ARCHIVED - 2007-08 to 2009-10 Risk-Based Internal Audit Plan

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Foreword

This document contains the three-year audit plan from 2007-08 to 2009-10 for the National Research Council. It was approved by the President for NRC upon the recommendation of NRC's Audit, Evaluation and Risk Management Committee on June 27, 2007. The Plan will be updated annually based on an assessment of current risks and therefore the timing of some projects in future years may change.

Executive Summary

2007-2008 Audits

The following chart depicts audits that will commence or will be completed in 2007-08; others may be completed in the following year. Some audits will be completed entirely by Internal Audit staff; the remainder will be undertaken in conjunction with contracted resources. The chart indicates the approximate level of effort based on NRC Auditor weeks only.

2007-2008 Audits

Impact of Resource Limitations:

All audits will be funded by NRC resources levels augmented with new Office of the Comptroller General (OCG) incremental funds including provisions that have been made for OCG directed audits, NRC management directed audits and the coordination of ongoing Office of the Auditor General audits. There is an anticipated shortfall in resources of 12 Auditor weeks and $25,000 contract dollars; however these could be offset by lower than budgeted demands for OCG or NRC management directed audits. On the other hand, resource limitations greater than estimated could result if recruitment is delayed for the junior auditor position or if there are more OCG or NRC management directed audits than planned for.

Introduction

1.1 Plan Content

This document outlines the mandate, organizational structure and resources for Internal Audit at the National Research Council (NRC) of Canada, and the risk-based strategy and process employed in developing the Risk-Based Internal Audit Plan for 2007-08 to 2009-10. It also provides details of individual audit engagements planned for the three years 2007-08 to 2009-10, together with analyses of resource allocations for the plan overall.

1.2 Applicable Policies, Professional Standards and Context

The Treasury Board Secretariat (TBS) Policy on Internal Audit requires that Chief Audit Executives (CAEs) establish risk-based audit plans to set out the priorities of the internal audit function, consistent with the organization's strategic and operational objectives. Internal audit plans must be based on a comprehensive risk assessment, conducted at least annually, and should consider the input of senior departmental management, the audit committee and TBS – Office of the Comptroller General (OCG).

NRC's Internal Audit function will meet the Government of Canada's Policy on Internal Audit and related Directives, Standards and Guidelines. The Government of Canada has adopted the Institute of Internal Auditors (IIA) Professional Practices Framework and departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the standards are in conflict with the policy or any related directives or guidelines provided by the Comptroller General or Treasury Board.

1.3 NRC Internal Audit Mission

The mission of Internal Audit at NRC is to provide assessments, independent from line management, on the effectiveness of the NRC's risk management, control and governance processes and to report on these results. Specifically, Internal Audit is tasked with the responsibility of assessing NRC's integrated risk management of its programs and initiatives and for providing assurance to clients and stakeholders that internal NRC operations and other joint initiatives are managed and controlled with due regard to compliance with authorities, financial probity, protection of assets, economy, efficiency and effectiveness of controls. Clients and stakeholders include corporate management, central agencies, other government departments and industrial partners. Internal Audit also provides expert and authoritative functional advice, information and guidance to the President and senior NRC management on best practices and controls, on corrective measures required at the program and corporate level and on the integration and harmonization of national / international audit processes and standards.

These responsibilities are consistent with the TBS Policy on Internal Audit which requires the Chief Audit Executive to provide an annual holistic opinion on risk management, control, and governance processes.To adequately discharge its responsibilities in this area and to support reliable reporting, oversight and governance, NRC's Internal Audit plans its audits on the basis of risk. Risk-based audit planning provides a systematic method for identifying, prioritizing and scheduling audits while at the same time providing a means by which scarce audit resources can be targeted to areas of highest risk within NRC's entire audit universe. This approach to planning and conducting audits ensures appropriate audit coverage is obtained, and that sufficient, competent and relevant audit evidence is gathered in support of the CAE's holistic annual opinion.

1.4 NRC Internal Audit Organization, Resources and Services

Internal Audit Organization and Resources:

The Director Internal Audit reports directly to the President of NRC, on a functional basis, and to the Vice President Corporate Services on an administrative basis. The Director serves as the Chief Audit Executive of the NRC. There are two Audit Managers that report directly to the Director Internal Audit; they are responsible for: (1) conducting internal audits on their own or with the assistance of contracted audit professionals; and (2) the supervision of consultants contracted to complete an audit in its entirety. Both of these positions were staffed late in 2006 with experienced and professionally accredited audit professionals. An Administrative Assistant reports directly to the Director Internal Audit on a half-time basis. Hence, the full staff complement for NRC's Internal Audit is at present 3 ½ Full-Time Equivalents (FTE's) as represented below. A junior auditor position will be staffed later in 2007 that will be funded in part with OCG incremental funds. Training will be made available to support professional accreditation.

Internal Audit Organization

NRC Internal Audit has in addition to its salary budget, a regular $500,000 operational budget which will be supplemented this fiscal year with $100,000 rolled over from 2006-07 and $212,300 OCG incremental funds Footnote1. In addition to staffing a junior auditor position, OCG incremental funds will be used to compensate external audit committee members and professional audit training. The majority of 2007-08 funds will be used to contract expert audit resources as well as pay for regular auditor training and professional accreditation and travel expenses for national audits.

Internal Audit Services:

The majority of Internal Audit's services will be directed towards providing assurance that NRC's network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner that ensures:

  • risks are appropriately identified and managed;
  • interaction with the various governance groups occurs as needed;
  • significant financial, managerial, and operating information is accurate, reliable, and timely;
  • activities and actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
  • resources are acquired economically, used efficiently, and adequately protected;
  • quality and continuous improvement are fostered in the NRC's control process;
  • significant legislative or regulatory issues impacting the NRC are recognized and addressed properly; and
  • opportunities for improving management control, sound resource stewardship, and the NRC's image are communicated to the appropriate level of management.

As directed by the Internal Auditing Standards for the Government of Canada, the majority of engagements presented in this plan will provide a high level of assurance by designing procedures and following standards that reduce the risk of an inappropriate conclusion to a low level. Other work will be completed as resources permit.

To gather sufficient and appropriate evidence on NRC's risk management, controls and governance processes, Internal Audit will undertake a variety of audits, including the following:

Audit Surveys:

The goal of an audit survey is to document the processes associated with a particular audit entity and to identify and assess the risks and controls associated with them. In most cases, audit surveys are applied as the first phase of more complete audits; however, this is not always the case. Often, preliminary surveys are conducted simply to gain insight into whether a more detailed audit is required at present or whether it will be better placed in the future.

Management Control Framework Assurance Audits:

Management Control Framework (MCF) audits are conducted to assess the appropriateness and effectiveness of the risk management, control and governance frameworks in place to achieve management's objectives. These audits will focus primarily on corporate and management processes both at the national and Institute, Branch and Program (I/B/P) levels. Some examples of such audits include but are not limited to, financial management, capital investment and planning and management of intellectual property.

Limited Assurance Annual Compliance Audits:

Compliance audits provide reasonable assurance to management that operations conform to established government and NRC guidelines, policies and procedures as well as legislation and government regulations. Limited assurance compliance audits will be undertaken annually on sample transactions of procurement and professional contracts, acquisition cards, travel and hospitality. These audits will be limited in the sense that risk will be the primary determinant of the sampling parameters and that testing will be restricted to compliance.

Follow-Up Reviews:

Follow-up reviews are conducted to ascertain the degree to which the recommendations made in previous audits have been successfully implemented and to determine whether any issues of risk are outstanding that may require more comprehensive audit procedures. The TBS Policy on Internal Audit requires that deputy heads ensure management action plans adequately address the findings and recommendations arising from internal audits. These reviews will normally take place two years following the completion of an audit to give NRC management sufficient time to implement their action plans.

Other Services:

While the responsibility for developing Risk-Based Audit Frameworks (RBAF) is the responsibility of program management, NRC Internal Audit will provide functional advice on appropriate monitoring activities of recipients and frequency and types of required internal audits. For each transfer payment program as a condition of their renewal, the RBAF will identify the primary sources of risk to its success, an assessment of the likelihood and impact of those risks, including the underlying assumptions made, and a discussion of the risk mitigation actions (including management controls) taken and planned.

2.0 Risk Based Audit Planning

2.1 NRC Internal Audit Plan Objectives and Process Employed

The objectives of NRC's Risk-Based Internal Audit Plan are to:

  • identify the priorities of Internal Audit, consistent with the objectives of NRC and NRC's Audit Charter;
  • identify the priorities of Internal Audit based on an assessment of risk and potential exposure that may affect the NRC's ability to accomplish its objectives;
  • to set out the audit universe for NRC and timeframe needed for the provision of the annual holistic opinion on risk management, control and governance processes;
  • to share and coordinate activities with other internal and external providers of relevant assurance services to ensure proper coverage and minimize duplication of efforts;
  • to present Internal Audit's plans and resource requirements to the Audit Committee and President for review and approval respectively; and
  • to provide measures of success to previous year's internal audit activities.

This year's plan presents an update of the 2006-07 to 2008-09 Risk-Based Audit Plan that was approved by NRC's President upon the recommendation of NRC's Audit, Evaluation and Risk Management Committee in September 2006.

The audit planning methodology that was used in 2006 had four main phases, each of which is described below. In order to get the current plan on the right reporting track (i.e., the beginning of the fiscal year), senior management and the members of the audit committee were consulted on changes to NRC priorities and corporate risks and their impact on the identification and timing of this year's and future years' audits. A more rigorous risk assessment session such as the one undertaken in 2006 will be undertaken early in 2008 for next year's audit plan.

Phase One: Risk Identification

The project team conducted a series of interviews with NRC's Vice Presidents and a selected number of Directors General with a view to identifying the key sources of risk to which their operations are exposed. This risk information not only provided important insight into the concerns of management, but also provided risk exposure data which was used, as part of Phase Three, to prioritize and rank potential audit projects. Ultimately it led to the identification of NRC's audit universe and audit project priorities.

Phase Two: Identification of the Audit Universe

The audit universe defines the potential scope of an organization's internal audit activity by segmenting its operations into individual "audit entities" that may be subjected to audit. Using the information provided by senior management in phase one, the project team identified and categorized the audit entities according to the function they serve within NRC. As depicted in Figure 1 below, the audit universe is comprised of some 26 audit entities, categorized by: Scientific and Innovation Activities; Corporate Administrative Practices; and Corporate Governance Practices. In March 2007, the Audit, Evaluation and Risk Management Committee confirmed the continued relevance of the audit universe.

The audit universe has been designed to reflect NRC's key functions, as opposed to its structures in order to ensure the key risks to the achievement of NRC's objectives are addressed. As a result, the individual Institutes, Branches and Programs (I/B/Ps) that make up a large part of NRC's organization have not been directly identified as auditable entities in and of themselves. In recognition of the importance and materiality associated with them, Internal Audit will ensure that audit activities take place in all I/B/Ps over the five-year audit planning horizon. This will be done through the inclusion of a sample of I/B/Ps for each audit undertaken based on the degree of risk posed and the necessity to reflect regional and technical differences. As of June 1, 2007 audit activities have been undertaken or are in the process of being undertaken in 23 of 31 I/B/Ps or 74 percent in the last 12 months. Audit coverage is even higher at 26 of 31 I/B/Ps or 84 percent if the activities of the Office of the Auditor General (OAG) are included.

In selecting entities for inclusion into the universe, three main criteria were applied. First, the entities must be auditable, i.e., they must be definable and have discrete objectives. Second, the entities must be significant and material in the context of the organization. Third, the entities must be relevant to NRC and/or NRC's broader context. In other words, each entity must relate to, and support, the achievement of NRC's objectives.

Figure 1: NRC Audit Universe

Scientific & Innovation Activities
Corporate Governance Processes
Corporate Administrative Practices

Phase Three: Risk assesmement and audit selection

Once the audit universe was defined, a full day workshop was held with a group of Directors General and Vice-Presidents to rank each audit entity using the following three criteria, each of which was weighted to reflect its relative importance:

Risk Exposure of the Audit Entity: Using the risks identified in phase one, specific risks to each audit entity were identified and an aggregate risk score was developed. This criterion was assigned a weighting of 50%.

Significance of the Audit Entity: Each audit entity was then assessed in terms of its significance which considered both overall importance of the entity to NRC and the materiality associated with it. This criterion was assigned a weighting of 30%.

Public Profile of the Audit Entity: Finally, the entity's public profile was examined and rated. This criterion was assigned a weighting of 20%.

Taken together, these criteria were applied to derive a total weighted priority score which was used to generate a management assessment of the likelihood and impact of risks facing the NRC. Following this ranking which occurred early in 2006-07, a number of other risk determinants were used to identify the final risk rating assigned to each of the entities. These comprised:

  • an assessment vis-à-vis ongoing revisions to the corporate risk profile;
  • the materiality or monetary value of each audit entity;
  • time lapsed since the audit entity was last audited and the results of recent audits (both internal audits and those completed by the OAG) and monitoring activities identified in Risk-Based Audit Frameworks for grants and contributions programs;
  • the frequency and results of evaluation reports; and
  • the requirement for audit vis-à-vis the TBS Policy for Internal Audit and other policies as applicable.

The overall risk ratings assigned to each audit entity are shown in Appendix A: NRC Audit Universe for 2007-2008 – Risk Factors for Consideration in Audit Planning. Descriptions of the components that make up each audit entity are shown in Appendix B: NRC Audit Universe for 2007-2008 – Descriptions of Audit Entities. Both the audit universe and risk priorities identified in last year's plan were monitored for changes by NRC Internal Audit throughout 2006-07 and communicated to senior management for their input. These changes are reflected in this year's plan.

Phase Four: Formulation of the audit plan and consultation

Taking into consideration the audit universe and risk rankings, the project team plotted the audit entities on a five-year planning cycle to reflect the following planning decisions:

  • all high and medium ranked audit entities would be audited at least once on a five-year audit cycle;
  • low ranked audit entities would be continued to be assessed for higher risk and hence the necessity for audit;
  • each year would represent a body of work that could be reasonably achieved by the current complement of audit resources;
  • mandated audits (i.e., RBAF obligations, OAG/TBS obligations) would be scheduled on a priority-basis;
  • the management action plans derived from the observations and recommendations made in audits would be followed-up by Internal Audit within two years to determine the degree to which the management actions plans have been implemented;
  • each year would include a sample of non-high risk areas;
  • each year an allocation would be made to take into account OCG-directed audit work as well as management directed audits;
  • the timing of other review activities would take into account program evaluations or OAG audits so as not to place an unreasonable burden on any one audit entity / responsibility centre or risk duplication of effort; and finally
  • the overall plan would ensure sufficient coverage of risk management, controls and governance processes on an annual basis to collectively support the Chief Audit Executive's holistic opinion, as required by TBS policy.

Other planning considerations of interest included the decision as noted above to not audit by NRC organizational structure, i.e., by I/B/P, but by management function hence the decision to drop CITSI from the audit planning cycle. It will be included in the samples of I/B/Ps selected for each audit entity early in the audit cycle. Communications, identified as a high risk, will be included as an audit criterion for all audits undertaken as appropriate and as such will not be audited as a separate management function. The results of this exercise can be found in Appendix C: NRC Five-Year Audit Planning Cycle for 2007-2012.

Finally, a detailed list of audit projects to be conducted during the coming three-year planning horizon was prepared. It includes a description of each audit product, the nature of the audit engagement (e.g., preliminary survey, follow-up review, full assurance audit, etc.), preliminary audit objectives Footnote2, its rationale, and estimated resources including both auditor weeks and contract dollars. These projects listed in section 2.2, are described in further detail in Section 3.0 of this document. A three-year time horizon was selected as an appropriate period of time in which to plan in detail with a degree of certainty as well provide Internal Audit with insight into all facets of the functional areas of the organization within a reasonable period of time.

These documents were used to further consult with NRC management on the validity of the final risk assessments of each audit entity and the appropriateness of the identification and scheduling of audits. Discussions were held with the following:

  • NRC Audit, Evaluation and Risk Management Committee;
  • NRC Senior Executive Committee (comprising the President, the Secretary General, Vice President Corporate Services, Vice President Engineering, Acting Vice President Technology and Industry Support, Vice President Physical Sciences, Vice President Life Sciences, Director General Finance Branch and Director General Human Resources Branch);
  • Director General Administrative Services and Property Management;
  • Director General NRC Strategy and Development Branch (responsible for both the evaluation and risk identification functions); and
  • Office of the Auditor General of Canada Audit Principals.

The plan was also reviewed by numerous NRC Directors for their input and feedback. Consideration was given to all input received, and accommodated to the extent it was practical.

2.2 Strategy for Providing Annual Holistic Opinions on Risk Management, Control and Governance Processes

Beginning in 2009, the Chief Audit Executive will be required by the TBS Policy on Internal Audit to render an annual, holistic opinion on risk management, controls and governance processes. In support of this opinion, NRC's Internal Audit planning process explicitly aims to plan for sufficient coverage of these three functional areas. The following table demonstrates for senior management, the Audit, Evaluation and Risk Management Committee and the OCG how Internal Audit intends to provide the coverage necessary to build the foundation for this holistic opinion. This includes activities that have been completed or were underway in 2006-07 and those activities planned for 2007-08 until 2009-10. More detailed descriptions of the audits' scopes can be found in the detailed project descriptions provided in Section 3.0 of this plan.


Legend
R
Risk Management
C
Controls
G
Governance

Year Audit Activity Coverage
R C G
06-07 Audit of IRAP
Audit of IT Security Management
Limited Assurance Compliance Audit of Hospitality 2006-07 Transactions
Limited Assurance Compliance Audit of Travel 2006-07 Transactions
Limited Assurance Compliance Audit of Procurement and Contracting 2006-07 Transactions
Limited Assurance Compliance Audit of Acquisition Card 2006-07 Transactions
07-08 Audit Survey of Values and Ethics
Audit of Facilities Management and Equipment
Audit of Occupational Health and Safety
Limited Assurance Compliance Audit of Hospitality 2007-08 Transactions
Limited Assurance Compliance Audit of Travel 2007-08 Transactions
Limited Assurance Compliance Audit of Procurement and Contracting 2007-08 Transactions
Limited Assurance Compliance Audit of Acquisition Card 2007-08 Transactions
Audit of Integrated Risk Management
Follow-up Audit to 2002 Construction Contracting Audit
RBAF for Renewal of Class Grants to Enhance S&T Capacity
RBAF for Renewal of IRAP Terms and Conditions
08-09 Audit Survey of Planning and Prioritization
Audit of Industry Partnership Facilities
Audit of Capital Planning and Investment
Audit of Intellectual Property Management
Audit of Financial Management
Limited Assurance Compliance Audit of Hospitality 2008-09 Transactions
Limited Assurance Compliance Audit of Travel 2008-09 Transactions
Limited Assurance Compliance Audit of Procurement and Contracting 2008-09 Transactions
Limited Assurance Compliance Audit of Acquisition Card 2008-09 Transactions
Follow-up to the 2006-07 Audit of IT Security Management
09-10 Audit Survey of Values and Ethics
Audit Survey of Human Resources
Audit of Horizontal Initiatives
Limited Assurance Compliance Audit of Hospitality 2009-10 Transactions
Limited Assurance Compliance Audit of Travel 2009-10 Transactions
Limited Assurance Compliance Audit of Procurement and Contracting 2009-10 Transactions
Limited Assurance Compliance Audit of Acquisition Card 2009-10 Transactions
Follow-up Audit to 2006-07 IRAP Audit
Follow-up to the 2007-08 Audit of Facilities Management and Equipment Audit
Follow-up to the 2007-08 Audit of Occupational Health and Safety
Follow-up to the 2007-08 Audit of Integrated Risk Management
RBAF for Renewal of TRIUMF Terms and Conditions

2.3 Co-ordination / Reliance with other Assurance Providers

In order to ensure proper coverage and minimize duplication of efforts, NRC Internal Audit regularly shares information and coordinates activities with the Office of the Auditor General as well with NRC Finance Branch which is responsible for conducting ongoing recipient audits and coordinating financial statement audits for NRC's grants and contributions programs. In our meetings with them, we discuss: audit coverage, access to each other's audit programs and working papers Footnote3, exchange of audit reports and management letters and the common understanding of audit techniques, methods and terminology.

For the current planning cycle for 2007-2008, NRC Internal Audit will look to the work completed by the OAG in the areas of:

  • Planning and Prioritization; and
  • Human Resources Management; and
  • Commercialization: Intellectual Property Management.

The audit work completed by the OAG in 2006-2007 for its follow-up to the 2004 performance audit of NRC's Management of Leading-Edge Research focussed, in part, on the areas of business planning and human resources management. Whereas satisfactory progress in implementing the 2004 recommendations made by the OAG in these two areas was assessed as satisfactory, a number of further recommendations for action were made. NRC Internal Audit will continue to monitor the progress made in these two areas in order to both ensure their implementation as well as to determine what further audit work would be useful. Hence, audit surveys have been scheduled for these two areas in the internal audit plan – business planning next year which will also incorporate performance measurement and reporting and human resources management later in 2009-10 to give them sufficient time to implement their management action plans given in response to the new OAG recommendations. Finally, the Management Control Framework Audit of Intellectual Property Management will take into the account the OAG's ongoing government-wide performance audit of Research and Innovation which has as one of its three lines of enquiry the management of intellectual property.

On an ongoing basis, as part of its risk assessment process, NRC Internal Audit will examine the results of NRC Finance Branch directed recipient audits and follow-up action to determine if further internal audit work is necessary. As well, the annual audited financial statements for NRC completed by the OAG and those prepared for the various telescope programs by external auditors will be reviewed as a matter of course to assess their risk and hence the need for further internal audit work.

As it will be the case for every audit plan, this year's audit plan is a continuation of the previous year's plan in that it will include the continuation of audits that commenced last year but not finalized as well as the carry over of some audits that were delayed. While explained on a case by case basis below, these delays are due to a number of factors including: the emergence of unforeseen audit activities which prolonged the duration of some audits; external audit activity undertaken by central agencies which provided partial coverage thereby lessening the requirement to conduct an internal audit at that time; and staffing delays which resulted in some audits being rescheduled to 2007-08.

The resulting audit plan for the three years 2007-08 to 2009-10 is summarized below in the tables presented in section 3.3. For each audit, a preliminary objective and scope has been provided. It must be noted that the final scope and objectives may be modified depending on the results of the planning phases for each of the respective projects.

3.0 Audit Plan

3.1 Global Priorities

As noted earlier in this document, in direct response to the new TBS Policy on Internal Audit that came into effect April 1, 2006, the Internal Audit function at NRC has undergone considerable reorganization. In addition to the new position of Director Internal Audit who serves as the Chief Audit Executive, two professionally accredited and experienced Audit Managers were recruited and in place by December 2006. Some delays in implementing last year's plan were experienced due to the necessity to ensure appropriate recruitment and orientation of new staff as well as time taken away from conducting audits in order to respond to some of the new requirements of the new government audit policy, e.g., audit committees and the Management Accountability Framework (MAF) assessment. This year's plan presented below therefore identifies new timelines (and their rationales) for some audits.

Over the next two years, one of the major priorities for NRC Internal Audit will be the full implementation of the TBS Policy on Internal Audit by April 1, 2009. This will be undertaken while simultaneously implementing this year's audit plan. As it was the case for the implementation of last year's plan, this will be contingent upon being able to recruit appropriate staff. This year's plan assumes the recruitment of a junior auditor on an assignment basis by October 1, 2007.

3.2 Detailed Changes from Last Year's Internal Audit Plan

The following is a list of the audits that did not commence as planned in 2006-07 and their rationales:

  • Audit Survey of Human Resources Management – moderate risk audit priority: the survey was not completed due to the unforeseen depth of audit work that was undertaken by the Office of the Auditor General as part of its follow-up to the 2004 performance audit on NRC Management of Leading-Edge Research. While their work determined that satisfactory progress had been made in the 2004 recommendations pertaining to human resource management, the OAG recommended that NRC align and integrate its human resource management regime with its strategic priorities as expressed in the NRC Strategy. The approved management action plan is being monitored by NRC's Audit, Evaluation and Risk Management Committee for implementation. In order to give the necessary time to implement these actions, the NRC Internal Audit survey and audit have been rescheduled to 2009-2010 and 2010-2011, respectively.
  • Audit of Facilities Management and Equipment – high risk audit priority: the work necessary to undertake the validation of this 2004 draft internal audit report did not commence due to staffing delays and unforeseen audit activities pertaining to the ongoing audit of the Industrial Research Assistance Program (IRAP). The scope of the IRAP audit was expanded to include an examination of management improvements made in 2006-07. Audit work pertaining to Facilities Management and Equipment has been rescheduled to 2007-08.
  • Follow-up MCF Assurance Work for Intellectual Property (IP) Licensing – high risk audit priority: the audit recommendations concerning IP management that arose from a management review completed in 2005 were factored into the broader Business Review that was undertaken by NRC in 2006. The Business Review was a significant study that took eight months to complete and involved employees at all levels across the organization. The recommendations and resulting management action plans from this review were far reaching, but included measures to address the concerns raised in the earlier management review. This work has therefore been rescheduled to 2008-09 as part of the Management Control Framework Audit of Intellectual Property.

The following is a list of the audits that were planned for 2007-08 but have been rescheduled to future years and their rationales:

  • Preliminary Survey of Planning and Prioritization – high risk audit priority: the survey has been rescheduled to 2008-09 due to the unforeseen depth of audit work that was undertaken by the Office of the Auditor General as part of its follow-up to the 2004 audit on NRC Management of Leading-Edge Research. Recommendations were made with respect to business planning and performance information and reporting for which an approved management action plan has been put in place and is being monitored by NRC's Audit, Evaluation and Risk Management Committee for implementation. By rescheduling this survey to future years, NRC management will be given sufficient time to implement these recommendations.
  • Preliminary Survey of Operational Security – moderate risk audit priority: the audit survey and subsequent audit have been rescheduled to 2010-11 and 2011-12 respectively, due to available audit resources and its commensurate level of risk for NRC.
  • MCF Audit of Capital Planning and Investment – high risk audit priority: this audit has been rescheduled to 2008-09 due to available audit resources and its commensurate level of risk for NRC.
  • MCF Audit of Financial Management – high risk audit priority: this audit has been rescheduled to 2008-09 due to available audit resources and its commensurate level of risk for NRC. It should be noted that a significant portion of the management and control framework for financial management is examined each year as part of the limited assurance compliance audits for hospitality, travel, acquisition cards and contracts as well as by the annual financial statement audits completed by the OAG.
  • Management of Horizontal Initiatives – moderate risk audit priority: this audit has been rescheduled to 2008-09 due to available audit resources and its commensurate level of risk for NRC.

For 2008-09, only follow-up audits have been rescheduled to future years in order to meet the planning assumption that management will be given two years to implement their management action plans in response to audit recommendations. These include the following follow-up audits to be completed in 2008-09 instead of the previous year as originally planned: IRAP, Facilities Management and Equipment, Capital Planning and Investment, and Management of Information Technology Security.

Finally, the remaining significant change that has been made to the previous year's plan concerns Values and Ethics. Through subsequent discussion with OCG officials, NRC's Audit, Evaluation and Risk Management Committee and NRC senior management it was determined that an audit survey would be conducted every other year to verify that relevant and appropriate policies exist and limited testing be undertaken to ensure they are respected as planned. The first audit survey for Values and Ethics will commence in the latter half of 2007-08.

3.3 Planned Audit Activities

The following tables provide a summary of the audit projects that will be undertaken between 2007-08 and 2009-10. For each project, a description of the planned objective and scope has been provided with a rationale for why the project should be conducted. As well, resource estimates are provided, both in terms of NRC FTEs (in weeks) and contracting dollars required. The planning assumption was made that each of the Audit Manager FTE's would have a total of 40 audit weeks available each year taking into consideration vacation, other types of leave, training and professional accreditation requirements. This will be the same for the junior auditor position once it is in place. For this year, the planning assumption is made that it will be staffed as of October 1, 2007 thus allowing for an additional 20 auditor weeks. The CAE is expected to have 20 audit weeks available each year with the remainder devoted to management activities to ensure the full implementation of the TBS Policy on Internal Audit which include, among others, planning, liaison with central agencies to ensure the appropriateness and coordination of audit activities, quality assurance as well as reporting and recruitment efforts. Experience gained in 2006-07 has shown that more time in terms of Auditor Weeks and in some cases more contract dollars are needed complete internal audits than originally estimated for 2006-07. Hence, estimates for this year's plan and subsequent years have been increased accordingly.

2007-08 Audit Plan Projects

The following table provides a summary of the audit projects that will be undertaken by NRC Internal Audit. It is important to note that in 2006-07, the OAG conducted a range of assurance work, including a follow-up to their 2004 Audit of Management of Leading Edge-Research and their April 2007 Audit of Research and Innovation. This year's plan takes into account this body of work in order to ensure Internal Audit's scarce resources are used efficiently. See Appendix C for how these OAG audits are expected to some provide audit coverage that need not be duplicated.

Audit Project Audit Objective Rationale
Audit Surveys
1. Audit Project: Audit Survey of Values and Ethics

High Risk Audit Priority
An audit survey was completed early in fiscal year 2006-07 but was placed on hold pending further clarification from the OCG. The objective will be to conduct a survey of NRC's values and ethics framework which will include an identification of the key practices in place to fulfill NRC's objectives as outlined in the Management Accountability Framework (MAF). For this exercise, we will be guided by the "Public Service Values" controls identified in the draft TBS Fundamental Control Framework. Upon identifying the key controls in NRC, we will also identify areas of risk to which NRC is exposed in relation to values and ethics and will, on that basis determine limited testing necessary to test that the controls are functioning as intended. The MAF requires that all federal departments and agencies continually reinforce the importance of public service values – including those that touch upon professional, ethical and people values. This is achieved through NRC's overall control environment which itself is comprised of a range of internal control practices, including but not limited to managerial operating philosophy, communications, policy framework, and training and development. Identified by the OCG as an integral element of an organization's fundamental control framework, NRC's values and ethics regime is critical in preventing conflict of interest and other improper or illegal behaviour, such as fraud.
Nature of the Engagement:
Audit Survey
Resource Estimates:
4 Auditor weeks; $25,000 contracts
Assurance Audit Engagements
2. Audit Project: Management Control Framework (MCF) Audit of IRAP – ongoing

High Risk Audit Priority
The broad objective of this audit, nearing completion, was to assess the extent to which NRC-IRAP is managed according to sound management principles. Specific objectives were to assess NRC-IRAP's management control and accountability frameworks; measure compliance with applicable legislation, policies and guidelines; assess the status of management's Program Improvement Plan; and follow up on NRC-IRAP-related recommendations in Industry Canada's September 2003 audit of Technology Partnerships Canada. The ongoing audit of IRAP which was identified in the 2004-2007 Internal Audit Plan was recognized by the Senior Executive Committee as important due to the public nature of the program and the high level of scrutiny that exists for transfer payments. The audit's scope was expanded to include additional limited testing to verify management improvements in force in 2006-07.
Nature of the Engagement:
MCF Audit
Resource Estimates:
12 Auditor weeks; $10,000 contracts
3. Audit Project: Audit of Facilities Management and Equipment - draft 2004 report pending review

High Risk Audit Priority
In 2004, an audit of NRC's Facilities Management and Equipment was conducted and a preliminary report was drafted. Due to unforeseen audit priorities elsewhere and the declining capacity of audit staff resources, this report was not finalized. Analysis will be undertaken to identify the current relevance of the report and its findings vis-à-vis new systems and procedures that have been adopted by NRC subsequent to the time of the audit. If the report is not considered relevant to the current situation, limited audit work will be undertaken to update the audit findings or, at a minimum, inform audit planning for future years. It is important that S&T organizations manage wisely their investments in facilities / equipment, particularly in times of financial strain, to continuously attract research talent to their organization and to stay at the leading edge of the research agenda. Studies, such as those conducted by CSTA - Building Excellence in Science and Technology (BEST) (1999), have referred to a "rust-out" problem for Federal R&D facilities and platforms. According to the study, some evidence was found of long-term failure to maintain S&T facilities and equipment. These concerns were echoed in the audit planning consultations and provide the rationale for the conduct of this audit.
Nature of the Engagement:
MCF Audit
Resource Estimates:
10 Auditor weeks; $50,000 contracts
4. Audit Project: Audit of Occupational Health and Safety

High Risk Audit Priority
The objective of this audit will be to assess the adequacy and effectiveness of the management controls in place to ensure compliance with occupational health and safety requirements of the NRC. The scope will include those risk management, controls and governance processes in place at the Corporate level and at the Institutes selected on a sample basis. NRC's real property management practices – particularly those related to occupational health and safety were viewed to be high risk and highly significant to the achievement of NRC's objectives. In conducting its scientific activities, a number of Institutes use dangerous substances, thus exposing staff to hazards, which may result in damage or threats to safety. In recognition of this, NRC has implemented a new Occupational Health and Safety Policy, which is being deployed in a decentralized fashion (i.e., by Institute). This audit will provide assurance that the Occupational Health and Safety Policy is being applied consistently and rigorously across Institutes.
Nature of the Engagement:
MCF / Compliance Audit
Resource Estimates:
15 Auditor weeks; $75,000 contracts
5. Audit Project: Limited Assurance Annual Compliance Audit of Hospitality Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which a sample of NRC hospitality transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected hospitality transactions based on dollar-unit sampling and drawn from the various I/B/Ps. By their nature, hospitality transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
Compliance Audit
Resource Estimates:
6 Auditor weeks; $45,000 contracts
6. Audit Project: Limited Assurance Annual Compliance Audit of Travel Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which a sample of NRC travel transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected travel transactions based on dollar-unit sampling and drawn from the various I/B/Ps. By their nature, travel transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
Compliance Audit
Resource Estimates:
6 Auditor weeks; $45,000 contracts
7. Audit Project: Limited Assurance Compliance Audit of Procurement and Contracting Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which NRC's procurement contracting (e.g. professional services and goods) transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected procurement transactions based on dollar-unit sampling and drawn from the various I/B/Ps. The risks presented by procurement and contracting were rated as moderate by senior management. However, by their nature, these types of transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
Compliance Audit
Resource Estimates:
10 Auditor weeks; $60,000 contracts
8. Audit Project: Limited Assurance Compliance Audit of Acquisition Card Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which NRC's acquisition card transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of both high value and randomly selected acquisition card transactions drawn from the various regions and I/B/Ps. The risks presented by acquisition cards were rated as moderate by senior management. However, by their nature, these types of transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
Compliance Audit
Resource Estimates:
8 Auditor weeks; $25,000 contracts
9. Audit Project: MCF of Integrated Risk Management

Moderate Risk Audit Priority
The objective of this Audit will be to assess the adequacy and effectiveness of NRC's Integrated Risk Management (IRM) practices with the goal of providing reasonable assurance that the practices: are consistently defined and applied; are integrated into and inform decision-making, including planning decisions; and comply with the expectations of TBS, as defined by the TBS IRM Framework and the draft TBS Fundamental Control Framework. The scope of this audit will comprise the range of NRC IRM processes including the policies, tools, documentation and reporting activities at both the Corporate level and Institute level selected on a sample basis. As well, the audit may examine other related management practices to determine the degree to which the IRM processes and methods are integrated into existing management activities and the degree to which they support management decision-making. Internal Audit is obligated, under the TBS Policy on Internal Audit, to report on the state of risk management, controls and governance processes in place to support the mandate of NRC. While an examination of risk management is embedded in some audit projects, this audit will provide a global assessment of Corporate and Institute risk management processes and practices – coverage which is necessary to support Internal Audit's assertions to the OCG. An area of interest to the OAG and OCG, IRM is an integral element of the NRC's overall control framework, a key element of the TBS MAF and a key enabler of good management. For these reasons, an audit of IRM is appropriate at this time.
Nature of the Engagement:
MCF Audit
Resource Estimates:
15 Auditor weeks; $75,000 contracts
10. Audit Project: Allowance for OCG-Directed Horizontal Audits The OCG, Internal Audit Sector (IAS), is mandated by the new TBS Internal Audit Policy with the conduct of horizontal audits, conducted across federal departments and agencies. The goal of these audits will be to provide assurance that the risks to government-wide objectives are being managed in specific departments and agencies. Annually, the OCG will be conducting its own risk assessment exercise and will, on that basis, be identifying the topics for such audits and the departments and agencies that will be included in this scope. NRC may or may not be subject to such reviews; however, if it is identified as being within the scope, NRC Internal Audit will be directed by the OCG to conduct the audit on its behalf. NRC Internal Audit is obligated by the TBS IA Policy to conduct OCG-directed horizontal audits, as and when required by the OCG.
Nature of the Engagement:
MCF / Compliance Audit
Resource Estimates:
20 Auditor weeks; $50,000 contracts
Follow-up Reviews
11. Audit Project: Follow-up to 2002 Audit of Construction Contracting

High Risk Audit Priority
The objective of the work will be to follow-up on the progress made in implementing the recommendations for the 2002 Audit of Construction Contracting. Follow-up reviews by Internal Audit are important accountability mechanisms as they permit independent verification that the control weaknesses identified in the original audit have been satisfactorily remedied and that any areas of unacceptable risk have been managed appropriately.
Nature of the Engagement:
Follow-up Review
Resource Estimates:
12 Auditor weeks; $75,000 contracts
Other Activities
12. Audit Project: RBAF for Renewal of Class Grants to Enhance S&T Capacity

Moderate Risk Audit Priority
The objective of this work will be to assist in the development of an RBAF which will identify the primary sources of risk to the program's success, an assessment of the likelihood and impact of those risks, including the underlying assumptions made, and a discussion of risk mitigation actions (including management controls) taken and planned. The RBAF will also present an assessment as to how these risks will be used to inform decisions on the nature and extent of monitoring, recipient and internal audits and evaluation. The Class Grants to Enhance Science and Technology Capacity (i.e., supplements to scholarship recipients and the Hertzberg Memorial Price and Fellowships), will expire August 31, 2008. TBS submissions for program approval of terms and conditions for grants to a class of recipients or for contributions require a risk-based framework for the audit of recipient contributions, an internal audit plan and evaluation plan of the transfer payment program, including expected funds to be budgeted for costs related to these requirements.
Nature of the Engagement:
RBAF Development
Resource Estimates:
2 Auditor weeks
13. Audit Project: RBAF for Renewal of IRAP Terms and Conditions

High Risk Audit Priority
The objective of this work will be to assist in the development of an RBAF which will identify the primary sources of risk to the program's success, an assessment of the likelihood and impact of those risks, including the underlying assumptions made, and a discussion of risk mitigation actions (including management controls) taken and planned. The RBAF will also present an assessment as to how these risks will be used to inform decisions on the nature and extent of monitoring, recipient and internal audits and evaluation. The Terms and Conditions for IRAP will expire March 31, 2008. TBS submissions for program approval of terms and conditions for contributions require a risk-based framework for the audit of recipient contributions, an internal audit plan and evaluation plan of the transfer payment program, including expected funds to be budgeted for costs related to these requirements.
Nature of the Engagement:
RBAF Development
Resource Estimates:
2 Auditor weeks
14. Audit Project: NRC Management Directed Audits

High Risk Audit Priority
The TBS Policy on Internal Audit directs that the majority of resources should be devoted to providing assurance audits and as such, this is the focus of the NRC Audit Plan. This allocation, however, is made in response to the need to provide in the plan for unexpected events requiring investigation to determine potential risks to the NRC's control and governance processes.
Nature of the Engagement:
MCF / Compliance Audit
Resource Estimates:
10 Auditor weeks; $50,000 contracts
Total Internal Audit Resources Required
132 Auditor weeks; $595,000 contracts
Total Internal Audit Resources Available
120
Table footnote1Auditor weeks; $570,00 Table footnote2contracts
Total Internal Audit Resources Surplus (Deficit)
(12) Auditor weeks; ($25,000) contracts
Conclusion: It is important to note that the presence of OCG or NRC Management Directed Audits will largely impact the occurrence of a surplus or deficit on Internal Audit resources. Potential risks presented by the projected Auditor Weeks deficit and contracts deficit could be worsened by a delay in the recruitment of a junior auditor and the necessity to coordinate the NRC's response to the ongoing OAG government-wide audit of Research and Innovation. These risks can be mitigated by delaying some audits to future years following consultation with the Audit, Evaluation and Risk Management Committee.

Notes for Table:

notes for Table 1

The planning assumption is made that NRC Internal Audit will be successful in its recruitment efforts to bring on board a junior auditor by October 1, 2007 thus providing an additional 20 Auditor weeks to the existing 100 available.

Return to Table footnote1 referrer

notes for Table 2

Surplus (Deficit) is calculated based on an available operational budget of $500,000 less $30,000 for staff and non-staff travel and $100,000 rolled over from the previous year's unused contract budget; additional funds allocated by the OCG have been set aside for professional audit accreditation training and other training requirements as noted in section 3.2.

Return to Table footnote2 referrer

2008-09 Audit Plan Projects

Audit Project Audit Objective Rationale
Assurance Audit Engagements
1. Audit Project: Preliminary Survey of Planning and Prioritization

High Risk Audit Priority
The work completed by the OAG in 2006-07 provided a degree of adequate audit coverage. Therefore, it is our intention to leverage, to the extent possible, the work conducted by the OAG to avoid duplication of audit effort. The objective will be to conduct a preliminary audit survey of NRC's planning and prioritization practices and to document the controls in place to manage this risk. On the basis of this risk assessment, which will be focused at the Corporate and the Institute levels, Internal Audit will determine the net or residual risks associated with planning and prioritization and, on that basis, will determine if further, more detailed assurance work is needed. The scope of the survey will include the NRC's business planning, priority-setting and resource allocation practices at the corporate level and at selected Institutes on a sample basis. It will also include an examination of the timeliness and sufficiency of performance information and other management information used to develop these plans and to support decision-making. In 2004, Strategic Planning was identified as a priority during the audit planning exercise; it was similarly highlighted in the 2004 OAG audit of NRC. Once again, during the 2006 audit planning exercise, planning and prioritization was highlighted as an area of risk and great significance – particularly as the NRC embarks on its New Strategy. In response to these priorities, in 2005-06, NRC implemented a new approach to integrated planning, designed to ensure better, more systematic and risk-based planning at the Institute level. Pilots were completed in 2006 and extended to other Institutes. In light of these developments, the importance of integrated planning at NRC and the priority that is being placed on integrated planning by TBS, a risk-based preliminary survey in this area should be conducted in 2008-09.
Nature of the Engagement:
Audit Survey
Resource Estimates:
6 Auditor weeks; $25,000 contracts
2. Audit Project: MCF Audit of Industry Partnership Facilities

High Risk Audit Priority
The objective of this audit will be to assess the adequacy and effectiveness of the risk management, controls and governance processes in place to achieve the NRC's objectives related to Industry Partnership Facilities (IPF). The scope will include those risk management, controls and governance processes in place at the Corporate level and at the Institutes selected on a sample basis. Successful partnership with industry through IPFs is a critical element underpinning the new NRC Strategy. At the same time, such arrangements are inherently exposed to a variety of risks that, if not managed well, may negatively affect not only NRC's reputation, but also the achievement of NRC's strategic goals. The considerable financial investment being made in such facilities and the intrinsic difficulty in exiting from such arrangements should the benefits not materialize may also expose NRC to considerable risk. While NRC's Program Evaluation function has conducted numerous evaluations of Technology Clusters (another key element of NRC's partnership enablers), no reviews have yet been conducted of IPFs. In light of these circumstances, a comprehensive management control framework audit of the management of IPFs is appropriate at this time.
Nature of the Engagement:
MCF Audit
Resource Estimates:
15 Auditor weeks; $75,000 contracts
3. Audit Project: MCF Audit of Capital Planning and Investment

High Risk Audit Priority
The objective of this audit will be to assess the adequacy and effectiveness of the management control framework in place to support capital planning and investment - specifically to ensure that capital investment decisions are made on the basis of adequate information, with due diligence, that value for money is pursued, and that NRC's capital priorities are appropriately addressed. Capital planning and investment were identified as a high priority in the 2004 and 2006 audit planning exercises, yet has not been audited to date. The aging research infrastructure and challenges associated with recapitalization were identified throughout the risk identification exercise. Therefore, the risk levels associated with this area was considered to be high.
Nature of the Engagement:
MCF Audit
Resource Estimates:
15 Auditor weeks; $75,000 contracts
4. Audit Project: MCF Audit of Intellectual Property Management

High Risk Audit Priority
The objective of this audit will be to assess the adequacy and effectiveness of the risk management, controls and governance processes in place to support effective and efficient management of intellectual property (IP) at NRC. The scope will include those risk management, controls and governance processes in place at the Corporate level and at the Institutes selected on a sample basis. As well, the audit will follow-up on recommendations made in an earlier body of work completed in 2006 on IP licencing. The management of NRC's IP is a foundational element of the new NRC Strategy. IP management was noted as a priority in the 2004 audit plan and again in the 2006 planning exercise. To date, no audit has been conducted, due in part to the recent management review of this function. This study, completed in early 2006, resulted in a number of recommendations aimed at strengthening NRC's management of its IP. By conducting the audit in 2008-09, management will have had sufficient time to implement these recommendations.
Nature of the Engagement:
MCF Audit
Resource Estimates:
15 Auditor weeks: $75,000 contracts
5. Audit Project: MCF Audit of Financial Management

High Risk Audit Priority
The objective of this audit will be to independently assess the effectiveness and adequacy of the financial management control framework across NRC with a view to ensuring that financial transactions are carried out with due diligence, that financial information is reliable and has integrity and that there is compliance with the Financial Administration Act. The scope of this audit will place emphasis on the activities and practices of NRC Finance Branch but also the financial management practices of I/B/Ps selected on a sample basis. Internal Audit will place as much reliance as possible on the assessment of controls completed by the OAG for the purposes of the annual financial statements. The effectiveness and adequacy of financial controls were identified as concerns during the 2006 risk identification process. Beginning in 2005, the Finance Branch underwent a restructuring of its management control framework – moving to a centralization of accountabilities for the delivery of financial management practices. The NRC has also recently undergone an OAG audit of its financial statements which identified some areas in need of reinforcement. The conduct of a full audit of financial management is expected to yield valuable insight into the adequacy and effectiveness of these recent developments and their impact on financial management controls across NRC. The importance of such an audit is heightened by the priority that is being placed on matters of financial management and stewardship by central agencies. The fact that many of the fundamental financial management controls will be tested on an annual basis through the completion of the annual limited assurance compliance audits make it reasonable to undertake this audit in 2008-09.
Nature of the Engagement:
MCF Audit
Resource Estimates:
20 Auditor weeks; $75,000 contracts
6. Audit Project: Limited Assurance Annual Compliance Audit of Hospitality Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which a sample of NRC hospitality transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected hospitality transactions based on dollar-unit sampling and drawn from the various I/B/Ps. By their nature, hospitality transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
6 Auditor weeks; $25,000 contracts
7. Audit Project: Limited Assurance Annual Compliance Audit of Travel Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which a sample of NRC travel transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected travel transactions based on dollar-unit sampling and drawn from the various I/B/Ps. By their nature, travel transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
6 Auditor weeks; $25,000 contracts
8. Audit Project: Limited Assurance Compliance Audit of Procurement and Contracting Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which NRC's procurement contracting (e.g. professional services and goods) transactions are compliant with established government and NRC policies and procedures.
The scope will include a sample of randomly selected procurement transactions based on dollar-unit sampling and drawn from the various I/B/Ps.
The risks presented by procurement and contracting were rated as moderate by senior management. However, by their nature, these types of transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
10 Auditor weeks; $40,000 contracts
9. Audit Project: Limited Assurance Compliance Audit of Acquisition Card Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which NRC's acquisition card transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of both high value and randomly selected acquisition cards transactions drawn from the various regions and I/B/Ps. The risks presented by acquisition cards were rated as moderate by senior management. However, by their nature, these types of transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
8 Auditor weeks; $25,000
10. Audit Project: Allowance for OCG-Directed Horizontal Audits

High Risk Audit Priority
The OCG, Internal Audit Sector (IAS), is mandated by the new TBS Policy on Internal Audit with the conduct of horizontal audits, conducted across federal departments and agencies. The goal of these audits will be to provide assurance that the risks to government-wide objectives are being managed in specific departments and agencies. Annually, the OCG will be conducting its own risk assessment exercise and will, on that basis, be identifying the topics for such audits and the departments and agencies that will be included in this scope. NRC may or may not be subject to such reviews; however, if it is identified as being within the scope, NRC Internal Audit will be directed by the OCG to conduct the audit on its behalf. NRC Internal Audit is obligated by the TBS IA Policy to conduct OCG-directed horizontal audits, as and when required by the OCG.
Nature of the Engagement:
MCF / Compliance Audit
Resource Estimates:
20 Auditor weeks; $50,000 contracts
Follow-up Reviews
11. Audit Project: Follow-up to the 2006-07 Audit of IT Security Management

High Risk Audit Priority
The objective of this review will be to follow-up on the progress made in implementing the recommendations from the 2006-07 audit of the Management of IT Security. Follow-up reviews by Internal Audit are important accountability mechanisms as they permit independent verification that the control weaknesses identified in the original audit have been satisfactorily remedied and that any areas of unacceptable risk have been managed appropriately.
Nature of the Engagement:
MCF Audit
Resource Estimates:
8 Auditor weeks
12. Audit Project: NRC Management Directed Audit

High Risk Audit Priority
The TBS Policy on Internal Audit directs that the majority of resources should be devoted to providing assurance audits and as such, this is the focus of the NRC Audit Plan. This allocation, however, is made in response to the need to provide in the plan for unexpected events requiring investigation to determine potential risks to the NRC's governance and internal controls.
Nature of the Engagement:
MCF Audit
Resource Estimates:
10 Auditor weeks; $50,000 contracts
Total Internal Audit Resources Required
139 Auditor weeks; $540,000 contracts
Total Internal Audit Resources Available
140
Table 2 footnote1- Surplus Auditor weeks; $470,000 Table 2 footnote2contracts
Total Internal Audit Resources Surplus (Deficit)
1 Auditor week; ($70,000) contracts
Conclusion: It's important to note that the presence of OCG or NRC Management Directed Audits will largely impact the occurrence of a surplus or deficit on Internal Audit resources. Potential risks presented by the projected contract budget deficit can be offset by delaying some audits to future years following consultation with the Audit, Evaluation and Risk Management Committee.

Notes for Table:

notes for Table 2

The planning assumption is made that NRC Internal Audit will have in addition to its current complement of 31/2 FTEs, a junior auditor that will bring the total available Auditor weeks up to 140.

Return to Table footnote1 referrer

notes for Table 2

Surplus (Deficit) is calculated based on an available budget of $500,000 less $30,000 for staff and non-staff travel; additional funds allocated by OCG have been set aside for professional audit accreditation training and other training requirements as noted in section 3.2.

Return to Table footnote2 referrer

2009-10 Audit Plan Projects

Audit Project Audit Objective Rationale
Audit Surveys
1. Audit Project: Audit Survey of Values and Ethics

High Risk Audit Priority
The audit survey will be a continuation of the survey completed in fiscal year 2007-08. The objective will be to conduct a survey of NRC's values and ethics framework which will include an identification of the key practices in place to fulfill NRC's objectives as outlined in the Management Accountability Framework (MAF). For this exercise, we will be guided by the "Public Service Values" controls identified in the draft TBS Fundamental Control Framework. Upon identifying the key controls in NRC, we will also identify areas of risk to which NRC is exposed in relation to values and ethics and will, on that basis determine limited testing necessary to test that the controls are functioning as intended. The MAF requires that all federal departments and agencies continually reinforce the importance of public service values – including those that touch upon professional, ethical and people values. This is achieved through NRC's overall control environment which itself is comprised of a range of internal control practices, including but not limited to managerial operating philosophy, communications, policy framework, and training and development. Identified by the OCG as an integral element of an organization's fundamental control framework, NRC's values and ethics regime is critical in preventing conflict of interest and other improper or illegal behaviour, such as fraud.
Nature of the Engagement:
Audit Survey
Resource Estimates:
4 Auditor weeks; $25,000 contracts
2. Audit Project: Audit Survey of Human Resources

Moderate Risk Audit Priority
The objective will be to conduct a preliminary survey and risk assessment of the human resource (HR) management function of NRC. This will be a scoping exercise to determine areas of risk and further define the approach and criteria to audit. The scope will be broad and extend to all HR functions including but not limited to the activities of the HR Branch. HR systems will also be examined as enablers of effective and efficient service delivery. Finally, the HR practices in place within other I/B/Ps will also be examined. Within this broad scope, the survey will focus on those controls in place to support the "People" and "Learning, Innovation and Change Management" and "Accountability" elements of the MAF, including:
  • HR planning
  • Classification
  • Recruitment, hiring and promotion practices
  • Performance evaluation
  • HR policy framework (including clarity, comprehensiveness, currency and accessibility of policies)
  • Communications
  • Clarity of authority, responsibility and accountability
  • Professional development and training
NRC's new model for HR service delivery has been in place for some time and warrants an independent review of the adequacy and effectiveness of HR practices. HR services are key enablers to NRC's success and are heightened in importance in light of the renewal strategy and the challenges of recruiting highly qualified personnel. HR services are also considered fundamental controls in the draft TBS Fundamental Control Framework. There is therefore an expectation from the OCG that such controls and management practices will be examined.
Nature of the Engagement:
MCF Audit
Resource Estimates:
6 Auditor weeks; $80,000 contracts
Assurance Audit Engagements
3. Audit Project: MCF of Horizontal
Initiatives
Moderate Risk Audit Priority
The objective of this audit will be to assess the adequacy and effectiveness of the controls in place to support the effective and efficient management of horizontal initiatives. The scope of this audit will encompass those controls that support clear accountability, effective financial management, and information sharing, and, planning and reporting both at the Corporate level and at the Institutes (selected on a sample basis). The move to horizontal initiatives and collaborative partnerships is a key element of NRC's Renewal Strategy that relates to inter-Institute collaboration and the move to a Portfolio approach to the conduct of science, as well as increased partnerships with industry. The importance of these horizontal initiatives is considered to be very high as they will provide a test of the broader strategy being pursued by NRC. At the same time, while the importance of these arrangements is high, so also is the risk that is inherently associated with them. As the NRC moves to implement its renewal, and seeks to manage the risk to which horizontal initiatives are exposed, we envision that this audit will yield important insight into the management control practices that must be applied broadly to facilitate the effective and sustainable renewal of NRC.
Nature of the Engagement:
MCF Audit
Resource Estimates:
12 Auditor weeks; $90,000 contracts
4. Audit Project: Limited Assurance Annual Compliance Audit of Hospitality Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which a sample of NRC hospitality transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected hospitality transactions based on dollar-unit sampling and drawn from the various I/B/Ps. By their nature, hospitality transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
6 Auditor weeks; $25,000 contracts
5. Audit Project: Limited Assurance Annual Compliance Audit of Travel Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which a sample of NRC travel transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected travel transactions based on dollar-unit sampling and drawn from the various I/B/Ps. By their nature, travel transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
Compliance Audit
Resource Estimates:
6 Auditor weeks; $25,000 contracts
6. Audit Project: Limited Assurance Compliance Audit of Procurement and Contracting Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which NRC's procurement contracting (e.g. professional services and goods) transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of randomly selected procurement transactions based on dollar-unit sampling and drawn from the various I/B/Ps. The risks presented by procurement and contracting were rated as moderate by senior management. However, by their nature, these types of transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
10 Auditor weeks; $40,000 contracts
7. Audit Project: Limited Assurance Annual Compliance Audit of Travel Transactions

High Risk Audit Priority
The objective of this annual audit work will be to assess the degree to which NRC's acquisition card transactions are compliant with established government and NRC policies and procedures. The scope will include a sample of both high value and randomly selected procurement and contracting transactions drawn from the various regions and I/B/Ps. The risks presented by procurement and contracting were rated as moderate by senior management. However, by their nature, these types of transactions are perceived to be inherently vulnerable to the risk of wrong doing. Hence, the high degree of scrutiny that is being placed on such transactions by the OCG, the OAG, parliamentarians and the public. In recognition of this, limited compliance verification by Internal Audit is warranted to ensure a minimum level of coverage of these transactions is provided.
Nature of the Engagement:
MCF Audit
Resource Estimates:
8 Auditor weeks; $25,000
8. Audit Project: Allowance for OCG-Directed Horizontal Audits

The OCG, Internal Audit Sector (IAS), is mandated by the new TBS Policy on Internal Audit with the conduct of horizontal audits, conducted across federal departments and agencies. The goal of these audits will be to provide assurance that the risks to government-wide objectives are being managed in specific departments and agencies. Annually, the OCG will be conducting its own risk assessment exercise and will, on that basis, be identifying the topics for such audits and the departments and agencies that will be included in this scope. NRC may or may not be subject to such reviews; however, if it is identified as being within the scope, NRC Internal Audit will be directed by the OCG to conduct the audit on its behalf. NRC Internal Audit is obligated by the TBS Internal Audit Policy to conduct OCG-directed horizontal audits, as and when required by the OCG.
Nature of the Engagement:
MCF / Compliance Audit
Resource Estimates:
20 Auditor weeks; $50,000 contracts
Follow-up Reviews
9. Audit Project: Follow-up to the 2006-07 Audit of IRAP

High Risk Audit Priority
The objective of this review will be to follow-up on the progress made in implementing the recommendations from the 2006-07 audit of IRAP as well as comprise detailed compliance testing of contributions to examine whether the management action plan to address the recipient audit review completed by Finance Branch has been successful. Follow-up reviews by Internal Audit are important accountability mechanisms as they permit independent verification that the control weaknesses identified in the original audit have been satisfactorily remedied and that any areas of unacceptable risk have been managed appropriately.
Nature of the Engagement:
Follow-up Review
Resource Estimates:
20 Auditor weeks; $75,000
10. Audit Project: Follow-up to the 2007-08 Facilities Management and Equipment Audit

