Follow-Up Report
Final Report
Corporate Audit and Evaluation Branch
October 2010
Table of Contents
Introduction
Internal audit professional standards require the Chief Audit Executive to establish a follow-up process to monitor and ensure that management action plans have been implemented or that senior management has accepted the risk of not taking action. This report summarizes the results of the Corporate Audit and Evaluation Branch (CAEB) annual follow-up process which this year was focused on recommendations made in the 2007-2008 internal audit reports as well as any action plans outstanding from prior year audits.
At the recommendation of the Canada Revenue Agency (CRA) Chief Executive Officer/Chief Financial Officer (CEO/CFO) Certification Steering Committee [Footnote 1], the Corporate Audit and Evaluation Branch (CAEB) 2010 follow-up process includes, for the first time, recommendations from the Office of the Auditor General (OAG) audits of the CRA's financial statements and of the CRA's reports on controls. At its October 5, 2009 meeting, the Steering Committee endorsed this expansion of the follow-up process in response to an observation from the assessment of CRA's entity level controls led by Finance and Administration Branch (F&A) from February to September 2009 as part of the CEO/CFO certification process. The assessment was based on the principles and attributes set out in the Committee of Sponsoring Organizations (COSO) framework and revealed an opportunity for the CRA to enhance monitoring of internal control performance by including outstanding OAG recommendations relating to financial reporting in CAEB's annual follow-up on progress against management action plans. The CAEB coordinated this addition to the follow-up process while the Internal Controls Division (ICD) of the Finance and Administration Branch performed the technical assessment of the Branches self-assessment of progress in implementing action plans. As a consequence the 2010 follow-up reviewed CRA management's progress in implementing action plans related to the following OAG audits:
- CRA's Controls relating to the Corporate Income Tax (T2) Program, as at November 30, 2008;
- CRA Financial Statements for 2008-2009; and
- Statement of Income and Capital Taxes Payable to the Provinces and Territories in Respect of the 2007 and Prior Taxation Years.
To provide CRA management with an annual consolidated follow-up report, action plans from Program Evaluations and all other OAG reports will also be included in the 2011 CAEB follow-up report.
Follow-up Methodology
The follow-up process was based on self-assessments by Canada Revenue Agency (CRA) management, supplemented by more in-depth procedures where warranted. CRA management is responsible for reporting progress made in implementing their action plans. For areas of high risk, CAEB requests additional supporting information or documentation to ensure an accurate conclusion is drawn. When recommendations for corrective action in a prior internal audit relate to areas considered being at risk, more in depth follow-up audits are included in subsequent CAEB annual business plans. The follow-up report is presented to the Management Audit and Evaluation Committee (MAEC) and to the Audit Committee of the Board of Management (Board).
The internal audit follow-up process was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
Summary of Results - Internal Audit
Covered in this year's self-assessment process for internal audit were 103 management action plans resulting from 8 internal audit reports that were approved by the MAEC in 2007-2008 and 40 action plans from prior years. A listing of all of the audits and status of the action plans for each are set out in APPENDIX A - INTERNAL AUDITS.
Of the total 143 action plans, 74 (52%) were reported by CRA management as implemented. These were considered to be completed by CAEB. The remaining 62 (43%) had satisfactory progress and 7 (5%) were no longer relevant.
Summary of results - Office of the auditor general (OAG) audits on the CRA's financial statements and reports on controls
The 2010 self-assessment process covered 36 management action plans resulting from the three audits listed above. ICD concluded that 22 action plans (61%) were implemented in full, 7 (19%) were progressing satisfactorily, 6 (17%) were no longer relevant and 1 (3%) needed renewed attention by management. Details on the results of the follow-up are provided in APPENDIX B - OAG AUDITS.
The item requiring renewed attention pertains to a weakness in the monitoring of key user activities involving T2 mainframe applications that was observed during the assessment and audit of CRA's controls relating to the T2 program. F&A, in response to the results of a recent internal audit on Audit Trails - Mainframe Access to Taxpayer Information, has started implementation of a series of measures that will result in the needed improvements to the monitoring program. Through these measures F&A intends to have in place by December 31, 2011, a governance process and policy instruments to ensure a consistent and effective national approach to monitoring user activities on the mainframe.
Appendix A - Internal Audits
| Office(s) of Primary Interest (OPI)* |
Audit Title
|
Number of Action Plans Prior to 2007-2008 Still Being Monitored |
Number of Action Plans 2007-2008 |
Completed |
Low Risk or No Longer Relevant or Applicable |
Satisfactory Progress |
Requires Attention |
|
| CPB |
Use of Legislative Enforcement Provisions (May 2006) |
7 |
|
2 |
|
5 |
|
|
| CPB |
Large Business Audit Program (October 2006) |
1 |
|
1 |
|
|
|
|
| F&A |
Contracting Follow-up (November 2006) |
2 |
|
1 |
|
1 |
|
|
| HRB |
Internal Staffing (March 2007) |
4 |
|
1 |
|
3 |
|
|
| ABSB |
Benefits Program (November 2006) |
4 |
|
1 |
|
3 |
|
|
| ABSB, CSBDB, Atlantic |
GST / HST Visitor and Domestic Rebate Programs (Feb 2006) |
1 |
|
|
1 |
|
|
|
| LPRAB |
Charities Directorate (April 2005) |
1 |
|
1 |
|
|
|
|
| APPEALS CPB |
National Audit of Implementation of the Appeals Timeliness Action Plan (April 2005) |
1 |
|
1 |
|
|
|
|
| CPB |
Scientific Research & Experimental Development (Dec 2005) |
1 |
|
|
|
1 |
|
|
| CSBDB, Quebec |
Memorandum of Understanding on Tax Information Exchange with Revenu Québec (Feb 2006) |
5 |
|
3 |
2 |
|
|
|
| F&A |
CAS Utilization Audit (Oct 2005) |
2 |
|
2 |
|
|
|
|
| F&A |
Business Continuity Planning (Oct 2005) |
1 |
|
|
|
1 |
|
|
| HRB |
Occupational Health & Safety (Sept 2004) |
1 |
|
|
|
1 |
|
|
| CSBDB |
Memorandum of Understanding on Information Exchange with HRDC (Jan 2005) |
5 |
|
1 |
|
4 |
|
|
| CSBDB, F&A, Atlantic, ITB |
Controls over Confidentiality of Client Information (Dec 2004) |
1 |
|
|
1 |
|
|
|
| CPB |
Leads Management and Workload Development (Jun 2004) |
1 |
|
|
|
1 |
|
|
| TSDMB |
Review of the Management of Accounts Receivable (Jan 2005) |
2 |
|
|
|
2 |
|
|
| LPRAB |
Excise Duty Program |
|
42 |
22 |
2 |
18 |
|
|
| TSDMB |
Non-filer/Non-registrant Program |
|
9 |
3 |
|
6 |
|
|
| ITB, F&A |
Local Solutions |
|
22 |
18 |
|
4 |
|
|
| ABSB, ITB |
Business Intelligence Decision Support (BIDS) |
|
12 |
5 |
|
7 |
|
|
| F&A |
Cyclical Audits - T2 Phase 2/T3 Transaction Flow-through |
|
1 |
1 |
|
|
|
|
| HRB |
Compensation Management |
|
15 |
9 |
1 |
5 |
|
|
| LPRAB |
Memorandum of Understanding on Protection of Information with the RCMP |
|
1 |
1 |
|
|
|
|
| LPRAB |
Memorandum of Understanding on Protection of Information with the CSIS |
|
1 |
1 |
|
|
|
|
| |
TOTALS |
40 |
103 |
74 |
7 |
62 |
|
|
| |
|
|
|
52% |
5% |
43% |
|
|
Appendix B - OAG Audits
| OPI Branch |
Audit Title |
Number of |
Action Plan Completed |
Low Risk or No Longer |
Satisfactory Progress of Action Plan |
Action Plan Requires Attention |
| ABSB |
Financial Statement 2008-2009 |
1 |
|
1 |
|
|
|
|
Tax Collection Agreement Statement (2007) |
3 |
2 |
1 |
|
|
|
|
Report on Controls relating to T2 (s.5970) November 2008 |
2 |
2 |
|
|
|
| CSBDB |
Report on Controls relating to T2 (s.5970) November 2008 |
1 |
|
|
1 |
|
| F&A |
Financial Statement 2008-2009 |
5 |
3 |
2 |
|
|
|
|
Tax Collection Agreement Statement (2007) |
3 |
2 |
1 |
|
|
|
|
Report on Controls relating to T2 (s.5970) November 2008 |
11 |
7 |
|
3 |
1 |
| ITB |
Report on Controls relating to T2 (s.5970) November 2008 |
9 |
5 |
1 |
3 |
|
| LPRAB |
Report on Controls relating to T2 (s.5970) November 2008 |
1 |
|
|
1 |
|
| Totals |
Financial Statement 2008-2009 |
6 |
3 |
3 |
0 |
0 |
|
|
Tax Collection Agreement Statement (2007) |
6 |
4 |
2 |
0 |
0 |
|
|
Report on Controls relating to T2 (s.5970) November 2008 |
24 |
15 |
1 |
7 |
1 |
|
|
Totals |
36 |
22 |
6 |
7 |
1 |
|
|
|
|
61 % |
17 % |
19 % |
3 % |
*Office of Primary Interest (OPI) Legend
Appeals - Appeals Branch
ABSB - Assessment and Benefit Services Branch
TSDMB - Taxpayer Services and Debt Management Branch
CPB - Compliance Programs Branch
LPRAB - Legislative Policy and Regulatory Affairs Branch
CSBDB - Corporate Strategies and Business Development Branch
PAB - Public Affairs Branch
ITB - Information Technology Branch
CAEB - Corporate Audit and Evaluation Branch
F&A - Finance and Administration Branch
HRB - Human Resources Branch
Atlantic - Atlantic Region
Québec - Québec Region
Ontario - Ontario Region
Prairie - Prairie Region
Pacific - Pacific Region
Footnotes
Page details
- Date modified: