Archived: Integrated Risk-Based Audit and Evaluation Plan 2015-2016: chapter 4

3. Planning Approach

3.1 Key Requirements

There are a number of requirements and considerations stemming from TB policies, directives and guidelines, and which drive audit and evaluation planning in the federal government. The more significant of these are summarized in the following sections.

A. Internal Audit

• Internal audit provides independent and objective appraisals that use a disciplined, evidence-based approach to assess and improve the effectiveness and efficiency of risk management, control and governance processes. It is intended to contribute to the basis by which decision-makers exercise oversight and control over the organization and apply sound risk management^Footnote 1.
• The DM must approve and provide annually to the Comptroller General a departmental multi-year risk-based internal audit plan that considers:
  • departmental areas of higher risk and significance;
  • predominantly focused on the provision of assurance services;
  • government-wide horizontal audits led by the Comptroller General; and
  • the recommendations of the EAAC.
• There are other audit planning considerations that stem from the Office of the Controller General (OCG) guidance and professional standards. For instance, the draft guide on Internal Audit Planning^Footnote 2 recommends the periodic conduct of specific audits of risk management and of governance. As well, OCG guidance and internal audit professional standards recommend the periodic conduct of a fraud risk assessment^Footnote 3.

B. Evaluation

• According to TB Policy, evaluations must assess the relevance and performance of Departmental programs^Footnote 4. The DM is required to submit to TBS annually a rolling five-year departmental evaluation plan. The plan's coverage must consider:
  1. The Financial Administration Act (section 42.1) requirements that evaluations be performed of all ongoing grant and contribution (G&C) programs on a five-year cycle. These are performed before the corresponding program comes up for TB renewal^Footnote 5;
  2. The TB Policy and Directive on Evaluation require that all direct program spending (DPS) be evaluated on a five-year cycle (excludes G&C programs covered above);
  3. Mandatory program evaluations are normally required for renewals of programs (not limited to G&C programs), and specific evaluation requirements or commitments can also be specified under program TB submissions and related TB decisions.
• Evaluation plans must also:
  • Align with the Management, Resources and Results Structure (MRRS);
  • Support the Expenditure Management System, including strategic reviews;
  • Include other program specific evaluations or applicable elements of the Government's Evaluation Plan if requested by TBS; and
  • Consider as part of individual evaluations, any requirements stemming from Performance Measurement and Evaluation Plans for regulatory programs^Footnote 6.

Accordingly, the evaluation plan and projects are determined by the requirements as described above. The risk assessment is used mainly to help scope ("calibrate") the evaluation projects as well as determine project priorities. The required evaluation project effort is driven by the nature (e.g. complexity, evaluability^Footnote 7, horizontality), scope and materiality of the program.

3.2 Approach and Considerations

The starting point for AEB's annual planning exercise is always the previous year's risk assessment and plans. The approach to the planning exercise is also grounded on the following key elements and principles:

1. Planning and Reporting Cycle. The RBAEP must be properly considered as part of AEB annual planning and reporting cycle. This cycle incorporates the following key components, which integrate both the internal audit and evaluation functions:

• A planning exercise is conducted before the start of each fiscal year, in consultation with senior executives, EAAC and DEC, to review AEB's plans and projects. The result is the Integrated RBAEP approved by the DM;
• At mid-year, the progress against the RBAEP is reviewed in consultation with EAAC and DEC, and the RBAEP is updated as required and any revisions approved; and
• At the end of the fiscal year, the Chief Audit and Evaluation Executive prepares an Annual Report^Footnote 8 which he submits to EAAC, DEC and the Deputy Ministers.

The planning and reporting cycle reflects that AEB plans and priorities are evolving and must remain evergreen. In addition to the mid-year review and update, progress against the RBAEP is regularly monitored at both EAAC and DEC.

2. Planning "Universe". The planning universe serves as the "roadmap" or "backdrop" for risk assessment and planning, and helps define the potential audit and evaluation areas and projects:

• For evaluation, the planned projects are defined according to EC’s 2015-16 Program Alignment Architecture (PAA), which aligns with EC's MRRS and is consistent with TB Evaluation Policy requirements (e.g., Direct Program Spending coverage);
• For internal audit, the key elements of TBS's Management Accountability Framework (MAF) are utilized to identify and organize (map) the planned audit projects.

3. Risks and Considerations. As reflected above (section 3.1), both internal audit and evaluation rely in part on risks, to either identify or scope projects, in addition to other requirements and considerations. Accordingly, as part of its planning exercise AEB conducts an independent risk assessment, based on the following steps:

• An initial assessment based on both AEB's knowledge of EC's programs and priorities, and a review of a number of key sources (e.g. prior year's assessment; past audits and evaluations; CRP exercise; latest MAF assessment; and key corporate documents); and,
• The assessment is enhanced primarily through consultations with senior executives, the EAAC, the DEC and the DMs.

The results of the risk assessment are summarized in part in the detailed audit plan (Appendix A. "Risks and Rationale" column).

4. Balanced Approach. The RBAEP is revised and updated from the previous year, by taking into account a number of competing requirements and factors, mainly:

• Internal audit requirements and coverage of key risks and considerations;
• Mandatory evaluation coverage and project risks;
• Audits or reviews to be conducted by external assurance providers (e.g. CESD, OAG and PSC) and horizontal audits planned by the OCG;
• Opportunities for possible collaboration with other departments
• Ability or capacity of EC branches to accommodate multiple projects;
• Comments and advice received from senior executives; and,
• AEB resources, capacity and expertise.

5. Process and Approval. The development of the RBAEP is founded foremost on significant phased consultations with senior executives, and accordingly the exercise is largely iterative. This year, the overall process included the following major milestones:

• Consultations with EMC members including the DMs;
• Initial consultation summary to EAAC members;
• Initial Draft RBAEP provided to DEC for comments;
• Initial Draft RBAEP provided to EAAC for review and recommendation;
• Final RBAEP approved by the DM; and
• Approved RBAEP provided to TBS, OCG and the Office of the Auditor General (OAG), and subsequently translated and posted on the EC web-site.

This final RBAEP is approved by the DM, based on the recommendation of the EAAC (audit plan component) and any comments by the DEC (evaluation plan component).