High Risk Audit Priority
The objective of this review will be to follow-up on the progress made in implementing the recommendations from the 2007-08 audit of Facilities Management and Equipment. Follow-up reviews by Internal Audit are important accountability mechanisms as they permit independent verification that the control weaknesses identified in the original audit have been satisfactorily remedied and that any areas of unacceptable risk have been managed appropriately.
Nature of the Engagement:
Follow-up Review
Resource Estimates:
8 Auditor weeks; $25,000
11. Audit Project: Follow-up to the 2007-08 Occupational Health and Safety Audit

High Risk Audit Priority
The objective of this review will be to follow-up on the progress made in implementing the recommendations from the 2007-08 audit of Occupational Health and Safety. Follow-up reviews by Internal Audit are important accountability mechanisms as they permit independent verification that the control weaknesses identified in the original audit have been satisfactorily remedied and that any areas of unacceptable risk have been managed appropriately.
Nature of the Engagement:
Follow-up Review
Resource Estimates:
8 Auditor weeks; $25,000
12. Audit Project: MCF Audit of Integrated Risk Management

Moderate Risk Audit Priority
The objective of this review will be to follow-up on the progress made in implementing the recommendations from the 2007-08 audit of Integrated Risk Management. Follow-up reviews by Internal Audit are important accountability mechanisms as they permit independent verification that the control weaknesses identified in the original audit have been satisfactorily remedied and that any areas of unacceptable risk have been managed appropriately.
Nature of the Engagement:
Follow-up Review
Resource Estimates:
20 Auditor weeks; $75,000
Other Activities
13. Audit Project: Renewal of TRIUMPH Terms and Conditions
High Risk Audit Priority
The objective of this work will be to assist in the development of an RBAF which will identify the primary sources of risk to the program's success, an assessment of the likelihood and impact of those risks, including the underlying assumptions made, and a discussion of risk mitigation actions (including management controls) taken and planned. The RBAF will also present an assessment as to how these risks will be used to inform decisions on the nature and extent of monitoring, recipient and internal audits and evaluation. Terms and conditions will expire March 31, 2010. TBS submissions for program approval of terms and conditions for contributions require a risk-based framework for the audit of recipient contributions, an internal audit plan and evaluation plan of the transfer payment program, including expected funds to be budgeted for costs related to these requirements.
Nature of the Engagement:
MCF Audit
Resource Estimates:
2 Auditor weeks
14. Audit Project: NRC Management Directed Audits

The TBS Policy on Internal Audit directs that the majority of resources should be devoted to providing assurance audits and as such, this is the focus of the NRC Audit Plan. This allocation, however, is made in response to the need to provide in the plan for unexpected events requiring investigation to determine potential risks to the NRC's governance and internal controls.
Nature of the Engagement:
MCF / Compliance Audit
Resource Estimates:
10 Auditor weeks; $50,000 contracts
Total Internal Audit Resources Required
133 Auditor weeks; $515,000 contracts
Total Internal Audit Resources Available
140
 Table 3 footnote1Auditor weeks; $470,000Table 3 footnote2contracts
Total Internal Audit Resources Surplus (Deficit)
(7) Auditor weeks; ($45,000) contracts
Conclusion: It's important to note that the presence of OCG or NRC Management Directed Audits will largely impact the occurrence of a surplus or deficit on Internal Audit resources. Potential risks presented by the projected contract budget deficit can be offset by delaying some audits to future years following consultation with the Audit, Evaluation and Risk Management Committee.

Notes for Table:

notes for Table 1

The planning assumption is made that NRC Internal Audit will be successful in its recruitment efforts to bring on board a junior auditor by October 1, 2007 thus providing an additional 20 Auditor weeks to the existing 100 available.

Return to Table footnote1 referrer

notes for Table 2

Surplus (Deficit) is calculated based on an available operational budget of $500,000 less $30,000 for staff and non-staff travel and $100,000 rolled over from the previous year's unused contract budget; additional funds allocated by the OCG have been set aside for professional audit accreditation training and other training requirements as noted in section 3.2.

Return to Table footnote2 referrer

4.0 Performance Measures for NRC Audit Activities

NRC Internal Audit has developed the following performance measures with respect to the previous year's audit plan that will be reported out as part of this annual planning exercise. These will include the following measures:

  1. Costs of completing internal audits vis-à-vis budgeted estimates;
  2. Number of audit recommendations made by NRC Internal Audit that have been implemented by NRC management;
  3. Number of audit recommendations made by the Office of the Auditor General of Canada that have been implemented by NRC management;
  4. Number of audits commenced in the timeframe indicated by the NRC Internal Audit Plan; and
  5. Management Accountability Assessment (MAF) rating determined by the Office of the Comptroller General.

Listed below are the performance measures relevant to 2006-07:

  1. Costs Footnote4 of completing internal audits vis-à-vis budgeted estimates – under estimated

    MCF Audit of Industrial Research Assistance Program (IRAP)- ongoing

    Estimated budget: 6 Auditor Weeks; $16,550 contracts
    Actual cost as of June 1, 2007: 18 Auditor Weeks; $26,550 plus ongoing work to finalize the draft audit report
    Reason for variance: The audit scope was expanded to include limited testing to verify management improvements in place for 2006-07.

    Audit of Management of IT Security
    Estimated budget: 8 Auditor Weeks; $78,000 contracts
    Actual cost as of June 1, 2007: 9 Auditor Weeks; $84,550 plus ongoing work to finalize the draft audit report
    Reason for Variance: Additional contract dollars were expended to cover the costs of professional writer as well as greater than planned Auditor weeks to finalize the report.

    Annual Limited Assurance Compliance Audits for Hospitality and Travel
    Estimated budget: 8 Auditor Weeks: $0 contracts
    Actual cost as of June 1, 2007: 2.5 Auditor weeks; $22,000 contracts
    Reason for Variance: Contract dollars were used to supplement smaller than available Auditor weeks.

    Annual Limited Assurance Compliance Audits for Contracts and Procurement including Acquisition Cards- ongoing
    Estimated budget: 8 Auditor Weeks: $0 contracts
    Actual cost as of June 1, 2007: 3 Auditors weeks (contracts) and 1.5 Auditors weeks (acquisition cards); $63,217 (contracts) and $13,000 (acquisition cards)
    Reason for Variance: Contract dollars were used to supplement smaller than available Auditor weeks. In addition, contract and procurement transactions were found to be more complex than anticipated thus requiring more time.

  2. Number of audit recommendations made by NRC Internal Audit that have been implemented by NRC management – not applicable

    Not applicable; there were no follow-up audits that were completed in 2006-07 by NRC Internal Audit.

  3. Number of audit recommendations made by Office of the Auditor General that have been implemented by NRC management – 70 percent

    In its follow-up audit to the 2004 performance report of NRC Management of Leading-Edge Research reported to Parliament in February 2007, the OAG identified satisfactory progress in seven of 10 recommendations made or 70 percent. These included areas involving corporate governance, corporate strategic direction, and human resources management. Further progress was identified with respect to documenting decisions at the Institute level and in performance measurement and reporting.

  4. Number of audits commenced in the timeframe indicated by the NRC Internal Audit Plan – 67 percent

    In 2006-07, the NRC Internal Audit Plan identified eight audit projects in addition to OCG directed and NRC management directed audit projects. In 2006-07, two of the eight projects are in their final stages of completion and are expected to be tabled with the Audit, Evaluation and Risk Management Committee in June 2007 (Management of IT Security) and September 2007 (IRAP). In addition, the audit projects pertaining to annual limited assurance compliance testing for hospitality, travel and contract and procurement (including acquisition cards) are well underway and are also expected to report to the Audit, Evaluation and Risk Management Committee in September 2007. As noted in section 3.2, two of the audit projects (Audit Survey for Human Resource Management and Follow-up to MCF Assurance Work for Intellectual Property Licencing) have been rescheduled to future years due to unforeseen operational considerations that were beyond NRC Internal Audit's control. The remaining two audit projects (verification of the 2004 Audit of Facilities Management and Equipment and the Follow-up to the 2002 Audit of Construction Contracting) were not started due to delays in staffing the two Audit Manager positions with professionally accredited and experienced staff. Therefore an overall implementation rate of 67% (4 of 6 projects) was achieved at the same that Internal Audit provided limited internal consulting services where requested including functional advice provided with respect to Risk-Based Audit Frameworks for Class Grants to Enhance S&T Capacity and IRAP.

  5. Management Accountability Assessment (MAF) rating determined by the Office of the Comptroller General - Opportunity for Improvement

    An overall rating of "Opportunity for Improvement" was assessed by the OCG:

    "The National Research Council (NRC) is developing an implementation plan for the new Internal Audit Policy and some initiatives are under way. Progress has been made through the recent creation of new positions and hiring of qualified professionals, an internal increase in operational funds, and the development of a risk-based internal audit plan to ensure that key internal audit elements are in place to support the internal audit function. While increased audit activity has begun, attention must be given to completing and reporting on internal audit assurance work.

    To comply with the new Internal Audit Policy, a Chief Audit Executive position has been created and staffed and reports to the Deputy Head. NRC has an Audit Committee that consists entirely of four external members, one of which is chairperson, and the Deputy Head, who is an ex-officio member.

    NRC will seek Treasury Board approval for each member's appointment.

    The Chief Audit Executive is eligible, but has not yet applied, to write the Certified Internal Auditor examinations.

    The agency has an approved risk-based internal audit plan, but delays in staffing late in the fiscal year resulted in it not being produced in a timely manner. No internal audit reports have been submitted for the past two years; however, resource levels have recently increased."

Appendix A: NRC Audit Universe for 2007-2008 – Risk Factors for Consideration in Audit Planning

The following table presents an update from the risk factors identified in 2006-2007 based on new information including ongoing revisions to the corporate risk profile, updated budget / expenditure data and results from ongoing monitoring, audit and evaluation activities. The elements of the NRC audit universe are ranked in order of risk priority. As described earlier in this planning document, the individual audit entities were ranked initially by senior management according to three criteria: risk, significance and public profile. Audit entities were then examined for other considerations that might affect the overall priority for Internal Audit. Based on these considerations, which are listed in the table below, an overall priority ranking was assigned which influenced the timing of the audits.

