agency with respect to organizational design and control of salary expenditures. Planning phase:
Q1, 2018-2019
Reporting Phase:
Q3, 2018-2019
13. Audit of Revenue Controls on Canals Moderate Focus on compliance with government and Agency`s policies and directives with respect to revenue collection. Includes all types of revenues collected by waterways field units. Planning phase:
Q4, 2017-2018
Reporting Phase:
Q2, 2018-2019
14. Audit of Procurement Instrument Selection High Provide senior management with an overall assurance that the procurement instrument select within the Agency respects Parks and TBS' rules and policies.

Includes financial mechanisms such as

  1. Contracts
  2. Contractual arrangements
  3. Contributions
  4. Administrative arrangements
  5. Grants
  6. Exchange letters.
Planning phase:
Q2, 2018-2019
Reporting Phase:
Q1, 2019-2020
15. Audit of Financial Monitoring Moderate Provide assurance to senior management that the program is working as intended and enables management to take action in a timely manner when necessary. Focuses mainly on monitoring process for account payables and post payment verification. Planning phase:
Q3, 2018-2019
Reporting Phase:
Q1, 2019-2020

Prioritization of Audit Entities

Prioritization consists of assigning a significance, public visibility and risk exposure score to each entity (i.e., each with a five point scale ranging from 1 very low significance, visibility or exposure to 5 very high significance, visibility or exposure), and then combining the scores (i.e., weighted 30% for significance, 20% for visibility and 50% for risk exposure) to create a final priority score for each entity.

Level Range Description
Very High 4.26 – 5.00 Entities considered to be highly important from an audit standpoint and should be subject to internal audit activity. Where possible, audits of these priorities should be conducted early in the planning cycle to permit the generation of assurance in a timely fashion.
High 3.51. – 4.25 Entities considered as an important audit priority and should be audited in the planning cycle, but not necessarily in the first year of the plan.
Moderate 2.51 – 3.50 Audit resources may be expended; however these areas are only of moderate audit priority during this planning cycle.
Low 0.00 – 2.50 Little to no justification for audit resources to be expended in these areas during this planning cycle.


Audit Resources (Over All Years)
Project Size[4] Hours O & M Total ($)[5]
2016-2017
1. Audit of FII Governance Large 2200 6,000 102,800
2. Audit(s) of Management of Selected Infrastructure Projects Large 1800[6] 30,000 109,200
3. Audit of HR Data Integrity Controls (Phase 1) Medium 1200 6,000 58,800
4. Audit of Asset Accounting Medium 1300 54,000 78,200
5. Audit of Realty Control Framework Large 1500 6,000 72,000
6. Audit of Business Continuity Planning Small 600 8,000 34,400
7. OCG Audit of Costing Small 400 0 17,600
2017-2018
8. Audit of Occupational Health and Safety Program Small 900 15,000 54,600
9. Audit of Information Management (record keeping) Large 1500 10,000 76,000
10. Audit of Selected Environmental Management Controls Large 1500 30,000 96,000
11. Audit of Maximo Data Quality Large 1500 20,000 86,000
2018-2019
12. Audit of Organization Design and Classification Small 900 6,000 45,600
13. Audit of Revenue Controls on Canals Small 900 13,000 52,600
14. Audit of Procurement Instrument Selection Large 1700 17,000 91,800
15. Audit of Financial Monitoring Small 900 7,000 46,600

Appendix A. Audit Universe Elements and Past Coverage

Internal Services Groups Auditable Element Definition Past Coverage
1.6.1 Management and Oversight 1. Strategic Policy, corporate governance, planning and integrated risk management
  • Activities undertaken for determining strategic direction,
  • Governance arrangements for the Agency as a whole
  • Corporate planning processes (e.g., system, corporate, and business plans). Note link to employee performance management through mandate letter process
  • Other key plans which require senior management or ministerial approval (e.g., species at risk plans).
  • Activities undertaken to identify corporate risks and mitigation measures.
OCG Audit of Compliance with the MRRS Policy (2012)

OAG Implementation of the Labrador Inuit Land Claims Agreement (2016)
2. Investment Planning and Project Management Process and activities to prioritize and allocate (reallocate) resources to new and existing projects (assets and acquired services) that are essential to program delivery. Includes processes, controls and systems in place for managing individual projects within the Agency (e.g., environmental and cultural resource, VE assessments, and indigenous consultations as part of project planning). Entity includes processes with respect to infrastructure, conservation and contaminated site projects  
3. Performance and Reporting Processes and activities to develop and maintain the Performance Measurement Framework, related performance measurement strategies and for reporting on performance (e.g., Departmental Performance Report, State of Reports)  
4. Values and Ethics Processes and activities to foster an organizational culture based on the fundamental values of Respect, Engagement, Excellence, and Integrity, as specified in the Parks Canada Values and Ethics Code. Includes processes and controls for reporting ethical violations or wrong doing (e.g., Public Disclosure Protection Act) as well as advice and information on ethical situations  
1.6.2 Communication Services 5. Internal Processes and procedures to create continuous, interactive and multi-directional communication within the Agency. Includes management of Agency intranet site.  
6. External Frameworks, governances, processes, activities and controls associated with external communications. Includes branding (compliance with), public web site, social and new media use, advertising and promotions, (and consultations?).  
1.6.3 Legal Services 7. Legal Services Include providing legal advice, preparing legal documents, drafting legislation and statutory instruments (or regulations) conducting litigation, and overseeing all legal mechanisms used to achieve the overall objectives of the government.  
1.6.4 Human Resources Management 8. Planning and Structuring the Workplace Includes planning and reporting; reviewing, assessing and developing organizational designs; job and position analysis and classification  
9. Employee management Processes and activities to support recruitment (staffing), retention, and separation as well as activities associated with employee performance, learning, development and recognition. Includes management of total compensation (e.g., pay, leave). HR Process In Coastal BC (2011)
10. Workplace Management Processes and activities associated with labor relations (e.g., managing complaints, grievances, discipline) as well as occupational health and safety, management of harassment and discrimination, and promotion of employee well-being. Includes management of Agency obligations with respect to Official Languages, employment equity, disability management and return to work. OCOL Audit Of Delivery of Bilingual Services to Visitors by Parks Canada (2012) 

