ARCHIVED - 2020-2021 to 2022-2023 - Risk-Based Audit Plan

Archived - This content has been developed for the transition binder for the NRC Acting President, September 2020

Prepared by: Office of Audit and Evaluation

Approval: June 2020

Deputy Head Approval Note - Risk-Based Internal Audit Plan

I approve the Risk-Based Internal Audit Plan (RBAP) of the National Research Council Canada (NRC) for the fiscal years 2020-2021 to 2022-2023.

The RBAP will be submitted to the Office of the Comptroller General. Information about its implementation will be provided to the Office of the Comptroller General, as required.

As required per the Treasury Board Policy on Internal Audit, the NRC RBAP considers:

  • NRC areas of high risk and significance
  • Horizontal audits led by the Comptroller General
  • Planned audits led by external assurance providers and other departments as appropriate
  • Other oversight engagements

Iain Stewart
President, National Research Council Canada

Date: June 26, 2020

Executive summary

Each year, the National Research Council Canada's (NRC) Office of Audit and Evaluation (OAE) prepares a three-year Risk-based Audit Plan (RBAP). The RBAP identifies audit priorities based on an assessment of risk and potential exposure that may affect NRC's ability to accomplish its objectives.

This RBAP details internal audit priorities for fiscal years 2020-2021 to 2022-2023. Audit projects and priorities were identified based on a high-level analysis of all NRC programs, management activities, processes, policies and control functions. This process included consultations with Senior Executives, Corporate Director Generals, and the President. As well, planned audits led by external assurance providers (e.g. OCG / OAG), past audit coverage, specific requests from Senior Management and the President were also considered.

NRC-Internal Audit (NRC-IA) has adjusted the audit plan to reflect the new risks and programming at NRC, given COVID-19. In 2020-2021, the majority of NRC's Internal Audit efforts will be focused on advisory services. This will provide near-real time advice and guidance with regards to risk management, control and governance processes in response to the current situation.

The following internal audit projects constitute the main priorities of the audit function for fiscal year 2020-2021:

  • Complete the following projects started in 2019-2020:
    • Audit of Real Property Management
    • IRAP Data Analytics Support and Advice
    • Collaborative Science and Technology Innovation Program (CSTIP) – Advisory
    • Risk Assessment and Assurance Strategy for NRC-led Laboratories Canada Hubs (TerraCanada and Transportation Safety and Technology Science (TSTS))
    • Data Analytics Support and Advice Related to Travel Card Use and Travel Patterns
  • Launch the following:
    • Emergency Planning and Preparedness Follow-up Audit and Lessons Learned
    • Rapid Internal Control Assessment of the Industrial Research Assistance Program's (IRAP) Innovative Assistance Program (IAP)
    • Business Continuity Planning and Crisis Management – Advisory
    • Continuation of Multi-year Advice Related to the TerraCanada and TSTS Hubs
    • Data Analytics – Acquisition Cards / Procurement Services / Travel / Accounts Payable and Verification

Note that to remain agile under the current operating environment, the underlying risk assessment will be updated throughout the year and projects adjusted as required.

This RBAP is developed in accordance with the requirements of the Treasury Board of Canada (TB) Policy on Internal Audit, along with related directives, guidelines, and the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA).

1.0 Background and Context

The National Research Council Canada's Internal Audit function (NRC-IA) provides assurance and advice to the President, the Departmental Audit Committee (DAC), Senior Executive Committee (SEC) and Senior Management. NRC-IA undertakes various audits to:

  • Provide the President and senior management with objective, independent and credible information that can support informed decision making on policy, portfolios, expenditure management and allocation of resources
  • Provide assurance that controls, systems and practices are robust and functioning well
  • Determine compliance with government policies, standards, procedures and applicable laws and regulations
  • Determine whether significant risks for the organization have been identified and that steps have been taken to mitigate them.

In addition to audits, NRC-IA provides advisory services that provide advice and guidance to management. This Risk-Based Internal Audit Plan for the National Research Council Canada (NRC) details Internal Audit priorities for fiscal years 2020-2021 to 2022-2023. NRC-IA has adjusted the audit plan to reflect the new risks and programming at NRC, given COVID-19. The plan is aligned with key government-wide risks stemming from COVID-19. As well, the mandate, organizational structure, and resources for NRC-IA are described in the plan.

2.0 Planning Process and Methodology

The audit planning process ensures that all internal audit activities are relevant, timely, and strategically aligned to support the achievement of the NRC's objectives. The recommendations and input from the NRC's DAC along with the NRC's senior management is sought and taken under advisement in setting internal audit priorities.

The following Figure 1 shows the overview of the process for the update of this risk-based audit plan.

Figure 1: Overview 2020 RBAP Update Process
Long description of Figure 1: Overview 2020 RBAP Update Process

The Figure 1 shows the overview of the process for the update of this risk-based audit plan. Audit planning begins with an environmental scan to identify key organizational changes, priorities, and risk areas, followed by audit universe re-evaluation and discussions with NRC management to reflect the NRC's most relevant and current priorities. Audit team then to prioritize preliminary projects based on analysis and evaluation results. The preliminary projects are re-assessed under the COVID 19 and NRC response. Audit team to prepare the draft plan and share with Senior Executive Committee and Departmental Audit Committee for consultation and recommendation. Audit team to finalize the plan based on the comments and recommendation received for the President's approval.

For detailed information on the annual RBAP update process, see Appendix A. In summary, audit projects are identified and prioritized based on interviews with senior management and a thorough review of the NRC environment, priorities and risks. More detail on project priorities is provided in Appendix B.

3.0 Internal Audit Plan

Based on the audit planning process, a three-year risk-based audit plan has been developed and is presented on the next page. In FY2020-2021, the majority of NRC's Internal Audit efforts will be focused on advisory services. This will provide near-real time advice and guidance with regards to risk management, control and governance processes in response to the current situation.

The different types of projects conducted by Internal Audit are shown in Figure 2 below.

Figure 2: NRC Types of Audit Projects
Long description of Figure 2: NRC Types of Audit Projects

Figure 2 shows the different types of projects conducted by Internal Audit.

  • Assurance
  • Advisory/Reviews/Consulting
  • Data Analytics
  • External Assurance

Each audit project contained in the 2020-2021 to 2022-2023 RBAP was selected for its high potential to add value to NRC's operations. The audit plan is summarized in Table 1. Please see Appendix C for the detailed timeline of each proposed audit project.

NRC-IA will assess the timeliness, relevance and added value of projects throughout the year and will recommend adjustments to senior management and the DAC, if and when necessary. Any management requests or unplanned audit activities of central government agents that have budget implications will be considered following consultation with NRC's senior management and the DAC.

Appendix D presents details for each planned project.

Table 1: NRC Proposed Three-year Audit Plan
NRC Proposed Three-year Audit Plan
2020-2021 2021-2022 2022-2023
Audits

Real Property Management (carry-over)

Professional Services Procurement and Contracting

Accounts Payable

Emergency Planning and Preparedness Follow-up and Lessons Learned

Integrated Enterprise Risk Management

Vacation and Compensatory Leave Management

 

Environmental Stewardship Governance and Practice

Budgeting and Forecasting

 

OCG Horizontal Audit of Departmental Performance Measurement

International Activities Management

Advisory / Reviews /  Consulting

IRAP Data Analytics Support and Advice (carry-over)

TerraCanada and Transportation Safety and Technology Science Hubs

TerraCanada and Transportation Safety and Technology Science Hubs

Collaborative Science and Technology Science Clusters (carry-over)

TBD

TBD

Risk Assessment and Assurance Strategy for NRC-led Laboratories Canada Hubs (carry-over)

   

Rapid Internal Control Assessment of the IRAP Innovative Assistance Program

   

Business Continuity Planning and Crisis Management

TerraCanada and Transportation Safety and Technology Science Hubs

Projects In Reserve

IRAP Business Application Transformation Initiative AdviceFootnote * (special request)

Audit of Data GovernanceFootnote *

Cloud Services Management AdviceFootnote *

IT Security Follow-up AuditFootnote *

Audit of Employment Diversity and Inclusion

Audit of Asset Management (Scientific Equipment)

Audit of Hazard Prevention Program

Audit of Workplace Wellness

Fraud Risk Assessment

Data Analytics

Data Analytics Support – Acquisition Cards / Procurement Services / Travel / Accounts Payable and Verification

Data Analytics – Upon Request

Data Analytics – Upon Request

Follow-up on Previous Audit Recommendations

As per the TB Policy on Internal Audit and International Standards for the Professional Practice of Internal Auditing, the Chief Audit Executive must establish a follow-up process and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

The follow-up is conducted twice per year in Q1 and Q3. Each time, management (or recommendation owners) are asked to provide their own assessment of the level of implementation of each recommendation and to include a brief progress update for each recommendation. For implementation of recommendations reported as "completed", recommendation owners must provide sufficient evidence which is validated by IA. Once the recommendation is validated by IA as fully implemented, it is closed.

Internal Audit had initially planned to prepare and present reports on the Follow-up of Management Action Plans at both the June 2020 and December 2020 DAC meetings. Currently, the follow-up on management action plans is on hold due to COVID-19 impacts; As such, NRC-IA is proposing to provide a management action plan status report at the September 2020 and December 2020 DAC meetings.

4.0 Capacity and Resource Planning

This section of the RBAP provides an overview of the resources available to Internal Audit as well as how these resources have been allocated to audit priorities. Projects undertaken will depend on the availability of financial and human resources, the estimated timelines and resource requirements for small, medium, and large projects have been provided to reflect current resources.

4.1 Capacity of the Internal Audit Function

At full strength, NRC-IA includes the Director General, Audit and Evaluation, one Director, three Audit Managers, three Senior Auditors, three Auditors and one co-op student. A team of two individuals provides the administrative as well as audit committee support for both the audit and evaluation functions. Internal Audit has recently launched two competitions to backfill one Senior Auditor and one Audit Manager.

The HR model of the Office of Audit and Evaluation is presented in Figure 3 below.

Figure 3: Office of Audit and Evaluation (OAE) Organizational Chart
Long description of Figure 3: Office of Audit and Evaluation (OAE) Organizational Chart

At full strength, NRC-IA includes the Director General, Audit and Evaluation, one Director, three Audit Managers, three Senior Auditors, three Auditors and one co-op student. A team of two individuals provides the administrative as well as audit committee support for both the audit and evaluation functions.

An estimate of total resource capacity available was determined and allocated to all internal audit projects using metrics based on past experience. Approximately 1,650 person days of capacity will be available for FY2020-2021 (i.e. direct audit and advisory services, excluding leave provisions and time for administration, professional development and language training). NRC-IA is expecting that approximately 16% of its project time would be directly related to the NRC's COVID-19 response.

Figure 4: Distribution of Audit Resources for FY2020-2021
Long description of Figure 4: Distribution of Audit Resources for FY2020-2021

An estimate of total resource capacity available was determined and allocated to all internal audit projects using metrics based on past experience. Approximately 1,650 person days of capacity will be available for FY2020-2021.

65% of available audit time will be allocated to project time, 16% will be governance and admin related, 7% for function which including QAIP, external liaison, and another 7% is related to Departmental Audit Committee meetings, and 5% is estimated for professional development.

In determining the audit capacity, the anticipated level of effort required to complete each proposed audit project within the fiscal year is taken into account. Audit projects fall into one of three size categories: Small, Medium, and LargeFootnote 1.

4.2 Resources to Deliver Projects in 2020-2021

The Office of Audit and Evaluation has the capacity to deliver the proposed Risk-Based Audit Plan within the resources allocated to it, as well as the capacity to engage in other branch activities such as the preparation of the RBAP itself, follow-up on the implementation of recommendations, performance reporting, along with external audit liaison. However, should be the additional capacity available for projects in reserve.

The estimated budget for internal audit in FY2020-2021 is:

  • $1.32 M for audit salaries
  • $121K for operations and maintenance
  • $67 K for DAC salaries and expenses.

The budget will be adjusted and amounts reallocated based on need and the situation going forward.

Appendix D provides the estimated level of effort and timelines for each planned audit project contained within the RBAP. In addition, should other priorities arise throughout the year, NRC Office of Audit and Evaluation will seek the approval of DAC (for internal audit projects) to undertake necessary adjustments or request additional resource on a contingency basis.

Appendix A: Annual RBAP Update Process

A1. Environmental Scanning and Analysis

Audit planning begins with an environmental scan to identify key organizational changes, priorities, and risk areas in which internal audit could add the most value in supporting the achievement of organizational objectives. Environmental scanning includes an analysis of:

  • Government of Canada priorities
  • Departmental plan and NRC priorities
  • Corporate risk profile
  • Senior management consultations
  • NRC Dialogue action plans
  • Management accountability framework results
  • External assurance functions
  • Internal and external audit project results / reviews / surveys.

A2. Audit Universe Re-evaluation

The audit universe is reviewed annually to reflect the NRC's most relevant and current priorities. The audit universe represents the auditable entities at NRC within which audit activities takes place. The current audit universe entities are grouped under three main headings:

  • Research programs
  • IRAP and other transfer payments
  • Internal services.

It should be noted that internal services is made up of six further groupings which include:

  • Management and oversight
  • Human resources management
  • Financial and procurement management
  • Assets and acquired services
  • Information management (IM) and IT management
  • Security management.

The audit universe is shown below in Figure 5.

Figure 5: NRC's Audit Universe
Long description of Figure 5: NRC's Audit Universe

The audit universe represents the auditable entities at NRC within which audit activities takes place. The current audit universe entities are grouped under three main headings:

  • Research programs
  • IRAP and other transfer payments
  • Internal services

It should be noted that internal services is made up of six further groupings under Internal Services which include:

  • Management and oversight
  • Human resources management
  • Financial and procurement management
  • Assets and acquired services
  • Information management (IM) and IT management
  • Security management

A3. Audit Project Prioritization, Consultation and Approval

Prioritization of the proposed audit projects includes consultations with the Vice Presidents, corporate DGs, audit team, and consideration of horizontal factors such as senior management requests, the DAC's advice and recommendations, past audit coverage, audits by the Office of the Comptroller General, and planned audits by other external assurance providers. Based on the results of this process, all potential high priority auditable entities are discussed with the President and the DAC. Particular emphasis is placed on the projects planned for 2020-2021, given that future year projects will be re-assessed on an annual basis. The outcome is a list of proposed audit projects that are directed towards priorities presenting the highest levels of risk from an internal audit perspective to be conducted over the three-year audit horizon.

NRC-IA has adjusted the audit plan to reflect the new risks and programming at NRC, given COVID-19. The plan is aligned with key government-wide risks stemming from the COVID-19 identified by the Office of the Comptroller General.

A focused and structured analysis and prioritization of the audit projects for inherent risk, financial significance, strength controls, public visibility, fraud risk, and other key risks was conducted by the NRC-IA using the priority assessment scale outlined in Figure 6 below.

Figure 6: Assessment of Audit Priority
Long description of Figure 6: Assessment of Audit Priority

Figure 6 outlines the priority assessment scale which including very high, high, moderate and low. NRC-IA analyses and prioritizes the audit projects based on inherent risk, financial significance, strength controls, public visibility, fraud risk, and other key risks by using the priority assessment scale.

This analysis resulted in the auditable entities being prioritized to provide a comprehensive base for selecting the engagements to be included in the three-year audit plan. Once the audit priorities were determined, the timing of each audit was reviewed, taking into account the following planning considerations:

  • current staff capacity and operating budget
  • sufficient coverage of NRC's risk management, control and governance processes
  • timing of OAG, OCG and other central agency audits, and evaluation plan
  • other considerations such as system and program renewals to avoid duplication of effort.

For further details regarding the audit priority assessment, please refer to Appendix B.

Appendix B: Audit Priority Assessment [REDACTED]

Appendix C: Proposed Three-year Audit Plan Timelines

It should be noted that NRC Internal Audit continues to reassess the timeliness, relevance and added value of projects throughout the year and will recommend adjustments to the SEC and the DAC if and when necessary. It is likely that if a project in reserve is not addressed, it could be carried over to a subsequent year. Any management requests or unplanned audit activities of central government agents that have budget implications will be considered consultation with NRC's senior management and the DAC.

A: Assurance
ARC: Advisory / Reviews / Consulting
DA: Data Analytics
Revised NRC Audit Plan – Proposed Schedule
  2020-2021 2021-2022 2022-2023
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
2020-2021 Audit of Real Property Management (carry-over) A A                    
Advisory - IRAP Data Analytics Support and Advice (carry-over) ARC ARC                    
Advisory - Collaborative Science and Technology Innovation Program (carry-over) ARC ARC ARC                  
Risk Assessment and Assurance Strategy for NRC-led Labs Canada Hubs (carry-over) ARC ARC                    
Emergency Planning and Preparedness Follow-up Audit and Lessons Learned   A A A                
Advisory – Business Continuity Planning and Crisis Management   ARC ARC                  
Rapid Internal Control Assessment of the IRAP Innovative Assistance Program ARC ARC ARC                  
Continuation of Multi-year Advisory Work on TerraCanada and Transportation Safety and Technology Science Hubs     ARC ARC                
Data Analytics – Acquisition Cards / Procurement Services / Travel / Accounts Payable and Verification       DA DA              
2021-2022 Audit of Professional Services Procurement and Contracting       A A A            
Audit of Integrated Enterprise Risk Management         A A            
Audit of Environmental Stewardship Governance and Practice         A A A          
OCG Horizontal Audit of Departmental Performance Measurement               A        
Continuation of Multi-year Advisory Work on TerraCanada and Transportation Safety and Technology Science Hubs           ARC ARC          
Data Analytics – Upon Request               DA DA      
2202-2023 Audit of Accounts Payable               A A      
Audit of Vacation and Compensatory Leave Management                 A A    
Audit of Budgeting and Forecasting                 A A    
Audit of International Activities Management                   A A  
Continuation of Multi-year Advisory Work on TerraCanada and Transportation Safety and Technology Science Hubs                   ARC ARC  
Data Analytics – Upon Request                     DA DA

Appendix D: Audit Projects Details

This section provides information on internal audit projects included in the 2020-2021 to 2022-2023 Risk-Based Audit Plan. The order of implementation is subject to change to accommodate resource availability. The plan also includes a preliminary risk register to assist auditors in preparing the audit project risk assessment.

During the planning phase of the audits, both the audit objective and scope will be finalized based on an initial review and understanding of the audit entity, which will include linking audit criteria to core management controls.

Internal Audit Projects for FY2020-2021

Audit Project 1. Audit of Real Property Management (carry-over)

Audit Universe Internal Services – Assets and Acquired Services
Audit Service Assurance
Audit Size Large

Proposed quarter: Start Q2 2019-2020 │End Q2 2020-2021

Rationale: NRC owns and operates for the most part its land and buildings which includes 6,920 acres of land and more than 183 buildings totaling more than 5 million square feet of space and representing an estimated current replacement value of more than $1 billion with a book value of $280 million as of March 31, 2018. NRC is responsible for ensuring the physical integrity of the real property holdings and ensuring compliance with the related real property policies.

Objective: The objective of the audit is to provide assurance that NRC's real property management framework demonstrates sound stewardship practices and aligns with the TB Policy on Management of Real Property.

Resources:

  • Person days: 180
  • NRC internal auditors
  • Project cost: $105,595

Audit Project 2. Emergency Planning and Preparedness Follow-up Audit and Lessons Learned

Audit Universe Internal Services – Security Management
Audit Service Assurance
Audit Size Small

Proposed quarter: Start Q2 2020-2021 │End Q4 2020-2021

Rationale: Federal departments and agencies are mandated to develop emergency management plans with respect to the risks that are within their areas of responsibility. In addition, departments and agencies are responsible for preparing, maintaining, testing, and implementing emergency management plans, as well as conducting exercises and training in relation to those plans.

Objective: The objective of the follow-up audit is to determine whether the implementation of the management action plan has been effective in addressing the recommendations made in 2018-19 Management Letter for Emergency Planning and Preparedness.

Resources:

  • Person days: 90
  • NRC internal auditors
  • Estimated project cost: $75,000

Audit Project 3. IRAP Data Analytics Support and Advice (carry-over)

Audit Universe IRAP and Other Transfer Payments
Audit Service Advisory
Audit Size Small

Proposed quarter: Start Q3 2019-2020 │End Q2 2020-2021

Rationale: NRC's Industrial Research Assistance Program (IRAP) provides a comprehensive suite of innovation services and funding to Canadian organizations and small and medium-sized enterprises in an effort to accelerate growth and stimulate wealth creation. To enable IRAP to support business research and development for projects up to a new threshold of $10 million, the Government of Canada's Budget 2018 proposes to invest $700 million over five years, starting in 2018-2019, and $150 million per year ongoing.

Objective: This advisory service is intended to provide support to NRC's Vice President, IRAP on leveraging data analytics to gain insight into IRAP's operations, risks, internal control design, and available information for decision-making.

Resources:

  • Person days: 120
  • NRC internal auditors
  • Project cost: $75,136

Audit Project 4. Collaborative Science and Technology Innovation Program (CSTIP) (carry-over)

Audit Universe Research Programs
Audit Service Advisory
Audit Size Small

Proposed quarter: Start Q4 2019-2020 │End Q3 2020-2021

Rationale: In effort to better support Canadian innovators, NRC recently has launched two new collaborative programs: supporting clusters and collaborative science, technology and innovation program. These programs target high-risk and high-reward research with the potential for game changing scientific discoveries and technological breakthroughs. However, because of the tight timelines and the unique and high-risk nature of the programs, there is a need to ensure proper due diligence is being executed.

Objective: The objective of this consultation engagement is to assess:

  • The due diligence in selection and approval processes, including whether there is an effective challenge function
  • Whether there is appropriate documentation of the rationales for selection and approval decisions
  • Whether desired program outcomes and metrics of success have been clearly articulated

Resources:

  • Person days: 120
  • NRC internal auditors
  • Project cost: $92,278

Audit Project 5. Risk Assessment and Assurance Strategy for Laboratories Canada: TerraCanada and Transportation Safety and Technology Science Hubs (carry-over)

Audit Universe Research Programs
Audit Service Advisory
Audit Size Small

Proposed quarter: Start Q4 2019-2020 │End Q2 2020-2021

Rationale: Lessons learned from recent large-scale government transformation initiatives have highlighted the importance of effective early and ongoing risk assessment and management. The Office of the Comptroller's (OCG) vision for Internal Audit for transformation programs such as Laboratories Canada is to take an active role during the development and delivery of the program.

Objective: The objective of this consulting engagement is to provide an independent and objective assessment of the risks related to governance, risk management and controls for the TerraCanada and Transportation Safety and Technology Science (TSTS) Hubs of Laboratories Canada. The risk assessment will then be used to develop a multi-year assurance strategy for each hub.

Resources:

  • Person days: 120
  • NRC internal auditors
  • Project cost: $105,965

Audit Project 6. Rapid Internal Control Assessment of the IRAP Innovative Assistance Program (IAP)

Audit Universe IRAP and Other Transfer Payments
Audit Service Advisory
Audit Size Small

Proposed quarter: Start Q1 2020-2021 │End Q3 2020-2021

Rationale: The IAP has been created to assist Canada's industrial and innovation sectors during the COVID-19 pandemic with an envelope of $250 Million for grants and contributions. This newly established program is being delivered with unprecedented speed and delivering unprecedented volumes of funding assistance within an extremely short period of time.

Objective: The objective of the advisory work is to provide a rapid review and assessment of business controls established to deliver the Innovative Assistance Program.

The project includes a rapid review and assessment of the governance, risk management, and internal control processes that have been established since the approval of the program. There will continue to be periodic check-ins with IAP staff once the initial assessment is complete, to ensure that any opportunities for improvement initially identified are implemented.

Resources:

  • Person days: 90
  • NRC internal auditors
  • Estimated project cost: $75,000

Audit Project 7. Business Continuity Planning and Crisis Management

Audit Universe Internal Services – Security Management
Audit Service Advisory
Audit Size Small

Proposed quarter: Start Q2 2020-2021 │End Q3 2020-2021

Rationale: As part of Treasury Board's policy instruments related to government security, departments and agencies must establish Business Continuity Planning (BCP) Programs, in order to plan for the continued availability of services and associated assets that are critical to the health, safety, security or economic well-being of Canadians, or to the effective functioning of government. BCP is a preventive control that builds resiliency before disaster strikes. As per Treasury Board's Operational Security Standard on BCP Program, business continuity plans are required for all services that, if interrupted, would result in a high degree of injury to Canadians or the working of government.

Preliminary Objective: To provide senior management with assurance that:

  • NRC has established a business continuity planning program framework for business continuity is adequate, effective and efficient
  • NRC's business continuity plan is align with the TB Policy on Government Security and Operational Security Standard-Business Continuity Planning Program and NRC policies.

Resources:

  • Person days: 90
  • NRC internal auditors
  • Estimated project cost: $75,000

Summary of Internal Audit Projects for Fiscal Year 2021-22 to 2022-2023

  1. Audit of Professional Services Procurement and Contracting

    Rationale: NRC's financial statement year ended March 31, 2018 reports $92 million in expenditures for professional services which increased by $9 million from the prior year.

    Preliminary Objective: To provide senior management with assurance that:

    • NRC's use of professional service contracted resources are cost-effective and in compliance with the TB Contracting Policy, Government Contract Regulations, and NRC contracting policies, directives and procedures.
  2. Audit of Integrated Enterprise Risk Management

    Rationale: Risk management when integrated with strategic priority setting, decision-making, policy development, project management, business planning, resource allocation, financial stewardship, operations, performance reporting, and external requirements, supports organizational resilience and predictability in achieving its strategic objectives.

    Preliminary Objective: To provide senior management with assurance that:

    • Business processes, guidance, monitoring and reporting are adequate, efficient and effective to support the management of risk at NRC.
  3. Audit of Environmental Stewardship Governance and Practice

    Rationale: NRC is currently working to further enhance its processes for ensuring sound environmental stewardship including implementation of its organization-wide Environmental Management System to enable proactive assessment and management of environmental issues and to meet compliance obligations.

    Preliminary Objective: To provide senior management with assurance that:

    • Governance, business processes, guidance, monitoring and reporting activities are adequate, efficient and effective in promoting and managing Environmental Stewardship at NRC.
  4. Audit of Departmental Performance Measurement (OCG Horizontal Audit)

    Rationale: Having complete, reliable, and timely departmental performance measurement information is critical to adequately demonstrate that departmental strategic results are achieved. This is a horizontal audit involving multiple departments that will be led by the Office of the Comptroller General (OCG). NRC may be included in the audit and, if so, audit fieldwork will be conducted by the Internal Audit team.

    Preliminary Objective: To provide senior management with assurance that:

    • Processes and frameworks are in place to provide complete, reliable, and timely departmental performance measures and targets
    • These processes and frameworks are aligned with TB Policies and guidance.
  5. Audit of Accounts Payable

    Rationale: The accounts payable function is an essential element of financial services. The Accounts Payable section in the Finance Branch processes invoices and issues payments for goods and services purchased by the NRC. The management of Accounts Payable is related to NRC's reputation and relationships with suppliers by providing accurate and timely payment to suppliers.

    Preliminary Objective: To provide senior management with assurance that whether controls over accounts payable transactions are adequately designed and operating effectively.

  6. Audit of Vacation and Compensatory Leave Management

    Rationale: All employees in the NRC are held accountable for the accurate recording of their leave. NRC must ensure that the recording and approving of vacation and compensatory leave is in accordance with relevant Collective Agreements and Terms and Conditions of employment.

    Preliminary Objective: The objective of this audit is to determine whether controls are in place working as intended to allow for accurate and consistent management of vacation and compensatory leave.

  7. Audit of Budgeting and Forecasting

    Rationale: Budgeting and forecasting are the processes in conjunction with the NRC's Finance and Procurement Branch, direct and allocate financial resources to meet strategic goals and objectives. Effective budgeting and forecasting should be supported by structured processes with clearly defined roles and responsibilities, consistent timelines and guidance, and appropriate training for all staff involved.

    Preliminary Objective: The objective of the audit is to assess whether the governance over the budgeting and forecasting processes is effective in supporting the achievement of NRC's strategic outcomes and priorities.

  8. Audit of International Activities Management

    Rationale: Global collaboration has become a competitive necessity for small and medium-sized enterprises in Canada. NRC plays a key role in ensuring that our clients are knowledgeable about and suitably prepared to address global challenges. NRC works with Canadian organizations and other government departments such as Global Affairs Canada to collaborate on international activities and programs designed to help assist firms in Canada to compete in the global marketplace.

    Preliminary Objective: To provide senior management with assurance that:

    • Governance, business processes, guidance, monitoring and reporting activities are adequate for the management of international activities at NRC.