ARCHIVED - 2009-10 to 2011-12 Risk-Based Internal Audit Plan

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Foreword

This document contains the three-year audit plan from 2009-10 to 2011-12 for the National Research Council. It was approved by the President for NRC upon the recommendation of NRC's Audit Committee on April 21, 2009. The Plan will be updated annually based on an assessment of current risks and therefore the timing of some projects in future years may change.


1.0 Introduction

1.1 Plan Content

This document outlines an abbreviated version of the National Research Council of Canada (NRC) Risk-Based Internal Audit Plan for 2009-10 to 2011-12.

1.2 NRC Internal Audit Mission

The mission of Internal Audit at NRC is to provide assessments, independent from line management, on the effectiveness of the NRC's risk management, control and governance processes and to report on these results. Specifically, Internal Audit is tasked with the responsibility of assessing NRC's integrated risk management of its programs and initiatives and for providing assurance to clients and stakeholders that internal NRC operations and other joint initiatives are managed and controlled with due regard to compliance with authorities, financial probity, protection of assets, economy, efficiency and effectiveness of controls. Clients and stakeholders include corporate management, central agencies, other government departments and industrial partners. Internal Audit also provides expert and authoritative functional advice, information and guidance to the President and senior NRC management on best practices and controls, on corrective measures required at the program and corporate level and on the integration and harmonization of national / international audit processes and standards.

These responsibilities are consistent with the TB Policy on Internal Audit which requires the Chief Audit Executive to provide an annual holistic opinion on risk management, control, and governance processes. To adequately discharge its responsibilities in this area and to support reliable reporting, oversight and governance, NRC's Internal Audit plans its audits on the basis of risk. Risk-based audit planning provides a systematic method for identifying, prioritizing and scheduling audits while at the same time providing a means by which scarce audit resources can be targeted to areas of highest risk within NRC's entire audit universe. This approach to planning and conducting audits ensures appropriate audit coverage is obtained, and that sufficient, competent and relevant audit evidence is gathered in support of the CAE's holistic annual opinion.

1.3 NRC Internal Audit Organization, Resources and Services

Internal Audit Organization and Resources:

The Director Internal Audit reports directly to the President of NRC and serves as the Chief Audit Executive for NRC. There are two Audit Managers and a Senior Auditor that report directly to the Director Internal Audit; they are responsible for: (1) conducting internal audits on their own or with the assistance of contracted audit professionals; and (2) the supervision of consultants contracted to complete an audit in its entirety. All of these positions are staffed with experienced and professionally accredited audit professionals. An Internal Audit Office Coordinator undertakes all administrative tasks of the office including secretariat support for NRC's Audit Committee. Hence, the full staff complement for NRC Internal Audit is 5 FTEs as represented below.

NRC Internal Audit has, in addition to its salary budget, an operational budget of $444,000, the majority of which will be used to contract expert audit resources. An additional allocation of $135,000 will be used to compensate external audit committee members and related committee expenses.

Figure: NRC Internal Audit Organization 2010-11 (accessible version of the revised organization chart)

  • NRC President
  • NRC Council (Advisory)
  • NRC Audit Committee (Advisory)
  • Chief Audit Executive
  • Office coordinator
  • Audit Manager
  • Audit Manager
  • Senior Auditor

Internal Audit Services:

The majority of Internal Audit's services will be directed towards providing assurance that NRC's network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner that ensures:

  • risks are appropriately identified and managed;
  • interaction with the various governance groups occurs as needed;
  • significant financial, managerial, and operating information is accurate, reliable, and timely;
  • activities and actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
  • resources are acquired economically, used efficiently, and adequately protected;
  • quality and continuous improvement are fostered in the NRC's control process;
  • significant legislative or regulatory issues impacting the NRC are recognized and addressed properly; and
  • opportunities for improving management control, sound resource stewardship, and the NRC's image are communicated to the appropriate level of management.

As directed by the Internal Auditing Standards for the Government of Canada, the majority of engagements presented in this plan will provide a high level of assurance by designing procedures and following standards that reduce the risk of an inappropriate conclusion to a low level. Other work will be completed as resources permit.

To gather sufficient and appropriate evidence on NRC's risk management, controls and governance processes, Internal Audit will undertake a variety of audits, including the following:

Audit Surveys:

The goal of an audit survey is to document the processes associated with a particular audit entity and to identify and assess the risks and controls associated with them. In most cases, audit surveys are applied as the first phase of more complete audits; however, this is not always the case. Often, preliminary surveys are conducted simply to gain insight into whether a more detailed audit is required at present or whether it will be better placed in the future.

Management Control Framework Assurance Audits:

Management Control Framework (MCF) audits are conducted to assess the appropriateness and effectiveness of the risk management, control and governance frameworks in place to achieve management's objectives. These audits will focus primarily on corporate and management processes both at the national and Institute, Branch and Program (I/B/P) levels. Some examples of such audits include, but are not limited to, financial management, integrated risk management and occupational safety and health.

Compliance Audits:

Compliance audits provide reasonable assurance to management that operations conform to established government and NRC guidelines, policies and procedures as well as legislation and government regulations. All audit work will to some degree comprise compliance testing. However, some audits such as those pertaining to contracts, travel, hospitality and acquisition card purchases will consist primarily of compliance audit procedures.

Continuous Auditing Procedures:

In 2009-10 continuous auditing procedures will be formally introduced as part of NRC Internal Audit's regular auditing activities. The adoption of these procedures is being made in response to two factors: (1) heightened risks presented by Budget 2009 economic stimulus funds that must be spent quickly; and (2) the requirement for CAEs to begin providing annual holistic opinions on departmental risk management, control and governance processes. These procedures will comprise highly localized sets of audit criteria of only the most essential controls that must work well. Data mining audit techniques will be used to identify areas of high risk from which transactions will be randomly selected for review. Where potential concerns are identified, management will be immediately alerted for correction. Formal reports can occur but will only be produced on an exception basis.

Follow-Up Reviews:

Follow-up reviews are conducted to ascertain the degree to which the recommendations made in previous audits have been successfully implemented and to determine whether any issues of risk are outstanding that may require more comprehensive audit procedures. The TB Policy on Internal Audit requires that deputy heads ensure management action plans adequately address the findings and recommendations arising from internal audits. These reviews will normally take place two years following the completion of an audit to give NRC management sufficient time to implement their action plans.

Other Services:

While reviewing transfer program terms and conditions is the responsibility of program management, NRC Internal Audit will provide functional advice on appropriate monitoring activities of recipients and on the frequency and types of required internal audits. From time to time, Internal Audit will be asked to undertake unplanned audit work that may comprise reviews of specific transactions.

2.0 Risk-Based Audit Planning

2.1 NRC Internal Audit Plan Objectives and Process Employed

The objectives of NRC's Risk-Based Internal Audit Plan are to:

  • identify the priorities of Internal Audit, consistent with the objectives of NRC and NRC's Audit Charter;
  • identify the priorities of Internal Audit based on an assessment of risk and potential exposure that may affect the NRC's ability to accomplish its objectives;
  • set out the audit universe for NRC and timeframe needed for the provision of the annual holistic opinion on risk management, control and governance processes;
  • share and coordinate activities with other internal and external providers of relevant assurance services to ensure proper coverage and minimize duplication of efforts;
  • present Internal Audit's plans and resource requirements to the Audit Committee and President for review and approval respectively; and
  • provide measures of success for the previous year's internal audit activities.

This year's plan presents an update of the 2008-09 to 2010-11 Risk-Based Audit Plan that was approved by NRC's President upon the recommendation of NRC's Audit, Evaluation and Risk Management Committee in March 2008.

The audit planning methodology that was used in 2006 to identify NRC's audit universe and its components (i.e., audit entities) is still relevant for this year's plan. The approach has four main phases, each of which is described below. Throughout 2008-09, senior management and the members of the audit committee were consulted on changes to NRC priorities and corporate risks and their impact on the identification and timing of this year's and future years' audits. A more rigorous risk assessment session such as the one undertaken in 2006 will be undertaken when it is identified by Internal Audit that NRC's audit universe is no longer relevant but, in any case, will be undertaken no less than every five years.

Phase One: Risk Identification

NRC's Vice Presidents and a selected number of Directors General have been interviewed periodically with a view to identifying the key sources of risk to which their operations are exposed. This risk information not only provides important insight into the concerns of management, but also provides risk exposure data which is used, as part of Phase Three, to prioritize and rank potential audit projects. Ultimately it has led to the ongoing reaffirmation of NRC's audit universe and revisions to audit priorities.

Phase Two: Identification of the Audit Universe

The audit universe defines the potential scope of an organization's internal audit activity by segmenting its operations into individual "audit entities" that may be subjected to audit. Using the information provided by senior management in phase one, the audit entities were identified and categorized according to the function they serve within NRC. As depicted in Figure 1: NRC Audit Universe, there are 24 audit entities categorized by: Scientific and Innovation Activities; Corporate Administrative Practices; and Corporate Governance Practices. Early in 2009, both NRC's Senior Executive Committee and the Audit Committee confirmed the continued relevance of the audit universe with only minor changes from the previous year. This included the elimination of CISTI and Communications as distinguishable auditable entities.

The audit universe has been designed to reflect NRC's key functions, as opposed to its structures in order to ensure the key risks to the achievement of NRC's objectives are addressed. As a result, the individual Institutes, Branches and Programs (I/B/Ps) that make up NRC's organization are not directly identified as auditable entities in and of themselves. In recognition of the importance and materiality associated with them, Internal Audit will ensure that audit activities take place in all I/B/Ps over the five-year audit planning horizon. This will be done through the inclusion of a sample of I/B/Ps for each audit undertaken based on the degree of risk posed and the necessity to reflect regional and technical differences. As of March 31, 2009, audit activities have been undertaken or are in the process of being undertaken in 30 of 32 I/B/Ps or 94 percent since 2006-07.

In selecting entities for inclusion in NRC's audit universe, three main criteria were applied. First, the entities must be auditable, i.e., they must be definable and have discrete objectives. Second, the entities must be significant and material in the context of the organization. Third, the entities must be relevant to NRC and/or NRC's broader context. In other words, each entity must relate to, and support, the achievement of NRC's objectives.

Phase Three: Risk Assessment

In June 2006, a full day workshop was held with a group of Directors General and Vice-Presidents to rank each audit entity that made up NRC's audit universe using the following three criteria, each of which was weighted to reflect its relative importance:

Risk Exposure of the Audit Entity: Using the risks identified in phase one, specific risks to each audit entity were identified and an aggregate risk score was developed. This criterion was assigned a weighting of 50%.

Significance of the Audit Entity: Each audit entity was then assessed in terms of its significance which considered both overall importance of the entity to NRC and the materiality associated with it. This criterion was assigned a weighting of 30%.

Public Profile of the Audit Entity: Finally, the entity's public profile was examined and rated. This criterion was assigned a weighting of 20%.

Taken together, these criteria were applied to derive a total weighted priority score which was used to generate a management assessment of the likelihood and impact of risks facing the NRC.

Following this ranking which occurred early in 2006-07 and each year thereafter, a number of other risk determinants were used to identify the final risk rating and audit priority assigned to each of the entities. These comprised:

  • an assessment vis-à-vis the most recent NRC corporate risk profile;
  • changes to the materiality or monetary value of each audit entity;
  • time lapsed since the audit entity was last audited and the results of recent audits (both internal audits and those completed by the OAG) and monitoring activities;
  • the frequency and results of evaluation reports; and
  • senior management's most recent assessment of the viability of the audit universe and each audit element's risk rating.

The overall risk ratings assigned to each audit entity are shown in Appendix A: NRC Audit Universe for 2009-2010 – Risk Factors for Consideration in Audit Planning and Audit Priority. Descriptions of the components that make up each audit entity are shown in Appendix B: NRC Audit Universe for 2009-10 – Descriptions of Audit Entities.

Phase Four: Formulation of the Audit Plan and Consultation

Taking into consideration the audit universe and risk rankings, audit projects are defined and plotted on a seven-year planning cycle to reflect the following planning decisions:

  • all high and medium ranked audit entities would be audited at least once on a seven-year audit cycle;
  • higher risk audit entities would be audited more frequently than every seven years, some of which may have continuous audits scheduled in intervening years;
  • low risk audit entities would not be audited but would continue to be assessed for higher risk and hence the necessity for audit;
  • each year would represent a body of work that could be reasonably achieved by the current complement of audit resources;
  • mandated audits (i.e., the renewal of grants and contributions terms and conditions) would be scheduled on a priority-basis;
  • the management action plans derived from the observations and recommendations made in audits would be followed up by Internal Audit within a reasonable period of time, usually two years, to determine the degree to which the management action plans have been implemented;
  • each year an allocation would be made to take into account OCG-directed audit work as well as management directed audits;
  • the timing of audit projects would take into account program evaluations or OAG audits so as not to place an unreasonable burden on any one audit entity / responsibility centre or risk duplication of effort; and finally
  • the overall plan would ensure sufficient coverage of NRC's risk management, control and governance processes on an annual basis to collectively support the Chief Audit Executive's holistic opinion, as required by TBS policy.

The results of this exercise can be found in Appendix C: NRC Seven-Year Audit Planning Cycle for 2010-2016, the appropriateness of which was discussed with the following:

  • NRC Audit Committee;
  • NRC Senior Executive Committee (comprising the President, the Secretary General, Vice President Corporate Management and Chief Financial Officer, Vice President Engineering, Vice President Technology and Industry Support, Vice President Physical Sciences, Vice President Life Sciences, and Vice President Human Resources Branch);
  • Administrative Services and Property Management Branch; and
  • Strategy and Development Branch (responsible for both the evaluation and risk identification functions).

Also consulted were the OAG and OCG regarding their audit plans as well as their concerns for heightened risks associated with Budget 2009 economic stimulus funds which are required by their nature to be spent quickly.

In summary, this planning process ultimately led to NRC's revised audit universe for 2009-10 and schedule of audits as depicted below in Figure 2: Risk Assessment, Audit Selection and Priority.

Figure 2: Risk Assessment, Audit Selection (accessible version)

Scientific & Innovation Activities

This category groups the audit entities that directly support the pursuit of science and innovation – a central aspect of NRC's raison-d'être. Included here are programs, activities and investments that support entrepreneurship, commercialization and the planning, conduct and management of leading-edge research.

| Audit entity | Year | Audit activities | Risk ranking |
|---|---|---|---|
| Partnership with Industry & Universities | | | |
| IRAP | 2009-10 | NRC internal audits completed since 2006-07 | High audit risk |
| Contributory Partnership TRIUMF, Gemini, JCMT, CFHT | | Audit work not yet commenced | Low audit risk / no audits planned |
| Horizontal Initiatives & Collaboration Partnerships | 2010-11 | Audit work not yet commenced | Moderate audit risk |
| Commercialization | | | |
| Intellectual Property Management | 2015-16 | OAG performance audits | High audit risk |
| Partnership Enablers & Entrepreneurship (Technology Clusters) | 2010-11 | Audit work not yet commenced | High audit risk |

Corporate Governance Processes

This category of the audit universe encompasses those practices that are in place to support open, transparent and appropriate decision-making at a corporate level.

| Audit entity | Year | Audit activities | Risk ranking |
|---|---|---|---|
| Planning & Prioritization | 2012-13 | OAG performance audits | High audit risk |
| Values & Ethics | 2008-09 | Ongoing NRC internal audits; continuous audit activities (annual) | High audit risk |
| IM / IT Governance | | Audit work not yet commenced | Low audit risk / no audits planned |
| Integrated Risk Management | 2008-19 | Ongoing NRC internal audits; continuous audit activities (annual) | Moderate audit risk |
| Capital Planning & Investment | 2010-11 | Audit work not yet commenced | High audit risk |

Corporate Administrative Practices

Entities within this category include those management practices, control frameworks and business processes that are in place to support effective and efficient day-to-day operations. These practices also provide important – albeit indirect – support to the scientific and innovation activities.

| Audit entity | Year | Audit activities | Risk ranking |
|---|---|---|---|
| Real Property Management | 2008-09 | Ongoing NRC internal audits | High audit risk |
| IT Security | 2010-11 | NRC internal audits completed since 2006-07 | Moderate audit risk |
| Human Resources Management | 2010-11 | OAG performance audits | High audit risk |
| Operational Security | 2014-15 | Audit work not yet commenced | Moderate audit risk |
| Research Project Management | 2011-12 | Audit work not yet commenced | Moderate audit risk |
| Access to Information | | Audit work not yet commenced | Low audit risk / no audits planned |
| Information Management | | Audit work not yet commenced | Low audit risk / no audits planned |
| Financial Management | | | |
| Travel & Hospitality | 2009-10 | NRC internal audits completed since 2006-07; continuous audit activities (annual) | Moderate audit risk |
| Control Framework | 2009-10 | Audit work not yet commenced | High audit risk |
| Procurement & Contracting | 2009-10 | NRC internal audits completed since 2006-07; continuous audit activities (annual) | High audit risk |
| Financial Systems | | Audit work not yet commenced | Low audit risk / no audits planned |
| Construction Contracts | 2011-12 | NRC internal audits completed since 2006-07; continuous audit activities (annual) | High audit risk |
| Acquisition Cards | 2008-2009 | Ongoing NRC internal audits; continuous audit activities (annual) | High audit risk |

2.2 Strategy for Providing Annual Holistic Opinions on Risk Management, Control and Governance Processes

Commencing with 2009-10 fiscal year, Chief Audit Executives will be required by the TB Policy on Internal Audit to render annual, holistic opinions on the adequacy of departmental risk management, control and governance processes. In support of this opinion, NRC's Internal Audit planning process explicitly aims to have sufficient coverage of these three functional areas. The next three figures below depicting NRC's audit universe demonstrate how each audit is intended to support the annual holistic opinion as well as their relationship to the Management Accountability Framework (MAF) elements and NRC's Program Activity Architecture.

In 2009-10 continuous auditing procedures will be formally introduced as part of NRC Internal Audit's regular auditing activities, in large part, due to the necessity to ensure audit results obtained in previous years are still relevant for the current annual holistic opinion. These procedures will comprise highly localized sets of audit criteria of only the most essential controls that must work well and data mining audit techniques that will be used to identify areas of high risk from which transactions will be randomly selected for review. Where potential concerns are identified, management will be immediately alerted for correction. Formal reports can occur but will only be produced on an exception basis.

2.3 Co-ordination / Reliance with Other Assurance Providers

In order to ensure proper coverage and minimize duplication of efforts, NRC Internal Audit regularly shares information and coordinates activities with the Office of the Auditor General as well as with NRC Finance Branch, which is responsible for conducting ongoing recipient audits for NRC's grants and contributions programs and coordinating financial statement audits. In our meetings with them, we discuss audit coverage and the exchange of audit reports and management letters.

On an ongoing basis, as part of its risk assessment process, NRC Internal Audit will examine the results of NRC Finance Branch directed recipient audits and follow-up action to determine if further internal audit work is necessary. As well, the annual audited financial statements for NRC completed by the OAG and those prepared for the various telescope programs by external auditors will be reviewed as a matter of course to assess their risk and hence the need for further internal audit work.

3.0 Audit Plan

In accordance with accepted professional practice, this year's audit plan is a continuation of the previous year's plan in that it includes the continuation of audits that commenced last year. The resulting audit plan for the next three years 2009-10 to 2011-12 is summarized below in the tables presented in section 3.3. For each audit, a preliminary objective and scope has been provided. It should be noted, however, that the final scope and objectives may be modified depending on the results of the planning phases for each of the respective projects.

3.1 Global Priorities

One of the major priorities for NRC Internal Audit over the past three years has been the full implementation of the TB Policy on Internal Audit by April 1, 2009. With the exception of providing annual holistic opinions, this has been largely accomplished including the Treasury Board appointment of three external members to NRC's Audit Committee. This year's challenges will be directed at completing sufficient and appropriate audit work to base NRC's first annual holistic opinion on fiscal year 2009-10 while at the same time responding to risks associated with Budget 2009 economic stimulus funds and reduced funds available for audit.

3.2 Detailed Changes from Last Year's Internal Audit Plan

A number of significant changes from last year's plan, too numerous to list individually, have been incorporated in the 2009-10 – 2011-12 Risk-Based Audit Plan. Most noteworthy is the change from a five-year audit planning cycle to seven years. This is consistent with changes to NRC's audit risk profile resulting in some audit entities being reduced from high-risk to moderate-risk, thereby decreasing the necessity to audit them as frequently as previously identified. This revised audit profile is largely based on the results of numerous audits (Footnote 1) conducted over the past 3 years which have demonstrated adequate control management frameworks are in place or have been improved as a result of the implementation of management action plans. As more audit experience is gained, further reductions to NRC's audit risk profile can be expected. Regardless, audit entities assessed as higher risk will be audited on much shorter audit cycles ranging from three to five years and supplemented with the adoption of continuous audit activities to monitor whether assessed risks should be revised.

There was only one audit that was planned to be undertaken in 2008-09 that did not occur:

  • Annual Limited Assurance Audit of 2007-08 Contracts under $25,000 (high risk audit priority): The President and the Audit, Evaluation and Risk Management Committee accepted the recommendation of the CAE that this audit not commence as planned given that three audits pertaining to contracts had been undertaken since 2006-07 which provided overall assurance that the management control framework for contracts is adequate. Furthermore, it was not anticipated that this audit would yield significantly different recommendations for improvement and that time is needed by management to implement their action plans to address them.

Also noteworthy, detailed audit survey work was undertaken to determine whether immediate internal audit work is required in regard to Planning and Prioritization. While identified as a high priority risk in June 2006, it was observed that the OAG undertook considerable audit work in this area as part of its follow-up status report of its 2004 performance audit of NRC Management of Leading Edge Research. Subsequently NRC undertook changes to its business planning processes which continue to take place. As such it is recommended that an audit not be undertaken in 2010-2011 as indicated in last year's plan; rather, it has subsequently been rescheduled to begin in 2012-13.

3.3 Planned Audit Activities

The following table provides a summary of the detailed audit projects that will be undertaken between 2009-10 and 2011-12, including resource estimates, both in terms of NRC FTEs (in Auditor Weeks) and contracting dollars required.

The planning assumption was made that each Audit Manager and Senior Auditor would have a total of 40 audit weeks available annually taking into consideration vacation, other types of leave, training and professional accreditation requirements. The CAE is expected to have 20 audit weeks available each year with the remainder devoted to management activities to ensure the full implementation of the TB Policy on Internal Audit which include, among others, planning, liaison with central agencies to ensure the appropriateness and coordination of audit activities, quality assurance as well as reporting and recruitment efforts. Hence, a total of 140 Auditor Weeks is assumed for each planning year.

It's also assumed that NRC-wide management control framework audits will cost on average $100,000 for professional audit services and 30 Auditor Weeks. More resources will be needed for more complex audits requiring unique qualifications (for example, OSH and Facilities Management and Related Equipment audits) and less for straightforward compliance audits (for example, travel and hospitality). For straightforward follow-up audits, it is assumed that $50,000 for professional audit services and 15 Auditor Weeks will be sufficient. However, more complex follow-up audits requiring specialized knowledge (for example, IT security) or more on-site visits to regions (for example, Industry Partnership Facilities) will likely cost as much as the original audit. An additional cost of $12,000 is assumed for each published audit report for quality assurance review, translation and HTML-web conversion.

Costs for continuous auditing activities are only an estimate at best and will be adjusted as more experience is gained. While some contracted professional audit services will be used initially, it's intended that once the data-scripts have been defined and the audits commenced in 2008-09 have been completed, NRC Internal Audit staff will be available to take on this responsibility exclusively.

The amount of total available contract dollars is based on an operational budget of $444,000 of which $30,000 will be used for expenses such as staff and non-staff travel, translation, software licences and hardware purchases, etc. and $20,000 for professional audit staff accreditation and other training requirements. A separate budget of $135,000 has been set aside for audit committee remuneration and expenses. Salary expenditures will remain at the same levels for 2008-09.

Experience gained has shown that more time in terms of Auditor Weeks and in some cases more contract dollars are needed to complete internal audits in addition to unplanned audit activities than estimated in previous years. Hence, estimates for this year's plan and subsequent years have been increased accordingly leaving much lower reserves to address Management Directed Audits for unplanned audit activities. These unplanned activities have included among others: conducting preliminary investigations to determine if audit work is required in response to management concerns for compliance; responding to client questions on appropriate interpretation of government policies and directives; following up with management on progress made in implementing their management action plans in response to audit recommendations; and drafting and finalizing management letters on other observations made during the course of an audit that have significance for management but were outside the audit's scope. Any management requests that exceed these funding limits will have to be cost recovered from the respective programs.

Finally, it's important to note that the presence of OCG directed audits and their corresponding demand for NRC resources will impact whether the audit plan as set out is achievable. Potential risks presented can be offset by delaying some audits to future years following consultation with NRC's senior management and the Audit Committee.

Timing and Resources of Audit Plan Projects for 2009-10 to 2011-12 by Audit Priority

The following table provides a three-year summary of the audit projects and their expected start and completion dates (by quarters: Spring, Summer, Fall or Winter) as well as their expected costs by contracted ($xx) and internal audit resources (Auditor Weeks). Estimated operational costs also include expenditures related to NRC Internal Audit's Quality Assurance Review activities which use external professional auditors to verify the quality of audit results. See Section 3.3 Planned Audit Activities for the planning assumptions used.

Audit Entity Risk 2009-2010 2010-2011 2011-2012
Audits Conducted in 2008-2009
Values and Ethics
High
Audit Survey of Values and Ethics

Spring 2009
$12,000 ; 8 Auditor Weeks

Continuous Auditing: transaction and MCF verification

4 Auditor Weeks

Continuous Auditing: transaction and MCF verification

4 Auditor Weeks
Acquisition Cards
High
MCF and Compliance Audit of Acquisition Cards

Fall 2009
$40,000 ; 8 Auditor Weeks

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks
Real Property Management
High
Audit of Facilities Management and Equipment

Summer 2009
$70,000 ; 10 Auditor Weeks
MCF Audit of Occupational Safety and Health

Fall 2009
$103,000 ; 10 Auditor Weeks
Integrated Risk Management
Moderate
MCF Audit of Enterprise Risk Management

Fall 2009
$67,000 ; 8 Auditor Weeks

Continuous Auditing:

MCF verification


3 Auditor Weeks

Continuous Auditing:

MCF verification


3 Auditor Weeks
Planning and Prioritization
High
Audit Survey concluded sufficient audit work completed in prior years to delay full audit until 2012-13
High Priority Audits Resulting from Budget 2009 Economic Stimulus Funds:
Partnerships with Industry: Industrial Research Assistance Program (IRAP)
High

Continuous Auditing: transaction and MCF verification

$50,000 ; 30 Auditor Weeks

Continuous Auditing: transaction and MCF verification

$50,000 ; 20 Auditor Weeks

Spring 2010 Winter 2011
Formal assurance engagement report

$40,000; 10 Auditor Weeks

Continuous Auditing: transaction and MCF verification

$0 ; 5 Auditor Weeks
Capital Planning and Investment – Construction Contracts
High

Continuous Auditing: transaction and MCF verification
6 Auditor Weeks


Continuous Auditing: transaction and MCF verification

6 Auditor Weeks
Follow-up to 2008-09 Audit of Construction Contracts

Spring 2011 Fall 2011
$62,000; 15 Auditor Weeks
Other Planned Audits:
Commercialization: IP Management
High
MCF Audit of IP Management (OAG Audit)

Spring 2009

$0; 3 Auditor Weeks
Follow-up Audit of IP Management (OAG Audit)

$0; 6 Auditor Weeks
Financial Management Control Framework
High
MCF Audit of Financial Management and Controls

Fall 2009
$40,000 ; 30 Auditor Weeks
Summer 2010
$42,000; 5 Auditor Weeks
Procurement and Contracting – Goods and Professional Services
High

Continuous Auditing: transaction and MCF verification

5 Auditor Weeks

Continuous Auditing: transaction and MCF verification

5 Auditor Weeks
MCF and Compliance Audit of Contracts (except Construction)

Winter 2012
$0 ; 5 Auditor Weeks
Financial Management – Hospitality
Moderate

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks
Financial Management – Travel
Moderate

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks

Continuous Auditing: transaction and MCF verification

3 Auditor Weeks
Human Resources Management
High
MCF Audit of Human Resources

Spring 2010 Winter 2011
$112,000 ; 30 Auditor Weeks
Capital Planning and Investment
High
MCF Audit of Capital Investment and Planning

Summer 2010
$50,000 ; 10 Auditor Weeks
Spring 2011
$62,000 ; 20 Auditor Weeks
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters
High
MCF Audit of Industry Partnership Facilities -

Summer 2010
$45,000 ; 15 Auditor Weeks
MCF Audit of Industry Partnership Facilities

Spring 2011
$67,000 ; 15 Auditor Weeks
Horizontal Initiatives and Collaborative Partnerships
Moderate
MCF Audit of Horizontal Initiatives

Fall 2011
$35,000 ; 10 Auditor Weeks
MCF Audit of Horizontal Initiatives

Spring 2012
$77,000 ; 20 Auditor Weeks
RBAF for Renewal of Class Grants for International Affiliations Terms and Conditions

1 Auditor Week
RBAF for Renewal of TRIUMF Terms and Conditions

1 Auditor Week
IT Security
Moderate
Follow-up to 2006-07 IT Security Management Audit

Fall 2010
$50,000 ; 12 Auditor Weeks
Summer 2011
$62,000; 18 Auditor Weeks
Operational Security
Moderate
Research Project Management
Moderate
MCF Audit of Research Project Management

Winter 2012
$25,000 ; 10 Auditor Weeks
Total Estimated Costs of Planned Audit Activities $382,000; 125 Auditor Weeks $384,000; 130 Auditor Weeks $385,000; 130 Auditor Weeks
Total Operational Resources Available for Audit Activities $394,000; 140 Auditor Weeks $394,000; 140 Auditor Weeks $394,000; 140 Auditor Weeks
Available Resources for Unplanned Audit Activities (including OCG Horizontal Audits) $12,000 ; 15 Auditor Weeks $10,000 ; 10 Auditor Weeks $9,000 ; 10 Auditor Weeks

Appendix A: NRC Audit Universe for 2009-2010 – Risk Factors for Consideration in Audit Planning and Impact on Audit Priority

The following table presents an update from the risk factors identified in last year's plan based on new information including ongoing revisions to the corporate risk profile and results from ongoing monitoring, audit and evaluation activities. The elements of the NRC audit universe are ranked in order of risk priority. As described earlier in this planning document, the individual audit entities were ranked initially by senior management according to three criteria: risk, significance and public profile. Audit entities were then examined for other considerations that might affect the overall priority for Internal Audit. Based on these considerations, which are listed in the table below, an overall priority ranking was assigned which indicates the timing of the audits.

Table of Risk Factors for Consideration in Audit Planning and Impact on Audit Priority Part 1
Audit Entity Management's Assessment of Priority (Footnote 2) Corporate Risk Profile – Jan. 2009 Materiality (Footnote 3) Audit Activity
Partnerships with Industry: Industrial Research Assistance Program (IRAP) High: 0.896
(Ranked 1st)
Moderate: Client Relationship Management, Technology Transfer & IP Management; and Accountability High: $86.1 million plus Budget 2009 economic stimulus funds Moderate-High: recent audit identified overall assurance management control framework is adequate with some areas requiring improvement
Construction contracting / contracts and agreements with industry partners Moderate: 0.53
(Ranked 18th)
Moderate: Re: Contracts & Agreements; and Accountability

Low: Financial Management
Moderate: $20.4 million plus $20 million Budget 2009 economic stimulus funds Moderate-High: recent audit identified overall assurance management control framework is adequate with some areas requiring improvement
Financial Management Control Framework High: 0.71
(Ranked 9th)
High: Funding & Financial Pressures

Moderate: Accountability

Low: Financial Management
High: all NRC expenditures and revenues Moderate: recent compliance audits provide overall assurance management control framework is adequate with some areas requiring improvement
Human Resources Management Moderate-High: 0.66
(Ranked 10th)
High: Attracting & Retaining Highly Qualified Personnel; Aging Staff / Workforce Renewal; Workload Capacity

Moderate: NRC Culture

Low: Diversity Issues
Moderate: $11.2 million Low-Moderate: 2007 OAG audit recommendations implemented fully
Acquisition Cards Low: 0.32
(Ranked 26th)
Moderate: Re: Contracts & Agreements; and Accountability

Low: Financial Management
Moderate: $12 million Moderate: recent compliance audits provide overall assurance management control framework is adequate with some areas requiring improvement
Values and Ethics High: 0.774
(Ranked 4th)
High: Promotion, Image & Reputation of NRC

Moderate: NRC culture; Accountability; workplace safety and environment
Not applicable: horizontal activity Moderate: Ongoing audit indicates most core management controls are addressed
Integrated Risk Management Moderate: 0.592
(Ranked 12th)
Not applicable – not identified as a corporate risk Not applicable: horizontal activity High: no recent audit coverage
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters High: 0.796
(Ranked 3rd)
High: NRC Strategy Implementation

Moderate: NRC Client Relationship; Technology Transfer & IP Management; External Collaboration

Low: Industry Collaboration
High: $40.7 million High: no recent audit coverage
Capital Planning and Investment High: 0.742
(Ranked 5th)
Moderate: Facilities Infrastructure & Investment High: $34.8 million High: no recent audit coverage
Procurement and Contracting: Goods & Professional Services Moderate: 0.584
(Ranked 13th)
Moderate: Contracts & Agreements; and Accountability

Low: Financial Management
High: $181 million Moderate: recent compliance audits provide overall assurance management control framework is adequate with some areas requiring improvement
Financial Management: Travel and Hospitality High:
(Ranked 9th)
Footnote 4
High: Promotion, Image & Reputation

Moderate: Accountability

Low: Financial Management
Moderate-High: Travel: $22 million Hospitality: $1.4 million Moderate: recent compliance audits provide overall assurance management control framework is adequate with some areas requiring improvement
Horizontal Initiatives and Collaborative Partnerships Moderate: 0.548
(Ranked 17th)
High: NRC Strategy Implementation

Moderate: Client Relationship Management; External Collaboration

Low: Industry Collaboration
Moderate: $22.4 million High: no recent audit coverage
Research Project Management Low: 0.45
(Ranked 24th)
High: Strategy Implementation

Moderate: Client Relationship Management
Not applicable: horizontal activity Moderate: recent OAG audits identified areas for improvement
Planning and Prioritization High: 0.85
(Ranked 2nd)
High: NRC Strategy Implementation

Moderate: Business Processes
Not applicable: horizontal activity Moderate: recent monitoring activities identified improvements as well as areas requiring attention in response to 2007 OAG audit
IT Security Moderate: 0.584
(Ranked 14th)
Moderate: IT Security & Service Delivery

Low: Workplace Safety and Environment
Moderate: IMSB $0.5 million plus Moderate: recent compliance audits provide overall assurance management control framework is adequate with some areas requiring improvement
Commercialization: IP Management High: 0.74
(Ranked 6th)
High: Client Relationship Management

Moderate: External Collaboration; Technology Transfer & IP Management

Low: Industry Collaboration
Moderate: $1.2 million plus (Footnote 5) Low: Recent OAG audit acknowledges satisfactory management of IP
Real Property Management High: 0.74
(Ranked 7th)
Moderate: Facilities Infrastructure & Maintenance

Low: Workplace Safety & Environment
High: $14.7 million High: partial audit coverage
Operational Security Moderate: 0.568
(Ranked 15th)
Moderate: IT Security & Service Delivery Not applicable: horizontal activity Moderate-High: minimal recent audit coverage
Contributory Partnerships (TRIUMF, Gemini, JCMT, CFHT) Medium-High: 0.6
(Ranked 11th)
Moderate: External Collaboration

Low: Industry Collaboration
High: $50.3 million Low: annual recipient audits by independent auditors
IM/IT Governance Low: 0.482
(Ranked 21st)
Moderate: IT Security & Service Delivery Not applicable: horizontal activity Moderate: recent audit identified areas for improvement
Financial Systems Low: 0.456
(Ranked 23rd)
Not applicable – not identified as a corporate risk Moderate: $11.2 million Low-Moderate: partial audit coverage
Information Management Low: 0.422
(Ranked 25th)
Not applicable – not identified as a corporate risk Not applicable: horizontal activity High: no recent audit coverage
Access to Information and Privacy Act Low: 0.314
(Ranked 27th)
Not applicable – not identified as a corporate risk Not applicable: horizontal activity High: no audit coverage
Table of Risk Factors for Consideration in Audit Planning and Impact on Audit Priority Part 2
Audit Entity Evaluation Activity Overall Risk Audit Priority
Partnerships with Industry: Industrial Research Assistance Program (IRAP) Low:
recent evaluation
High
High: Budget 2009 economic stimulus funds of $100M for the next two years make this a high audit priority.
Construction contracting / contracts and agreements with industry partners Not applicable
High
High: Budget 2009 economic stimulus funds of $20 M over the next two years make this a high audit priority.
Financial Management Control Framework Not applicable
High
High: An assessment of the overall financial management control framework for NRC is critical for the annual holistic opinion for 2009-10.
Human Resources Management Not applicable
High
High: Ability to attract and retain highly qualified personnel, pending retirements and need for succession planning make this a high audit priority.
Acquisition Cards Not applicable
High
Moderate-High: High public visibility requires continued auditing surveillance followed up by periodic audits.
Values and Ethics Not Applicable
High
Moderate-High: The TB Directive on Departmental Audit Committees requires the annual review of ethical arrangements by the Audit Committee.
Integrated Risk Management Not applicable
Moderate
Moderate-High: Identified as a key component of corporate governance and therefore critical for generating the annual holistic opinions. However, risk management principles are audited as part of other audit universe elements such as planning and prioritization and research project management.
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters Low:
frequent and recent evaluations
High
Moderate-High: The effectiveness of IBP financial management controls is integral to NRC's success.
Capital Planning and Investment Not applicable
High
Moderate-High: Identified as key component of corporate governance.
Procurement and Contracting: Goods & Professional Services Not applicable
High
Moderate-High: High public visibility requires continued auditing surveillance followed up by periodic audits.
Financial Management: Travel and Hospitality Not applicable
Moderate
Moderate-High: High public visibility requires continued auditing surveillance followed up by periodic audits.
Horizontal Initiatives and Collaborative Partnerships Low:
frequent and ongoing coverage
Moderate
Moderate-High: The effectiveness of IBP financial management controls and its impact on collaborative arrangements is integral to NRC's success.
Research Project Management Not applicable
Moderate
Moderate-High: The effectiveness of research project management controls is integral to NRC's success.
Planning and Prioritization Not applicable
High
Moderate: Recent audit survey work undertaken concluded that enough progress had been made recently to make this a lower audit priority that can be delayed.
IT Security Not applicable
Moderate
Moderate: Public visibility and importance to collaborative partnerships requires continued auditing surveillance followed up by periodic audits.
Commercialization: IP Management Low:
frequent and recent evaluations
High
Moderate-Low: While an important element of NRC's core business, recent audit results demonstrate a strong management control framework.
Real Property Management Not applicable
High
Moderate-Low: Research facilities and equipment are an important element of attracting research talent.
Operational Security Not applicable
Moderate
Moderate-Low: Safety of staff and other resources are key elements of NRC's Audit Universe.
Contributory Partnerships (TRIUMF, Gemini, JCMT, CFHT) High:
nil
Low
Not Applicable: Audit universe elements assessed as low risk are not audited.
IM/IT Governance Not applicable
Low
Not Applicable: Audit universe elements assessed as low risk are not audited.
Financial Systems Not applicable
Low
Not Applicable: Audit universe elements assessed as low risk are not audited.
Information Management Not applicable
Low
Not Applicable: Audit universe elements assessed as low risk are not audited.
Access to Information and Privacy Act Not applicable
Low
Not Applicable: Audit universe elements assessed as low risk are not audited.

Appendix B: NRC Audit Universe for 2009-2010 – Descriptions of Audit Entities

Partnerships with Industry: Industrial Research Assistance Program (IRAP)

  • Management control framework, including governance and due diligence practices over transfer payments (inc. IRAP-TPC contributions)
  • Compliance with FAA and TB Policy on Transfer Payments
  • SONAR system (inc. linkages to other NRC systems)
  • Client Portal (currently in Beta testing - linked to SONAR)
  • Intranet, Internet
  • Extranet (to be completed in 2006)

Planning and Prioritization

  • Renewal Strategy and its implementation
  • Integrated Business Planning and Performance Management; including: priority setting, alignment of research with NRC priorities
  • Inter-institute planning and collaborations (Portfolio management)
  • Issues identification, project selection and resource allocation in institutes
  • Information for decision-making (including risk, performance information, etc.)

Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters

Management Control Framework of the Technology Clusters [which include the following]:

  • Fuel Cells and Hydrogen Technology
  • Nanotechnology
  • Agriculture Biotechnology, Nutraceuticals and Bio-products
  • Life Sciences and Medical Devices
  • Photonics
  • Aerospace
  • Aluminium Technologies
  • Information Technology – e-business
  • Bioresources
  • Ocean Technologies
  • Compliance with NRC Policies associated with equity licensing
  • IRC e.g., standards and codes
  • Industry Partnership Facilities (Incubators and Spin-ins)

Values and Ethics

  • NRC's Management Control Framework related to Values and Ethics
  • Compliance with Conflict of Interest and Post-Employment Code for NRC Employees
  • Policy on ethical standards in research involving animal subjects
  • Policy on ethical standards in research involving human subjects
  • Fundamental controls

Capital Planning and Investment

  • Capital planning
  • Expenditure approval process for capital investment
  • Lifecycle management
  • Acquisition and disposal of capital assets policies and practices

Commercialization: Intellectual Property Management

  • Activities of Business Relations Office and other business processes
  • CRM – Client Relationship Management
  • IPMC Strategy, Planning and Implementation and coordination Process
  • Licensing Revenue Practices (including management information systems)
  • IP, License and Agreement Management Software Solution
  • Linkages with Business Development Offices (within institutes)
  • Compliance with NRC Policies associated with equity and licensing practices
  • Bilateral alliances with key innovation partners in Europe, Asia, Latin America and the US [Global Reach]
  • Management of spin-offs/spin-outs

Real Property Management

  • Leasing and real property transactions
  • Facilities management
  • Environmental management
  • Compliance with Occupational Health and Safety requirements
  • Management control framework around the management of deleterious substances and other OSH requirements
  • Management control framework for the Occupational Health and Safety requirements

Financial Management Control Framework

  • Financial Service delivery model and service standards (new centralized model)
  • Policies and practices for making entries to the General Ledger and for preparing financial statements
  • Expenditure Management: management of commitments, accounts payable, financial reporting
  • Revenue Management (costing, cost recovery, accounts receivable)
  • Advisory Services (inc. Transfer Payment Advisory Services, activities in support of entrepreneurship, linkages with institutes and travel management)
  • Budget planning and management
  • Processes and information to support CFO attestation requirements

Financial Management: Travel and Hospitality

  • Management controls over travel and hospitality practices

Procurement and Contracting: Professional Services

  • Includes other contracting (including Advertising / Sponsorship / Public Opinion)

Human Resources Management

HR Service Delivery

  • HR Planning
  • Staffing
  • Compensation / Salary Administration
  • Classification
  • Training and Development
  • Management of employee severance benefits and pension benefits
  • Performance Management
  • Succession Planning / Knowledge management
  • Grievance management and other employee – employer negotiations

HR Branch Management Control Framework

  • Integration of HR Branch management control framework with the remainder of NRC

Employment Equity and Official Languages

HR Systems (inc. Sigma, Lotus Notes, and web-based applications)

Integrated Risk Management

  • Management control framework over IRM
  • Integration of risk management into business practices

IT Security

  • Compliance with IT Security Standard
  • Compliance with Government Security Policy
  • Emergency preparedness
    N.B. Major systems, including Exchange would be examined as part of this scope.
  • Configuration of Audit Logs
  • Physical Security of computer room
  • IT security for research

Operational Security

  • Compliance with Government Security Policy
  • Departmental exit procedures
  • Compliance with Security and Contract Management Standard
  • Compliance with Physical Security Standard
  • Compliance with Operational Security Standard – Business Continuity Planning Program
  • Emergency response planning
  • Disaster recovery planning

Horizontal Initiatives and Collaborative Partnerships

  • Genomics and Health Initiative
  • Fuel Cells & Hydrogen Technologies
  • Nanotechnology

Construction contracting / contracts and agreements with industry partners

  • Follow-up to 2002 Internal Audit

Acquisition Cards

  • Management controls over use of acquisition cards

Contributory Partnerships and Grants

  • Contributions to TRIUMF (management of contributions) (note: RBAF not required at this time. TRIUMF is audited annually by external auditors)
  • Contributions to Canada-France-Hawaii Telescope (CFHT) Corporation (note: audited externally, RBAF development subject to negotiation with TBS)
  • Contributions to Astronomy Research Council of the UK (note: no RBAF requirement- subject to external audit)
  • Contributions to NSF for the Gemini Telescopes (note: external audits done for Board)
  • James Clerk Maxwell Telescope (JCMT)
  • Graduate Student Program at the Herzberg Institute of Astrophysics
  • Grants for International Affiliations
  • Grants for Enhancing Canadian Science and Technology Capacity

Information Management / Information Technology Governance

  • Compliance with the policy governing the use of NRC IT resources
  • Compliance with TBS Enhanced Management Framework (EMF)
  • IT investment analysis and management
  • NRC Information Council
  • Policy Framework Committee (PFC)
  • Technology Committee
  • Policy Coordinators' Network
  • Accountability Framework for IT/IM
  • Compliance with the Enhanced Framework for the Management of IT in Government (EMF)

Financial Systems

  • Policy and Business unit of Finance Branch (responsible for planning, developing and maintaining NRC's financial systems and policies)
  • Sigma (Integrity, security and reliability of data)
  • Security profiles and management
  • Program table and data maintenance
  • Documentation of approved changes

Project Management

  • PM practices within institutes and compliance with Project Management policy (TBS), including use of PM tools (Sigma and others)

Information Management

  • Management control framework around IT/IM service delivery
  • Records management and information delivery of the right information, to the right person, in time.
  • Compliance with Management of Government Information Policy
  • Electronic Document Management System

Access to Information and Privacy Act

  • Management controls in place to ensure compliance with ATIP Act and Privacy Act

Appendix C: NRC Seven-Year Audit Planning Cycle for 2010-2016

This table represents a seven-year summary of the audit projects that will be undertaken by NRC Internal Audit and the OAG. It should be understood that this plan will be updated each year to reflect new priorities identified as part of the ongoing assessment of audit risks, as well as to take into account any revisions to timings due to unforeseen circumstances (e.g., staffing, availability of experts). All audit entities rated high or medium risk will be audited on a 7-year cycle or less as indicated; those rated low risk are monitored for the necessity to audit. Audits are identified by the approximate quarters they will commence and be completed. See Section 3.3 for the planning assumptions used.

Table of NRC Seven-Year Audit Planning Cycle for 2009-2016 Part 1
Audit Entity Overall Risk 2009-2010 2010-2011 2011-12 2012-13
Partnerships with Industry: Industrial Research Assistance Program (IRAP)
High

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification

Spring 2010 Winter 2011
Formal MCF assurance engagement

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Planning and Prioritization
High
MCF Audit of Planning and Prioritization

Fall 2012
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters
High
MCF Audit of Industry Partnership Facilities

Summer 2010
Spring 2011
Values and Ethics
High
Audit Survey of Values and Ethics 2007-08

Spring 2009

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Audit Survey of Values and Ethics

Spring Fall 2012
Capital Planning and Investment
High
MCF Audit of Capital Investment and Planning

Summer 2010
Spring 2011

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Follow-up to 2008-09 Compliance and MCF Audit of Construction Contracting


Spring 2011 Winter 2012

Continuous Auditing: transaction and MCF verification
Commercialization: IP Management
High
MCF Audit of IP Management (OAG Audit)

Spring 2009
Follow-up to 2008-09 MCF IP Management Audit (OAG)

Summer 2011 Winter 2012
Real Property Management
High
MCF Audit of Facilities Management and Equipment

Summer 2009
MCF Audit of Occupational Health and Safety


Fall 2009
Follow-up to 2009-10 MCF Audit of Occupational Health and Safety Audit

Winter 2013
Financial Management Control Framework
High
MCF Audit of Financial Management

Fall 2009
Summer 2010
Procurement and Contracting – Goods and Professional Services
High

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
MCF and Compliance Audit of Contracts (except Construction)

Winter 2012
Fall 2012
Acquisition Cards
High
MCF and Compliance Audit of Acquisition Cards

Fall 2009

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
MCF and Compliance Audit of Acquisition Cards

Winter 2013
Human Resources Management
High
MCF Audit of Human Resources Management

Summer 2010 Winter 2011
Financial Management – Hospitality
Moderate

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
MCF and Compliance Audit of Hospitality

Winter 2013
Financial Management – Travel
Moderate

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
MCF and Compliance Audit of Travel

Winter 2013
Horizontal Initiatives and Collaborative Partnerships
Moderate
MCF Audit of Horizontal Initiatives

Fall 2010
Summer 2011
Renewal of TRIUMF Terms and Conditions Renewal of Class Grants for International Affiliations Terms and Conditions
Integrated Risk Management
Moderate
MCF Audit of Integrated Risk Management

Fall 2009

Continuous Auditing:
MCF verification

Continuous Auditing:
MCF verification
Follow-up to 2009-10 Integrated Risk Management Audit

Spring 2012 Winter 2013
IT Security
Moderate
Follow-up to 2006-07 Audit of IT Security Management

Fall 2010
Summer 2011
Continuous Auditing:
MCF verification
Operational Security
Moderate
Research Project Management
Moderate
MCF Audit of Research Project Management

Winter 2012
Fall 2012
Table of NRC Seven-Year Audit Planning Cycle for 2009-2016 Part 2
Audit Entity Overall Risk 2013-14 2014-15 2015-16
Partnerships with Industry: Industrial Research Assistance Program (IRAP)
High
Follow-up to 2010-11 MCF Audit of IRAP

Fall 2013
Spring 2014
Continuous Auditing: transaction and MCF verification
Planning and Prioritization
High
Spring 2013
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters
High
Follow-up to 2010-11 Industry Partnership Facilities Audit

Spring Fall 2014
Values and Ethics
High

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Audit Survey of Values and Ethics

Spring Fall 2015
Capital Planning and Investment
High
Follow-up to 2011-12 MCF Audit of Capital Investment and Planning

Summer 2014
Spring 2015

Continuous Auditing: transaction and MCF verification
MCF and Compliance Audit of Construction Contracts

Spring Fall 2014

Continuous Auditing: transaction and MCF verification
Commercialization: IP Management
High
MCF Audit of IP Management

Winter 2016
Real Property Management
High
Follow-up to 2009-10 MCF Audit of Facilities Management and Equipment

Fall 2013
Spring 2014
Summer 2013
Financial Management Control Framework
High
Follow-up to 2010-11 MCF Audit of Financial Management

Summer 2013 Winter 2014
Procurement and Contracting – Goods and Professional Services
High

Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
MCF and Compliance Audit of Contracts (except Construction)

Winter 2016
Acquisition Cards
High
Fall 2013
Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Human Resources Management
High
Follow-up to 2010-11 MCF Audit of Human Resources Management

Fall 2014
Summer 2015
Financial Management – Hospitality
Moderate
Fall 2013
Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Financial Management – Travel
Moderate
Fall 2013
Continuous Auditing: transaction and MCF verification

Continuous Auditing: transaction and MCF verification
Horizontal Initiatives and Collaborative Partnerships
Moderate
Follow-up to 2010-11 MCF Audit of Horizontal Initiatives

Fall 2014
Spring 2015
Renewal of IRAP Terms and Conditions Renewal of International Telescope Program – CFHT, JCMT, Gemini Terms and Conditions
Integrated Risk Management
Moderate

Continuous Auditing:
MCF verification

Continuous Auditing:
MCF verification

Continuous Auditing:
MCF verification
IT Security
Moderate

Continuous Auditing:
MCF verification

Continuous Auditing:
MCF verification
MCF Audit of IT Security Management

Fall 2015
Operational Security
Moderate
MCF and Compliance Audit of Operational Security

Fall 2014
Summer 2015
Research Project Management
Moderate

Footnotes

Footnote 1

These audits included 10 internal audits, 2 performance audits completed by the Office of the Auditor General, and three successive, positive audit opinions respecting NRC's financial statements also audited by the OAG.

Footnote 2

See Section 2.1 NRC Internal Audit Planning Phase 3 Risk Assessment

Footnote 3

Materiality refers only to an estimate based on an analysis of actual 2007-08 expenditures. As these estimates are not aligned to NRC's financial coding, they are neither auditable nor broken down in this manner for NRC's financial statements. A risk rating of High was given to cumulative expenditures greater than $25 million, Moderate for expenditures greater than $1 million but less than $25 million, and Low for expenditures less than $1 million.

Footnote 4

Considered as part of Financial Management Control Framework.

Footnote 5

"Plus" denotes the fact that not all Institutes, Branches and Programs segregate costs in the same manner, therefore, the materiality should be considered higher than that identified.
