Risk-Based Internal Audit Plan 2016-2017 to 2018-2019

[ * ] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act.


1 Introduction

1.1 Purpose

This document presents the Privy Council Office (PCO) 2016-19 Risk Based Audit Plan (RBAP) which replaces PCO’s existing 2015-18 RBAP. This new RBAP identifies and describes the internal auditing engagements PCO’s Audit and Evaluation Division (AED) will conduct over the next three fiscal years to provide independent assurance to the Clerk of the Privy Council and PCO senior management on risk management, control and governance processes within the department. 

Robust risk based audit planning lays the foundation for a strong internal audit function and is necessary to provide the Chief Audit and Evaluation Executive (CAEE) with information needed to plan value added assurance engagements that are both meaningful and relevant to the department. The engagements included in this plan were selected on the basis of a comprehensive analysis of key PCO and other documents supported by consultations with PCO senior executives, the external members of the PCO Audit Committee, the CAEE at Shared Services Canada, and the CAEEs from two departments with which PCO is proposing to conduct joint audits. The engagements identified herein focus on areas of risk and significance and on PCO priority areas.

1.2 Internal audit policy

The Treasury Board (TB) Policy on Internal Audit (2012) defines internal auditing in the Government of Canada as a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. This is also referred to as providing assurance. It is intended to assist decision-makers with exercising oversight and control over their organizations and with applying sound risk management.

The Policy and its supporting Directive on Internal Auditing in the Government of Canada and the Internal Auditing Standards for the Government of Canada confer planning responsibilities on Chief Audit Executives, Departmental Audit Committees (DAC), Deputy Heads and the Comptroller General for Canada. PCO’s CAEE prepares the department’s RBAP and ensures it is vetted with PCO’s Executive Committee and DAC prior to it being jointly recommended by PCO’s CAEE and DAC Chair for approval by the Clerk.

1.3 Profile of the Department

PCO provides professional, non-partisan advice and support to the Prime Minister, the ministers in the Prime Minister’s portfolio and Cabinet. PCO supports the development of the Government of Canada’s policy and legislative agendas, coordinates responses to issues facing the Government and the country, and supports the effective operation of Cabinet. PCO is led by the Clerk of the Privy Council. In addition to serving as the Deputy Head for PCO, the Clerk also acts as Secretary to the Cabinet and the Head of the Public Service.

PCO has three primary roles:

  1. provide non-partisan advice to the Prime Minister, portfolio ministers, Cabinet and Cabinet committees on matters of national and international importance;
  2. support the smooth functioning of the Cabinet decision-making process and facilitate the implementation of the Government’s agenda; and
  3. foster a high performing and accountable Public Service.

1.4 The PCO Internal Audit Function

The internal audit function at PCO is delivered by the department’s Audit and Evaluation Division, with the scope of AED’s activities being defined in the PCO Internal Audit Charter[1]. The Director, AED serves as PCO’s Chief Audit and Evaluation Executive with a direct reporting relationship to the Clerk. The CAEE also serves as Secretary to the PCO Audit Committee. In addition to the CAEE, AED is funded for two full-time equivalent (FTE) internal audit positions and one FTE to provide administrative support.

AED has an annual budget of just under $700,000 for 2016-17 and for each of the two subsequent fiscal years. The budget includes salaries of the Division’s four staff and the three external members of the Audit Committee, as well as the operating budgets for both AED and Audit Committee.  

AED will manage its financial resources prudently while keeping its focus on delivering the auditing engagements outlined herein. Should financial resources become a constraint to delivering planned projects, the CAEE will work with PCO Finance, management and with the Audit Committee to effectively manage any budget or project delivery issues in light of established audit priorities.

1.5 Performance relative to Last Year’s RBAP

In 2015-16, AED advanced a variety of projects from the earlier 2014-17 RBAP. This included completing three projects that were in progress at the start of 2015-16; launching and completing one project during the year; launching two other projects that were nearing completion at year end; and launching an additional project just before year end that is being completed in 2016-17. The table below provides additional details.

Summary of Auditing Engagements Performed in 2015-16
Title | Description
Fraud Risk Assessment | Project was completed in 2014-15; project report was approved in 2015-16.
Audit of Information Technology Management | Project was completed in 2014-15; management’s action plan (MAP) was finalized in 2015-16; project report with MAP was approved in 2016-17.
Audit of Internal Controls Over Financial Reporting | Project launched in 2014-15 and was completed in 2015-16; project report with MAP was approved in 2015-16.
Audit of Recordkeeping Transformation Activities | Project launched and was completed in 2015-16; project report with MAP was approved in 2016-17.
Audit of the Management and Use of Acquisition Cards | Project launched in 2015-16 and was completed in 2016-17; project report with MAP will be approved in 2016-17.
Performance measurement strategy for PCO’s Central Innovation Hub | Project launched in 2015-16 and was completed in 2016-17; project report will be approved in 2016-17.
Risk Assessment of PCO’s Personal Information Holdings | Project launched in 2015-16 and is being completed in 2016-17; project report will be approved in 2016-17.

2 Audit Planning Approach, Methodology and Priorities

2.1 Planning Approach

PCO’s first RBAP was prepared in 2008. That RBAP, and all that have followed it, were prepared based on guidance from the Office of the Comptroller General (OCG) and on audit planning requirements outlined in the TB Internal Audit Policy Suite.

When developing the RBAP two years ago, AED adopted and used expanded audit planning consultations (see Section 2.2), a more streamlined audit universe reflective of PCO’s Program Alignment Architecture (Section 2.3), and a more objective approach to assessing risk and internal controls (Section 2.4). These elements were repeated during the development of last year’s RBAP, and were maintained during the development of this new 2016-19 RBAP. Consistent with a change in the RBAP clearance process implemented last year, this year’s RBAP was vetted first with Executive Committee members and then at DAC before being jointly recommended by the DAC Chair and CAEE for Clerk approval.

2.2 Planning Inputs

As in past years, several information sources were used to develop this RBAP:

  • ongoing priority areas for audit coverage identified by the Clerk to Audit Committee;
  • input from Deputy Secretaries and other senior managers provided to Audit Committee;
  • CAEE interviews with Deputy Secretaries, the Assistant Deputy Minister, Corporate Services Branch (ADM-CSB), the external members of PCO’s DAC, and the CAEE at Shared Services Canada;
  • areas of risk identified in PCO’s evolving Risk Profile, and coverage of management priorities in documents such as PCO’s Report on Plans and Priorities, its Departmental Performance Report, and PCO’s Integrated Business and Human Resources Plan;
  • Management Accountability Framework assessment results;
  • information on OCG and other external assurance provider audits; and
  • results from prior internal audits including management’s self-reporting on corrective actions implemented in response to prior audit recommendations.

2.3 The PCO Audit Universe

The audit universe below is based on PCO’s Program Alignment Architecture and includes auditable entities that may be audited in whole or in part.

Program Areas

  • Advice and Support to the Prime Minister and Portfolio Ministers
    • Advice and Support to the Prime Minister and Portfolio Ministers on:
      • Issues, Policies, Machinery, Communications and Appointments
      • International Affairs and National Security
      • Intergovernmental Affairs
      • Legislation, Parliamentary Issues and Democratic Reform
      • Offices of the Prime Minister and Portfolio Ministers (e.g. correspondence, technical, audio-visual and telecommunications support)
    • Government-wide Communications
    • Governor in Council Appointments
    • Parliamentary Returns
    • Results and Delivery
  • Advice and Support to Cabinet and Cabinet Committees
    • Operation of Cabinet Committees
    • Integration Across the Federal Government
    • Orders-in-Council
    • Cabinet Papers and Confidences
  • Public Service Leadership and Direction
    • Business Transformation & Public Service Renewal (includes the Central Innovation Hub)
    • Management of Senior Leaders
  • Commissions of Inquiry
    • Support to Commissions of Inquiry

Internal Services

  • Management and Oversight, including:
    • Corporate Governance and Reporting
    • Values and Ethics
    • Integrated Risk Management
    • Third-party Services
  • Security and Emergency Management
    • Departmental Security
    • Emergency Management
    • Business Continuity Management
  • Financial Management
    • Financial Planning and Forecasting
    • Financial Operations and Reporting
    • Expenditure Controls / Management
  • Human Resources Management
    • Human Resources Planning, Classification, Recruitment and Staffing
    • Compensation - Pay and Benefits
    • Training, Development and Performance
    • Staff Relations, Consultancy and Well-being
  • Information Technology (IT)
    • IT Support and Service Delivery
    • Distributed Computing and Telecommunication Services
    • Application Development and Program Management
    • IT Security
  • Information and Records Management
  • Access to Information and Privacy
  • Departmental Communication Services
  • Asset Management Services
    • Accommodation and Building Services
    • Procurement and Contracting Services
    • Material and Asset Management

2.4 Ranking the Audit Universe

Next, audit planning ranked the various auditable entities in the audit universe using a three step process. The following describes the process and criteria, and the manner in which they were applied.

Step 1: Assessing Risk Exposure

First, using the indicators below, the CAEE assessed all auditable entities for their risk exposure based on known risk information and the risk environment: 

Risk Indicators | Description
a. Degree and recentness of change | The more change in the internal and external environments, the more exposed the entity is to risk. This indicator encompasses both the magnitude and the recentness of the change as well as the impacts these factors may have on risk levels.
b. Degree of complexity | The more complex the business function, the higher the exposure to operational risk. This indicator refers to the complexity of business processes, technology and regulatory environment; however, the complexity of governance, the arrangements with key stakeholders and the relationships with stakeholders were also considered.
c. Legislative or other compliance requirements | The higher the degree of compliance requirements, the more stringent the control requirements. This inherently exposes the entity to risk stemming from insufficient adherence to obligations, whether statutory or otherwise and can expose the department to reputational consequences.
d. Degree of knowledge | The higher the knowledge requirements, the higher the exposure to risk that may stem from loss of key personnel, operational or relational knowledge. This indicator incorporates personnel and corporate knowledge that may reside in processes, business rules, and systems.
e. Degree of dependencies | The more dependent the entity is on other parties, the more it is exposed to risk that may originate from a lack of control. In addition, the greater the dependencies, the more coordination is required and thus, the higher the exposure to risk.

This analysis provided information on the risk exposure of auditable entities. Internal controls in place to mitigate risk were assessed next.

Step 2: Assessing the Internal Control Framework

The second step involved assessing management’s internal control framework as it applies to each auditable entity. To structure this portion of the analysis, AED adopted the Committee of Sponsoring Organizations’ (COSO)[2] Internal Control – Integrated Framework[3] (2013), which consists of the five interrelated components of internal control presented below.

Components | Description
a. Control environment | The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization/entity. It includes the tone at the top regarding the importance of internal control and expected standards of conduct established by senior management.
b. Risk assessment | Involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
c. Control activities | Actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.
d. Information and communication | Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities.
e. Monitoring Activities | Ongoing assessments, separate assessments, or some combination of the two are used to ascertain whether each of the five components of internal control are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management.

Step 3: Bringing it all together

The systematic application of the steps described above produced risk information on each auditable entity in the audit universe. The CAEE and the AED team then considered this risk information in relation to the various planning inputs described in Section 2.2 above, and applied professional judgement in categorizing each auditable entity within one of the three Audit Priority categories in the table below. Once this analysis was completed and the auditable entities were prioritized, individual projects were identified for inclusion in this 2016-19 RBAP. The table below presents the three Audit Priority categories.

Audit Priority | Description
High Audit Priority | These auditable entities are seen as the most important from an audit standpoint and are the top candidate areas for internal audit activity within the planning horizon.
Moderate Audit Priority | While there is value in auditing within these auditable entities during the planning horizon, they are not seen as the highest of priorities from an audit standpoint.
Low Audit Priority | Engagements in these auditable entities would only be performed within the planning horizon if time and resources permit.

3 Three-Year Audit Plan

3.1 Audit Plan Summary

Under the TB Directive on Internal Auditing in the Government of Canada, CAEEs are responsible for “…..establishing and updating at least annually a multi-year plan of internal audit engagements….which is focused predominantly on the provision of assurance services…”.  Internal auditing is designed to add value and improve an organization’s operations by providing assurance on those areas to which internal audit resources are applied. However, recognizing that a “one size fits all” approach is not always best, this RBAP includes two forms of assurance engagements which are widely accepted within the internal audit community – audit engagements and review engagements. 

Audits and reviews are similar in that they are both conducted to provide assurance on a given subject. They differ in that a review will not normally involve the extensive data gathering and in‑depth substantive testing which are typical characteristics of an audit. For this reason, a review will generally be shorter in duration and less costly than an audit, but an audit will provide a higher level of assurance than a review.

The focus of an assurance project (audit or review) may be at the auditable entity level, or it may be on a component organization, operation or activity within an auditable entity. An assurance project may also cut across auditable entity lines if the organization, operation or activity being audited or reviewed similarly cuts across auditable entity lines.

Within the subset of audits proposed herein, PCO plans to undertake its first two (2) joint audits in partnership with other federal departments. This RBAP also proposes other types of projects including risk assessments, a self-assessment of PCO against a new government’s framework, and a required evaluation project that will use the output from a 2015-16 Performance Measurement Strategy project. The table below outlines the PCO audits, reviews and other engagements proposed over the next three years.

Planned Internal Audit, Evaluation and Other Engagements
2016-2017
2017-2018
2018-2019
  • Risk Assessment of PCO’s Personal Information Holdings
  • Review of PCO’s Performance Management Framework for Employees
  • Audit of PCO’s Accounts Payable Function
  • Joint Audit of the Cabinet Confidence Disclosure Process[4]
  • Audit of PCO’s Parliamentary Returns Process
  • Self-Assessment of PCO Compliance to the New Staffing Framework
  • Joint Audit of PCO and Public Safety Canada’s Planning for the Continuity of Constitutional Government
  • Audit of Integrated Risk Management
  • Follow-up Audit of Information Technology Security
  • Review of Financial Forecasting
  • Preparation for the 2018-19 Practice Inspection of PCO’s Audit and Evaluation Division[5]
  • Evaluation of the Central Innovation Hub
  • Review of PCO’s Arrivals and Departures Processes
  • Audit of PCO’s Governor in Council Appointments Processes
  • Fraud Risk Assessment[6]

The “Planned Engagements After Priority Ranking of the Audit Universe” table below depicts the results from the CAEE’s priority ranking process and indicates in which Auditable Entity the engagements identified above are planned within the overall audit universe over the next three‑year cycle. Auditable Entities in which no engagements are contemplated will be reconsidered for coverage during successive annual audit planning exercises. Should circumstances change in a given Auditable Entity during a given year, audit resources can be reassigned as required.

Planned Engagements After Priority Ranking the Audit Universe

High Priority Audit Entities | Status | Planned Engagements
Information Technology | | Follow-up Audit of Information Technology Security
Cabinet Papers and Confidences | | Joint Audit - CABCONS Disclosure Process
Security and Emergency Management | | Audit of Integrated Risk Management; Joint Audit of PCO and Public Safety’s Planning for Continuity of Constitutional Government
Human Resources Management | | Self-Assessment of PCO Staffing Activities; Review of PCO’s Arrival and Departure Processes; Review - Performance Mgmt Framework for Employees
Governor in Council Appointments of Senior Personnel | | Audit of PCO’s Governor in Council Processes
Business Transformation & Public Service Renewal | | Evaluation of the Central Innovation Hub

Moderate Priority Audit Entities | Status | Planned Engagements
Financial Management | | Audit of PCO’s Accounts Payable Function; Review of Financial Forecasting
Parliamentary Returns | | Audit of PCO’s Parliamentary Returns Process
Management and Oversight | | Fraud Risk Assessment #2
Asset Management Services | |
Access to Information and Privacy | |
Prime Minister Advice and Support | |
Integration Across Federal Government | |

Low Priority Audit Entities | Status | Planned Engagements
Results and Delivery | |
Operation of Cabinet Committees | |
Management of Senior Leaders | |
Communication Services | |
Orders-in-Council | |
Government-wide Communications | |
Support to Prime Minister and Portfolio Ministers’ Offices | |
Support to Commissions of Inquiry | |
Information and Records Management | | Risk Assessment of Personal Information Holdings

In the following section 3.2 of this RBAP, each planned engagement (other than the Fraud Risk Assessment, which is a project being repeated, and the Preparation for the 2018-19 Practice Inspection, which is work internal to the Audit and Evaluation Division) is presented in a separate “Project Profile” table that outlines the engagement’s preliminary objective(s) and scope, information on the rationale for selection, and additional relevant information.

The objective(s) and scope are considered preliminary because they are based only on information gathered to date. Once an engagement is launched and AED staff are engaged both in gathering detailed information and documents and conducting project planning interviews, the objective(s) and/or scope of that engagement may be refined to target audit and evaluation resources to the areas of highest risk or significance.

3.2 Project Profiles

2016-2017

Risk Assessment of PCO’s Personal Information Holdings
Preliminary Objectives and Scope
  • The objectives of the risk assessment will be to:

    • Identify risks associated with protection and management of personal information under PCO’s control;
    • Assess the relative significance of the risks in terms of the likelihood of each risk occurring and its impact, should it occur; and
    • Determine, on a preliminary basis, whether management's assertions about controls are likely to prevent or mitigate the occurrence of the risks of greatest concern.
  • The scope of this risk assessment will be department wide in nature. It will identify and document PCO’s personal information holdings, including where these holdings exist, and will provide information on the practices PCO is using to manage these holdings. The scope will include consideration of the Personal Information Banks contained in Info Source, which describes categories of personal information collected by PCO including how that information is to be handled, used, retained, and disposed of. As this is a risk assessment, limited testing of controls over the management of these holdings is contemplated.
  • Results from the risk assessment will inform management decision making and annual audit planning.
Selection Rationale
  • Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act (the Act). The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust in government.
  • Questions about the extent to which PCO has holdings of personal information and how these are managed have been raised during this and last year’s audit planning interviews. The Act and the associated Privacy Regulations will form the backdrop for this risk assessment as they provide the legal framework for the creation, collection, retention, use, disclosure, accuracy and disposition of personal information in the administration of programs and activities by government institutions.
  • The risk to PCO’s reputation from possible ineffective information management practices is considered high.
  • As a project newly proposed in this RBAP related to information management, this Risk Assessment complements the 2015-16 Audit of Recordkeeping Transformation.
Alignment with PCO Audit Universe: Department-Wide
Alignment to Risk Factors: Reputation/Public Opinion Risk – Reputational Risk; IM/IT Risk – Information Management Risk; Operational Risk – Process Risk
Expected Project Cost: Three month level of effort from PCO project lead with no budget for contractor support
Project Type: Risk Assessment
Expected Start: Q4 of 2015-2016 (Note: this project launched just prior to the start of the 2016-17 fiscal year).

Review of PCO’s Performance Management Framework for Employees
Preliminary Objectives and Scope
  • The objective of the review will be to provide assurance on the extent to which PCO has established an effective control framework for meeting the department’s obligations under Treasury Board’s 2014 Directive on Performance Management as it relates to non-Ex level PCO employees.
  • The scope of the review will include the control framework established to manage non-Ex level employee performance at PCO under the 2014 Directive, including management oversight of the PCO Performance Management Program.
Selection Rationale
  • The TB Directive on Performance Management, which came into effect April 1, 2014, promotes a commitment to sustaining a culture of high performance in the public service. This dovetails well with the vision underlying Destination 2020. To the extent that the TB Directive represents a new and higher standard for the development and monitoring of performance objectives for all PCO employees, proactively providing assurance to the Clerk in 2016-17 on the extent to which PCO has an effective performance management framework in place and is meeting its obligations under the new Directive as they relate to non-Ex level employees is seen as both relevant and timely.
  • This project was approved in the last two RBAPs. As a project related to human resource management, this review complements the 2017-18 Self-Assessment of PCO Compliance to the New Staffing Framework and the 2018-19 Review of PCO’s Arrival and Departure Processes.
Alignment with PCO Audit Universe: Internal Services – Human Resources Management
Alignment to Risk Factors: Operational Risk – Process Risk
Expected Project Cost: Four month level of effort from PCO project lead with a budget of $30K for contractor support
Project Type: Assurance Review
Expected Start: Q2 of 2016-2017

Audit of PCO’s Accounts Payable Function
Preliminary Objectives and Scope
  • The objective of the audit will be to provide assurance on the adequacy of PCO’s control framework over the Department’s Accounts Payable function and the degree to which the function is operating as intended.
  • The scope of the audit will include the framework of financial and management oversight controls in place at PCO over the Accounts Payable function, including the alignment of Departmental processes, procedures and practices with Treasury Board policies and directives, and with other applicable authorities.
Selection Rationale
  • The Accounts Payable function at PCO has not been subjected to internal or external audit coverage for at least the last eight (8) years.
  • The new funding PCO is receiving pursuant to Budget 2016 will be invested in, among other things, the modernization of Information Technology systems. The expenditures associated with these investments will flow through PCO’s Accounts Payable function. It is therefore considered an opportune time to provide assurance on the Accounts Payable function.
  • This Audit was proposed by the Acting ADM-CSB during this year’s annual audit planning interviews - a proposal the CAEE fully supports.
  • The Accounts Payable function has a degree of inherent fraud risk associated with it, so this audit complements the 2018-19 Fraud Risk Assessment project presented later in this RBAP.
  • As a project related to financial management, this audit also complements the 2017-18 Audit of Integrated Risk Management and, to a degree, the 2017-18 Review of Financial Forecasting.
Alignment with PCO Audit Universe: Internal Services – Primary: Financial Management; Secondary: Asset Management Services
Alignment to Risk Factors: Operational Risk – Process Risk; Financial Risk – Financial Management Risk
Expected Project Cost: Four month level of effort from PCO project lead with a budget of $40K for contractor support
Project Type: Assurance Audit
Expected Start: Q2 of 2016-2017

Joint Audit of the Cabinet Confidence Disclosure Process
Preliminary Objectives and Scope
  • The objective of this joint audit will be to provide assurance on the management control framework over the process for the review of Cabinet confidences for exclusion from disclosure.
  • The scope of this joint audit will include application of the procedures and consultation provisions established for the review of potential Cabinet confidence information for exclusion from disclosure in PCO and in other government institutions. The period of coverage will be from when the adjusted procedures were introduced to the time of the joint audit. The audit will not challenge determinations made by legal Counsel as to what is, or is not, a Cabinet confidence.
  • As this will be a joint audit with Justice Canada, PCO’s Audit and Evaluation Division will work in partnership with auditors from Justice Canada. The methodology will include working with officials in PCO and with Justice Canada lawyers in other government departments (OGDs) who apply the procedures established for (a) reviewing Cabinet confidence information for exclusion from disclosure and for (b) consulting the Office of the Counsel to the Clerk of PCO, as appropriate. The CAEs from both departments will jointly select the OGDs for inclusion in the joint audit after consulting with subject matter experts in the two participating departments.
Selection Rationale
  • Until 2013-14, per the TBS Policy on Access to Information, all government institutions had to consult PCO Counsel about the review of potential Cabinet confidence information for exclusion from disclosure pursuant to s.69 of the ATI Act and to s.70 of the Privacy Act on behalf of the Clerk as custodian of the Cabinet confidences of all Prime Ministers, past and present.  This Policy was changed in 2013-14 resulting in Justice legal counsel in client departments and agencies being given the authority to make exclusion decisions without having to consult PCO.
  • Under s.2.1.4 of the TBS ATI Manual, the Clerk is responsible for ensuring the integrity of the Cabinet process and the stewardship of the documents that support this process. As custodian of Cabinet confidences, the Clerk is responsible for policies on the administration of these confidences and for the ultimate determination of what constitutes such confidences, and must be consulted in a manner consistent with the guidance set out in Chapter 13 of the TBS Manual.
  • Under s.8.2 of the TBS Policy on ATI, the Clerk is responsible for policies on administration of Cabinet confidences and determines what information constitutes a Cabinet confidence. Under s.6.2.7 of the Policy, Deputy Heads must consult their departmental legal counsel, per established procedures, before excluding Cabinet confidences from disclosure.
  • Under s.13.4.5 b) of the TBS ATI Manual regarding procedures to follow in the review of records subject to subsection 69(1) of the ATI Act, if there is any doubt within a department whether a record is a Cabinet confidence in cases involving complex fact situations or when there is a disagreement between the department’s legal counsel and ATIP Office about the nature of the information, or when documents contain discussion papers, that department’s legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council.
  • This project was approved in each of the last two RBAPs. The merit of providing assurance on the adjusted Cabinet confidences review process was discussed and supported during this year’s and each of the last two years’ audit planning interviews.
Alignment with PCO Audit Universe: Cabinet Papers and Confidences
Alignment to Risk Factors: Operational Risk – Process Risk
Expected Project Cost: Six month level of effort from PCO project lead with no budget for contractor support
Project Type: Assurance Audit
Expected Start: Q2 of 2016-2017
Audit of PCO’s Parliamentary Returns Process
Preliminary Objectives and Scope
  • The objective of the audit will be to provide assurance on the adequacy of PCO’s control framework over, and the processes used to manage and coordinate, parliamentary returns.
  • The scope of the audit will include the management controls, processes and procedures that apply to the processing of Parliamentary returns, including those outlined in PCO’s Guide to Producing Parliamentary Returns. The audit will consider the extent to which the current process is capitalizing on the benefits of modern technologies.
Selection Rationale
  • In 2004, the Office of the Auditor General examined the Process for Responding to Parliamentary Order Paper Questions. In 2008, PCO conducted its Follow-up Audit of the Process for Responding to Parliamentary Order Paper Questions. These audits led to the creation of the Guide to Producing Parliamentary Returns and the Glossary of Terms for Parliamentary Returns. No further audit attention has been applied in this area since 2008.
  • Audit planning interviews conducted two years ago indicated a significant rise in the number of Parliamentary Returns had occurred. Given the potential sensitivity associated with processing parliamentary returns, this increases strategic, processing and reputational risks for PCO.
  • Modern technologies and their ability to improve PCO processes continue to advance, yet it has already been 8 years since this area was last audited, and it would be 9 years between audits if this audit is conducted when planned.
  • This audit was approved in each of the last two RBAPs. Audit planning interviews this year confirmed ongoing support for this audit.
Alignment with PCO Audit Universe: Advice and Support to the Prime Minister and Portfolio Ministers – Parliamentary Returns
Alignment to Risk Factors:
  • Strategic Risk – risk to achieving PCO’s mandate
  • Operational Risk – Process Risk
  • Reputational Risk
Expected Project Cost: Six month level of effort from PCO project lead with a budget of $30K for contractor support
Project Type: Assurance Audit
Expected Start: Q4 of 2016-2017

2017-2018

Self-Assessment of PCO Staffing Activities
Preliminary Objectives and Scope
  • The objectives of this self-assessment will be to determine the extent to which PCO staffing activities adhere to the Public Service Commission’s (PSC) new staffing framework and are compliant with PCO’s new Staffing Policy, each of which took effect April 1, 2016.
  • The scope of this project will include an assessment of a sample of completed staffing actions conducted by PCO under this new staffing framework.  This new staffing framework is seen to consist of the appointment authorities delegated by the PSC to the Clerk under the Public Service Employment Act, the PSC’s Appointment Policy, and applicable departmental policies such as PCO’s new Staffing Policy.
Selection Rationale
  • On April 1, 2016, the PSC implemented its new staffing framework.  In an earlier letter to the Clerk, the PSC noted that “….organizations will be required to conduct an assessment of their adherence to the requirements established in the delegation instrument, the Public Service Employment Act, other applicable statutory and regulatory instruments, the PSC’s Appointment Policy, and organizational staffing policies and sub-delegation instruments.”
  • The last major change of a similar nature occurred in 2005 during the implementation of the Public Service Employment Act (PSEA). As reported by PCO’s Executive Director, Human Resources to the PCO Audit Committee, after monitoring the results of the resulting framework for ten (10) years, the existing system is mature and needs a change.
  • PCO’s new staffing policy has been developed in light of the PSC’s new staffing framework. Prior to the introduction of this new staffing framework, a Review of PCO’s Staffing Activities had been approved in the last PCO RBAP. However, with the introduction of the new staffing framework, management decided, as had been recommended by the PSC to the Clerk, to cancel the planned Review of PCO’s Staffing Activities in favor of conducting this self-assessment project.
  • As a project related to human resource management, this self-assessment complements the 2016-17 Review of PCO’s Performance Management Framework for Employees and the 2018-19 Review of PCO’s Arrival and Departure Processes.
Alignment with PCO Audit Universe: Internal Services – Human Resources Management
Alignment to Risk Factors:
  • Operational Risk – Human Resources Risk
  • Operational Risk – Process Risk
Expected Project Cost: Four month level of effort from PCO project lead with a budget of $30K for contractor support
Project Type: Assurance Review
Expected Start: Q1 of 2017-2018
Joint Audit of PCO and Public Safety Canada’s Planning for Continuity of Constitutional Government
Preliminary Objectives and Scope
  • The objective of this joint audit will be to assess the effectiveness of the governance structures established and controls put in place to support PCO’s and Public Safety Canada’s roles and responsibilities in planning for the continued operation of the Executive Branch of the Government of Canada following a catastrophic disruption.
  • The scope of the audit will include each department’s planning roles and responsibilities, including mechanisms to coordinate relevant requirements between the departments.
Selection Rationale
  • Continuity of constitutional government (CCG) is the process of establishing plans and procedures for allowing the three branches of the constitutional Government of Canada, namely the executive, legislative and judicial branches, to continue operations in case of an emergency or catastrophic disruption. While Public Safety Canada bears statutory responsibility for CCG under Section 4.1 of the Emergency Management Act, in the event of a catastrophic disruption, PCO needs to be prepared and able to interface with Public Safety Canada to coordinate all aspects of CCG implementation.
  • PCO has conducted two internal audits of business continuity (2011 and a follow-up in 2014); however, CCG was excluded from the scope of these past audits.
  • In the event of a catastrophic disruption, PCO’s ability to meet its core mandate (i.e., to provide advice and support to the Prime Minister and portfolio Ministers and to provide advice and support to Cabinet and Cabinet committees) will be dependent on the effective functioning of established CCG plans and arrangements.
  • Aspects of the 2017-18 Audit of Information Technology Security proposed later in this RBAP will complement this joint audit.
Alignment with PCO Audit Universe: Internal Services - Security and Emergency Management
Alignment to Risk Factors:
  • Strategic Risk - risk to achieving PCO’s mandate
  • Hazard / Security Risk
Expected Project Cost: Six month level of effort from PCO project lead with a budget of $60K for contractor support
Project Type: Assurance Audit
Expected Start: Q2 of 2017-2018
Audit of Integrated Risk Management
Preliminary Objectives and Scope
  • The objective of the audit will be to provide assurance on the effectiveness of PCO’s approach to Integrated Risk Management and the degree to which it is consistent with applicable Treasury Board (TB) authorities.
  • The scope of the audit will focus on PCO’s Integrated Risk Management Framework including PCO systems, processes and practices used in the identification, mitigation and reporting of risks in PCO’s Enterprise Risk Profile.
Selection Rationale
  • Risk management is an essential element of an effective public administration framework.  To mitigate against possible losses and capitalize on opportunities, decision-makers must be aware of existing and emerging risks in a timely manner.
  • Treasury Board has issued several authority instruments for the effective management of risks including the TB Framework for the Management of Risk and the TB Guide to Integrated Risk Management.  These instruments, which will form part of the backdrop for this audit, outline a principles-based approach to risk management that re-affirms the Deputy Head responsibility for effective management of their organization, including risk management. These instruments, which are further supported by TB’s Guide to Corporate Risk Profiles, a Guide to Risk Taxonomies and a Risk Management Capability Model, describe expectations for an effective risk management practice in a government department.
  • PCO is continuing to evolve its approach to risk management.  As had been reported to PCO’s Audit Committee last year, Finance and Corporate Planning Division had updated PCO’s Enterprise Risk Profile and had improved the Risk Profile development process by integrating collection of risk information into the data gathering exercise of the Integrated Business Planning Process. Other changes included expanding the range of consultations on potential risks to include all PCO branches and secretariats, including directorates within Corporate Services Branch.
  • Risk management was included as a component of PCO’s 2011 Audit of Accounting Officer Responsibilities, Including Risk Management. However, an audit solely focussed on integrated risk management at PCO has not been conducted. Such an audit would, especially in light of changes to the integrated risk management process which have occurred since 2011, provide assurance on the extent to which PCO’s integrated risk management activities are consistent with TB authorities.
  • As a project related to (among other things) financial management, this audit complements the proposed 2016-17 Audit of PCO’s Accounts Payable Function and the 2017-18 Review of Financial Forecasting.
Alignment with PCO Audit Universe: Finance and Corporate Planning Division – Corporate Services
Alignment to Risk Factors: Operational Risk – Process Risk
Expected Project Cost: Six month level of effort from PCO project lead with a budget of $40K for contractor support
Project Type: Assurance Audit
Expected Start: Q2 of 2017-2018
Follow-up Audit of Information Technology Security
Preliminary Objectives and Scope
  • The objectives of this audit will be: (i) to provide assurance on PCO’s adherence to relevant Treasury Board policies; (ii) to provide assurance on the adequacy of PCO’s control framework to manage IT security elements in support of the department’s business requirements while coordinating IT security related requirements with Shared Services Canada (SSC) and the Communications Security Establishment Canada (CSEC); and (iii) to follow-up on the implementation of management action plans established in response to applicable audit recommendations from the 2009 PCO Audit of IT Security and the 2014 PCO Audit of Information Technology Management.
  • The scope of the audit will include PCO’s IT security function and its mechanisms to coordinate IT security related roles, responsibilities and activities with SSC and CSEC, but not PCO’s role as a Lead Security Agency under TB’s Policy on Government Security.
Selection Rationale
  • IT security remains an area of high risk for PCO and for the government as a whole. Roles and responsibilities for IT security are shared and must be coordinated between SSC and its client departments (including PCO). As SSC continues to evolve, so do the roles and responsibilities for IT security and mechanisms for interdepartmental coordination. This degree of change is accompanied by increasing risk and a need for ongoing risk management attention.
  • [ * ]
  • This audit was approved in each of the last two RBAPs.  Given that management is in the process of implementing its action plan in response to the 2014 PCO Audit of Information Technology Management, management decided this audit should be deferred to a later point in time. The audit is now planned for launch in the last quarter of the 2017-18 fiscal year, to be completed in 2018-2019.
  • As a project related to information management and information technology, this follow-up audit complements in some respects the proposed 2017-18 Joint Audit of Planning for Continuity of Constitutional Government and the 2018-19 Audit of PCO’s Governor in Council Appointments Processes.
Alignment with PCO Audit Universe: Internal Services – Information Technology
Alignment to Risk Factors: Operational Risks
  • IT Risk
  • Hazard / Security Risk
Expected Project Cost: Six month level of effort from PCO project lead with a budget of $100K for contractor support
Project Type: Assurance Audit
Expected Start: Q4 of 2017-2018
Review of Financial Forecasting
Preliminary Objectives and Scope
  • The objective of the review will be to provide assurance on whether PCO is forecasting financial information appropriately to inform management decision making.
  • The scope of the review will include those financial forecasting processes and activities in place to inform management decision-making. It will include an assessment of the extent to which PCO is compliant with relevant TB policies and other authorities in place during the fiscal year preceding the year in which this review is undertaken.
Selection Rationale
  • The federal government is expected to manage public funds well by effectively planning, budgeting and making decisions on the allocation, reallocation and use of financial resources based on reliable information and sound analysis of that information. In this context, PCO must be able to demonstrate its financial forecasting processes and activities are compliant with requirements and that they support management decision-making.
  • This project was suggested by the CAEE two years ago and it was discussed at PCO’s Executive and Audit Committees at the time. Although the project was not originally retained in the approved PCO RBAP two years ago, the CAEE obtained Executive Committee’s concurrence at the time that the project would be brought forward for consideration again last year. Following last year’s discussions, this Review was retained in last year’s RBAP.
  • PCO was not one of the departments that participated in the OCG’s Horizontal Audit of Financial Forecasting in Large and Small Departments that was reported on in June 2014. However, using the Lines of Inquiry from the OCG’s audit as criteria, PCO’s Finance function conducted a self-assessment and reported the results to Audit Committee.
  • As a project related to financial management, this review complements the proposed 2016-17 Audit of PCO’s Accounts Payable Function. It also complements the 2017-18 Audit of Integrated Risk Management.
Alignment with PCO Audit Universe: Internal Services – Financial Management – Financial Planning and Forecasting
Alignment to Risk Factors: Financial Risk – Financial Management Risk
Expected Project Cost: Four month level of effort from PCO project lead with a budget of $30K for contractor support
Project Type: Assurance Review
Expected Start: Q4 of 2017-2018

2018-2019

Evaluation of the Central Innovation Hub
Preliminary Objectives and Scope
  • The objective of this evaluation will be to assess the relevance and performance of the Central Innovation Hub (The Hub). The evaluation will provide information on the results of The Hub that could inform a possible request to Treasury Board to access earmarked ongoing funding.
  • The evaluation will cover The Hub’s activities and performance from its launch to the time of the evaluation. The work will be guided by the Performance Measurement Strategy for the Central Innovation Hub project (the final report of which was tabled at the June 2016 Audit Committee and, following the processing of updates that have been made within the report, is now with Senior Management for final acceptance. Once accepted, it will be recommended to the Clerk for formal approval).
Selection Rationale
  • In May 2014, the Clerk’s Destination 2020 report announced several initiatives intended to respond to challenges, modernize the public service and strengthen its capacity to develop innovative, effective solutions, including establishing the Central Innovation Hub.
  • The Hub has been established to support departments and agencies in adopting new and emerging approaches to policy and program challenges to provide a greater range of effective policy options to government.
  • The Hub is carrying out three key sets of activities:

    • first, the Hub acts as a central resource, providing easy access to a common set of information on best practices and new tools, approaches and techniques;
    • second, the Hub functions as a connector and convenor, establishing networks and partnerships between departmental project leads and key resources across the public service, as well as linkages to academics and external experts that can support departmental work; and  
    • third, the Hub is a direct innovation driver - members of the Hub work with interested departments to identify initiatives with potential for system-wide benefit, assist them as they test and implement new tools and approaches, and assess and document the results in order to draw on lessons learned in real time and transmit them across departments.
  • The evaluation will provide an evidence-based, neutral assessment of progress toward expected outcomes (including immediate, intermediate and ultimate outcomes) with reference to performance targets and program reach and design.
  • As the second of two Hub related projects at PCO, this Evaluation will build on outputs of the 2015-16 Performance Measurement Strategy for the Central Innovation Hub project and will inform any 2018-19 TB Submission that will seek earmarked funding for The Hub beyond 2018-19.
Alignment with PCO Audit Universe: Public Service Leadership & Direction - Business Transformation and Public Service Renewal
Alignment to Risk Factors:
  • Transformation / Change Management Risk
  • Process Risk
Expected Project Cost: Six month level of effort from PCO project lead with a budget of $60K for contractor support
Project Type: Evaluation
Expected Start: Q1 of 2018-2019
Review of PCO’s Arrival and Departure Processes
Preliminary Objectives and Scope
  • The objective of the review will be to provide assurance on the adequacy of PCO’s arrival and departure controls and activities and the degree to which they respect the responsibilities, guidelines and procedures outlined in the department’s Policy for Arrival and Departure of Personnel.
  • The scope of the review will include an assessment of a sample of arriving personnel files and a sample of departing personnel files against the requirements outlined in the Department’s Policy for Arrival and Departure of Personnel, including the return of departmental assets.
Selection Rationale
  • PCO is not generally considered to be a large department, but for its size, PCO can at times experience significant staff turnover. This adds to the rationale for reviewing the department’s arrival and departure activities.
  • After this review was suggested by the ADM-CSB during audit planning interviews two years ago, the review was included in each of the last two RBAPs.  However, when last discussed with the ADM-CSB, given that these processes were being changed, the ADM-CSB suggested deferring the review project until 2018-19 to allow for completion of the changes to the process and for a reasonable amount of time during which the new processes would have been in effect.
  • Feedback received from management during this year’s RBAP planning process noted a concern with the time it takes for new staff to be granted access to PCO’s Top Secret Network within the overall arrivals process - this will be considered during the project.
  • As a project related to human resource management, this review complements the 2016-17 Review of PCO’s Performance Management Framework for Employees and the 2017-18 Self-Assessment of PCO Compliance to the New Staffing Framework.
Alignment with PCO Audit Universe: Internal Services – various including:
  • Human Resources Management
  • Asset Management Services
  • Security and Emergency Management
Alignment to Risk Factors:
  • Operational Risk – Process Risk
  • IM/IT Risk – IM Risk
Expected Project Cost: Four month level of effort from PCO project lead with no budget for contractor support
Project Type: Assurance Review
Expected Start: Q3 of 2018-2019
Audit of PCO’s Governor in Council Appointments Processes
Preliminary Objectives and Scope
  • The objective of the audit will be to provide assurance that PCO has an adequate control framework in place over the Department’s Governor in Council appointment processes and that these processes are compliant with applicable policies, directives and authorities.
  • The scope of the audit will focus on completed Governor in Council appointments processes conducted during the period from when the new approach went into effect in May 2016 to the start of the audit. It will consider the adequacy of the processes, practices and information systems in place to support this new approach to Governor in Council appointments. Final appointment decisions, which are not made by PCO, are excluded from audit consideration.
Selection Rationale
  • On February 25, 2016, the Prime Minister announced a “new approach” consistent with the Government’s commitment for an open, transparent and merit-based selection process that will help fill Governor in Council appointments.  Appointments will be expected to achieve gender parity and reflect Canada’s diversity. This new approach took effect in May 2016.
  • This new approach is merit-based and it calls for the majority of available Governor in Council positions to be advertised on a government website, providing Canadians with the opportunity to submit applications online.
  • This new approach is in line with the Government’s overall objective and the Prime Minister’s public commitment to raising the bar on openness and transparency in government to make sure it remains focussed on serving Canadians as effectively and efficiently as possible.
  • The idea of conducting this audit was raised and discussed during some of this year’s annual audit planning interviews, including with the Deputy Secretary to the Cabinet, Senior Personnel and Public Service Renewal who indicated support for the audit to be conducted in 2018-2019.
  • As this audit includes consideration of the information systems that will be used during the conduct of Governor in Council appointments processes, the audit complements the 2017-18 Follow-up Audit of Information Technology Security.
Alignment with PCO Audit Universe: Governor-in-Council Appointments
Alignment to Risk Factors:
  • Operational Risk -
  • Operational Risk – Process Risk
Expected Project Cost: Six month level of effort from PCO project lead with a budget of $40K for contractor support
Project Type: Assurance Audit
Expected Start: Q4 of 2018-2019

