Risk-Based Audit Plan 2018-2019

April 2018

1.0 Introduction
- 1.1 Purpose
- 1.2 The Role and Scope of Internal Audit
2.0 Risk-Based Audit Planning Approach
3.0 Risk-Based Audit Plan 2018-2019
- 3.1 Overview
- 3.2 Audit Coverage
Appendix A – Global Affairs Canada Audit Universe
Appendix B – Crosswalk between Departmental Results Framework Core Responsibilities and Planned Audits for 2018-2020
Appendix C – Crosswalk of Ministerial Mandate Letters to Planned Audits

Introduction

The Treasury Board of Canada Policy on Internal Audit seeks to contribute to the improvement of public sector management by ensuring a strong, credible, effective and sustainable internal audit function within departments as well as government-wide. In response to this requirement, Global Affairs Canada has developed this two-year Risk-Based Audit Plan. This plan details the assurance and advisory services that the Office of the Chief Audit Executive (OCAE) will provide, independent of line management, to sustain a strong, credible internal audit regime that contributes directly to sound risk management, control and governance.

The mandate of Global Affairs Canada^{Footnote 1} is to manage Canada's diplomatic and consular relations, to encourage the country's international trade and to lead Canada’s international development and humanitarian assistance. Global Affairs Canada was renamed in 2015 from the Department of Foreign Affairs, Trade and Development which brought together the portfolios of Foreign Affairs, Trade and Development under a single organization for greater cohesion in conducting Canada’s external affairs.

The Department administers a broad array of funding programs to protect Canadians and advance Canada’s priorities, interests and leadership abroad, including funding to international organizations. In addition, services are provided to Canadian businesses, Canadians travelling or living abroad, Canadian citizens, and foreign representatives and their dependents in Canada.

In Canada, Global Affairs Canada operates its headquarters in the National Capital Region and has regional offices in eight locations across the country. Global Affairs Canada also manages 178 missions in 110 countries^{Footnote 2}. These missions house departmental employees who carry out the Global Affairs Canada mandate abroad, as well as 37 partner departments, agencies and co-locators. For 2018-2019, there is $6.49 billion in planned spending^{Footnote 3} and as of June 30, 2017 there were 9,990 active Global Affairs Canada Employees, of which 6,238 were Canada Based Staff while 3,752 were Locally Engaged Staff positions at missions abroad.^{Footnote 4}

1.1 Purpose

The Office of the Chief Audit Executive of Global Affairs Canada prepared this document for the Deputy Minister to outline the 2018-19 to 2019-20 Risk-Based Audit Plan (RBAP or the Plan) for the Department. The Plan is designed to support the allocation of audit resources to those areas that represent the most significant risks to the achievement of Global Affairs Canada’s objectives and to respond to the requirements of the Treasury Board Policy on Internal Audit (April 1, 2017). In considering the appropriateness of the Plan, the Deputy Minister is advised by an independent Departmental Audit Committee (DAC) comprised of four external members.

1.2 The Role and Scope of Internal Audit

Internal auditing in the Government of Canada is a professional, independent and objective appraisal function.^{Footnote 5} As per the Financial Administration Act, the Department is required to have an internal audit capacity, designed to add value to departmental operations by using a disciplined, evidence-based approach to assessing and improving the effectiveness of risk management, control and governance processes.

Internal audit provides oversight over management systems and practices, including emerging risks in an ever-changing environment. In order to ensure internal audit's organizational independence, the Chief Audit Executive reports directly to the Deputy Minister of Foreign Affairs who is the Department’s accounting officer. This enables the provision of independent and objective advice on performance regarding operations, safeguarding of assets, reliability and integrity of reporting and compliance with laws and policies.

The practice of internal audit at Global Affairs Canada, including the development of the RBAP, is in line with the International Professional Practices Framework from the Institute of Internal Auditors (IIA), the suite of internal audit policies from the Treasury Board, and guidance from the Office of the Comptroller General (OCG) within the Treasury Board of Canada Secretariat.

The Institute of Internal Auditors^{Footnote 6} endorses the 'Three Lines of Defence in Effective Risk Management and Control' model as a way of explaining the relationship between these functions and as a guide to how responsibilities should be defined:

First line of defence - Functions that own and manage risk. Operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
Second line of defence - Functions that oversee risk and compliance. Consists of activities covered by several components of internal governance (compliance, risk management, quality, information technology and other control functions). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organization.
Third line of defence - Functions that provide independent assurance. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organization’s Executive Board and senior management. This assurance will cover how effectively the organization assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an institution’s risk management framework (from risk identification, risk assessment and response, to communication of risk related information) and all categories of organizational objectives: strategic, ethical, operational, reporting and compliance.

Exhibit 1 below outlines the three lines of defence in effective risk management and control at Global Affairs Canada. Internal audit is considered to be the third line of defence within the Department and as such plays a key role in the corporate governance structure to provide assurance in the areas of risk management, control and governance processes.

At Global Affairs Canada, the Executive Board provides direction to senior management by setting the organization’s risk appetite. The Executive Board also seeks to identify the principal risks facing the organization. Thereafter, the Executive Board assures itself on an ongoing basis that senior management is responding appropriately to these risks.

Management exercises primary ownership and responsibility for operating risk management and control. As such, management provides leadership and direction to the employees in respect of risk management, and controls the organization’s overall risk-taking activities in relation to the agreed levels of risk.

To ensure the effectiveness of an organization’s risk management framework, the Executive Board needs to be able to rely on adequate line functions – including monitoring and assurance functions – within the organization.

In addition to the provision of oversight services, the OCAE acts as the secretariat for the DAC which is comprised of four independent external members as well as two internal Deputy-level ex-officio members. The DAC provides objective advice and recommendations regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the Department's risk management, control and governance framework and processes (including accountability and auditing systems).

Text version

The diagram outlines the three lines of defence in effective risk management and control at Global Affairs Canada.

The first line of defence consists of Management Controls and Internal Controls over Financial Reporting.

The second line of defence consists of Monitoring Financial Controls (SMO), Recipient Auditing (SGF), Development Evaluation (PRA), Foreign Affairs and Trade Evaluation (PRE), Mission Inspections (ZIV), Risk Management, Planning and Reporting (SRD), Contracting Policy, Monitoring and Operations (SPP), and Special Investigations (ZIU).

The third line of defence consists of Internal Audit (VBD).

While the three lines of defence report to Senior Management, only the third line of defence also reports to the Executive Board/Departmental Audit Committee.

Additionally, residing outside Global Affairs Canada’s structure, there are international oversight bodies (e.g. United Nations Office of Internal Oversight Services, World Bank Internal Audit Vice Presidency). There are also external audits (Office of the Auditor General, Public Service Commission and Office of the Comptroller General) and other external oversight providers (Commissioner of the Environment and Sustainable Development, Commissioner of Official Languages, Privacy Commissioner, Procurement Ombudsman).

Source: Adapted from IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013.

Risk-Based Audit Planning Approach

To meet the requirement of the Treasury Board of Canada Directive on Internal Audit for the establishment of a multi-year plan for internal audit, an assessment of Global Affairs Canada’s areas of risk was conducted by the OCAE’s Risk-Based Audit Plan (RBAP) project team and OCAE management. The RBAP was then updated to ensure that internal audit resources continue to be targeted to the areas of highest risk and significance.

The engagements included in this plan were identified as a result of a comprehensive planning process, which is outlined below.

2.1 Development of the Audit Universe

The Global Affairs Canada audit universe is revised at the outset of the RBAP process in order to ensure a clear relationship with the Departmental Results Framework (DRF) while allowing for maximum flexibility in designing engagements that target areas of risk (see Appendix A – Global Affairs Canada Audit Universe). The audit universe is comprised of auditable elements organized on the basis of the DRF as well as the Department’s internal services. This approach includes elements at the program delivery, service delivery or internal service level, and facilitates the consideration of in-depth vertical or horizontal organization-wide engagements.

The DRF program inventory and the organizational chart were considered in the development of the universe as well as recognized finance, audit and IT frameworks such as COBIT^{Footnote 7} and COSO^{Footnote 8}. Stemming from the Treasury Board of Canada Policy on Results, the audit universe has undergone a significant transformation for 2018-2019 to realign it with the Departmental Results Framework from the previous Program Alignment Architecture (PAA).

2.2 Senior Management Consultations and Documentation Review

The RBAP process included consultations and risk assessment sessions with management (Directors and Directors General) representing key branches and areas of activity in the Department. An additional range of senior management consultations were undertaken in support of the RBAP, with selected Assistant Deputy Ministers, the Programs Committee and the Departmental Audit Committee all of which contributed to the development of the Plan. As a final step, the RBAP was presented to the Executive Board for further validation.

The objective of the consultations was to obtain input and assessment of risk, proposed audit engagements and upcoming changes and challenges in the operating environment. Senior managers were encouraged to share information on their specific areas of responsibility and horizontal risks across the Department, based on their experience and knowledge of operations.

An extensive review of corporate and external documents was also carried out. This included various internal and external plans, operational reports, and information on monitoring, performance, upcoming initiatives and priorities. The objective of this review was to gain knowledge on the internal and external operating environments.

2.3 Risk Assessment and Prioritization

A focused and structured analysis of the audit universe for operational, strategic, security, and financial risks was conducted by the OCAE using the risk assessment scale outlined in Table 1 below. The assessment also considered the risks identified as part of the annual corporate risk planning exercise. It is important to note that estimates of materiality of programs and operations were considered in the assessment of risk.

Table 1 – Risk assessment scale
Risk Level	Description
VERY HIGH	A major event that will require Global Affairs Canada to make large scale, long term realignment to its operations, objectives or finances.
HIGH	A critical event that, with proper management, can be endured by Global Affairs Canada.
MEDIUM	A significant event that can be managed under normal circumstances by Global Affairs Canada. The consequences could mean that the activity could be subject to significant review or changed ways of operations.
LOW	An event, the consequences of which can be absorbed through normal activity or minimal management effort.

This analysis resulted in the auditable elements being prioritized based on inherent risk and past and future assurance engagements (including internal and external audits) to provide a comprehensive base for selecting the engagements to be included in this plan.

2.4 Consideration of Other Assurance Provider Activities

Further to the OCAE’s role as liaison between the Department and external assurance providers, the OCAE aims to coordinate its risk-based audit planning activities with these entities with a view to: 1) ensuring audit coverage of high risk areas; and 2) minimizing overlap and duplication, thus reducing the audit burden on auditees.

Risk-Based Audit Plan 2018-2019

3.1 Overview

This section presents an overview of the Global Affairs Canada 2018-2019 Risk-Based Audit Plan (see Table 2).

Table 2 – Overview of engagements planned to start in 2018-2019

Continuous Auditing

Foreign Service Directives
Contracting
Vehicle Operations & Maintenance
Property Operations & Maintenance Overtime
Overtime

New Engagements

G7 Summit Management Office
Human Resources Delivery
Branch Management Offices
Occupational Health and Safety
IT Security Threat & Vulnerability Management
Trade Commissioner Services
Continuous Audit Assessment
Common Service Delivery Points
International Humanitarian Assistance
Grants and Contributions Monitoring & Oversight
Climate Change Initiatives

Management Practices at Selected Missions -

Bogota, Colombia
Pretoria, South Africa
Addis Ababa, Ethiopia
Beijing, China
Guatemala City, Guatemala
Singapore (control mission)

3.2 Audit Coverage

This section describes how the RBAP addresses areas of higher risk and significance. There is coverage of all ‘Very High’ and ‘High’ risk auditable entities for which it was determined that audit work is a priority. These entities derive from the audit universe detailed in Appendix A.

