ARCHIVED - Chief Audit Executive's Annual Assurance Overview Report 2010-2011
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
This document contains the Chief Audit Executive’s Annual Assurance Overview Report for 2010-11 that was approved by the President for NRC upon the recommendation of NRC’s Departmental Audit Committee on November 4, 2011.
1.0 Executive Summary
The Treasury Board Policy on Internal Audit requires that Chief Audit Executives provide an “independent annual assurance report” to deputy heads on the effectiveness and adequacy of departmental risk-management, governance and control processes. Recent guidance provided by the Office of the Comptroller General states, “CAEs are expected to provide deputy heads with an overview resulting from the execution of the Risk-Based Audit Plan in the context of the mandate, priorities, and risk profile of the organization.” As it was the case for the first annual report for the National Research Council produced last year, this report places emphasis on the observations and conclusions obtained from individual risk-based audits and linking them to core management controls. Where possible, analyses of themes, systemic issues and best practices are identified.
It should be noted, however, that the perspectives presented herein do not represent a comprehensive summary of the findings of individual audit reports and related management action plans. The individual audit reports themselves should therefore be consulted for a more thorough understanding of the findings and management action plans in response to audit recommendations. It is understood those associated management action plans at the time of the audit were deemed to be adequate to mitigate the risks identified in the individual assurance engagements. Nothing has come to my attention that indicates that significant unmitigated risks will remain after their implementation as they relate to NRC’s risk management, governance and control processes for those audit universe elements audited.
Within the limitations of the audit procedures performedFootnote 1to confirm their implementation, good progress is being made by management in implementing their action plans in response to audit recommendations for continuous improvement in accordance with the agreed upon timelines. Within this reporting period, 82 percent of management action plans have been identified as either substantially or fully implemented.
This Annual Assurance Overview Report for the National Research Council is based on relevant assurance work undertaken by NRC Internal Audit, including the work of other assurance providers comprising the Office of the Auditor General (OAG), the Office of the Comptroller General (OCG) and Finance Branch, completed within the three year period 2008-09 to 2010-11. This includes audit activities only pertaining to the following elements of NRC’s audit universe: the Industrial Research Assistance Program, Intellectual Property Management, Planning and Performance Management, Values and Ethics, Integrated Risk Management, Occupational Safety and Health, Real Property Management, Travel, Hospitality, Financial Management Control Framework, Procurement and Contracting, Construction Contracts and Acquisition Cards. Future annual assurance reports will include other elements of the audit universe as indicated in this report.
With respect to risk management, NRC overall has established many of the risk management elements identified in the Treasury Board policy and its associated directives and guidelines. Over the three year period, Internal Audit during the course of its audit activities has been able to observe concrete examples where risk management practices have been employed including Finance Branch verification and monitoring practices, the management of Industrial Research Assistance Program (IRAP) contributions, IT security assessments and most recently capital planning and investment decision making. As part of the development of NRC’s new Strategy introduced in Fall 2010, IBPs have been advised of the importance of identifying risks and risk mitigating strategies in making business cases consistent with the organization-wide strategic and operational plans. This emphasis, in addition to recent training efforts, will be helpful in addressing the wide variability of risk management practices across NRC that was observed during the audit. More importantly, this could be largely addressed by the ongoing development of a comprehensive integrated risk management framework that will be approved and monitored by NRC’s senior executive.
With respect to governance, NRC conforms with many of the OCG’s core management controls for good governance including having oversight bodies such as NRC’s Council (and its subcommittees), the Departmental Audit Committee and the Senior Executive Committee – each with clearly defined roles and responsibilities. As part of the implementation of NRC’s new Strategy, significant changes were introduced in 2010-11 and continue to be ongoing with respect to the organization-wide business planning process for making financial and non-financial resource allocation decisions. While it presents a number of challenges, nothing has come to my attention which suggests it will not be successful. As with previous years it is expected to take into consideration the Corporate Risk Profile and that both the Strategic and Operational Plans will have clearly defined business objectives. Senior management in response to an audit of occupational safety and health completed last year has rigorously adopted and prioritized changes to address areas requiring improvement. Finally, our review of NRC’s management framework for values and ethics indicates overall, it reflects the core management controls for fostering public service values. More recently, revisions have been made to NRC’s values which allow us to move forward in realizing our vision to become the world's most effective research and technology organization; they are also consistent with public service values and have been widely communicated across the organization.
With respect to the controls examined during the three-year period, numerous audit assurance engagements have been undertaken by Internal Audit which demonstrates overall that most areas of practice / process are compliant with Government of Canada and NRC policies and directives. Continuous auditing activities have largely confirmed that within this reporting period, significant progress (approximately 93 percent) has been made by management in implementing their action plans in response to audit recommendations for continuous improvement. These findings are reinforced by the observations of other assurance providers including the OAG financial statements audits which from 2005-06 up until 2009-10 have provided unqualified, clean opinions for the first two years of the three year period covered by this overview report. For 2010-11, the audit of NRC’s Financial Statements has been delayed by the availability of sufficient and appropriate audit evidence that NRC’s deferred revenue account is free of material risks. This audit and the ongoing internal audit of the financial management control framework for revenue have made it increasingly apparent that the differing revenue practices of NRC’s IBPs need to be addressed organization-wide as part of implementing NRC’s new Strategy which is increasingly dependent upon the generation of revenue.
In my professional judgment, sufficient and appropriate procedures were conducted and evidence gathered to support the accuracy of the perspectives provided in this report. The conclusions contained in this report are based on a comparison of the conditions, as they existed at the time of the engagements, against pre-established criteria. These perspectives are only applicable to the entities examined and for the scope and time periods covered by the engagements completed in the three-year period 2008-09 to 2010-11 except where continuous auditing activities and / or limited follow-up assurance work pertaining to the implementation of management action plans are noted.
Jayne Hinchliff-Milne, CMA, Chief Audit Executive
National Research Council Canada
- Footnote 1
Recently NRC Internal Audit has begun verifying their implementation as management asserts they have been completed.
Report a problem or mistake on this page
- Date modified: