ARCHIVED - 2010-11 to 2012-13 Risk-Based Internal Audit Plan


Foreword

This document contains a summary of the three-year audit plan from 2010-11 to 2012-13 for the National Research Council. The entire plan was approved by the President of NRC upon the recommendation of the NRC Departmental Audit Committee on April 29, 2010. It is updated annually based on a formal assessment of current risks, and therefore the timing of some audits in future years may change.

1.0 Introduction

NRC's Internal Audit function is organized to meet the Government of Canada's Policy on Internal Audit and related Directives, Standards and Guidelines. The Government of Canada has adopted the Institute of Internal Auditors (IIA) Professional Practices Framework, and departments are required to meet the IIA Standards in undertaking their internal auditing responsibilities, unless the standards are in conflict with the policy or any related directives or guidelines provided by the Comptroller General or Treasury Board.

The mission of Internal Audit at NRC is to provide assessments, independent from line management, on the adequacy and effectiveness of the NRC's risk management, control and governance processes and to report on these results. Specifically, Internal Audit is tasked with the responsibility of assessing NRC's integrated risk management of its programs and initiatives and for providing assurance to clients and stakeholders that internal NRC operations and other joint initiatives are managed and controlled with due regard to compliance with authorities, financial probity, protection of assets, economy, efficiency and effectiveness of controls. Clients and stakeholders include corporate management, central agencies, other government departments and industrial partners. Internal Audit also provides expert and authoritative functional advice, information and guidance to the President and senior NRC management on best practices and controls, on corrective measures required at the program and corporate level and on the integration and harmonization of national / international audit processes and standards.

These responsibilities are consistent with the Treasury Board Policy on Internal Audit, which requires the Chief Audit Executive to plan and perform risk-based internal audits necessary to provide an annual assurance statement on the adequacy and effectiveness of the department's risk management, control, and governance processes. To adequately discharge its responsibilities in this area and to support reliable reporting, oversight and governance, NRC's Internal Audit plans its audits on the basis of risk. Risk-based audit planning provides a systematic method for identifying, prioritizing and scheduling audits while at the same time providing a means by which scarce audit resources can be targeted in areas of highest risk within NRC's entire audit universe.

In 2009-10, NRC Internal Audit had in addition to its salary budget comprising 5 FTEs, an operational budget of $444,000 – the majority of which was used to contract expert audit resources. An additional allocation of $135,000 was used to compensate external audit committee members and related committee expenses. For 2010-11, the operational budget will be reduced to $339,000 and in future years $264,000 to finance two new Auditor positions. The allocation for Departmental Audit Committee expenses will remain the same.

Revised NRC Internal Audit Organization 2010-11


As with previous years, the majority of Internal Audit's services will be directed towards providing assurance that NRC's network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner that ensures:

  • risks are appropriately identified and managed;
  • interaction with the various governance groups occurs as needed;
  • significant financial, managerial and operating information is accurate, reliable, and timely;
  • activities and actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
  • resources are acquired economically, used efficiently and adequately protected;
  • quality and continuous improvement are fostered in NRC's control process;
  • significant legislative or regulatory issues impacting NRC are recognized and addressed properly; and
  • opportunities for improving management control, sound resource stewardship, and the NRC's image are communicated to the appropriate level of management.

As directed by the Internal Auditing Standards for the Government of Canada, the majority of engagements presented in this plan will provide a high level of assurance by designing procedures and following standards that reduce the risk of an inappropriate conclusion to a low level. Other work will be completed as resources permit.

2.0 Risk-Based Audit Planning

The objectives of NRC's Risk-Based Internal Audit Plan are to:

  • identify the priorities of Internal Audit, consistent with the objectives of NRC and NRC's Audit Charter;
  • identify the priorities of Internal Audit based on assessment of risk and potential exposure that may affect the NRC's ability to accomplish its objectives;
  • set out the audit universe for NRC and the timeframe needed for the provision of the annual assurance statement on the adequacy and effectiveness of risk-management, control and governance processes;
  • share and coordinate activities with other internal and external providers of relevant assurance services to ensure proper coverage and minimize duplication of efforts; and
  • present Internal Audit's plans and resource requirements to the Audit Committee and President for review and approval respectively.

The audit planning approach has four main phases: identification of audit risk across NRC; confirmation and update of NRC's audit universe; risk assessment of the individual audit entities; and formulation of the detailed audit plan and consultation.

Throughout 2009-10, senior management and the members of the Audit Committee were consulted on changes to NRC priorities and corporate risks and their impact on the identification and timing of this year's and future years' audits. The audit universe defines the potential scope of an organization's internal audit activity by segmenting its operations into individual "audit entities" that may be subjected to audit. As depicted later in this plan, NRC's activities and practices can be categorized into three sections or tiers as follows: Scientific and Innovation Activities, Corporate Governance Processes and Corporate Administrative Practices.

Within each of these tiers, auditable entities have been identified and reviewed by senior management and the Audit Committee. In selecting entities for inclusion in NRC's audit universe, three main criteria were applied. First, the entities must be auditable, i.e., they must be definable and have discrete objectives. Second, the entities must be significant and material in the context of the organization. Third, the entities must be relevant to NRC and/or NRC's broader context. In other words, each entity must relate to, and support the achievement of NRC's objectives.

The audit universe has been designed to reflect NRC's key functions, as opposed to its structures in order to ensure the key risks for achieving NRC's objectives are addressed. As a result, the individual Institutes, Branches and Programs (IBPs) that make up NRC's organization are not directly identified as auditable entities in and of themselves. In recognition of the importance and materiality associated with them, Internal Audit planning activities ensure that audit activities take place in all IBPs over the entire audit planning horizon. This is done through the inclusion of a sample of IBPs for each audit undertaken – the selection of which is based on the degree of risk posed and the necessity to reflect regional and technical differences. As of March 31, 2010, audit activities have been undertaken in all 32 IBPs or 100 percent since 2006-07.

The detailed risk ratings assigned to each audit entity are shown in Appendix A: NRC Audit Universe for 2010-11 - Risk Factors for Consideration in Audit Planning and Impact on Audit Priority; and the descriptions of the components that make up each audit entity are shown in Appendix B: NRC Audit Universe for 2010-11 – Descriptions of Audit Entities.

Taking into consideration the audit universe and audit entity risk ratings, audits were defined and plotted on a seven-year planning cycle (see Appendix C: NRC Seven-Year Audit Planning Cycle for 2010-2017) to reflect the following planning decisions:

  • higher risk audit entities are audited more frequently than every seven years – some of which may have continuous audits scheduled in intervening years;
  • all high and medium ranked audit entities are audited at least once on a seven-year audit cycle;
  • low risk audit entities are not audited but continue to be assessed for higher risk and hence the necessity for future audit;
  • each year represents a body of work that can be reasonably achieved by the current complement of audit resources while leaving a small reserve in order to address management directed audits and / or participation in Office of the Comptroller General horizontal audits;
  • mandated audits (i.e., the renewal of grants and contributions terms and conditions) are scheduled on a priority-basis;
  • progress made by management in implementing their action plans in response to audit observations and recommendations is followed up by Internal Audit within a reasonable period of time based on risk;
  • the timing of audits within a given planning year and selection of IBPs are based on risks as well as program evaluations and audits undertaken by other agencies (e.g., the Office of the Auditor General) so as not to place an unreasonable burden on any one audit entity / responsibility centre or risk duplication of effort; and
  • the overall plan ensures sufficient coverage of NRC's risk management, control and governance processes on an annual basis to collectively support the Chief Audit Executive's annual assurance statement as required by the Treasury Board Policy on Internal Audit.

In summary, this planning process ultimately led to NRC's revised audit universe for 2010-11 and schedule of audits, as depicted on the following page: NRC Audit Universe Risk Ranking and Audit Activities.

NRC Audit Universe Risk Ranking and Audit Activities

Graphical representation of NRC Audit Universe Risk Ranking and Audit Activities

3.0 Audit Plan

Planned audits for 2010-11 to 2012-13 and estimated resources

The following table provides a three-year summary of the audit projects and their expected start and completion dates (by quarters: Spring, Summer, Fall or Winter) as well as their expected cost by contracted ($xx) and internal audit resources (Auditor Weeks). Estimated operational costs also include expenditures related to NRC Internal Audit’s Quality Assurance Review activities, translation and HTML conversion costs.

NRC Audit Universe: Scientific and Innovation Activities

| Audit Entity | Risk | 2010-11 | 2011-12 | 2012-13 |
|---|---|---|---|---|
| Partnership with Industry: Industrial Research Assistance Program (IRAP) | High | Continuous Auditing (annual): transaction and MCF verification plus Canada Economic Action Plan Funds testing ($30,000; 10 Auditor Weeks). Follow-up to 2007-08 MCF IRAP audit, Spring 2010 ► Winter 2011 ($7,500; 10 Auditor Weeks) | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) |
| Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters | High | MCF Audit of Technology Clusters, Fall 2010 ►►►► ($25,000; 8 Auditor Weeks) | ►► Fall 2011 ($87,000; 32 Auditor Weeks) | |
| Horizontal Initiatives and Collaborative Partnerships | Moderate | | MCF Audit of Horizontal Initiatives, Fall 2011 ►►►► ($25,000; 22 Auditor Weeks) | ►► Spring 2012 ($87,000; 18 Auditor Weeks) |
| Research Project Management | Moderate | | MCF Audit of Research Project Management, Winter 2012 ►►►► ($25,000; 22 Auditor Weeks) | Fall 2013 ►►►► ($87,000; 18 Auditor Weeks) |
| Commercialization: Intellectual Property Management | Moderate | | Potential OAG Follow-up to 2008-09 MCF IP Management Audit, Summer 2011 ► Winter 2012 ($0; 2 Auditor Weeks) | |

NRC Audit Universe – Corporate Governance Processes

| Audit Entity | Risk | 2010-11 | 2011-12 | 2012-13 |
|---|---|---|---|---|
| Occupational Safety and Health | High | MCF Audit of OSH, ►► Summer 2010 ($35,000; 8 Auditor Weeks) | | |
| Capital Planning and Investment | High | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | MCF Audit of Capital Investment and Planning, Fall 2011 ►►►► ($45,000; 15 Auditor Weeks) | ►► Summer 2012 ($12,000; 40 Auditor Weeks) |
| Integrated Risk Management | Moderate | MCF Audit of Integrated Risk Management, ►► Summer 2010 ($12,000; 4 Auditor Weeks) | Continuous Auditing (annual): MCF verification ($0; 2 Auditor Weeks) | Continuous Auditing (annual): MCF verification ($0; 2 Auditor Weeks) |
| Planning and Prioritization | Moderate | | | MCF Audit of Planning and Prioritization, Fall 2012 ►►►► ($25,000; 20 Auditor Weeks) |
| Values and Ethics | Moderate | Continuous Auditing (annual): MCF verification ($0; 2 Auditor Weeks) | Follow-up to Values and Ethics MCF Review, Spring ► Fall 2011 ($7,500; 10 Auditor Weeks) | Continuous Auditing (annual): MCF verification ($0; 2 Auditor Weeks) |

NRC Audit Universe – Corporate Administrative Practices

| Audit Entity | Risk | 2010-11 | 2011-12 | 2012-13 |
|---|---|---|---|---|
| Human Resources Management | High | MCF Audit of Human Resources Management, Summer 2010 ►►►► ($100,000; 25 Auditor Weeks) | ►► Spring 2011 ($12,000; 5 Auditor Weeks) | |
| Construction Contracts | High | Continuous Auditing (annual): transaction and MCF verification plus Canada Economic Action Plan funds testing ($20,000; 8 Auditor Weeks) | Follow-up to 2008-09 Compliance and MCF Audit of Construction Contracts, Spring 2011 ► Winter 2012 ($17,500; 25 Auditor Weeks) | Continuous Auditing: transaction and MCF verification ($0; 2 Auditor Weeks) |
| Financial Management Control Framework | Moderate | MCF Audit of Financial Management Control Framework, ►► Fall 2010 ($32,000; 35 Auditor Weeks) | | |
| Financial Management – Travel and Hospitality | Moderate | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Follow-up to 2008-09 MCF and Compliance Audits of Travel and Hospitality, Winter 2013 ►►►► ($10,000; 20 Auditor Weeks) |
| Professional Services and Goods Contracts | Moderate | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Follow-up to 2006-07 and 2007-08 MCF and Compliance Audits of Contracts, Winter 2012 ►►►► ($20,000; 20 Auditor Weeks) | Continuous audit activities (annual); ►► Fall 2012 ($7,500; 20 Auditor Weeks) |
| Acquisition Cards | Moderate | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Follow-up to 2009-10 MCF and Compliance Audit of Acquisition Cards, Fall 2012 ►►►► ($15,000; 25 Auditor Weeks) |
| IT Security | Moderate | Follow-up to 2006-07 IT Security Management, Fall 2010 ► Winter 2011 ($57,500; 10 Auditor Weeks) | | |
| Operational Security | Moderate | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) | Continuous Auditing (annual): transaction and MCF verification ($0; 2 Auditor Weeks) |

Totals

| | 2010-11 | 2011-12 | 2012-13 |
|---|---|---|---|
| Total Estimated Costs of Planned Audit Activities | $319,000; 130 Auditor Weeks | $239,500; 163 Auditor Weeks | $243,500; 171 Auditor Weeks |
| Total Operational Resources Available for Audit Activities | $339,000; 140 Auditor Weeks | $264,000; 180 Auditor Weeks | $264,000; 180 Auditor Weeks |
| Available Resources for Unplanned Audit Activities (including OCG Horizontal Audits) | $20,000; 10 Auditor Weeks | $25,000; 17 Auditor Weeks | $20,500; 9 Auditor Weeks |

Appendix A: NRC Audit Universe for 2010-11 - Risk Factors for Consideration in Audit Planning and Impact on Audit Priority


Appendix B: NRC Audit Universe for 2010-11 - Description of Audit Entities

NRC Audit Universe: Scientific and Innovation Activities
Partnerships with industry: Industrial Research Assistance Program (IRAP)
  • Management control framework including governance and due diligence practices over transfer payments
  • Compliance with FAA and TB Policy on Transfer Payments
  • Canada Economic Action Plan funds
  • Follow-up to recommendations made in the 2007-08 Internal Audit Report
Commercialization: Partnership Enablers and Entrepreneurship – Technology Clusters

Management Control Framework of the Technology Clusters which include the following:

  • Fuel Cells and Hydrogen Technology
  • Nanotechnology
  • Agriculture Biotechnology, Nutraceuticals and Bio-products
  • Life Sciences and Medical Devices
  • Photonics
  • Aerospace
  • Aluminum Technologies
  • Information Technology – e-business
  • Bio-resources
  • Ocean Technologies
  • Compliance with NRC Policies associated with equity licensing
  • Institute for Research in Construction e.g., standards and codes
  • Industry Partnership Facilities (Incubators and Spin-ins)
Horizontal Initiatives and Collaborative Partnerships
  • Genomics and Health Initiative
  • Fuel Cells & Hydrogen Technologies
  • Nanotechnology
Research Project Management
  • PM practices in institutes and compliance with Project Management policy (TBS), including use of PM tools (Sigma and others)
  • Follow-up to OAG 2007 performance audit recommendations from NRC Management of Leading-Edge Research
Commercialization - Intellectual Property Management
  • Activities of the Central Business Support office and other business processes
  • CRM-Client Relationship Management
  • Licensing Revenue Practices (including management information systems)
  • IP, License and Agreement Management
  • Linkages with Business Development Offices (within institutes)
  • Compliance with NRC Policies associated with equity and licensing practices
Contributory Partnerships
  • Contributions to TRIUMF (management of contributions)
  • Contributions to Canada-France-Hawaii Telescope (CFHT) Corporation
  • Contributions to Astronomy Research Council of the UK
  • Contributions to NSF for the Gemini Telescopes
  • James Clerk Maxwell Telescope (JCMT)
  • Graduate Student Program at the Herzberg Institute of Astrophysics
  • Grants for International Affiliations
  • Grants for Enhancing Canadian Science and Technology Capacity
NRC Audit Universe: Corporate Governance Processes
Occupational Safety and Health
  • Management Control Framework
  • Compliance with the Canada Labour Code Part II, Treasury Board and NRC policies and directives
  • Workplace safety
  • Management control framework around the management of deleterious substances and other OSH requirements
Capital Planning and Investment
  • Capital Planning
  • Expenditure approval process for capital investment
  • Implementation of links to facilities management audit
  • Implementation of new Treasury Board Policy on Investment Planning - Assets and Acquired Services and the Policy on the Management of Projects
Integrated Risk Management
  • Management control framework over IRM
  • Integration of risk management into business practices
Planning and Prioritization
  • Integrated Business Planning and Performance Management reflected in the Corporate Business Plan including: priority setting, alignment of research with NRC priorities
  • Inter-institute planning and collaborations
  • Links to audits of facilities management and risk management
  • Issues identification, project selection and resource allocation in institutes, and alignment with the corporate plan and provided in annual business planning processes
  • Information for decision-making (including risk, performance information, etc.)
Values and Ethics

  • NRC’s Management Control Framework related to Values and Ethics
  • Compliance with Conflict of Interest and Post-Employment Code for NRC Employees
  • Policy on ethical standards in research involving animal subjects
  • Policy on ethical standards in research involving human subjects
  • Updated Core Values
  • Employee ability to report potential wrongdoing
Information Management / Information Technology Governance
  • Compliance with the policy governing the use of NRC IT resources
  • Compliance with TBS Enhanced Management Framework (EMF)
  • IT investment analysis and management
  • Governance arrangements including oversight committees
  • Policy Coordinators’ Network
  • Accountability Framework for IT/M
  • Compliance with the Enhanced Framework for the Management of IT in Government (EMF)
NRC Audit Universe: Corporate Administrative Practices
Human Resources Management

HR Service Delivery

  • HR planning
  • Staffing
  • Compensation / salary administration
  • Classification
  • Training and development
  • Management of employee severance benefits and pension benefits
  • Performance management
  • Succession planning / knowledge management
  • Grievance management and other employee – employer negotiations

HR Branch Management Control Framework

  • Integration of HR Branch Management control framework with the remainder of NRC

Employment Equity and Official Languages

 

HR Systems including Sigma, Lotus Notes, and web-based applications

Financial Management Control Framework (includes Contracts, Travel, Hospitality, and Acquisition Cards)
  • Financial Control Environment - policies and tools, governance, training, risk management, financial signing authorities / compliance (FAA), systems controls / IT environment and segregation of duties
  • Financial Management Activities - acquisitions and payment (travel, hospitality, contracts, acquisition cards, EDP purchases, accounts payable, prepaid expenses, payments in lieu of taxes), grants and contributions (IRAP, TRIUMF), revenue and receivables (revenue and accounts payable), capital assets (facilities management, assets), compensation (HR), Canada Economic Action Plan, Financial Planning, Forecasting & Budgeting, and Financial Statements Reporting
  • Compliance with Treasury Board and NRC policies, directives and guidelines (contracts, travel, hospitality and acquisition cards)
IT Security
  • Compliance with IT Security Standard
  • Compliance with Government Security Policy
  • Emergency preparedness
  • Configuration of Audit Logs
  • Physical security of hardware and software
  • IT security for research
  • Emergency response and disaster recovery planning
Real Property Management
  • Leasing and real property transactions
  • Facilities management
  • Environmental management
Operational Security
  • Compliance with Government Security Policy and NRC policies
  • Departmental exit procedures
  • Compliance with security and contract management standard
  • Compliance with physical security standard
  • Compliance with operational security standard – Business Continuity Planning Program
  • Emergency response planning
  • Disaster recovery planning
Financial Systems
  • Policy and business unit of Finance Branch (responsible for planning, developing and maintaining NRC’s financial systems and policies)
  • Sigma (integrity, security and reliability of data)
  • Security profiles and management
  • Program table and data maintenance
  • Documentation of approved changes
Information Management
  • Management control framework around IT/IM service delivery
  • Records management and information delivery of the right information, to the right person, in time.
  • Compliance with Management of Government Information Policy
  • Electronic Document Management System
Access to Information and Privacy Act
  • Management controls in place to ensure compliance with ATIP Act and Privacy Act

Appendix C: NRC Seven-Year Audit Planning Cycle for 2010-2017

This table represents a seven-year summary of projects that will be undertaken by NRC Internal Audit except where noted. It should be understood that this plan will be updated each year to reflect new priorities identified as part of the ongoing assessment of audit risks, as well as to take into account any revisions to timings due to unforeseen circumstances (e.g. availability of experts or unanticipated changes in resources). All audit entities rated high or medium risk will be audited on a 7-year cycle or less as indicated; those rated low-risk are not audited unless ongoing risk surveillance indicates the necessity to audit. Audits are identified by the approximate quarters they will commence and be completed.