In support of the Chief Audit Executive’s annual report to the Deputy Minister and the Departmental Audit Committee, the RBAP also endeavours to address all Core Responsibilities under the Departmental Results Framework). Appendix B - Crosswalk between Departmental Results Framework Core Responsibilities and Planned Audits for 2018-2019 summarizes the extent to which the elements of this framework are covered in the planned audits for 2018-2019.

In addition, the RBAP also sought to ensure coverage of the Global Affairs Canada Ministers’ mandate letters as reflected in their policy and programming priorities. For a crosswalk linking these priorities to relevant planned engagements, please refer to Appendix C – Crosswalk of Ministerial Mandate Letters to Planned Audits.

Appendix A – Global Affairs Canada Audit Universe

Core Responsibility	Program Element
1. International Advocacy and Diplomacy	1. International Policy Coordination
	2. Trade, Investment and International Economic Policy
	3. Multilateral Policy
	4. International Law
	5. Diplomatic Services and Protocol
	6. Europe, Middle East and Maghreb Policy & Diplomacy
	7. Americas Policy & Diplomacy
	8. Asia Pacific Policy & Diplomacy
	9. Sub-Saharan Africa Policy & Diplomacy
	10. Geographic Coordination and Mission Support
	11. Gender Equality and the Empowerment of Women and Girls
	12. Humanitarian Action
	13. Human Development: Health & Education
	14. Growth that Works for Everyone
	15. Environment and Climate Action
	16. Human Rights, Governance, Democracy & Inclusion
	17. Peace and Security Policy
2. Trade and Investment	18. Trade Policy, Agreements Negotiations, and Disputes
	19. Trade Controls
	20. International Business Development
	21. International Innovation and Investment
	22. Europe, Middle East and Maghreb Trade
	23. Americas Trade
	24. Asia Pacific Trade
	25. Sub-Saharan Africa Trade
3. Development, Peace and Security Programming	26. International Assistance Operations
	27. Humanitarian Assistance
	28. Partnerships and Development Innovation
	29. Multilateral International Assistance
	30. Peace and Stabilization Operations
	31. Anti-Crime and Counter-Terrorism Capacity Building
	32. WMD Threat Reduction
	33. Canada Fund for Local Initiatives
	34. Europe, Middle East and Maghreb International Assistance
	35. Americas International Assistance
	36. Asia Pacific International Assistance
	37. Sub-Saharan Africa International Assistance
	38. Grants and Contributions Policy and Operations
4. Help for Canadians Abroad	39. Consular Assistance and Administrative Services for Canadians Abroad
4. Help for Canadians Abroad	40. Emergency Preparedness and Response
5. Support for Canada’s Presence Abroad	41. Platform Corporate Services
	42. Foreign Service Directives
	43. Client Relations and Mission Operations
	44. Locally Engaged Staff Services
	45. Real Property Planning and Stewardship
	46. Real Property Project Delivery, Professional and Technical Services
	47. Mission Readiness and Security
	48. Mission Network Information Management / Information Technology
6. Internal Services	49. Management & Oversight
	50. Communications
	51. Legal Services
	52. Human Resources 52.1 Organizational Design, Human Resources Planning, and Reporting 52.2 Job and Position Management 52.3 Staffing and Employee Integration 52.4 Compensation 52.5 Employee Performance, Learning, Development, and Recognition 52.6 Permanent and Temporary Separation 52.7 Workplace Management
	53. Financial Management 53.1 Resource Management 53.2 Reporting 53.3 Corporate accounting 53.4 Transfer payment programs 53.5 Costing 53.6 Internal Controls over Financial Reporting
	54. Information Management
	55. Information Technology
	56. Real Property (Domestic)
	57. Materiel Management
	58. Acquisition Management
	59. Occupational Health and Safety
-	60. Security (Other) 60.1 Business Continuity Planning 60.2 Domestic Security 60.3 IT Security (Domestic and Abroad)

Appendix B – Crosswalk between Departmental Results Framework Core Responsibilities and Planned Audits for 2018-2020

Audit Projects 2018-2019	International Advocacy and Diplomacy	Trade and Investment	Development, Peace and Security	Help for Canadians Abroad	Support for Canada’s Presence Abroad	Internal Services
Continuous Auditing
1. Foreign Service Directives	-	-	-	-	✔	-
2. Contracting	-	-	-	-	-	✔
3. Vehicle Operations & Maintenance	-	-	-	-	✔	-
4. Property Operations & Maintenance	-	-	-	-	✔	-
5. Overtime	-	-	-	-	-	✔
Planned Projects
6. G7 Summit Management Office	✔	-	-	-	-	✔
7. Human Resources - Delivery	-	-	-	-	-	✔
8. Business Management Offices	-	-	-	-	-	✔
9. Occupational Health and Safety (Duty of Care)	-	-	-	-	✔	✔
10. IT Security Threat & Vulnerability Management	-	-	-	-	✔	✔
11. Trade Commissioner Service	-	✔	-	-	-	-
12. Continuous Audit Assessment	-	-	-	-	-	✔
13. Common Service Delivery Points	-	-	-	-	✔	-
14. International Humanitarian Assistance	-	-	✔	-	-	-
15. Grants and Contributions Monitoring and Oversight	-	-	✔	-	-	✔
16. Climate Change Initiatives	✔	-	✔	-	-	-
17. Mission Audit 1 – Bogota, Colombia	-	-	-	-	✔	✔
18. Mission Audit 2 – Pretoria, South Africa	-	-	-	-	✔	✔
19. Mission Audit 3 – Addis Ababa, Ethiopia	-	-	-	-	✔	✔
20. Mission Audit 4 – Beijing, China	-	-	-	-	✔	✔
21. Mission Audit 5 – Guatemala City, Guatemala	-	-	-	-	✔	✔
22. Mission Audit 6 – Singapore (control mission)	-	-	-	-	✔	✔

Appendix C – Crosswalk of Ministerial Mandate Letters to Planned Audits

The following table outlines the Risk-Based Audit Plan’s audit coverage against Global Affairs Canada’s Ministers’ mandate letters^{Footnote *}.

Priority	2018-2019 Engagements	2019-2020 Engagements
Foreign Affairs
Reduce Impediments to Trade and Commerce (with the United States)	-	Trade: Dispute Settlement and Litigation
Clean Energy / Environment / Climate Change	Climate Change Initiatives	-
Defence and Foreign Policy / National Security	-	Peace and Stabilization Operations Program (formerly Global Peace and Security Fund)
Public Diplomacy / Stakeholder Engagement (Canada/abroad)	-	Diplomacy – Bilateral/Regional/Multilateral Digital Diplomacy / Social Media
International Trade
Implement / Consult on Trade Agreements	-	Trade: Dispute Settlement and Litigation
Trade and Export Strategy (promotion / investment / implementation)	Trade Commissioner Service	-
Invest in Clean Technology / Energy	Climate Change Initiatives	-
International Development
Development Assistance	International Humanitarian Assistance	Bilateral Development Assistance Authorized Programming Process
Governance / Human Rights	-	Development and/or humanitarian programming aspects of Canada’s response to the Middle East crises and violent extremism (Iraq, Syria, Jordan and Lebanon) Peace and Stabilization Operations Program (formerly Global Peace and Security Fund)
Development Innovation Climate / Development Financing	Climate Change Initiatives	-

Footnotes

Footnote 1

http://pco.gc.ca/index.asp?lang=eng&page=docs&doc=mog-ag-eng.htm

Return to footnote 1 referrer

Footnote 2

@ A Glance – Global Affairs Canada, June 30, 2017

Return to footnote 2 referrer

Footnote 3

Global Affairs Canada Departmental Plan 2018-19, p.34

Return to footnote 3 referrer

Footnote 4

@ A Glance – Global Affairs Canada, June 30, 2017. The LES figure does not include the 1,247 employees whose salaries are cost recovered from the partners and co-locators to which these LES provide service.

Return to footnote 4 referrer

Footnote 5