2007-2008 Annual Report

Corporate Audit and Evaluation Branch

May 2008


Introduction

Canada Revenue Agency (CRA) Internal Audit and Program Evaluation policies require the head of the Corporate Audit and Evaluation Branch (CAEB) to periodically report to senior management and the audit committee on authority, responsibility and performance relative to an established plan. This is met through in-year reports, a follow-up report, an annual business plan, as well as this annual report that provides an overview of the branch’s performance and development for the 2007-2008 fiscal year. Information is presented on program delivery results as measured against the objectives set out in the 2007-2008 portion of the CAEB 2007-2010 Business Plan, as well as branch developments and accomplishments and, in particular, challenges that are inherent with the evolving role of both the internal audit and program evaluation functions.

Governance

The Director General (DG) of Corporate Audit and Evaluation Branch is accountable to both the CRA Commissioner and the Agency’s Board of Management (BoM) Audit Committee. The DG is responsible for the Branch’s Internal Audit, Program Evaluation, Professional Practices, Corporate Services, and Office of the Auditor General (OAG) Liaison functions.

CAEB operates within a well-defined governance framework that includes: an Internal Audit Management Committee (IAMC) chaired by the Commissioner and made up of CRA executives; the BoM Audit Committee comprised of external members that are independent of the Agency; and DG participation as a member of the Agency Management Committee (AMC). The DG is also a member of the Agency’s Resource and Investment Management Committee (RIMC) and has linkages to other CRA senior management and BoM committees.

The IAMC is the reporting committee for Internal Audit; AMC is the reporting committee as well as the governance body responsible for providing strategic direction for the Program Evaluation function.

Appendix A provides a list of CAEB contacts.

Mandate

The CAEB mandate is to support the achievement of the Agency's strategic goals by providing the Commissioner and senior management with independent and objective information, advice and assurance on the soundness of the Agency's management framework and on the effectiveness, efficiency and economy of its strategies, programs and practices.

The work of the Branch supports the oversight role played by the Board of Management, through its Audit Committee, for those Agency activities falling within the Board’s sphere of responsibility in accordance with the Canada Revenue Agency Act. CAEB provides BoM with regular and timely assurance and information on Agency activities through presentations of IAMC and AMC approved reports in addition to progress-to-plan status reports and briefings on work being conducted in key risk areas.

Internal Audit contributes to management and cost effectiveness of program delivery, and to strengthening accountability by providing information on the adequacy and effectiveness of the Agency’s internal control systems and the quality of performance.

Information provided by Program Evaluation is intended to support decision-making related to program relevance, design, resourcing and performance and, in addition, supports improved management accountability. Program Evaluation also serves as a centre of expertise providing advice and guidance to program areas on evaluation methodologies, results‑based management and accountability frameworks and performance measurement.

Audits and evaluations are identified using a risk-based approach that includes consideration of Agency-wide risks and Corporate Business Plan priorities as well as CAEB’s risk assessment of the Agency’s activities. The risk assessment includes environmental scanning and consultation in regions and headquarters. Consultation with the Commissioner, senior management, BoM Audit Committee, and the OAG facilitates the identification of key stakeholder needs when developing the business plan. Risks are examined through an analysis of the Agency’s Corporate Risk Inventory (CRI) that is maintained by the Enterprise Risk Management (ERM) area within Finance and Administration Branch, Corporate Business Plan (CBP), and the Branch’s understanding of CRA risks.

The CAEB OAG Liaison function provides ongoing support and guidance to Agency management and staff regarding OAG audit activity including:  working with branches and OAG representatives to ensure that CRA results are fairly and accurately reported; ensuring CRA responds appropriately to recommendations; preparing material for CRA executive and ministerial briefings on Auditor General (AG) reports; and providing CRA senior management with assistance with Public Accounts Committee appearances pertaining to AG reports, observations and recommendations.

Financial Resources

CAEB delivered its mandate in 2007-2008 within the 5% variance tolerance level from an operating budget of approximately $9.9 million representing 115 full-time equivalents (FTE). Program evaluators, professional practices, corporate services and OAG Liaison staff are located in the National Capital Region (NCR), while internal auditors are located in both the NCR and the regions (Pacific, Ontario, Quebec, Atlantic).