Independent 5 Year Review Of Human Resources Regime (2014-2015)
11. HR monitoring and Report Processes, activities and controls to ensure accurate and complete information about organisational structures, positions and employees to support planning, decision making and effective management of obligations and entitlements. Includes both paper and electronic records. Processes for creating reporting tools and mechanisms (e.g., HR dashboard)  
1.6.5 Financial Management 12. Governance, planning, forecasting, budgeting, pricing and costing Processes and activities associated with financial planning, creating authorities (chart of accounts) assigning budgets, forecasting expenditures and establishing financial management capacity. Includes processes and activities for setting prices and costing the Agency programs and initiatives OCG Audit of financial forecasting (2013-2014)
13. Revenues Receivables and Receipts Processes and controls to ensure the accurate, timely and complete management of revenue and accounts receivable. Includes management of special purpose revenues such as donations, and revenue from partnering. Audit of POS (2016)

Audit Management of Revenue Rentals and Concessions (2012)
14. Purchases, Payables and Payments Processes and controls to ensure authorization, accounting and timely processing of invoices for payment Acquisition Card Process (2012)

4 Financial And Administrative Audits between April 2011 and March 2016.
15. Partnerships and Procurement including G&Cs Processes and activities to ensure sound frameworks for partnering and procurement are in place and that practices are consistent with TB and Agency policies and directives, and that monitoring occurs to support various reporting requirements (both departmental and government-wide).  
16. Financial monitoring and Reporting Processes and activities to prepare financial reports (variance reports, financial statements, public accounts). Includes processes to monitor financial transactions  
1.6.6. and 1.6.7 Information Management, Technology, Systems 17. Information Management Includes the processes and procedures in place to achieve efficient and effective information management (IM) over its life cycle including planning and acquisition, disbursement and disposal. Includes access to information and privacy, libraries, record keeping etc.  
18. Information Technology Processes, activities and systems to plan, acquire, implement, operate, support and monitoring information technology (IT) hardware, software and networks. Elements included are: IT governance; strategic and investment plans; the use of common or shared IT assets and services, as well as authorized network accesses. Performance Audit of the GIS (2012)

SSC IT security & disaster recovery controls Assessment (2014-2015)

OCG- Horizontal Internal Audit of Information Technology Security in Large and Small Departments (2016)
1.6.8 Real Property 19. Land Management Process, activities and systems for inventorying lands, recording acquisition and disposal and for managing access to and rights related to crown land.  
20. Built Asset Management Process and systems for inventorying and managing Agency built assets including maintenance, inspections, and repairs. Excludes — investment planning and asset accounting. Includes management of particular classes of assets (e.g., staff housing) Audit of Staff Housing (2014)
21. Material management Processes and activities for managing movable assets (e.g., various types of equipment, furniture and furnishings, low dollar value and attractive goods, and larger goods, such as vehicles and ships), in a sustainable and financially responsible manner that supports the cost-effective and efficient delivery of government programs.  
22. Environmental Management Processes and activities for ensuring that the environmental impact of operations (e.g., related to asbestos, contaminated sites, storage tanks, halocarbons, PCBs, pesticides, etc.) are effective and in compliance with legislation and Agency objectives.  
23. Water Power Processes and activities related to management and provision of water power on historic canals as governed by The Dominion Water Power Act and Dominion Water Power Regulations  
Security 24. Security (property, personal etc.) Frameworks, processes and procedures to ensure the security of the property, personnel and equipment.  
25. Emergency Preparedness and Business Continuity Process and activities to plan for and manage emergency situations consistent with legislation and policy (e.g. fire and building evacuation plans; civil emergency plans) as well processes and plans for ensuring that the Agency's critical services can resumed or continued with minimal disruption during or immediately after an event.  

[1] The terms of reference for the committee were updated in March 2015.

[2] Salary and operating costs of the audit committee, typically about $100K per year of which 80% to 85% covers salaries (i.e., costs in 2015-2016 were $99.8K of which 84% was salary) appear under a separate budget.

[3] The project is not included in the total project per year.

[4] Size is being define by the overall amount of time spent on a project (sometimes over more than one fiscal year) using the following guideline: small <1K hrs, medium between 1K and 1.5K hrs and large over 1.5K hrs.

[5] The total dollars is the cost for auditor salary and expenses associated with the various projects that could overlap two fiscal years.

[6] Total for all infrastructure projects selected in 2016-2017.