2010-2013 Integrated Risk based Internal Audit and Evaluation Plan
Table of Contents
1.0 Introduction
1.1 The Risk-Based Audit Plan
2.0 Internal Audit at the OIC
2.1 Office of the Information Commissioner of Canada
2.2 The OIC’s Internal Audit Function
3.0 The Risk-Based Audit Planning Approach and Methodology
3.1 Planning Objectives
3.2 Goals and Priorities
3.3 Planning Methodology & Approach
4.0 Risks to the OIC Identified as Part of the Risk-Based Audit Planning Process
5.0 The OIC’s Proposed Audit Plan
5.1 Follow-up of Previous Audits
5.2 Resource Availability and Project Costs
6.0 Monitoring the Implementation of the Risk-Based Audit Plan
Appendix A: Risk Assessment
Appendix B: List of Interviewees
Appendix C: List of Documents Reviewed
List of Tables and Figures
Table 1 - Risks to the OIC Updated as Part of the Risk-Based Audit Planning Process
Table 2 – Proposed Audit Engagements at the OIC for 2010−2013
Table 3 - Summary of Estimated Cost by Year
Table 4 – Identified Risks for the 2010−2013 RBAP
1.0 Introduction
1.1 The Risk-Based Audit Plan
This document was developed by the Centre for Public Management Inc (CPM) for the Office of the Information Commissioner of Canada (OIC), and outlines a Risk-Based Audit Plan (RBAP) for 2010−2013. It describes a program of internal audits that supports the expectations of the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) and the Treasury Board (TB) Policy on Internal Audit that came into effect on April 1, 2006 (amended July 2009). The Plan concentrates on the areas of highest risk as identified through management interviews and a document review.
In particular, the RBAP:
- Includes a list of key risks, which have been mapped to the Committee of Sponsoring Organizations (COSO) Financial Controls Framework Components that could be considered for audit;
- Demonstrates that areas considered to be of highest risk and significance are addressed by the internal audit plan;
- Provides, over a three-year period, assurance on important aspects of risk management, controls, and governance processes;
- Focuses audit resources primarily on the provision of assurance services; and
- Provides estimates of resources to meet the Plan.
2.0 Internal Audit at the OIC
2.1 Office of the Information Commissioner of Canada (OIC)
The OIC is an independent body, which was established in 1983 under the Access to Information Act to assist the Information Commissioner in her role as Officer of Parliament and Ombudsman. The raison d’être of the OIC, as described in its 2010–2011 Report on Plans and Priorities, is to “ensure that the rights conferred to information requestors by the Access to Information Act are respected, which ultimately enhances transparency and accountability across the federal government.”
Under the Access to Information Act, anyone who makes a request for information to a federal institution and is not satisfied with the response or the way it was handled has the right to file a complaint with the Information Commissioner. As a result, the OIC is heavily influenced by external forces, both from the way in which information requests are handled by federal institutions and the relative number of complaints filed in turn by individuals or entities. Given these external forces, OIC faces considerable challenges in controlling and forecasting its workload.
OIC recognises that its processes, systems, and controls must effectively and efficiently deal with varying volumes of complaints and requests. The OIC has also set ambitious targets in many aspects of its service delivery to Canadians (including the ultimate goal to limit its year-end inventory of new complaints to 200-500 cases by 2012–2013).
In response to the goal of resolving the complaints in inventory and increasing the efficiency and effectiveness of its intake process for new complaints, OIC has developed a new complaints intake procedure through recommendations and the supporting management action plan, documented as part of the 2009–2010 Audit of the Intake and Early Resolution Unit.
In the coming years, a number of OIC renewal initiatives are set for implementation as part of its Business Model renewal, Information Management (IM) and Information Technology (IT) strategy, and its Human Resources (HR) Plan. In summary, the organization will face considerable change going forward, up to and including 2013–2014.
2.2 The OIC’s Internal Audit Function
As per the Working Group of Officers of Parliament, a significant principle in the Officer of Parliament implementation of the Policy on Internal Audit is the inclusion of a strong internal audit regime. In the context of smaller Officer of Parliament organizations, this may involve significant contracting out to secure the appropriate qualified resources. In order to obtain independent, objective assurance, the OIC has contracted out the complete review and update of the 2010−2013 Risk-Based Audit Plan and the conduct of all of the audits in the revised RBAP to CPM.
In this context, CPM will take on the OIC’s internal audit function and provide independent, objective assurance designed to add value and improve the Office’s operations. It will assist the OIC in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, controls, and governance processes.
As noted by the Working Group of Officers of Parliament, it is not practical for the OIC to have a full-time Chief Audit Executive due to its size, risk profile, and resources. For this reason, the responsibilities normally assumed by the CAE will be split between CPM and the OIC Director for Strategic Planning, Finance, and Administration as follows:
- CPM will assume responsibility for preparing and presenting this revised RBAP, as well as the subsequent audits dictated by the Plan; and
- The Director, Strategic Planning, Finance, and Administration will assume administrative responsibility for the internal audit function and in this capacity will report directly to the Information Commissioner.
CPM and the Director, Strategic Planning, Finance, and Administration will jointly assume responsibility to ensure that the internal audit function at the OIC:
- Adheres to the Internal Auditing Standards for the Government of Canada and the TB Policy on Internal Audit;
- Establishes a follow-up monitoring system to ensure that management action plans are successfully implemented; and
- Publicly discloses internal audit reports to the extent authorized by the Access to Information Act and the Privacy Act.
The OIC’s Audit Committee (AC) includes two experienced, competent external members, one being Chair of the AC, plus the Commissioner of the OIC. The AC is an essential component of the governance structure and a critical aspect of a strong and credible internal audit regime.
In accordance with the Directive on Departmental Audit Committees, the AC (which has been in place since October 2008) ensures that the Information Commissioner has independent and objective advice, guidance, and assurance on the adequacy of the Office’s risk management, control, and accountability processes. To be able to do this, the Committee must exercise active oversight of core areas of institutional control and accountability in an integrated and systematic way.
The AC is required to review the risk assessment and the RBAP, ensuring it is designed to support the independent annual assurance report, if appropriate, and recommend the RBAP for approval by the Information Commissioner.
3.0 The Risk-Based Audit Planning Approach and Methodology
3.1 Planning Objectives
The primary objectives of the internal audit planning process are to:
- Align this process with the expectations of Treasury Board’s Policy on Internal Audit (2009), and other best practices, support a value-added audit process, and support the requirements for the eventual issuance of an independent annual assurance report on risk management, controls, and governance arrangements; and
- Position Audit as an effective underpinning of governance and management. Audits are a primary tool to demonstrate stewardship and accountability in spending of public funds, and play a key role in a strengthened comptrollership function. A stronger internal audit function across government is a key element of the current Strengthening Public Sector Management Initiative.
3.2 Goals and Priorities
The associated goals for the planning process are set out as follows:
- Support to the OIC’s Management Agenda: The RBAP supports the priorities of the OIC as reported in its 2010–2011 Report on Plans and Priorities, and reflects an understanding of the organization’s key risks.
- Coverage of the OIC’s Organizational/Activity Units: The OIC has a single program activity in addition to Internal Services, i.e. Compliance with Access to Information Obligations. In order to ensure coverage of the program activity, CPM held interviews with each Branch to review and update the understanding of key risks, as identified in the 2008−2010 RBAP. The updated key risks were then mapped to the COSO Financial Controls Framework Components to ensure coverage of internal controls. The RBAP delivers comprehensive audit coverage of the higher risk areas by assessing this universe in terms of its audit worthiness, based on factors such as inherent risk, complexity, visibility or significance, and lack of previous coverage.
- Assurance on Internal Controls: As previously discussed, in order to ensure sufficient coverage of internal controls, the risks were mapped to the COSO Financial Controls Framework.
3.3 Planning Methodology & Approach
Four main phases were involved in the development of the RBAP, as described below:
- Review Background Documentation – In order to gain an understanding of the OIC environment, risks contained in the 2008−2010 Risk-Based Audit Plan and the Branch Corporate Risk Profiles (presented to the AC in the fall of 2009) were reviewed and assessed. CPM also reviewed a number of other background documents to obtain an understanding of the OIC environment (see Appendix C).
- Identify and Update Key Risks to the OIC – During May 2010, CPM interviewed members of the senior management team, including the Information Commissioner and the two Assistant Information Commissioners, to update the risks presented in the 2008−2010 RBAP and identify new ones. The results of the updated risks exercise are presented in Table 1 in Section 4.0, and a discussion of the current risks to the OIC is provided in Appendix A. Please refer to Appendix B for a list of interviewees.
- Identify Potential Audit Projects – The results from the interviews were summarized and compiled in order to generate a list of potential audit engagements to address the higher risk areas of interest.
- Prepare Plan, Projects, Budgeting, and Timing – The high priority audit projects were then assigned across the three years of the RBAP. The detailed Plan is located in Table 2.
4.0 Risks to the OIC Identified as Part of the Risk-Based Audit Planning Process
As discussed in the previous section, an updated list of risks was produced by CPM through document review and interview discussions held with OIC senior management in May 2010. The risks outlined in Table 1 below were prioritized based upon an understanding of their levels of complexity, significance, and previous concern to the OIC. These factors, along with their perceived impact and likelihood of occurring, provided the basis for their assigned level of inherent risk, which is defined as the risk to the OIC before the application of controls.
A more detailed description of the rationale and reasoning for the identified risks has been included in Appendix A, along with a crosswalk of the previous risks identified in the 2008−2010 RBAP and their respective inclusion in the updated understanding of risks to the OIC.
Table 1 – Risks to the OIC Updated as Part of the Risk-Based Audit Planning Process

| Risks | Inherent Risk Level |
|---|---|
| 1. Efficiency and timeliness of complaints resolution | High |
| 2. Ability to retain corporate memory and organizational momentum in the event of management turnover | High |
| 3. Compliance with the Policy on Government Security | High |
| 4. Effectiveness of information technology (IT) systems and information management (IM) practices | Moderate |
| 5. Compliance with Treasury Board of Canada Secretariat Financial Management Policy Instruments | Moderate |
5.0 The OIC’s Proposed Audit Plan
The schedule of proposed audit engagements presented in Table 2 below responds to the high audit worthiness areas. In order to determine audit worthiness, the new set of projects was assessed in terms of auditability (i.e. consideration of factors such as availability of information, clarity of audit criteria, recent major transitions, or complexity of the area), inherent risk level as indicated in Table 1, and management priority (which reflects the level of interest in an area expressed during interviews with the Commissioner and her senior management team, including meetings with senior management from each Branch).
Table 2 presents the schedule of audit engagements for the OIC’s audit plan. High audit worthiness areas were grouped into potential audit engagements and were allocated over the three-year planning horizon. The precise scope of each audit will be determined during the planning phase of each audit project.