            Budget          FTEs
            ($M)    (%)     (#)    (%)
NCR (HQ)    6.7     68      80     70
Regions     3.2     32      35     30
Total       9.9     100     115    100

Branch Performance

The Corporate Audit and Evaluation Branch 2007-2010 Business Plan was aligned with the 2007-2008 to 2009-2010 CRA Corporate Business Plan that emphasized three themes: maintain a strong and modern core business; mature the governance model; and expand business opportunities.

The Agency's core business capacity relies on a robust financial infrastructure as well as responsible tax administration.

Internal Audit Division (IAD) continued to perform transaction flow-through audits this fiscal year to provide assurance on the accuracy and appropriateness of the flow of tax information through CRA's financial reporting systems. A second phase of the T2 (corporation taxes) Transaction Flow-Through audit was completed this fiscal year to build upon the results of the first phase completed in 2006-2007 and to expand the coverage of federal, provincial and territorial revenues. A T3 (trust income tax) Transaction Flow-Through audit was completed this fiscal year as well.

Two key information technology (IT) related audits completed this year were Local Solutions and Business Intelligence Decision Support (BIDS). These audits received extensive review and discussion within the Agency. Indeed, senior management demonstrated a strong commitment to ensuring the success of these large and complex IT projects.

Local Solutions refer to applications or systems developed by employees or local information technology staff for use at the local level in CRA branches and regions. These solutions are developed outside of headquarters development processes for national systems.

BIDS is an Information Technology Branch (ITB) sponsored Agency-wide initiative designed to create a responsive environment and architecture within the Agency to support tactical and strategic decision support requirements.

In order to assess the functions responsible for tax administration, IAD also conducted an audit of the Non-Filer/Non-Registrant Program, an audit of the Excise Duty Program, and a full follow-up audit of the GST Credit Returns Prepayment Program.

To support a governance model that blends delegated authorities and accountability, IAD conducted a review of the Internal Fraud Control Framework and an MG Time Utilization Study business advisory service. Program Evaluation Division (PED) completed a HQ-Region Managers Exchange Program Evaluation Study.

IAD also completed two separate Memoranda of Understanding (MOU) audits – one with the Royal Canadian Mounted Police (RCMP) and another with the Canadian Security Intelligence Service (CSIS). These audits were conducted to provide assurance that the CRA is compliant with the terms and conditions governing the use, communication to others and security of information received from these organizations.

Further information on CAEB final reports is available on the CRA website: Internal Audit and Program Evaluation

Appendix B provides a rationale for each audit or evaluation planned for 2007-2008 that was deferred or cancelled.

The OAG Liaison function continued to work closely with the OAG and with the branches/regions of the CRA to facilitate the fulfilment of the Auditor General’s responsibility as Parliament’s auditor. As such, CAEB contributed to the dissemination of performance information on the CRA by ensuring that, in the reports made by the Auditor General of Canada to Parliament, the information concerning the CRA was presented fairly and accurately.

OAG Liaison was involved in a number of key 2007-2008 OAG reports such as CRA Technical Training and Learning (October 2007 – Chapter 7) and government-wide audits of Federal Loans and Grants for Post-Secondary Education (May 2007 – Chapter 2) and Managing the Delivery of Legal Services to Government (May 2007 – Chapter 5).

Further information on OAG reports to Parliament is available on the OAG website: OAG Reports to Parliament

Highlights of Key Individual Reviews Completed

The objective of the Non-Filer/Non-Registrant Program audit was to assess the adequacy of management controls in place to achieve program goals and objectives.

The audit concluded that, overall, the management controls in place are adequate for the program to achieve its key objectives. Some aspects of program management do require further attention:  Headquarters and regional communication and collaboration between programs; measurement of program performance; and quality assurance.

The objective of the Local Solutions audit was to assess the extent to which elements of governance of local solutions are in place, and to determine whether local solutions are in compliance with existing policies, procedures, and guidelines, or with generally accepted development methodology.