Appendix A – Risk Factors

Each entry below gives the Risk, its Description and its Potential Risk Events.

Operational Risks

Risk: Human Resource Risk
Description: Risk associated with acquiring and consistently maintaining a sufficient and representative workforce with the appropriate experience, competencies and skill-mix.
Potential Risk Events:
  • Insufficient human resource capacity
  • Reduced ability to attract and maintain necessary human resources
  • Experience lacking in critical areas
  • Misalignment of skills to job requirements
  • Low retention rate

Risk: Legal/Compliance Risk
Description: Risk of violation of laws, regulations and international treaties / agreements and non‑compliance with government policies.
Potential Risk Events:
  • Legal liability that may result from violations
  • Increased or unsustainable litigation
  • Increased Treasury Board Secretariat oversight and specific consequences as described in various TB Policies

Risk: Process Risk
Description: Risk from business processes, management practices, and supporting policies and procedures that are not well-designed, are inefficient or ineffective, or are not well documented, clearly communicated or implemented.
Potential Risk Events:
  • Non-compliant or inconsistent delivery of products
  • Inefficient operations
  • Diminished confidentiality

IM/IT Risks

Risk: IT Risk
Description: Risk arising from inadequate IT infrastructure, technological and other capital assets.
Potential Risk Events:
  • Business delivery compromised by inadequate support from existing systems infrastructure or technology, including total system failure
  • System security breaches
  • System virus penetration
  • Diminished data integrity

Risk: IM Risk
Description: Risk associated with loss or failure to manage information, including intellectual property, organizational or operational information, and personal information of citizens.
Potential Risk Events:
  • Slow response time, repeated mistakes, slow competency development

Financial Risks

Risk: Financial Management Risk
Description: Risk that expenditures are inappropriate and / or that internal or external financial reports are based on inappropriate policies or include material misstatement or omit material facts making them misleading.
Potential Risk Events:
  • Expenditures not properly authorized or recorded
  • Budget misalignment
  • Program opportunities lost
  • Citizens / stakeholders misled

Fraud Risks

Risk: Fraud
Description: Risk from intentional misrepresentation by an employee or a third-party for the purpose of personal gain.
Potential Risk Events:
  • Intentional circumventions of policies / procedures for personal gain
  • Unauthorized disclosure or corruption of personal or other significant information with the intention of gain

Strategic Risks

Risk: Political / Economic Risk
Description: Risk that a change of government, bureaucracy, political or policy direction, and economic changes may negatively affect the achievement of established objectives.
Potential Risk Events:
  • Loss of momentum or business progress
  • Removal of funding for ongoing operations or new initiatives

Risk: Transformation / Change Management Risk
Description: Risk associated with the inability to initiate, manage or sustain significant organizational change initiatives - encompasses both cultural and process dimensions of change management.
Potential Risk Events:
  • Failure to advance towards new goals, i.e. project management risk
  • Poor adaptability to new business strategies or processes and erratic business delivery
  • Reduced engagement of staff or public in change initiatives, i.e. engagement risk

Risk: Environmental Risk
Description: Risks outside the scope of government’s control that impact priorities.
Potential Risk Events:
  • Significant domestic events
  • Significant world events

Reputation/Public Opinion Risks

Risk: Reputation / Public Opinion Risk
Description: Risk of loss of reputation or change of public opinion that either directly or indirectly influences negatively the execution of the organization’s mandate.
Potential Risk Events:
  • Reduced credibility and influence
  • Lack of public support for major initiatives

Risk: Third Party Risk
Description: Risk that actions (or inactions) taken by partners or suppliers may negatively affect the achievement of objectives - can include other stakeholder government departments.
Potential Risk Events:
  • Non-compliance with legislation, regulations or policy
  • Non-delivery from third parties
  • Quality of products sub-standard

Hazard/Security Risk

Risk: Hazard / Security Risk
Description: Risk from all types of natural, chemical, biological, nuclear or other hazards, including unintentional or pre-meditated activities.
Potential Risk Events:
  • Injury or loss of life
  • Property damages
  • Compromised business continuity
  • Information breaches