Table 2 – Proposed Audit Engagements at the OIC for 2010−2013

| Audit Activity | Link to Identified Risk in the 2010−2013 OIC RBAP | List of COSO Financial Controls Framework Components Related to the Audit | Scheduling | Proposed Audit Details: Preliminary Scoping Considerations (To be Confirmed/Amended During Audit Planning) | Proposed Audit Details: Estimated Resources ($) |
|---|---|---|---|---|---|
| Audit of the Complaints Resolution and Compliance Branch | Risks as identified in Table 1, which are included in the scope of this audit, are: | | | Preliminary audit objective and scope: This audit will look at business processes, performance metrics and information to support senior management decision making in the Complaints Resolution and Compliance (CRC) Branch to ensure that they support efficient and timely case management. Possible areas to be examined include: | 34,000 |
| Audit of Compliance with Policy on Government Security and Follow-up on 2010–2011 Physical Security Threat and Risk Assessment (TRA) | Risks as identified in Table 1, which are included in the scope of this audit, are: | | | Preliminary audit objective and scope: The objective of this audit is to assess compliance with the Policy on Government Security. As part of its compliance activities, the OIC has undertaken an internal compliance assessment, including a physical security Threat and Risk Assessment, in 2010–2011. While this work was not yet complete during the development of this RBAP, it is likely an action plan will be required to achieve full compliance with the Policy. The audit will examine: | 35,000 |
| Post-implementation Audit of the Case Management System (CMS) | Risks as identified in Table 1, which are included in the scope of this audit, are: | | | Preliminary audit objective and scope: This audit will look at risk management, controls, and governance processes supporting the OIC CMS. Recognizing that the scope of this audit will be influenced by the findings of the previous audit, this audit will examine: | 36,000 |
| Audit of Compliance with TBS Policies Related to Financial and Internal Controls | | | Currently not scheduled. To be revisited in the 2011/12 and 2012/13 RBAP updates. | Preliminary audit objective and scope: The key focus of this audit would be compliance with the Policy on Internal Controls. However, TBS has a wide range of policies and other guidance in the area of financial management. The scoping exercise for this audit will consist of a survey of the areas with highest risk of non-compliance, and include them within the scope of the audit. The audit would be limited to compliance with 2 or 3 policy or guidance instruments in order to achieve appropriate depth given the budgeted resources. | 35,000 |
5.1 Follow-up of Previous Audits
One audit was completed during the 2009/10 year, addressing the Intake and Early Resolution Unit. As per the table below, a follow-up review will be scheduled for 2011/12.
| Description of Audit | Scheduling | Proposed Audit Details | Estimated Resources ($) |
|---|---|---|---|
| Follow-up | 2011/12 | Conduct a follow-up review covering the following 2009/10 audit: | 10,000 |
5.2 Resource Availability and Project Costs
Funding Requirements for Audit Projects
The OIC has entered into a contract with CPM for the provision of the audit engagements presented in this plan. The cost of each audit is presented based upon estimates provided as part of the procurement process. The OIC will provide support in scheduling interviews and obtaining information as required.
This information is provided in detail in Table 3 below.
Table 3 - Summary of Estimated Cost by Year

| Year | Audit Activity | Estimated Cost ($) | Estimated Days |
|---|---|---|---|
| 2010–2011 | | 34,000 | 60 |
| 2011–2012 | | 45,000 | 72 |
| 2012–2013 | | 36,000 | 60 |
6.0 Monitoring the Implementation of the Risk-Based Audit Plan
Plans continuously evolve due to new circumstances or events. The RBAP will be continuously monitored and updated throughout the year. In addition, the RBAP will be formally updated on an annual basis by CPM, in consultation with OIC management. The OIC Audit Committee will review the Plan on an annual basis and recommend it for approval to the Information Commissioner.
The internal audit function will also monitor progress in implementing the Plan, and report regularly on progress to the AC and to the Information Commissioner.
Appendices
Appendix A: Risk Assessment
Appendix B: List of Interviewees
Appendix C: List of Documents Reviewed
Appendix A: Risk Assessment
Table 4 – Identified Risks for the 2010−2013 RBAP

| Identified Risk | Rationale/Reasoning for Identified Risk | Risk Level |
|---|---|---|
| 1. Efficiency and timeliness of complaints resolution | The OIC has performed significant work in improving its complaints process through its triage of complaints criteria and through the implementation of the management response and action plans to the audit of the Intake and Early Resolution Unit (IERU). However, management reported that there are various factors which influence the timeliness and efficiency of complaints resolution and which still need improvements, including: | High Risk |
| 2. Ability to retain corporate memory and organizational momentum in the event of management turnover | The OIC has recently introduced or plans to introduce key initiatives in order to improve its Human Resources practices through the introduction and implementation of its 2009−2014 HR Plan. Practices to support recruitment have been significantly improved and retention risks associated with junior and mid-level staff have been mitigated. However, the loss of management positions continues to pose the risk of loss of corporate memory because there is no career progression currently available for EX-1 positions within the organization and several directors are close to retirement age. Senior management positions at the OIC rely on unique skills and experience and support the Commissioner in meeting her mandate. In the event of turnover, it is important that appropriate succession plans be in place as well as systems to capture knowledge and enable it to be transferred. | High Risk |
| 3. Compliance with the Policy on Government Security (All Branches) | The security within the OIC has been divided in three components: Physical, Personnel and Information Technology. Effective July 1, 2009, the new TB Policy on Government Security replaced the 2002 Government Security Policy and the 2004 Policy for Public Key Infrastructure Management in the Government of Canada. Consequently, the OIC must implement a Departmental Security Plan by April 2012 in order to comply with the new policy. The Plan must be in accordance with the TBS Directive on Departmental Security Management. This represents a challenge as the plan must integrate all the components, the Business Continuity Plan and the Emergency Response Plan. The OIC has been working to develop the Departmental Security Plan and has implemented a number of initiatives, including a physical security TRA which is currently underway. Security is a risk for all departments and agencies. However, given the nature of the OIC and the information it holds, it has been ranked as a high risk. Although there is a risk of non-compliance with the TB policy and any associated consequences, this risk represents the inherent risk posed by insufficient or ineffective security, with the Policy on Government Security used as the security benchmark. | High Risk |
| 4. Effectiveness of the OIC’s information technology (IT) systems and information management (IM) practices | The OIC has developed an extensive five-year IM/IT strategy in order to mitigate this risk. It is currently in the second year of implementation and improvements will be made in many aspects of information technology. Main initiatives, which will be rolled out in the near future, include the implementation of RDIMS, replacement of the Legal case management system, and the replacement of the Investigations case management system. Although the OIC is making progress in this area, management interviews indicated that there is still the perception that IT is an area of risk due to the number of changes and systems updates to be performed. This risk includes the impact of technological change on the OIC and the importance of appropriate change management techniques. As per the OIC’s IM Division Corporate Risk Profile and management discussions, ineffective IM systems, processes, and practices could have negative impacts on the OIC’s core business, including: significant losses of knowledge and corporate memory in cases where undocumented knowledge is held with individuals who leave the OIC; accidental disclosure of sensitive information; and difficulties in locating and retrieving documents, which in turn could impact the OIC’s ability to deliver its ATIP program. In addition, the OIC’s reputation could be negatively affected if it was discovered that the organization did not have effective IM systems, processes, and practices. The Office is expected to have the best IM practices in order to provide leadership to other federal organizations. | Moderate Risk |
| 5. Compliance with Treasury Board of Canada Secretariat Financial Management Policy Instruments | Failure to comply with federal regulations and policies is a risk inherent to the OIC and all other federal departments and agencies. This risk should be constantly monitored due to ongoing changes made to these instruments. As an Officer of Parliament, there is an added complexity, as not all policies and regulations apply. The area of Financial Management Policy Instruments is complex and the recent Policy on Internal Controls requires Departments, Agencies and Officers of Parliament to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting. The broad application of this policy increases the risk of non-compliance, and significant work will be required across government to implement it. | Moderate Risk |
Table 5 - Summary of Risks Identified in the 2008−2010 RBAP and Explanation of their Inclusion in the 2010−2013 RBAP

| Previously Identified Risk in 2008−2010 RBAP | Risk Inclusion in the 2010−2013 RBAP |
|---|---|
| Effectiveness of: a) solutions to address inventory, and | Since the 2008−2010 RBAP, significant improvements have been made or are planned to help improve the investigations process as part of the Management Response and Action Plan to the audit of the Intake and Early Resolution Unit. This risk will be monitored as part of the OIC’s audit follow-up process. |
| Ability to recruit and retain staff | Since the previous RBAP, the OIC has introduced key initiatives in order to improve its Human Resources practices through the introduction of its 2009−2014 HR Plan. Management interviews indicated that the new recruitment strategies have been relatively successful in acquiring the right staff for positions. However, it is perceived that retention is still a challenge for the organization. Therefore, the risk was carried forward as a risk to be included in the 2010−2013 RBAP but restated as: |
| Effectiveness of the OIC’s information management/information technology (IM/IT) environment | The OIC has developed an extensive five-year IM/IT strategy in order to mitigate some of this risk. It is currently in the second year of implementation and improvements will be made in many aspects of information management and information technology. However, due to the inherent risk with technology and the importance of information management to the OIC, this risk will be carried forward, and reworded as: |
| Appropriate information management practices | To be included as part of the IM/IT Risk above. |
| Ability to respond to Access to Information (ATI) requests | |
| Compliance with federal regulations and policies | In 2008, when the previous RBAP was developed, the federal government approved new policies and regulations. It was unclear at first which regulations and policies would apply to the OIC and how the organization would ensure compliance with those regulations and policies. Areas of policy non-compliance were also identified in the areas of human resources and compensation through the OAG annual audit for the fiscal year 2006/07. Since then, significant initiatives and actions were put into place to mitigate the risk of non-compliance through the implementation of the OIC’s HR People Management Policy, which ensures compliance with supporting regulations from the Treasury Board (TB). In addition, to clarify the application of the Policy on Internal Audit to Officers of Parliament, a Working Group was formed to provide clarity and confirmation on how Officers of Parliament would comply with the policy. This risk has been carried forward as a risk to be included in the 2010−2013 RBAP and changed to specifically address financial management policies. |
| Change management | Removed as a risk from the 2010−2013 RBAP and included in the IM/IT risk. Change management will be included in specific risks as applicable, in order to improve auditability and provide it the profile it requires. |
Appendix B: List of Interviewees
| Name | Position | Date |
|---|---|---|
Suzanne Legault | Information Commissioner | May 7, 2010 |
Andrea Neill | Assistant Information Commissioner, Complaints Resolution and Compliance Branch | May 7, 2010 |
Layla Michaud | Interim Assistant Information Commissioner, Policy, Communications and Operations Branch | May 7, 2010 |
Stephen Campbell | Acting Director, Strategic Planning, Finance and Administration | May 7, 2010 |
Thérèse Boisclair | Director, Communications and External Relations | May 10, 2010 |
Ginette Rochon | Director, Human Resources Branch | May 10, 2010 |
Stephen Campbell | Acting Director, Strategic Planning, Finance and Administration | May 10, 2010 |
Laurence Kearley | Acting Director, Legal Affairs Branch | May 10, 2010 |
Trish Boyd | Acting Senior Legal Advisor | May 10, 2010 |
Monica Fuijkschot | Director, Information Management | May 10, 2010 |
Ed Vandesande | Chief, Information Technology | May 10, 2010 |
Sandra George | Director, Intake and Early Resolution Unit | May 17, 2010 |
Muriel Korngold-Wexler | Director, Compliance Unit | May 17, 2010 |
Josée Villeneuve | Director, Systemic Issues, Policy and Parliamentary Relations | May 17, 2010 |
Appendix C: List of Documents Reviewed
- 2008−2010 Risk-Based Audit Plan for the Office of the Information Commissioner of Canada
- Internal Audit Committee Charter
- Internal Audit Committee Terms of Reference
- Working Group of Officers of Parliament and Interpretation of the Policy on Internal Audit
- Audit report on the Audit of the Intake and Early Resolution Unit and supporting Management Action Plan
- Office of the Information Commissioner of Canada A-Base Review Report, January 2009
- Office of the Information Commissioner of Canada “Bringing You Unprecedented Access” – IM/IT Strategic Plan: Annual Report 2009−2010
- Audit Committee Binder contents, meeting agendas, and records of decisions for Audit Committee meetings from October 2008−March 2010
- 2007−2008 Departmental Performance Report
- 2008−2009 Departmental Performance Report
- 2007−2008 Report on Plans and Priorities
- 2008−2009 Report on Plans and Priorities
- 2009−2010 Report on Plans and Priorities
- 2010−2011 Report on Plans and Priorities