Audit Entity Risk Factors Overall Risk
Partnerships with Industry: Industrial Research Assistance Program (IRAP) Management's Assessment of Priority Table Appendix A footnote1 High: 0.896
(Ranked 1st)
High
Corporate Risk Profile High: Client Relationship Management Moderate:
Technology Transfer and IP Management; and Accountability
Materiality Table Appendix A footnote2 High: $116.6 million
Audit Activity Moderate: frequent and ongoing audits reveal improvements as well as areas requiring improvement
Evaluation Activity Low: frequent and ongoing evaluations
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance
Planning and Prioritization Management's Assessment of Priority Table Appendix A footnote1 High: 0.85 (Ranked 2nd) High
Corporate Risk Profile High: NRC Strategy Implementation Moderate:Business Processes
Materiality Table Appendix A footnote2 Not applicable – horizontal activity
Audit Activity Moderate: recent OAG audit identified areas in need of improvement
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters Management's Assessment of Priority Table Appendix A footnote1 High: 0.796
(Ranked 3rd)
High
Corporate Risk Profile High: Client Relationship Management Moderate: Technology Transfer and IP Management; and Major Initiative & Project Delivery Low: Collaboration
Materiality Table Appendix A footnote2 High: $38.6 million
Audit Activity High: partial audit coverage
Evaluation Activity Low: frequent and recent evaluations
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance and to follow-up previous audits
Values and Ethics Management's Assessment of Priority Table Appendix A footnote1 High: 0.774
(Ranked 4th)
High
Corporate Risk Profile High :Promotion, Image and Reputation of NRC
Materiality Table Appendix A footnote2 Not applicable – horizontal activity
Audit Activity High: no direct audit coverage
Evaluation Activity Not Applicable
Requirement for Audit High: TBS Directive on Departmental Audit Committees - requirement for "annual reviews"
Capital Planning and Investment Management's Assessment of Priority Table Appendix A footnote1 High: 0.742
(Ranked 5th)
High
Corporate Risk Profile High: Facilities Infrastructure & Investment
Materiality Table Appendix A footnote2 High: $47 million
Audit Activity High: no recent audit coverage
Evaluation Activity Not Applicable
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance
Commercialization: IP Management Management's Assessment of PriorityTable Appendix A footnote1 High: 0.74
(Ranked 6th)
High
Corporate Risk Profile High: Client Relationship Management Moderate: Technology Transfer and IP Management
Materiality Table Appendix A footnote2 Moderate: $4.2 million plus Table Appendix A footnote3
Audit Activity Moderate- High: partial audit coverage
Evaluation Activity Low: frequent and recent evaluations
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance
Real Property Management Management's Assessment of Priority Table Appendix A footnote1 High: 0.74
(Ranked 7th)
High
Corporate Risk Profile High: Facilities Infrastructure & Maintenance Low: Workplace Safety and Environment
Materiality Table Appendix A footnote2 High: $58.1 million
Audit Activity High: partial audit coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance and to follow-up previous audits
NRC Communications Management's Assessment of Priority Table Appendix A footnote1 High: 0.722
(Ranked 8th)
High
Corporate Risk Profile High: For Promotion, Image & Reputation
Materiality Table Appendix A footnote2 Moderate: $5.8 million plus Table Appendix A footnote3
Audit Activity High: no recent audit coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance
Financial Management Control Framework Management's Assessment of Priority Table Appendix A footnote1 High: 0.71
(Ranked 9th)
High
Corporate Risk Profile High: Funding & Financial Pressures Moderate: Financial Management; and Accountability
Materiality Table Appendix A footnote2 High: all NRC expenditures and revenues
Audit Activity Medium-High: partial audit coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance; pending TBS Policy on Internal Controls and Accountability Act
Financial Management: Travel and Hospitality Management's Assessment of Priority Table Appendix A footnote1 High:
(Ranked 9th)
Table Appendix A footnote4
High
Corporate Risk Profile High: Promotion, Image & Reputation Moderate: Financial Management; and Accountability
Materiality Table Appendix A footnote2 Moderate-High: Travel: $22 million Hospitality: $1.4 million
Audit Activity High: no recent audit coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA to audit areas of higher risk and significance; probable links to annual reports on Values and Ethics
Procurement and Contracting: Goods & Professional Services Management's Assessment of Priority Table Appendix A footnote1 Moderate: 0.584
(Ranked 13th)
High
Corporate Risk Profile Moderate: Contracts & Agreements; Financial Management; and Accountability
Materiality Table Appendix A footnote2 High: $181 million
Audit Activity High: no recent coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA requires annual holistic opinions on governance and controls; and origin of the Federal Accountability Act
Acquisition Cards Management's Assessment of Priority Table Appendix A footnote1 Low: 0.32
(Ranked 26th)
High
Corporate Risk Profile Moderate: Re: Contracts & Agreements; Financial Management; and Accountability
Materiality Table Appendix A footnote2 Moderate: $12 million
Audit Activity High: no recent audit coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA requires annual holistic opinions on governance and controls; and origin of the Federal Accountability Act
Human Resources Management Table Appendix A footnote5 Management's Assessment of Priority Table Appendix A footnote1 Moderate-High: 0.66
(ranked 10th)
Moderate
Corporate Risk Profile High: Attracting & Retaining Highly Qualified Personnel Moderate: Cultural Issues; and Aging Staff Profile / Workforce Renewal
Materiality Table Appendix A footnote2 Moderate: $12.1 million
Audit Activity Moderate: recent OAG audit noted areas for improvement
Evaluation Activity Not applicable
Requirement for Audit Moderate: TBS Policy on IA to audit areas of higher risk and significance
Integrated Risk Management Management's Assessment of Priority Table Appendix A footnote1 Moderate: 0.592
(Ranked 12th)
Moderate
Corporate Risk Profile Not applicable – not identified as a corporate risk
Materiality Table Appendix A footnote2 Not applicable: horizontal activity
Audit Activity High: no recent audit coverage
Evaluation Activity Not applicable
Requirement for Audit High: TBS Policy on IA requires annual holistic opinions on integrated risk management
IT Security Management's Assessment of PriorityTable Appendix A footnote1 Moderate: 0.584
(Ranked 14th)
Moderate
Corporate Risk Profile Moderate: IT Security and Service Delivery
Materiality Table Appendix A footnote2 Moderate: IMSB $1.1 million plus
Audit Activity Moderate: recent audit reveals areas for improvement
Evaluation Activity Not applicable
Requirement for Audit Moderate-High: requirement to assess compliance with GSP and MITS standards; TBS Policy on IA to follow-up previous audits
Operational Security Management's Assessment of Priority Table Appendix A footnote1 Moderate: 0.568
(Ranked 15th)
Moderate
Corporate Risk Profile Moderate: IT Security and Service Delivery
Materiality Table Appendix A footnote2 Not applicable: horizontal activity
Audit Activity Moderate: recent audit coverage
Evaluation Activity Not applicable
Requirement for Audit Moderate: TBS Policy on IA to follow-up previous audits
CISTI Management's Assessment of Priority Table Appendix A footnote1 Moderate: 0.554
(Ranked 16th)
Moderate
Corporate Risk Profile Not applicable – not identified as a corporate risk
Materiality Table Appendix A footnote2 Moderate-High: $30.7 million
Audit Activity High: no audit recent coverage
Evaluation Activity Moderate-Low: recent coverage
Requirement for Audit Moderate: TBS Policy on IA to audit areas of higher risk and significance
Horizontal Initiatives and Collaborative Partnerships Management's Assessment of Priority Table Appendix A footnote1 Moderate: 0.548
(Ranked 17th)
Moderate
Corporate Risk Profile High: Client Relationship Management Moderate: Major Initiative & Project Delivery Low: Collaboration
Materiality Table Appendix A footnote2 High: $42 million
Audit Activity High: partial audit coverage
Evaluation Activity Low: frequent and ongoing coverage
Requirement for Audit Moderate-High:
TBS Policy on IA to audit areas of higher risk and significance
Construction contracting / contracts and agreements with industry partners Management's Assessment of Priority Table Appendix A footnote1 Moderate: 0.53
(Ranked 18th)
Moderate
Corporate Risk Profile Moderate: Re: Contracts & Agreements; Financial Management; and Accountability
Materiality Table Appendix A footnote2 Moderate: $17.1 million
Audit Activity Moderate-High: recent audit coverage identified areas in need of improvement
Evaluation Activity Not applicable
Requirement for Audit Moderate: TBS Policy on IA to follow-up previous audits
Project Management Management's Assessment of Priority Table Appendix A footnote1 Low: 0.45
(Ranked 24th)
Moderate
Corporate Risk Profile Moderate: Major Initiative and Project Delivery
Materiality Table Appendix A footnote2 Not applicable: horizontal activity/span>
Audit Activity Moderate: recent OAG audits identified areas for improvement
Evaluation Activity Not applicable
Requirement for Audit Moderate: TBS Policy on IA to audit areas of higher risk and significance
Contributory Partnerships and Grants (TRIUMF, Gemini, JCMT, CFHT) Management's Assessment of Priority Table Appendix A footnote1 Medium-High: 0.6
(Ranked 11th)
Low
Corporate Risk Profile Moderate: Major Initiative and Project Delivery Low: Collaboration
Materiality Table Appendix A footnote2 High: $58.1 million
Audit Activity Low: annual recipient audits by independent auditors
Evaluation Activity High: nil
Requirement for Audit Low: Risk-Based Audit Frameworks approved by TBS identify risks as low
IM/IT Governance Management's Assessment of Priority Table Appendix A footnote1 Low: 0.482
(Ranked 21st)
Low
Corporate Risk Profile Moderate: IT Security and Service Delivery
Materiality Table Appendix A footnote2 Not applicable: horizontal activity
Audit Activity Moderate: recent audit identified areas in need of improvement
Evaluation Activity Not applicable
Requirement for Audit Low: TBS Policy on IA to audit areas of higher risk and significance
Financial Systems Management's Assessment of Priority Table Appendix A footnote1 Low: 0.456
(Ranked 23rd)
Low
Corporate Risk Profile Not applicable – not identified as a corporate risk
Materiality Table Appendix A footnote2 Moderate: $12.7 million
Audit Activity Low-Moderate: partial audit coverage
Evaluation Activity Not applicable
Requirement for Audit Low-Moderate:
TBS Policy on IA to audit areas of high risk and significance
Information Management Management's Assessment of Priority Table Appendix A footnote1 Low: 0.422
(Ranked 25th)
Low
Corporate Risk Profile Not applicable – not identified as a corporate risk
Materiality Table Appendix A footnote2 Not applicable: horizontal activity
Audit Activity High: no recent audit coverage
Evaluation Activity Not applicable
Requirement for Audit Low: TBS Policy on IA to audit areas of higher risk and significance
Access to Information and Privacy Act Management's Assessment of Priority Table Appendix A footnote1 Low: 0.314
(Ranked 27th)
Low
Corporate Risk Profile Not applicable – not identified as a corporate risk
Materiality Table Appendix A footnote2 Not applicable: horizontal activity
Audit Activity High: no audit coverage
Evaluation Activity Not applicable
Requirement for Audit Low: TBS Policy on IA to audit areas of higher risk and significance

Notes for Table:

notes for Table 1

At a meeting of senior managers in 2006-2007 auditable entities were assessed for risk along the following lines: risk (50%), significance (30%) and public profile (20%); a score of 1:00 represents the highest risk and 0.00 the lowest risk.

Return to Table Appendix A footnote1 referrer

notes for Table 2

Materiality refers only to estimate based on an analysis of actual expenditures, budgets or plans. As these estimates are not aligned to NRC's financial coding, they are neither auditable nor broken down in this manner for NRC's financial statements. A risk rating of High was given to cumulative expenditures greater than $25 million, Moderate for expenditures greater than $1 million but less than $25 million, and Low for expenditures less than $1 million.

Return to Table Appendix A footnote2 referrer

notes for Table 3

"Plus" denotes the fact that not all Institutes, Branches and Programs segregate costs in the same manner, therefore, the materiality should be considered higher than that identified.

Return to Table Appendix A footnote3 referrer

notes for Table 4

Considered as part of Financial Management Control Framework.

Return to Table Appendix A footnote4 referrer

notes for Table 5

Other aspects of HR were assessed and ranked by management along the following lines: HR Management Control Framework (0.528; ranked 19th); Employment Equity and Official Languages (0.51; ranked 20th); and HR Systems (0.464; ranked 22nd).

Return to Table Appendix A footnote5 referrer

Appendix B: NRC Audit Universe for 2007-2008 - Descriptions of Audit Entries

Partnerships with Industry: Industrial Research Assistance Program (IRAP)
  • Management control framework, including governance and due diligence practices over transfer payments (inc. IRAP-TPC contributions)
  • Compliance with FAA and TB Policy on Transfer Payments
  • SONAR system (inc. linkages to other NRC systems)
  • Client Portal (currently in Beta testing - linked to SONAR)
  • Intranet, Internet
  • Extranet (to be completed in 2006)
Planning and Prioritization
  • Renewal Strategy and its implementation
  • Integrated Business Planning and Performance Management; including: priority setting, alignment of research with NRC priorities.
  • Inter-institute planning and collaborations (Portfolio management)
  • Issues identification, project selection and resource allocation in institutes
  • Information for decision-making (including risk, performance information, etc.)
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters
Management Control Framework of the Technology Clusters [which include the following:]
  • Fuel Cells and Hydrogen Technology
  • Nanotechnology
  • Agriculture Biotechnology, Nutraceuticals and Bio-products
  • Life Sciences and Medical Devices
  • Photonics
  • Aerospace
  • Aluminium Technologies
  • Information Technology – e-business
  • Bioresources
  • Ocean Technologies
  • Compliance with NRC Policies associated with equity licensing
  • IRC e.g., standards and codes
  • Industry Partnership Facilities (Incubators and Spin-ins)
Values and Ethics
  • NRC's Management Control Framework related to Values and Ethics
  • Compliance with Conflict of Interest and Post-Employment Code for NRC Employees
  • Policy on ethical standards in research involving animal subjects
  • Policy on ethical standards in research involving human subjects
  • Fundamental controls
Capital Planning and Investment
  • Capital planning
  • Expenditure approval process for capital investment
  • Lifecycle management
  • Acquisition and disposal of capital assets policies and practices
Commercialization: Intellectual Property Management
  • Activities of Business Relations Office and other business processes
  • CRM – Client Relationship Management
  • IPMC Strategy, Planning and Implementation and coordination Process
  • Licensing Revenue Practices (including management information systems)
  • IP, License and Agreement Management Software Solution
  • Linkages with Business Development Offices (within institutes)
  • Compliance with NRC Policies associated equity and licensing practices.
  • Bilateral alliances with key innovation partners in Europe, Asia, Latin America and the US [Global Reach]
  • Management of spin-offs/spin-outs
Real Property Management
  • Leasing and real property transactions
  • Facilities management
  • Environmental management
  • Compliance with Occupational Health and Safety requirements
  • Management control framework around the management of deleterious substances and other OSH requirements
  • Management control framework for the Occupational Health and Safety requirements
NRC Communications
  • Inter- and intra-institute communication
  • Media relations
  • Internal Communications:
    • Communication of NRC renewal strategy and implementation approaches, challenges, and status to employees – change management
    • Communication of corporate policies and other compliance procedures
    • Information for use in decision-making (e.g. committees' use of information)
  • External communications:
    • Internet, Intranet, Common Look and Feel
Financial Management Control Framework
  • Financial Service delivery model and service standards (new centralized model)
  • Policies and practices for making entries to the General Ledger and for preparing financial statements
  • Expenditure Management: management of commitments, accounts payable, financial reporting
  • Revenue Management (costing, cost recovery, accounts receivable)
  • Advisory Services (inc. Transfer Payment Advisory Services, activities in support of entrepreneurship, linkages with institutes and travel management)
  • Budget planning and management
  • Processes and information to support CFO attestation requirements
Financial Management: Travel and Hospitality
  • Management controls over travel and hospitality practices
Procurement and Contracting: Professional Services
  • Includes other contracting (including Advertising / Sponsorship / Public Opinion)
Human Resources Management
HR Service Delivery
  • HR Planning
  • Staffing
  • Compensation / Salary Administration
  • Classification
  • Training and Development
  • Management of employee severance benefits and pension benefits
  • Performance Management
  • Succession Planning / Knowledge management
  • Grievance management and other employee – employer negotiations
HR Branch Management Control Framework
  • Integration of HR Branch management control framework with the remainder of NRC

Employment Equity and Official Languages

HR Systems (Incl. Sigma, Lotus Notes, and web-based applications)

Integrated Risk Management
  • Management control framework over IRM
  • Integration of risk management into business practices
IT Security
  • Compliance with IT Security Standard
  • Compliance with Government Security Policy
  • Emergency preparedness
N.B. Major systems, including Exchange would be examined as part of this scope.
  • Configuration of Audit Logs
  • Physical Security of computer room
  • IT security for research
Operational Security
  • Compliance with Government Security Policy
  • Departmental exit procedures
  • Compliance with Security and Contract Management Standard
  • Compliance with Physical Security Standard
  • Compliance with Operational Security Standard – Business Continuity Planning Program
  • Emergency response planning
  • Disaster recovery planning
CISTI
  • Management control framework for CISTI including document delivery (including Canadian LINK Service), Federal Science e-library (GOL component) (in proposal stage), NRC Research Press including publishing information system
  • CISTI systems including management of Acquisitions, including acquisition system and sales and billing systems
  • Provide access to Canadians to science information
Horizontal Initiatives and Collaborative Partnerships
  • Genomics and Health Initiative
  • Fuel Cells & Hydrogen Technologies
  • Nanotechnology
Construction contracting / contracts and agreements with industry partners
  • Follow-up to 2002 Internal Audit
Acquisition Cards
  • Management controls over use of acquisition cards
Contributory Partnerships and Grants
  • Contributions to TRIUMF (management of contributions) (note: RBAF not required at this time. TRIUMF is audited annually by external auditors)
  • Contributions to Canada-France-Hawaii Telescope (CFHT) Corporation (note: audited externally, RBAF development subject to negotiation with TBS)
  • Contributions to Astronomy Research Council of the UK (note: no RBAF requirement- subject to external audit)
  • Contributions to NSF for the Gemini Telescopes (note: external audits done for Board)
  • James Clark Maxwell Telescope (JCMT)
  • Graduate Student Program at the Herzberg Institute of Astrophysics
  • Grants for International Affiliations
  • Grants for Enhancing Canadian Science and Technology Capacity
Information Management / Information Technology Governance
  • Compliance with the policy governing the use of NRC IT resources
  • Compliance with TBS Enhanced Management Framework (EMF)
  • IT investment analysis and management
  • NRC Information Council
  • Policy Framework Committee (PFC)
  • Technology Committee
  • Policy Coordinators' Network
  • Accountability Framework for IT/IM
  • Compliance with the Enhanced Framework for the Management of IT in Government (EMF)
Financial Systems
  • Policy and Business unit of Finance Branch (responsible for planning, developing and maintaining NRC's financial systems and policies)
  • Sigma (Integrity, security and reliability of data)
  • Security profiles and management
  • Program table and data maintenance
  • Documentation of approved changes
Project Management
  • PM practices within institutes and compliance with Project Management policy (TBS), including use of PM tools (Sigma and others)
Information Management
  • Management control framework around IT/IM service delivery
  • Records management and information delivery of the right information, to the right person, in time.
  • Compliance with Management of Government Information Policy
  • Electronic Document Management System
Access to Information and Privacy Act
  • Management controls in place to ensure compliance with ATIP Act and Privacy Act

Appendix C: NRC Five-Year Audit Planning Cycle for 2007-2012

Notes: The following table is a five-year summary of the audit projects that will be undertaken by NRC Internal Audit. It should be understood has that this plan will be updated each year to reflect new priorities as well as take into account any revisions to timings due to unforeseen circumstances (e.g., staffing, availability of experts). All audit entities rated high or medium risk will be audited on a 5-year cycle; those rated low-risked are monitored for the necessity to audit. Audits are shown in the year they will commence; some audits will be completed in the following fiscal year. See Section 2.1 Phase Four: Formulation of the Audit Plan and Consultation for the complete set of planning decisions.

Audit Entity 07
08
08
09
09
10
10
11
11
12
Legend
Partnerships with Industry: Industrial Research Assistance Program (IRAP)
Overall Risk:
High
i iii i - MCF Table Appendix C footnote1 Audit of IRAP - ongoing
ii- RBAF Table Appendix C footnote2 for renewal of IRAP Contribution Agreement - ongoing
iii- Follow-up to 2006-07 IRAP Audit
ii
Planning and Prioritization
Overall Risk:
High
i ii i - Audit Survey of OAG work completed in 2006-2007 to determine what further work is required
ii
- MCF Audit of Planning and Prioritization
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters
Overall Risk:
High
i ii i - MCF Audit of Industry Partnership Facilities
ii - Follow-up to 2008-09 Industry Partnership Facilities Audit
Values and Ethics
Overall Risk:
High
i i i i - Audit Survey of Values and Ethics
Capital Planning and Investment
Overall Risk:
High
i ii iii iv i - Follow-up Audit to 2002 Construction Contracting Audit
ii - MCF Audit of Capital Investment and Planning
iii - Follow-up to 2007-08 Capital Investment and Planning Audit
iv - MCF Audit of Construction Contracts
Commercialization: IP Management
Overall Risk:
High
i ii i - MCF Audit of IP Management
ii
- Follow-up to 2008-09 IP Management Audit
Real Property Management
Overall Risk:
High
i ii i - Audit of Facilities Management and Equipment – draft report pending quality assurance review
ii - Follow-up to 2007-08 Facilities Management and Equipment Audit
iii - MCF Audit of Occupational Health and Safety
iv - Follow-up to 2007-08 Occupational Health and Safety Audit
iii iv
Financial Management Control Framework
Overall Risk:
High
i ii i - MCF Audit of Financial Management
ii - Follow-up to 2008-09 Financial Management Audit
Financial Management – Hospitality
Overall Risk:
High
i ii ii ii ii i - Limited Annual Compliance Audits - ongoing
ii - Limited Annual Compliance Audits
Financial Management – Travel
Overall Risk:
High
i ii ii ii ii i - Limited Annual Compliance Audits - ongoing
ii - Limited Annual Compliance Audits
Procurement and Contracting – Goods and Professional Services
Overall Risk:
High
i ii ii ii ii i - Limited Annual Compliance Audits - ongoing
ii
- Limited Annual Compliance Audits
Acquisition Cards
Overall Risk:
High
i ii ii ii ii i - Limited Annual Compliance Audits - ongoing
ii - Limited Annual Compliance Audits
Human Resources Management
Overall Risk:
Moderate
i ii i - Audit Survey of Human Resources
ii - MCF Audit of Human Resources
Horizontal Initiatives and Collaborative Partnerships
Overall Risk:
Moderate
i ii iii i - RBAF for renewal of Class Grants to Enhance S&T Capacity - ongoing
ii - MCF Audit of Horizontal Initiatives
iii - Follow-up to 2008-09 Horizontal Initiatives Audit
iv
- RBAF for renewal of TRIUMF Contribution Agreement

v - RBAF for renewal of Class Grants for International Affiliations
iv v
Integrated Risk Management
Overall Risk:
Moderate
i ii i - MCF Audit of Integrated Risk Management
ii - Follow-up to Integrated Risk Management Audit
IT Security
Overall Risk:
Moderate
i i - Follow-up to 2006-07 IT Security Management Audit
Operational Security
Overall Risk:
Moderate
i ii i - Audit Survey of Operational Security
ii - MCF Audit of Operational Security
Project Management
Overall Risk:
Moderate
i i - Review progress made in implementing the 2007 OAG recommendation to determine if further audit work required

Notes for Table:

notes for Table 1

MCF – Management Control Framework

Return to Table footnote1 referrer

notes for Table 2

Risk-Based Audit Frameworks (RBAFs) must be completed as part of the TBS submission documents for renewal.

Return to Table footnote2 referrer

Footnotes

Footnote 1

For 2007-08, incremental audit resources have been provided as follows: $135,000 for external Audit Committee members, $54,800 for additional personnel and $22,500 for auditor training and accreditation.

Return to footnote 1 referrer

Footnote 2

Audit objectives will be reviewed in depth at the time of the planning phase for each audit to ensure the currency of the objectives as well as to take into account any special management requests that could increase the usefulness of the audit for NRC.

Return to footnote 2 referrer

Footnote 3

Unfortunately OAG policy doesn't permit sharing of their audit programs and working papers.

Return to footnote 3 referrer

Footnote 4

It should be noted that actual costs incurred in 2006-07 are only estimates as the time reporting system for accurately determining the actual number of Auditor Weeks was put in place effective April 1, 2007.

Return to footnote 4 referrer

Date modified: