At a glance – Two-year risk-based audit plan, 2018 to 2020, Environment and Climate Change Canada

About the risk-based audit plan

The Treasury Board of Canada (TB) Policy on Internal Audit requires the Deputy Minister to approve a risk-based audit plan (RBAP) that spans multiple years, focuses primarily on providing assurance that the Department’s activities are managed responsibly and considers departmental areas of high risk and significance. The RBAP also takes into consideration the horizontal audits led by the Comptroller General, planned audits led by external assurance providers and other departments, as appropriate, as well as other oversight engagements.

The Audit and Evaluation Branch (AEB) prepared the RBAP for the consideration of the Deputy Minister. It presents the internal audits planned for fiscal year 2018 to 2019 to fiscal year 2019 to 2020 and supports the allocation of audit resources to those areas that represent the most significant risks to the achievement of ECCC’s objectives.

ECCC’s Departmental Audit Committee reviewed the RBAP at its March 20, 2018, meeting and recommended that the plan be presented to the Deputy Minister for approval. The RBAP was approved by the Deputy Minister on June 18, 2018.

Project selection

Each year, the ECCC Chief Audit Executive (CAE) is required to prepare an RBAP. This plan sets out the priorities for the internal audit activity, in keeping with the organization’s goals and priorities. In preparing the current plan, the AEB sought input from ECCC’s Departmental Audit Committee (DAC), as well as ECCC’s senior management. It took the comments and suggestions received under advisement in setting the internal audit activity priorities for fiscal year 2018 to 2019 to fiscal year 2019 to 2020.

The starting point for the risk-based planning process was the identification of the audit universe. However, planning for the RBAP occurred during a transition that all federal Government departments were going through in moving from a Program Alignment Architecture (PAA) structure to a Departmental Results Framework (DRF), to comply with the TB Policy on Results (2016). As an interim measure, the AEB chose a streamlined approach using last year’s audit universe and a focus on risk areas identified by senior management. For subsequent RBAPs, the AEB will organize the audit universe according to the new DRF and updated program risk registries for fiscal year 2018 to 2019.

Using the previous audit universe descriptions corresponding to the ECCC branch structure, the AEB updated its knowledge of the audit universe for new programs, priorities and initiatives. It also used the following to assess the completeness of the audit universe:

• the priorities identified in the Departmental Plan and  the ECCC Minister’s mandate letter
• the Department’s relevant legislation
• the Departmental Corporate Risk Profile and Risk Registers
• the latest Management Accountability Framework (MAF) assessment
• the Government of Canada priorities
• previous audit results (both internal and external)
• previous evaluation results

Internal audit takes risks into account to identify or help determine the scope of planned projects. Risks are assessed according to the likelihood of occurrence and the potential impact of an occurrence. Programs, management activities, processes, policies and control functions, along with departmental and government-wide initiatives, are subjected to a risk assessment and risk-ranking exercise to select audit projects in order of priority.

The audit and evaluation functions held joint consultations with senior management and staff, to ensure that the planning process for both functions was effective, efficient and coordinated. As a result, this year’s RBAP update includes a potential joint audit and evaluation project. Collaborative efforts in the project will range from conducting joint interviews and collecting and sharing information, to conducting hybrid audit and evaluation engagements.

Nine of the highest priority internal audit projects and one review are planned for the next two years, with three projects carried over from fiscal year 2017 to 2018, for reporting in fiscal year 2018 to 2019. The RBAP will be reviewed with DAC during the year and modified as appropriate.

External assurance providers

The Department is also subject to audits by external assurance providers. The Office of the Auditor General (OAG) annually conducts an audit of Public Accounts, and the Commissioner of the Environment and Sustainable Development (CESD) has planned 10 audits to take place during in fiscal years 2018 to 2019 and 2019 to 2020. The present RBAP has taken into account the coverage and frequency of these engagements when assessing risk and selecting projects, to avoid duplication. Where applicable, the work of these external assurance providers may be relied upon for specific projects. As well, horizontal audits planned by the Office of the Comptroller General are taken into consideration, since ECCC may be scoped in for some of these future projects.

Other audit-related activities

The CAE reports biannually to the Deputy Minister and DAC on management progress in implementing recommendations from past audits. The report helps identify significant delays or changes to action plans and associated risks.

The AEB will continue to conduct periodic internal quality assessments and to implement recommended improvements. An external practice inspection of the Quality Assurance Improvement Program (QAIP) is planned for the 2018 to 2019 fiscal year.

Audit resources and capacity

The Internal Audit Division forecasts a budget of $1.8 million, with 14.6 indeterminate full-time equivalent employees for fiscal year 2018 to 2019. The Internal Audit Division shares resources with the Evaluation Division for branch administration, the provision of support to committees, the publication of reports and follow-up on recommendations.

ECCC internal audit projects for fiscal years 2018 to 2019 and 2019 to 2020

All internal audit projects included in the present RBAP were ranked as having an overall high risk. The following table presents an overview of the planned projects, by fiscal year of tabling. Three audit projects were carried over from fiscal year 2017 to 2018: the Audit of expenditure management and controls, the Audit of enforcement management and operations and the Audit of the management of grants and contributions. The plan also includes a potential joint audit and evaluation project. Collaborative efforts on this joint project may range from conducting joint interviews and collecting and sharing information, to conducting hybrid engagements.

Overview of planned ECCC internal audit projects, by fiscal year of tabling to the Departmental Audit Committee

Fiscal year 2018 to 2019

• Audit of expenditure management and controls (June 2018)
• Audit of enforcement management and operations (June 2018)
• Audit of the management of grants and contributions (November 2018)
• Audit of infrastructure renewal within the Meteorological Service of Canada (March 2019)
• Joint Audit/Evaluation of the management of the Pan Canadian Framework (March 2019)

Fiscal year 2019 to 2020

• Review of the management of pay and benefits processes (advisory project) (June 2019)
• Audit of the management of the Oceans Protection Plan – ECCC Component (June 2019)
• Audit of occupational health and safety (November 2019)
• Audit of the implementation strategy for Greening Government Operations (March 2020)
• Audit of the management of consultations with Indigenous Peoples (March 2020)

Fiscal year 2020 to 2021

• Audit of project management (June 2020)
• Audit of information management (November 2020)
• Audit of the implementation of the Nature Legacy for Canada (November 2020)