ARCHIVED - CAE Annual Report 2011-12
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
1.0 EXECUTIVE SUMMARY
The purpose of this report is to summarize the 2011-2012 planned and completed work of the National Research Council (NRC) Internal Audit function and provide an overview of the effectiveness of NRC's governance, risk management and control processes based on the results of internal audit activitiesFootnote 1. This report also addresses the effectiveness of NRC's Internal Audit function in relation to the Treasury Board's Management Accountability Framework (MAF). The findings presented in the report are based on findings arising from internal and external audits conducted and reported as per the 2011-12 to 2013-14 Risk-Based Audit Plan (RBAP). The findings presented in this report also touch on themes and issues that have carried over from 2010-2011.
Governance: Audit results noted that NRC has appropriate oversight and accountability at the strategic and operational levels. Business and operational plans at the corporate and former institute/branch/program (IBP) levels consider risks and human resource (HR) details. However, it was noted that policies and procedures related to HR planning should be renewed for alignment to NRC's new strategy. While some functional areas of the organization have clearly defined and communicated authorities and responsibilities, management attention in terms of accountability was required in others. Performance measurement is one control area where NRC took steps forward in 2011-12, including the establishment of program-level measures, real property measures, and occupational health and safety performance monitoring.
Risk Management: Progress was also made towards the formal documentation and implementation of an integrated risk management framework (IRMF). Risk management training that will accompany the implementation of the IRMF will not only ensure the consistent application of risk assessment tools and guidance, but will also raise managers' awareness and understanding of risk management.
Controls: Internal Audit results have generally identified strong financial management controls. These findings are reinforced by the observations of other assurance providers, including the OAG financial statements audits. Noted areas of improvement identified by Internal Audit include the inconsistent use of mandatory standing offers for procurement across NRC, along with the varying application of the financial control framework in revenue management. Corporately managed IT security functions were noted as strong with opportunities for improvement pertaining to risk management functions and the implementation of an agency-wide business continuity plan. Management has recently mandated the use of the SAP Project Systems (PS) module to ensure consistent reporting of project costs and revenues under the new NRC financial model to support the reliability and accuracy of information for decision making. With exception to first claim validation, the continuous audit and Follow-Up Audit of IRAP identified high compliance with applicable policies and procedural requirements.
Going forward, NRC's Risk-Based Audit Plan has been updated to align with the new organizational structure and priorities. Control areas that will be given consideration in the future audit planning process include training frameworks, IT application and general controls, performance measurement, budgeting, policy and program development and monitoring, and communications. Moreover, as NRC transitions to a program-based organization, Internal Audit will remain appropriately informed and sufficiently flexible to ensure assurance activities continue to add value to the organization.
The implementation of management action plans has been consistently monitored by NRC Internal Audit and reported to the Departmental Audit Committee (DAC) semi-annually. Management has proven commitment in responding to audit findings. 29 percent of the audit recommendations made during 2011-12 were implemented by management within 6 months of tabling of the audit reports. The majority of recommendations that are still outstanding are primarily attributed to management's effort and redirection of resources in support of NRC's transformation to a program-based management model.
Internal Audit's project completion rate of the 2011-12 RBAP was high. This can be attributed to the sustainability and inherent knowledge of the audit function resulting from robust professional development and training tools as well as the leveraging of electronic audit tools for greater cost efficiency in the execution of audit activities. Furthermore, given NRC's current reorganization, the audit universe was updated this fiscal year to ensure alignment of the annual RBAP development process with the new organizational structure and priorities.
NRC Internal Audit's quality assurance and improvement program includes an internal and external Quality Assurance and Review (QAR) process to ensure that audits are conducted in accordance with the Institute of Internal Auditors (IIA) and Treasury Board auditing standards. In 2011-12, NRC Internal Audit obtained QAR certificates from independent external quality assurance reviewers for 7 of 9 completed audits. Moreover, a full external practice inspection is planned for 2012-13. Going forward, NRC Internal Audit will continue improving its practices through leveraging results obtained from the QAR process and upcoming practice inspection for the planning and execution of future audits. NRC Internal Audit will also continue to explore opportunities to strengthen the linkages between the RBAP and the Corporate Risk Profile to ensure consistency across NRC.
- Footnote 1
This report is not intended to be an audit and is not intended to introduce new audit findings or include all internal audit findings.
Report a problem or mistake on this page
- Date modified: