At a glance – Two-year Risk-based Audit Plan, 2019 to 2021, Environment and Climate Change Canada

About the Risk-based Audit Plan

The Treasury Board of Canada (TB) Policy on Internal Audit requires the Deputy Minister to approve a risk-based audit plan (RBAP) that spans multiple years, focuses primarily on providing assurance that the Department’s activities are managed responsibly and considers departmental areas of high risk and significance. The RBAP also takes into consideration the horizontal audits led by the Comptroller General, planned audits led by external assurance providers and other departments, as appropriate, as well as other oversight engagements.

The Audit and Evaluation Branch (AEB) prepared this document for the Deputy Ministers. It presents audits planned for fiscal year (FY) 2019 to 2020 to FY 2020 to 2021. It supports the allocation of audit resources to those areas that represent the most significant risks to the achievement of ECCC’s objectives.

The plan was reviewed at the ADM Corporate Operations Committee, the Executive Management Committee It was also discussed by Departmental Audit Committee (DAC), which recommended the RBAP for approval by the Deputy Ministers. The RBAP was subsequently approved by the Deputy Ministers on March 29, 2019.

Project selection

Each year, the ECCC Chief Audit Executive is required to prepare an RBAP. This plan sets out the priorities for the internal audit activity, in keeping with the organization’s goals and priorities. In preparing the current plan, the AEB sought input from ECCC’s Departmental Audit Committee (DAC), as well as ECCC’s senior management. The AEB took the comments and suggestions received under advisement in setting the internal audit activity priorities for FY 2019 to 2020 to FY 2020 to 2021.

The starting point for the risk-based planning process was the identification of the audit universe, a set of all auditable entities. These entities generally correspond to programs, functions or major organizational units. In developing this RBAP, a review was undertaken to align the audit universe with the Departmental Results Framework (DRF), in compliance with the TB Policy on Results (2016). Research was completed to describe each DRF program and the major activities that support the delivery of program results. Risks were identified for each program based on the Performance Information Profiles and branch risk documentation received. Potential auditable entities were identified based on an analysis of the DRF programs and their supporting activities. Internal services were also defined and auditable entities were identified for each. The audit universe will be adjusted over time as departmental and government priorities and their associated programs change.

Internal audit takes risks into account to identify or help determine the scope of planned projects. Risks are assessed according to the likelihood of occurrence and the potential impact of an occurrence. Programs, management activities, processes, policies and control functions, along with departmental and government-wide initiatives, were subjected to a risk assessment and risk-ranking exercise to select audit projects in order of priority. Potential audit projects were then assigned a risk rating.

Each internal audit project included in the 2019 to 2021 RBAP was selected based on its potential to add value to ECCC’s strategic outcomes and operational objectives through the continuous improvement of governance, risk management and control processes. Professional judgment and the information gained from discussions with ECCC senior management and their management teams were used to assess risk and rank the auditable entities.

The audit and evaluation functions held joint consultations with senior management and staff, to ensure that the planning process for both functions was effective, efficient and coordinated. As a result, this year’s RBAP update includes a potential joint audit and evaluation project. Collaborative efforts in the project will range from conducting joint interviews and collecting and sharing information, to conducting hybrid audit and evaluation engagements.

External assurance providers

The Department is also subject to audits by external assurance providers. The Office of the Auditor General annually conducts an audit of Public Accounts. As well, the Commissioner of the Environment and Sustainable Development has planned seven audits to take place during fiscal years 2019 to 2020 and fiscal years 2020 to 2021. The Office of the Comptroller General and the Public Service Commission will each work on two audits during that time.

The present RBAP takes into account the coverage and frequency of planned external audit engagements. They are factored into the identification of risks and the selection of projects. Wherever possible, the AEB will leverage external audits to optimize the coverage and timing of its own planned audits and minimize duplication.

Follow-up process for past audit recommendations

The AEB is required by Treasury Board policies to regularly monitor and report on the implementation of management actions and commitments made in response to internal and external audit recommendations. The follow-up process allows management to provide, on an ongoing basis, evidence of actions taken and deliverables completed in response to the audit recommendations. The audit team is responsible for validating the implementation of actions and completion of deliverables.

The Chief Audit Executive reports quarterly to the Deputy Ministers, DAC and the Performance Measurement, Evaluation and Results Committee on progress in implementing management responses to recommendations. Any significant delays or changes to action plans and planned deliverables, as well as any associated risks, are flagged. The quarterly follow-up reports are approved by the Deputy Ministers and provided to the Office of the Comptroller General.

Quality assurance and improvement program

The AEB Quality assurance and improvement program (QAIP) is in place and DAC is regularly briefed on its status.

The primary objective of a QAIP is to promote continuous improvement. It is an ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit function. It includes both internal and external assessments.

In compliance with the Treasury Board of Canada’s policies, which includes the Institute of Internal Auditors’ International Professional Practices Framework, an external assessment of the audit function must be performed every five years. An external practice inspection of the ECCC audit function was completed in March 2019. It consisted of a self-assessment done by the AEB’s Professional Practices and Liaison Division in February 2019, followed by a validation by an external validator. The external validator confirmed the global rating of “generally conforms”.

ECCC internal audit projects for fiscal years 2019 to 2020 and 2020 to 2021

All internal audit projects included in the present RBAP were ranked as having an overall high risk.

The following list sets out the planned projects, by fiscal year of tabling. Three audit projects were carried over from FY 2018 to 2019: Assessment of pay-related controls; Audit of occupational health and safety; Joint audit/evaluation of the management of the Pan-Canadian Framework on Clean Growth and Climate Change. As well, two audits will be started in FY 2020 to 2021 but will be tabled in FY 2021 to 2022.

Overview of planned ECCC internal audit projects, by fiscal year of tabling to the Departmental Audit Committee

Tabling in FY 2019 to 2020

• Assessment of pay-related controls (June 2019))
• Audit of occupational health and safety (November 2019)
• Joint audit/evaluation of the management of the Pan-Canadian Framework on Clean Growth and Climate Change (November 2019)
• Audit of project management (March 2020)

Tabling in FY 2020 to 2021

• Audit of the management of the Low Carbon Economy Fund (June 2020)
• Audit of the implementation of the Nature Legacy Initiative (March 2021)
• Audit of information technology governance (March 2021)
• Audit of the management of consultations with Indigenous peoples (March 2021)

Tabling in FY 2021 to 2022

• Audit of information management (November 2021)
• Audit of the implementation of the action plan for Greening Government Operations (March 2022)

Internal audit resources and capacity

The Internal Audit Division forecasts a budget of $1.9 million, with 18.44 full-time equivalent employees to provide audit and advisory services in FY 2019 to 2020. The Internal Audit Division shares resources with the Evaluation Division for the provision of support to committees, document editing and web publication, follow-up on recommendations and advice on practices and methodologies.