Archived: Risk-based audit and evaluation plan: 2013-14 to 2017-18: chapter 3
3. Planning Approach
3.1 Key Requirements
There are a number of requirements and obligations stemming from TB policies, directives and guidelines which drive audit and evaluation planning in the federal government.
A. Internal Audit Plan
- Internal audit provides independent and objective appraisals that use a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. It is intended to contribute to the basis by which decision-makers exercise oversight and control over the organization and apply sound risk management. [Footnote 1]
- The DM must approve and provide annually to the Comptroller General a departmental multi-year risk-based internal audit plan that considers:
  - departmental areas of high risk and significance;
  - a predominant focus on the provision of assurance services;
  - government-wide audits led by the Comptroller General; and
  - the recommendations of the External Audit Advisory Committee.
- There are other important audit planning considerations that stem from OCG guidance and professional standards. For instance, the draft guide on Internal Audit Planning [Footnote 2] recommends the conduct of specific audits of risk management and of governance within the 3-year period of the plan. As well, the TBS practice guide on Fraud [Footnote 3] recommends that the CAE conduct an overall fraud risk assessment on a periodic basis.
B. Evaluation Plan
- According to TB Policy, evaluations must evaluate the relevance and performance of Departmental programs [Footnote 4]. The DM is required to submit to TBS annually a rolling five-year departmental evaluation plan. The plan's required coverage is basically twofold:
  - The Financial Administration Act (section 42.1) requires an evaluation be performed of all ongoing grant and contribution (G&C) programs on a five-year cycle. The evaluations are to be performed before the corresponding transfer payment program comes up for TB renewal [Footnote 5];
  - The TB Policy and Directive on Evaluation require that starting in 2013-14 all direct program spending (excluding ongoing G&C covered above) be evaluated on a five-year cycle.
- Mandatory program evaluations are normally required for renewals of programs (not limited to G&C programs). As well, evaluation requirements or commitments can be specified under program TB submissions and related TB decisions.
- In addition, there are a number of other potential planning requirements. For instance, evaluation plans must also:
  - align with the Management, Resources and Results Structure;
  - support the Expenditure Management System, including strategic reviews;
  - include the administrative aspect of major statutory spending (n/a at EC);
  - include other programs, specific evaluations or applicable elements of the Government's Evaluation Plan if requested by TBS;
  - consider as part of individual evaluations any requirements stemming from Performance Measurement and Evaluation Plans for regulatory programs [Footnote 6].
Accordingly, the evaluation plan and projects are determined mainly by mandatory requirements as described above. The risk assessment is used to help scope the evaluation projects as well as determine priorities for non-mandatory projects. The required evaluation project effort is mainly driven by the nature (e.g. complexity, evaluability [Footnote 7], horizontality) and scope (materiality) of the program.
3.2 Approach and Considerations
The planning exercise always takes, to some extent, the previous year's risk assessment and plans as its starting point. The approach to the planning exercise is also grounded in the following key elements:
- Planning "Universe". The planning universe serves as the "roadmap" or "backdrop" for risk assessment and planning, and helps define the potential audit and evaluation areas and projects.
  - For evaluation, the planned projects are defined according to the department’s 2013-14 Program Alignment Architecture (PAA), which is consistent with TB Evaluation Policy requirements (e.g. Direct Program Spending coverage).
  - For internal audit, the key elements of TBS's Management Accountability Framework (MAF) are utilized to identify and organize (map) the planned audit projects.
- Risks and Considerations. As indicated previously (section 3.1), both internal audit and evaluation rely in part, and to different degrees, on risks to either identify or scope planned projects, and also rely on other requirements and considerations. Accordingly, as part of its planning exercise AEB conducts an independent risk assessment, based on the following steps:
  - A preliminary risk assessment is based on AEB's knowledge of the Department's programs, priorities and risks, and includes consideration of a number of key sources (e.g. prior year's assessment; past audits and evaluation reports; the CRP exercise; current MAF assessments; and key corporate documents).
  - The assessment is further developed and refined mainly through consultations with senior executives, the EAAC, the DEC and the DMs.
A summary of AEB's independent risk assessment is presented in Appendix C.
- RBAEP Update. The current RBAEP is revised and updated from the prior year so as to consider a number of competing planning requirements, priorities and risks, as outlined previously (section 3.1). The revised RBAEP must take into account:
  - Internal audit requirements and coverage of key risks and considerations;
  - Mandatory evaluation coverage and risks for non-mandatory evaluations;
  - Audits or reviews to be conducted by external assurance providers (e.g. CESD) and horizontal audits planned by the OCG;
  - Comments and advice received from senior management;
  - Ability or capacity of EC branches to accommodate multiple projects; and
  - Resources and capacity of the AEB.
- Process and Approval. The approach to develop AEB’s integrated RBAEP is founded foremost on significant phased consultations with senior management, and accordingly the exercise is very much iterative. This year, the consultations and overall planning process included the following major steps and milestones:
  - Changes to the planning approach discussed with EAAC (December)
  - Consultations with EMC members including the DMs (January-February)
  - Status Update and Initial Consultation with EAAC (February)
  - Summary of the Draft Evaluation Plan provided to DEC for comments (March)
  - Complete Draft of the RBAEP provided to DMs and presented to EAAC for review and recommendation (March)
  - RBAEP updated and Summary provided to EMC for information (April)
  - Final RBAEP approved by the DM
  - Approved RBAEP provided to TBS, OCG and OAG, circulated to EMC (and subsequently posted on the EC web-site).
The final RBAEP is approved by the DM, based on the review and recommendations of the EAAC (audit plan component) and of the DEC (evaluation plan component). The RBAEP is an evolving document and must remain evergreen. Accordingly, at mid-year each year (normally in November) the RBAEP is updated and resubmitted to EAAC and DEC for consideration and any changes approved by the DM. In addition, progress against the approved RBAEP is regularly monitored at both EAAC and DEC.