The audit concluded that the governance framework used in the Agency to manage the development and use of local solutions is not complete and requires significant improvements. Compliance with existing policies, procedures and guidelines and accepted development methodology is low in areas including functional approval, registration, technical security reviews, and development and testing in a non-production environment.

The objective of the Business Intelligence Decision Support (BIDS) audit was to determine whether adequate project management practices, and effective communication and coordination processes are in place to ensure successful implementation of BIDS.

The audit concluded that Information Technology Branch has made progress on the development, implementation and maintenance of the Agency Data Warehouse (ADW) – the ADW is a single source of tactical and strategic decision support systems in the Agency that is expected to be populated with data from all key operational and corporate administrative systems within CRA by 2009. However, the audit revealed a need for clearer and more effective program governance and sponsorship. A strong business-driven “BIDS vision” and buy-in from stakeholders is required to maintain the tactical and strategic support solution that BIDS can offer.

The audit noted some aspects of project management have been defined and implemented but weaknesses were noted in processes for approval and review (i.e. project charter and business cases), risk and issue management, and communication.

The objective of the T2 Phase 2 and T3 Transaction Flow-Through audits was to provide assurance with respect to the accuracy and appropriateness of the automated flow of revenue data, from source documents to the relevant CRA processing systems through to CRA’s corporate accounting system – the Revenue Ledger (RL).

The audits concluded that the data for both types of transactions flowed accurately and appropriately through CRA’s automated systems, from the source documentation of the selected returns through to the respective RL accounts. While some inconsistencies were found in the mapping of some T3 returns line items to RL accounts, the amounts were minor and the mapping was corrected.

The objective of the Protection of Information:  MOU with RCMP and MOU with CSIS audits was to determine whether the CRA is in compliance with the conditions governing the receipt, use, protection, storage, and destruction of information received from these organizations in accordance with the respective Memorandum of Understanding (MOU with RCMP signed on May 30, 2005 and MOU with CSIS signed on May 31, 2005).

Both audits concluded that the CRA has appropriate security controls in place for safeguarding the information received from the RCMP and CSIS. The audits found the CRA to be in compliance with the conditions governing the receipt, use, protection, and storage of information received from each organization in accordance with the respective MOU. Both audits determined that information received was handled in compliance with relevant legislation, policies and procedures.

Evolving Roles of Internal Audit and Program Evaluation

In the wake of management failures over the past several years in both the public sector and the private sector, citizens began to lose their trust in institutions, in the government and in the public service. In response, the federal government made transparent management a key priority and has taken a number of steps to modernize and strengthen public sector management. Concrete examples of this renewed emphasis on good government include the Gomery Commission, TBS Policy on Internal Audit, Federal Accountability Act, and the renewed focus on Program Evaluation.

The underlying theme in these initiatives is strengthening accountability in government and restoring Canadians’ trust in their public institutions. Public reporting requirements, independence of audit committees, and adherence to IIA professional internal auditing standards are key outcomes derived from the federal government initiatives taken to modernize and strengthen its internal audit and evaluation community.

In response to this broader government environment, CAEB management continues to evolve the internal audit function and the program evaluation function. For example, a conscious effort was made to place less focus on outputs (what we produce) and more focus on outcomes (the benefits that result from internal audits and program evaluations). The focus is not the number of reports published; the focus is identifying opportunities for improvements in the delivery of CRA’s programs and services. As such, the number of internal audits reported to IAMC has declined when compared to the immediately preceding 2 fiscal years (8 reports this year compared to 14 over each of 2005-2006 and 2006-2007).

CAEB management continues to make every effort to evolve the internal audit function away from the traditional (and outdated) view as that of an adversary. Internal audits and evaluations are management tools that should add value to an organization. Working closely with CRA’s management in a constructive manner has resulted in audits and evaluations that are more in-depth in terms of the complexity of issues examined and the scope of the review. CAEB frequently presents reports that highlight concerns in horizontal management of CRA programs to a number of CRA corporate committees including IAMC, AMC, RIMC and Operations Committee. Audit reports often result in a comprehensive list of recommendations supported by detailed action plans developed by management. While the audits may take longer to complete, the provision of more comprehensive and quality assurance adds more value to the Agency in both the short and long term. Moreover, by working closely with management in a constructive manner, the probability increases that their commitments regarding action plans developed in response to audit and evaluation findings will be completed in a timely and complete manner.      

With the public demanding greater accountability and better management of tax dollars, there is a greater need than ever to have qualified internal auditors and evaluators. Indeed, qualifications are becoming an increasingly important part of accountability. As the audit and evaluation landscape becomes more complex, CAEB needs to ensure it has professionals on board with the right expertise and credentials. However, recruitment and retention of such professionals is an ongoing challenge. In the wake of corporate and public-sector embarrassments in the past few years, IT auditors, accountants and finance professionals are in demand in both the private and public sectors. For example, in the National Capital Region (HQ) in particular, there are currently some challenges in finding and retaining specialists in the financial management (FI) group. Indeed, the Canada Public Service Agency (CPSA) recently identified a target of 131 FI-03s and FI-04s yet was only able to recruit 53. CAEB is experiencing similar challenges.

CAEB has made a conscious effort to recruit and hire staff that have significant experience working in CRA programs and services. As a result, the composition of audit teams includes some operational staff without internal audit experience or professional designations. This provides an excellent opportunity to develop these employees by instilling the discipline and rigour normally associated with internal audit, as well as experience in CRA’s unique governance structure (i.e. Board of Management). Further, CAEB has made a concerted effort to rebuild and strengthen regional relationships, which were limited previously, through increased visibility of internal audit managers with Regional Assistant Commissioners and senior staff.

Issues around hiring and retention of new evaluators and the impact of the retirement of experienced evaluators remain an ongoing challenge. CAEB senior management remain engaged with CRA senior management in an effort to raise the profile of evaluation and educate the senior management team about its crucial role – to provide objective, third-party information for decision-making (and independent oversight – that is different than internal audit).

There has been an increased demand on the program evaluation function to provide advice and guidance to program areas on results measurement issues. This demand is being driven both externally (e.g. TBS – Results Based Management and Accountability Framework requirements) and internally (e.g. RIMC – a greater emphasis on ensuring that project objectives and expected outcomes are clearly articulated at the outset of a project, and on an approach to reporting back on the extent to which expected results have been achieved). Over 2007-2008, program evaluation provided advice for 13 different initiatives spanning 8 different branches.

Although RMAFs and performance measurement strategies are program management responsibilities, the program evaluation function is seen as a centre of expertise for results measurement and is typically asked to provide assistance. Responding to program areas for assistance should enhance the perceived value and credibility of the evaluation function. Moreover, the evaluation function has a vested interest in ensuring program areas develop performance measurement frameworks that have a high likelihood of implementation and that result in credible performance data as it will ultimately improve the quality of evaluation studies. At the same time, providing advice and support to program areas allows evaluation staff to gain more in-depth knowledge and understanding of key CRA initiatives and programs.

These conscious efforts made by CAEB management to evolve the evaluation function create a need to balance the advisory role with delivering on the evaluation plan. Moving forward, the challenge is to find the right balance in order to provide meaningful support to program areas while effectively delivering core evaluations.  

PROTECTED

Appendix B

Rationale for Deferral*/Cancellation of Planned 2007-2008 Engagements

Engagement Title | Action Taken (Deferred or Cancelled) | Rationale
Retention of Audit Documentation – Tax Assessments | Cancelled | This medium risk audit was superseded by engagements with greater risk and through the 2008-2011 planning exercise did not rank high enough to be included in inventory.
Compliance System Redesign | Deferred | This IT project has not yet evolved to the point where CRA internal audit can provide assurance on potential improvements.
Technical Advisors Program | Cancelled | This was a request from Compliance Programs Branch. The program subsequently decided that they would undertake an internal program review so the evaluation was cancelled.

* Audits that are deferred for more than 12 months
