Risk-Based Audit Plan 2021-2023

Office of the Chief Audit Executive

October 2021

FINAL

Table of Contents

1.0 Introduction

This updated two-year risk-based audit plan (2021 to 2023) provides a forward plan of third-line assurance activity for Global Affairs Canada.

Operating Context

The proposed audit coverage is framed by the external and internal context within which the department has and will continue to operate. The level and concurrence of different crises over the last few years has created significant uncertainty, a shift of global priorities, and, in some cases, driven change. This “new normal” is expected to continue for some time, and may result in further uncertainty and challenges. In addition to the impact of these external drivers on the policy priorities and operating context of the department, possible fiscal constraints and the need to maintain a state of perpetual agility will add further stresses to the department’s business model.

Despite these external pressures, and in direct response to them, the department continues to pursue a number of internal reforms that aim to improve the effectiveness and efficiency of the business model and supporting processes through the delivery of key transformations (such as climate finance, data, digital, and trade). When coupled with the external threat environment, this could result in exposure and/or unintended consequences. While governance committees, senior management, and project teams are working to manage these matters, second and third-line functions should continue to provide oversight, monitor, and assess these matters to provide early warning and/or independent insight into drivers or gaps that could lead to potentially undesirable scenarios or exposure.

Departmental Oversight

Internal Audit, together with the Evaluation, Inspection, Enterprise Risk and the other second-line areas such as Internal Controls, have an important role to play in ensuring that the department maintains strong systems of governance, risk management and internal controls. With the finite resources available, Internal Audit will work with other oversight providers to target its engagements and coordinate with existing efforts. Internal audit will also shift some services into the preventative space, through the provision of advisory services and in-flight health checks to assist department in its effort to design fit for purpose, integrated systems and controls through informed risk assessments.

Internal Audit Function

Internal Audit’s strategy is to create value for Global Affairs Canada by leveraging our expertise to drive improvements that support the department in achieving its mandate and contribute to management excellence. To better plan and organize the internal audit function, and in light of the pandemic impacts on departmental operations, the function has developed a Risk-Based Audit Plan (RBAP) for two years to allow for more flexibility to adjust the plan on a year-to-year basis.  

2.0 Purpose

The practice of internal audit, including the development of the audit plan, conforms to the Treasury Board Policy on Internal Audit and its Directive. This policy and directive are derived from the International Professional Practices Framework of the Institute of Internal Auditors. Internal Audit is primarily responsible for advising and providing assurance on governance, risk management and internal control issues, consistent with its Internal Audit Charter.

The audit plan identifies the engagements to be undertaken in 2021-2022 and 2022-2023. It establishes the foundation on which the Internal Audit function will add value to the department. The plan was designed to align engagements to reflect the department’s core responsibilities (see 3.2) while addressing areas of high risk and significance.  

3.0 Risk-Based Audit Planning

3.1 Methodology

The first step undertaken in the planning process was a review and update of the audit universe using the Departmental Results Framework, which is comprised of 53 programs under six core responsibilities (see Appendix A).

Senior management consultations and material from senior management committees were collected and analayzed. The results from the consultations, documentation review, facilitated risk discussions and a review of outstanding audit recommendations identified areas of significance and risk. This ongoing work allows Internal Audit to monitor new and emerging risks proactively.  For the purposes of this plan, the following areas of risk were identified:

  1. Ongoing COVID-19 Activities – as the pandemic moves into its second year, the department is maintaining critical functions, and resuming regular operations while moving towards new post-pandemic practices and hybrid working options.
  2. Program Design and Delivery – effective management and controls, and coherence in programming are essential to support the achievement of business objectives and maintain program integrity. 
  3. Transfer Payments – the control framework over transfer payments needs continued focus to support efficient and effective delivery especially given the new Climate Finance Delivery Plan.
  4. Internal Service Delivery – data and digital solutions must be prioritized to secure information, support program and service delivery. Internal services need to be aligned with policy development and operations. The reliance on internal partners and external partners should be managed to support the achievement of business objectives.
  5. Transformation – several large transformation initiatives are underway. Risks associated with these initiatives that may warrant oversight include business readiness, financial controls, business process controls, technical solutions, governance, and regulatory aspects. 

3.2 Risk Approach

The risk areas were analyzed in relation to departmental priorities, core responsibilities, enterprise risks, and government-wide risk areas. As well, three detailed risk assessements were completed to address mission network risks, Information Technology risks and remote work risks.

In particular, for the mission risk assessement thirteen risk indicators were applied to 178 missions such as hardship, volume of temporary duty assignments, corruption index, financial risk, cash account, spending trends and contracting including method of vendor payment.  Following this step, other filters were applied such as number of staff, operating budgets greater than $1.5M, whether previously audited or inspected. This analysis identified ten missions that could be audited over the next two years.  Conducting mission audits in the field will depend on ability to travel from a health perspective and country stability from a safety perspective. Currently, the audit plan has a placeholder for four mission audits which provides flexibility for internal audit to decide on the exact locations closer to the start date.

3.3 Other Assurance Providers

Internal Audit coordinates risk-based audit planning activities in consideration of other internal oversight functions (e.g. Evaluation and Inspector General) and external assurance providers (i.e. Office of the Auditor General, Office of the Comptroller General and the Public Service Commission) to align audit coverage of high-risk areas, and to minimize overlap and duplication, thus reducing the engagement burden on the department. 

At Parliament’s request, the Office of the Auditor General (OAG) is continuing to focus on selected COVID-19 emergency responses as well as more traditional performance audits. In that regard, the department is currently engaged with the OAG on a performance audit on COVID-19 Vaccine Expenditures. The OAG has not yet determined if the department will be officially scoped into this audit. The department has received official notification for a second OAG performance audit related to Protecting the North. This audit is focused on the implementation of the Arctic and Northern Policy Framework. The department is also involved in the Audit of Public Accounts 2020-2021 that is recurrent every year and continues to focus on pay stabilization as the Government of Canada manages the associated risks with the Phoenix pay system.

The Office of the Comptroller General has issued its two-year audit plan (2021-22 to 2022-23). The Chief Audit Executive, in consultation with senior management, will consider participating in the Horizontal Audit of Departmental Adoption of Digital Standards or will conduct a similar audit on its own to address risks associated with the digital adoption strategy. 

The National Security and Intelligence Committee of Parliamentarians (NSICOP) and the National Security and Intelligence Review Committee Agency (NSIRA) are reviewing matters of national security and intelligence activities in the department. More specifically, the department is engaged in two reviews that are expected to be completed by Fall 2021. Internal Audit has provided support to this unit as the work is being conducted and will rely on the results of the review to inform any future audit work in this area.

The methodological approach used to prepare the audit plan is illustrated in the process map below:

Figure 01
Alternative text
  1. Document Review
    • Corporate plans (departmental, investment, security, human resources), Enterprise Risk Profile, Human Resources information, Ministers' Mandate Letters, departmental priorities, Departmental Results Framework
    • Departmental Results Reports, Management Accountability Framework Assessment results
    • Reports prepared by other internal and external assurance providers
  2. Consultations
    • Ongoing senior management consultations
    • Mission operations and functional management
    • Internal audit staff and other government departments
    • Coordinate with internal oversight providers (Inspection, Evaluation, Internal Controls)
    • Coordinate with external assurance providers (OAG, PSC and OCG)
  3. Risk Identification/ Prioritization
    • Synthesize document review and update branch profiles. 
    • Review outstanding audit recommendations to identify potential risk areas
    • Extract relevant data related to missions, country programs and conduct analysis
    • Identify and assess risks based on results of analysis
    • Prioritize auditable entities based on risk
  4. Mapping Auditable Entities
    • Map auditable entities to OCG government-wide risks, core responsibilities, Enterprise Risk Profile, Ministers' Mandate Letters, and departmental priorities to ensure adequate coverage
    • Consider work conducted by other assurance providers
  5. Developing the RBAP
    • Prioritize auditable entities for each fiscal year
    • Ensure engagements are focused on areas of highest risk
    • Assess whether audit/advisory is the right tool
    • Document the plan and submit for approval

3.4 Prioritization and Finalization

Following this work, the list of potential topics was prioritized for each fiscal year and engagements were selected based on areas of highest risk. The Internal Audit team also assessed which tool, audit or advisory, would be best to support the program area and/or function.  The remaining document outlines the engagements to be undertaken. 

Figure 02
Alternative text

Core Responsibilities

  • International Advocacy and Diplomacy
  • Trade and Investment
  • Development, Peace and Security Programming
  • Help for Canadians Abroad
  • Support for Canada's Presence Abroad
  • Internal Services

Enterprise Risks

  • Health, Safety & Well-being
  • Digital Transformation
  • Resilience & Cyber/ Digital Security
  • Human Resources Capacity
  • Management & Security of Real Property

Audit Risks / 2021-2023 Engagements

Ongoing COVID-19 Activities

Year #1:

  • Remote Work Assessment
  • Follow-up on COVID-19 After Action Review

Program Design & Delivery

Year #1:

  • CSDP Procurement, Management of Honorary Consuls, Duty of Care

Year #2:

  • Country Program Audit, Mission Audits, CSDP – Procurement – Washington, Berlin, Brussels, Trade Regional Operations

Transfer Payments

Year #1:

  • Grants & Contributions, International Assistance Innovation Program, Feminist International Assistance Program

Year #2:

  • Repayable Contributions – climate finance

Internal Service Delivery

Year #1:

  • Costing Methodology, Mission Acquisition Cards, IT Risk Assessment , Privacy Practices, Real Property, Internal Controls, IT Application Portfolio Management, IT Project Management, and Departmental Sustainable Development Strategy

Year #2:

  • Real Property – minor capital projects and maintenance

Transformation

Year #2:

  • Costing S4Hana

4.0 Two-year Risk-Based Audit Plan

4.1 Overview

This section presents an overview of the 2021-2022 to 2022-2023 Risk-based Audit Plan. Descriptions of the planned engagements for the years are in Appendices B, C, and D respectively.  

Table 1: Risk-Based Audit Plan

Year 1: 2021-2022Year 2: 2022-2023
  1. Audit - Grants and Contributions Oversight and Monitoring
  2. Audit - Privacy Practices
  3. Audit - Real Property – Portfolio Management
  4. Audit - Mission Acquisition Cards (Data Analytics)
  5. Audit - Mexico Common Service Delivery Point - Procurement
  6. Audit - Costing Methodology
  7. Audit - Management of Honorary Consuls
  8. Audit - Internal Controls Over Financial Management
  9. Audit - IT Application Portfolio Management
  10. Audit - Trade Services  -  Regional Operations
  11. Advisory - Feminist International Assistance Policy  Implementation
  12. Advisory - Duty of Care – Governance and Spending
  13. Advisory - International Assistance Innovation Program
  14. Assessment - Mission Risks
  15. Assessment - IT Risks 
  16. Assessment - Remote Work Risk
  1. Follow-up on the Pandemic After Action Review
  2. Audit - Washington – Common Service Delivery Point – Procurement
  3. Audit - IT Project Management
  4. Audit - Departmental Sustainable Development Strategy
  5. Audit - Berlin – Common Service Delivery Point – Procurement
  6. Audit - Country Program*
  7. Audit - Brussels – Common Service Delivery Point – Procurement
  8. Follow-up Audit - Repayable Contributions
  9. Audit - Real Property – Minor Capital Projects and Maintenance
  10. Advisory - S4Hana Transformation
  11. Mission Audit #1**
  12. Mission Audit #2
  13. Mission Audit #3
  14. Mission Audit #4
Reserve List
  1. Audit of Common Service Delivery Point – Procurement (Manila, London, Delhi)
  2. Grants and Contributions Transformation (Advisory)
  3. Audit of Real Property - Major Capital Projects
  4. GAC Reno Health Check (Advisory)
  5. Audit of Key Financial Controls
  6. Audit on the Adoption of Digital Standards (in conjunction with OCG)
  7. Audit of Asset Management (including Fine Art Collection)
  8. Audit of Foreign Service Directives – Oversight and Administration
  9. Audit of Return from Post
  10. Audit of Locally Engaged Staff Benefits

*Based on the risk assessment, Tanzania, Mozambique or Ethiopia could be selected for the country program audit.

** Based on the mission risk assessment the following missions could be selected for the mission audits - Dar Es Salaam, Port au Prince, Kinshasa, Accra, Ouagadougou, Dakar, Dhaka, Havana, Colombo, Kyiv or Lima.   

4.2 Audit Coverage

The engagements deemed to be of high risk and high priority have been included in the two-year plan. The variety of engagements covered in the plan cover a broad spectrum of core responsibilities, departmental priorities, ministers’ mandate letters, enterprise risks, and government-wide risks (see Appendix E).

4.3 Changes to the Audit Plan

The audit plan is updated annually with adjustments made during the year based on an environmental scan of departmental context and emerging risks.  The following engagements have been affected by the prioritization exercise:

The six mission audits were postponed due to COVID-19 travel restrictions and have been replaced with a series of seven remote audits examining procurement delivery from the various Common Service Delivery Points. The points of delivery are from Mexico, Washington, Berlin, Brussels, London, Manila and Delhi. These hubs service the mission network in the delivery of commons services such as finance, HR, contracting and procurement.

4.4 Challenges in Implementing the Audit Plan

Internal audit has identified the following risk factors that could impede the successful implementation of the audit plan:

Given this context, the audit plan remains flexible to respond to emerging risks and policy/program changes. If these changes emerge and suggest higher priority audit activity, the plan will be adjusted, so that we respond accordingly.

Internal audit has adopted an approach whereby internal resources are supplemented with qualified contractors when specialized services are required or when the function is faced with a shortage of its own qualified auditors. The renewal of the Professional Audit Support Services Supply Arrangement (PASS) in 2021-2022 will provide the internal audit function with professional contract auditors from pre-qualified firms.  These resources allow the internal audit function to supplement audit teams with subject matter expertise and allows the function to continue to provide opportunites for its staff to take on departmental assignments abroad, within headquarters or with other organizations.

4.5 Internal Audit Services

Internal audit’s suite of services includes assurance, advisory, health checks, milestone-based funding validation and consulting. The type of service chosen is based on the best fit for the department. The services are carefully designed to add value and improve the department’s operations (see Appendix F).

4.6 Delivering the Audit Plan – Resources

Internal audit currently has a human resource allocation of 40 full-time equivalent (FTE) staff. Currently, the division supports six staff on various one to two-year assignments (1 with the Public Health Agency undertaking COVID support; 1 with the International Space Agency – Internal Audit; 2 staff on rotational assignments abroad; and one on a six-month assignment with the Peace and Stabilization Operations team in the department).  We also have four vacant positions at the auditor level.  

Overall, the remaining team of 30 staff are well positioned to deliver on the current two-year plan and have approximately 45,000 hours available each fiscal year to devote to engagements taking into consideration leave and professional development.  As mentioned, co-sourcing will be used as required to increase audit expertise and/or capacity. 

2021-2022 Budget
Salaries ($)Operating ($)Total ($)
Assurance & Advisory Services2,399,9522,399,952
Office of the Chief Audit Executive431,673350,624782,297
Professional Practices Unit895,280895,280
Departmental Audit Committee Activities55,00050055,500
Professional Services513,204513,204
Training80,50080,500
TravelTBD
Total3,781,905944,8284,726,733
Appendix A – 2021-2022 Departmental Results Framework and Program Inventory
International Advocacy and DiplomacyTrade and InvestmentDevelopment, Peace and Security ProgrammingHelp for Canadians AbroadSupport for Canada’s Presence AbroadInternal Services
  1. International Policy Coordination
    Prg Official: PFM/E. Golberg (IFM, JFM, KFM, PFM, DSMX, POD, PVD, IBMO, PBMO, DSMO, DSMP, DSMZ, PED)
  2. Multilateral Policy
    Prg Official: MFM/P. MacDougall (MFM, MED, MGD, MHD, MND, MSD, SID)
  3. International Law
    Prg Official: JLD/C.Knobel (JLD)
  4. The Office of Protocol
    Prg Official: XDD/S. Wheeler (XDD)
  5. Europe, Arctic, Middle East and Maghreb Policy & Diplomacy  Prg Official: EGM/S. McCardell
    (EGM, ECD, ELD, ESD, EUD, EBMO)
  6. Americas Policy & Diplomacy  
    7. Prg Official: NGM/M. Grant (NGM, NDD, NGD, NLD, NND)
  7. Asia Pacific Policy & Diplomacy
    Prg Official: OGM/P. Thoppil (OGM, OAD, OPD, OSD, OBMO)
  8. Sub-Saharan Africa Policy & Diplomacy
    Prg Official: WGM/M. Khanna (WGM, WED, WFD, WWD)
  9. Geographic Coordination and Mission Support
    Prg Official: NMD/S. Thissen (NMD, SID)
  10. International Assistance Policy
    Prg Official: MFM/P. MacDougall (MFM, MHD)
  11. International Security Policy and Diplomacy
    Prg Official: IFM/D. Costello (IFM, IGD)
  1. Trade Policy, Agreements, Negotiations, and Disputes
    Prg Official: TFM/S. Verheul (TFM, JLT, TFMA, TFMC, TMD, TND, TPD, TBMO)
  2. Trade Controls
    Prg Official: TID/S. Anand (TID, SED, SID, SWD)
  3. International Business Development
    Prg Official: BTD/S. Goodinson (BFM, BBD, BED, BPD, BTD, BSD, BFMA)
  4. International Innovation and Investment
    Prg Official: BID/E. Kamarianakis (BID, SID, BHB)
  5. Europe, Arctic, Middle East and Maghreb Trade
    Prg Official: EGM/S. McCardell (ECD, ELD, ESD, EUD, DWD)
  6. Americas Trade
    Prg Official: NGM/M. Grant (NDD, NGD, NLD, NND)
  7. Asia Pacific Trade
    Prg Official: OGM/P. Thoppil (OAD, OPD, OSD, (including APEC))
  8. Sub-Saharan Africa Trade
    Prg Official: WGM/M. Khanna (WED, WFD, WWD)
  1. International Assistance Operations
    Prg Official: DPD/E. Wega (DPD)
  2. Office of Human Rights, Freedom and Inclusion (OHRFI) Programming
    Prg Official: IOP/ G. Natale (IOD, IOP)
  3. Humanitarian Assistance
    Prg Official: MHD/S. Salewicz (MHD)
  4. Partnerships and Development Innovation
    Prg Official: KFM/C. Leclerc (KFM, KED, KGD, KSD, PFM, SGD)
  5. Multilateral International Assistance
    Prg Official: MFM/P. MacDougall (MFM, MED, MGD, MID, MND, MSD, PFM)
  6. Peace and Stabilization Operations
    Prg Official: IRC/J. Minns (IRG, IRD, IGD, OAD, OPD, NND, OSD, NLD, ECD, WWD, MID)
  7. Anti-Crime and Counter-Terrorism Capacity Building  
    Prg Official: ICC/C. Constantin (IDC, ICC, IDD, IGD)
  8.  Weapons Threat Reduction  
    Prg Official: IGA/A. Liao-Moroz (IGD, IGA)
  9. Canada Fund for Local Initiatives
    Prg Official: NMD/S. Thissen (NMD)
  10. Europe, Arctic, Middle East and Maghreb International Assistance
    Prg Official: EGM/S. McCardell (ECD, ELD, ESD, EUD)
  11. Americas International Assistance
    Prg Official: NGM/M. Grant (NDD, NLD)
  12. Asia Pacific International Assistance  
    Prg Official: OGM/P. Thoppil (OAD, OGMA- TRIGR, OPD, OSD)
  13. Sub-Saharan Africa International Assistance
    Prg Official: WGM/M. Khanna (WED, WFD, WWD)
  14. Grants and Contributions Policy and Operations  
    Prg Official: SGD/M. Collins (SGD)
  1. Consular Assistance and Services for Canadians Abroad
    Prg Official: CND/B. Szwarc (CFM, CND, CPD, ECD, ELD, ESD, EUD, NLD, NND, OAD, OPD, OSD, SID, WED, WWD, CBMO, OBMO, NDD, CSD, MISSION, MID)
  2. Emergency Preparedness and Response
    Prg Official: CSD/J. Sunday (CSD, SID)
  1. Platform Corporate Services
    Prg Official: AAD/D. Bélanger (ACM, AAD)
  2. Foreign Service Directives
    Prg Official: HED/M. Cameron (A) (HED, SID, MISSION)
  3. Client Relations and Mission Operations  
    Prg Official: AFD/L. Almond (AFD, CS Mission)
  4. Locally Engaged Staff Services
    Prg Official: HLD/P. Kitnikone (A) (HLD)
  5. Real Property Planning and Stewardship
    Prg Official: ARD/D. Schwartz (ARD)
  6. Real Property Project Delivery, Professional and Technical Services
    Prg Official: AWD/G. Stephens (A) (AWD)
  7. Mission Readiness and Security
    Prg Official: CSD/J. Sunday (CSD, IDD, CS Mission, SID)
  8. Mission Network Information Management / Information Technology  
    Prg Official: SID/J.P. Donoghue (A) (SID, IDD, CS Mission)
  1. Management & Oversight  
    Prg Official: DCD/C. Calvert (DCD, DMA, DME, DMT, MINA, MINE, MINL, MINT, PRD, SRD, VBD, USS, ZID, DBMO, DMX, SCM)
  2. Communications
    Prg Official: LDD/C. Brisebois (LCD, LCM, LDD, LBMO, LCC, LCA)
  3. Legal Services
    Prg Official: JUS/P. Hill (JLT, JUS, JFM)
  4. Human Resources
    Prg Official: HCM/F. Trudel (CFM, CFSI, HFD, HSD, HWD, Pools, SID, HBMO, Mission)
  5. Financial Management
    Prg Official: SCM/A. Ouellette (SCM, SID, SMD, SWD, SBMO)
  6. Information Management
    Prg Official: SID/J.P. Donoghue (A) (DCD, SID, SET)
  7. Information Technology  
    Prg Official: SID/J.P. Donoghue (A) (CSD, SID, SCM, SET)
  8. Real Property (Domestic)
    Prg Official: SPD/D. Pilon (CSD, SPD, SCM)
  9. Materiel Management
    Prg Official: SPD/D. Pilon (SPD)
  10. Acquisition Management
    Prg Official: SPD/D. Pilon (SPD, SCM)

Appendix B – Description of 2021-2022 Engagements

#Year #1 2021-2022Link to Program Inventory & Enterprise Risk  DescriptionTabling Date
1Carry Forward
Audit of Grants and Contributions – Oversight and Monitoring		International Advocacy and Diplomacy

Trade and Investment

Development Peace and Security Programming

Internal Financial Management		Objective: to assess whether appropriate grants and contributions oversight and program monitoring are in place and operating effectively to support the achievement of departmental objectives
Scope: The audit examined the management and operational practices and controls at headquarters and at the program and project levels, including both centralized and decentralized programs.
Background:
  • Grant and contribution payments represent over 65% of the department’s annual spending ($4.6B) and are key instruments in furthering the Government of Canada’s international policy objectives and priorities in foreign affairs, trade and development.
May 2021
2Carry Forward Audit of Privacy PracticesInternal Services

Operations		Objective: to provide assurance that the department has policies, procedures, processes and controls in place to ensure compliance with the Privacy Act and the effective delivery of programs and services
Scope: The audit examined the privacy-related policies, procedures, processes and systems.
Background:
  • Departments collect, use and manage the personal information of Canadians and staff to fulfill its mandate. Strong privacy practices (the proper use, disclosure, and protection of that information) is critical. 
June 2021
3Carry Forward Audit of Real Property – Portfolio ManagementSupport for Canada’s Presence Abroad

Management and Security of Real Property and Assets		Objective: to assess the management control framework in place to support effective real property portfolio planning and investment planning
Scope: The audit includes current planning processes and practices as well as modernization initiatives that are underway.
Background:
  • The department has property stewardship and project delivery responsibilities for more than 2,400 owned and leased facilities abroad, which includes 234 chanceries and 85 official residences.
November 2021
4Carry Forward Audit of Mission Acquisition Cards (Data Analytics)Internal Services

Internal Financial Management		Objective: to assess the effectiveness of controls in place to ensure that the department complies with legislative requirements and relevant policies on the use of acquisition cards at missions
Scope: The engagement examines acquisition card transactions across the 178 missions for calendar years 2019 and 2020.
Background:
  • Ongoing analytics is a cost-efficient approach to complement traditional audits.
  • It helps inform risk-based audit planning as well as the requirement for further examination through traditional audits and advisory services.
  • The methodology complements the monitoring function of departmental managers.
December 2021
5Audit of Mexico Common Service Delivery Point - ProcurementSupport for Canada’s Presence Abroad

Internal Financial Management		Objective: to determine whether effective controls are in place to support mission procurement activities are compliant with applicable regulations and policies
Scope: The audit will procurement activities through contracts and invoices in the 26 missions served by the CSDP in Mexico using data analytics.
Background:
  • The results of 20 mission audits have found that procurement is one of the high risk areas.  In lieu of doing mission audits due to pandemic travel restrictions, data analytics methodology is being employed to examine the procurement practices flowing through the common service delivery points (CSDP). 
  • All seven CSDPs will be covered over the course of the next few years.
January 2022
6Carry Forward Audit of Costing MethodologyInternal Services

Internal Financial Management		Objective: to determine whether departmental processes and frameworks are in place to provide costing information to support decision-making
Scope: The audit will examine financial and human resource components of costing projects/programs that are used to support attestation by the Chief Financial Officer.
Background:
  • All departments are required to comply with the new policies related to costing for the MC/TB submission process to allow ministers to make informed decisions.
  • Given the size and complexity of the department, reliable costing information is important to ensure investments are aligned with the departmental mandate.
  • Sufficient internal costing capacity and competencies are the foundation to the development of strong costing methodology.
March 2022
7Audit of Management of Honorary ConsulsSupport for Canada’s Presence Aboard

External Engagement		Objective: to examine the appointment, oversight and expenditures of operations related to Honorary Consuls
Scope: The audit will examine processes and procedures for appointing honorary consuls abroad for the last two fiscal years.
Background:
  • Honorary Consul program has proven an effective and cost-efficient means of delivering services and maintaining a Canadian presence overseas.
  • Honorary Consuls are not employees, they are paid honoraria as prescribed by the Order-in-Council on appointment.
March 2022
8Audit of Internal Controls Over Financial ManagementInternal Services

Internal Financial Management		Objective: examine the framework to manage, monitor, and report on key controls of selected business processes for compliance and operating effectiveness
Scope: The audit will focus on those selected business processes for the last two fiscal years and may exclude acquisition cards given recent audit work.
Background:
  • In 2017, Treasury Board introduced the Policy on Financial Management (PFM), requiring all departments to establish, monitor and maintain a risk-based system of ICFM.
  • The objective of the PFM is to ensure that “financial resources of the Government of Canada are well managed in the delivery of programs to Canadians and safeguarded through balanced controls that enable flexibility and manage risk.”
June 2022
9Audit of IT Application Portfolio ManagementInternal Services

Resilience & Cyber/Digital Security

IT Infrastructure		Objective: to assess the adequacy and effectiveness of processes in place to manage the portfolio of applications and platforms throughout their life cycle
Scope: The audit will include how the health of the applications and platforms is continuously monitored, how aging IT and application/platform security risks are managed, how enterprise architecture is considered to limit duplicate applications and platforms, and how the move to cloud or Shared Services Canada’s enterprise data centers is considered and aligned to the Government of Canada’s direction.
Background:
  • The audit was identified from the IT Risk Assessment
  •  Risks identified related to aging infrastructure; enterprise architecture misalignment; security and the containment of ongoing operational costs.
June 2022
10Audit of Trade Service – Regional OperationsTrade and Investment

External Engagement		Objective: to review and assess optimization and integration of regional activities within the overall Trade Commissioner Service (TCS) transformation initiative
Scope: The audit will examine the role of the regions vis-à-vis headquarters and mission operations, change management related to the transformation and privacy practices.
Background: 
  • The TCS has 161 offices around the world including five regional offices in Canada.
  • Canada’s regional offices provide the TCS’ global network with direct access to high-potential clients in proactive sectors and support initiatives. These offices engage with targeted SME clients in proactive sectors and provide sustained and customized support to foster their international expansion.
Fall 2022
11Carry Forward Feminist International Assistance Policy (FIAP) ImplementationInternational Advocacy and Diplomacy

Development Peace and Security Programming

Internal Financial Management		Objective: to provide advice to DME on the implementation of the FIAP and steps taken by the department to improve the effectiveness of international assistance
Scope: this review included the governance and accountability; planning strategies and policy guidance; and monitoring and reporting activities undertaken to support the department’s implementation of FIAP from April 2018 to March 2020.
Background:
  • In February 2020, the Deputy Minister of International Development (DME) requested that VBD assist the department in preparation for the upcoming audit by the Office of the Auditor General (OAG), which planned to start in the spring of 2020.
May 2021
12Carry Forward Duty of Care – Governance & Spending AdvisorySupport for Canada’s Presence Abroad

Management and Security of Real Property and Assets		Objective: to provide advice on the Duty of Care envelope as it relates to governance, how the department monitors progress, accounts for the money spent, and accurately reports to senior management and central agency
Scope: The engagement scope includes governance, spending, reporting and monitoring activities undertaken to support the delivery of Duty of Care initiatives.
Background:
  • Duty of Care funds (approximately $1B in funding was approved in 2017 to be spent over 10 years) were secured to protect staff at Canadian missions abroad through infrastructure, mission readiness and information security.
December 2021
13Carry Forward International Assistance Innovation Program AdvisoryInternational Advocacy and Diplomacy

Development Peace and Security Programming

Policy, Program and Service Delivery		Objective: to provide advice to management on the appropriate governance structure to support the implementation of the International Assistance and Innovation Program (IAIP)

Scope: This engagement focused on key aspects of the design framework for innovative programming initiatives including governance, roles, responsibilities and accountabilities and common blended finance practices.
Background:
  • In June 2019, this program was approved as a five-year pilot and is authorized to use unconditional and conditional repayable contributions, guarantees, sovereign loans, and equity in support of development financing.
  • The new program is intended to assist in growing markets by creating more opportunities to demonstrate that investing in support of the Sustainable Development Goals (SDGs) can yield both sustainable development and financial returns.
December 2021
14Carry Forward IT Risk Assessment AdvisoryInternal Services

IT Infrastructure		Objective: to define the department’s IT audit universe, conduct a risk assessment and identify potential audits to be included in the audit plan
Scope: The assessment defined the IT audit universe, identified the risks and prioritized areas requiring further examination.
Background:
  • As per the Policy on Internal Audit there is an expectation that internal audit will routinely evaluate risk exposures relating to the department’s information systems. 
  • The department has several hundred applications designed to support the delivery of foreign affairs, trade and development programs.
May 2021
15Carry Forward COVID-19 - Remote Work Assessment AdvisoryInternal Services

Operations – Health Safety and Well-being		Objective: to identify and assess the risks related to remote work practices to inform senior management and to prioritize areas that may require further examination
Scope: This advisory engagement assessed risk areas related to remote work such as governance and accountability, health and safety, IM/IT and cyber security as well as people management.
Background:
  • In Spring 2020 the department quickly moved to a remote work environment. 
  • Both public and private sector organizations have begun to examine the emerging risks related to work location, work policies and work procedures to support the future of work strategy.
June 2021

Appendix C – Description of 2022-2023 Engagements

#Year #2 – 2022-2023Link to Program Inventory & Enterprise RiskDescriptionTabling Date
1Follow-up audit - Pandemic After Action ReviewInternal Services

Health Safety and Well-being		Preliminary Objective: to determine progress towards addressing issues identified in the After Action Review. 
Preliminary Scope: This review will be limited to the areas identified in the After Action Report.
Background: This engagement will continue to support the department’s pandemic response by tracking implementation of recommendations derived from the lessons learned exercises.		March 2022
2Audit of Washington  Common Service Delivery Point – ProcurementSupport for Canada’s Presence Abroad

Internal Financial Management		Objective: to determine whether effective controls are in place to support mission procurement activities that are compliant with applicable regulations and policies
Scope: The audit will examine procurement activities through contracts and invoices in the missions served by the CSDP in Washington using data analytics.
Background:
  • The results of 20 mission audits have found that procurement is one of the high risk areas.  In lieu of doing mission audits due to pandemic travel restrictions, data analytics methodology is being employed to examine the procurement practices flowing through the common service delivery points (CSDP). 
June 2022
3Audit of IT Project ManagementIT InfrastructurePreliminary Objective: to assess the governance, risk management practices and internal controls in place to support the successful management of IT-enabled projects.
Preliminary Scope: The scope will encompass project management processes and the departmental project management framework. A sample of projects could be selected to assess if departmental processes are being followed and working as they were intended.
Background:
  • This risk area was identified as a priority following on the IT Risk Assessment.
  • IT enabled projects are critical to GAC’s success moving towards a hybrid environment.
  • The engagement will continue to support the department in its digital transformation.
January 2023
4Audit of Departmental Sustainable Development Strategy (DSDS)International Advocacy and Diplomacy

Trade and Investment

Development Peace and Security Programming

Internal Financial Management		Preliminary Objective: The audit will assess the progress made to implement the departmental Sustatinable Development Strategy 2020 to 2023.
Preliminary Scope: The scope will encompass the strategy and the three goals related to Greening government, Effective Action on Climate Change and Clean Growth as delivered by the Material Mangement, IT, Acquisition Management and Trade. 
Background:
  • The department is strongly committed to advancing sustainable development at home and abroad.
  • Through the DSDS, Global Affairs Canada contributes to the achievement of 3 goals through green acquisitions, green training, IT acquisition of ENERGY STAR devices; water management, energy consumption; climate finance; and clean energy investment.
January 2023
5Audit of Berlin Common Service Delivery Point – ProcurementSupport for Canada’s Presence Abroad

Internal Financial Management		Preliminary Objective: to determine whether effective controls are in place to support mission procurement activities that are compliant with applicable regulations and policies
Preliminary Scope: The audit will examine procurement activities through contracts and invoices in the missions served by the CSDP in Berlin using data analytics.
Background: The results of 20 mission audits have found that procurement is one of the high risk areas.  In lieu of doing mission audits due to pandemic travel restrictions, data analytics methodology is being employed to examine the procurement practices flowing through the common service delivery points (CSDP). 		January 2023
6Audit of Country Program*International Advocacy and Diplomacy

Trade and Investment

Development Peace and Security Programming

External Engagement Policy, Programs & Services		Preliminary Objective: to provide assurance that the management of the country program is well governed, risk managed with effective internal controls to achieve program objectives.  
Preliminary Scope: The audit will focus on the activities of a particular country program including a governance, risk practices, strategic and financial planning, HR, a review of projects, processes and practices. 
Background: Prior to amalgamation, CIDA provided development funding (international and humanitarian assistance) to countries that were determined to be “countries of focus.” Following amalgamation, DFATD continued the practice of country program audits with the Audit of Burkina Faso in 2014, and both the Colombia and Mali Development programs in 2015. Given the materiality of development funding in the department, specific Grants and Contributions programs have continued to be audited over the years, however, auditing an entire country program will provide a holistic assessment of all of the business lines and activities within that country (e.g. international assistance, humanitarian assistance, peace operations, trade activities, foreign policy strategies).  Based on the risk assessment, Tanzania, Mozambique or Ethiopia could be selected for the country program audit.		June 2023
7Audit of Brussels Common Service Delivery Point – ProcurementSupport for Canada’s Presence Abroad

Internal Financial Management		Preliminary Objective: to determine whether effective controls are in place to support mission procurement activities are compliant with applicable regulations and policies
Preliminary Scope: The audit will examine procurement activities through contracts and invoices in the missions served by the CSDP in Brussels using data analytics.
Background: The results of 20 mission audits have found that procurement is one of the high risk areas.  In lieu of doing mission audits due to pandemic travel restrictions, data analytics methodology is being employed to examine the procurement practices flowing through the common service delivery points (CSDP). 		January 2023
8Follow-up audit of Repayable ContributionsInternal Financial management

Policy, Programs & Services		Preliminary Objective: to provide reasonable assurance that an effective management framework supports the repayable contributions program in meeting its priorities and to follow-up on the recommendations from the 2018 Audit of Repayable Contributions
Preliminary Scope: The audit will focus on the key components of the management control framework.		June 2023
9Audit of Real Property – Minor Capital Projects and MaintenanceSupport for Canada’s Presence Abroad

Management and Security of Real Property & Assets		Preliminary Objective: to determine whether there are effective processes and structures in place to manage the delivery of minor capital projects and maintenance
Preliminary Scope: The audit will examine governance, risk management practices and internal controls related to the delivery of the minor capital projects and maintenance. The scope may  include investment decision-making and accountability. A sample of minor capital and maintenance projects will be reviewed.		June 2023
10S4Hana – Transformation AdvisoryInternal Services

IT Infrastructure

Project Management		Preliminary Objective: to provide on-going health checks for the implementation of the S4Hana project to support project delivery and assurance that may be required for funding decision points.
Preliminary Scope: The first health check will be focused on governance for the project.
Background:
  • S4Hana is a government-wide solution to replace older versions of SAP.
  • Currently the department uses a legacy system SAP ECC 6.0 as its Enterprise Resource Planning system. SAP has set a 2025 deadline, after which its transactional system will no longer be supported.
Ongoing reporting

11 12 13 14		Mission Audit
Mission 1
Mission 2
Mission 3
Mission 4		Support for Canada’s Presence Abroad

Financial & Asset Management:
- Mission Operations
- LES Workforce
- IM/IT Management		Preliminary Objective: to determine whether sound management practices and effective controls are in place to ensure good stewardship of resources at the mission in support of the achievement of GAC’s objectives.
Preliminary Scope: The audit will examine select elements of a mission’s common services, property, consular and readiness programs.  
Background:
  • Internal audit has been examining the business practices of high-risk missions since 2017.  Typically, 4 to 5 missions are selected (per fiscal year) based on a risk analysis, geographic dispersement and to complement/cooridnate the work of the Inspector General.
2022-2023

Appendix D – Reserve List of Engagements 2021-2023

#Year 1 & Year 2Link to Program InventoryFurther Information
1Audit of Common Service Delivery Point – Procurement (Manila or London or Delhi)Support for Canada’s Presence AbroadTo determine whether sound management practices and effective controls are in place to ensure good stewardship of resources at the mission in support of the achievement of Global Affairs Canada’s (GAC) objectives.
2Grants and Contributions Transformation (Advisory)Internal ServicesTo ensure that this large IT Transformation meets its stated objectives. Examine governance structures, roles, responsibilities, and accountabilities, as well as ensuring strong risk management practices and controls around change management and IT project management.
3GAC Reno Health Check (Advisory)Support for Canada’s Presence AbroadTo ensure that the GAC Reno is on track, within budget, and meeting business requirements, that risks have been identified and mitigated. This engagement may include the examination of specific projects to ensure the GAC Reno initiative will meet its stated objectives.
4Audit of Key Financial ControlsInternal ServicesTo examine the framework to manage, monitor, and report on key financial controls of selected business processes for compliance and operating effectiveness.
5Audit on the Adoption of Digital Standards (in conjunction with OCG)Internal ServicesOCG has issued its two-year audit plan (2021-22 to 2022-23). The CAE, in consultation with senior management, will consider participating in the Horizontal Audit of Departmental Adoption of Digital Standards or will conduct a similar audit of its own.
6Audit of Asset Management (including Fine Art Collection)Internal ServicesTo examine the management framework for compliance to the TB requirements, compliance with relevant departmental policies to purchase, dispose and track assets.
7Nexus – Transformation (Advisory)Development, Peace & Security programming; International Advocacy and Diplomacy; and Trade and InvestmentTo review the strategic direction, oversight/governance and risk management framework associated with this transformation.
9Audit of Return from PostSupport for Canada’s Presence AbroadTo examine the HR management practices and controls in place to support the continued development process of rotational staff so that meaningful positions are identified in a timely manner and staff have a positive work experience at headquarters.
10Audit of Real Property - Major Capital ProjectsSupport for Canada’s Presence AbroadTo examine the management control framework over major capital projects as it relates to governance, risk management and internal controls.
11Audit of Locally Engaged Staff BenefitsSupport for Canada’s Presence AboardTo examine the management control framework for Locally Engaged Staff benefits in support of the achievement of GAC’s objectives.

Appendix E – 2021-2023 Engagements Mapped to Priorities

2021-22 Departmental Priorities
Core ResponsibilitiesEngagementsContributing to a Rules-Based International System that advances Canadian interestsSupporting Canadian exporters and economic recovery, building economic resilience, and working toward the renewal of the rules-based multilateral trading systemDeepening Canada’s engagement in the worldEradicating
Poverty		Mandate LettersEnterprise RisksOCG RisksFootnote 1
International Advocacy and DiplomacyGrants & Contributions – Oversight & Monitoring
Feminist International Assistance Policy  Implementation  
International Assistance Innovation Program
Year #2:
Departmental Sustainable Development Strategy  
Trade and InvestmentGrants & Contributions – Oversight & Monitoring
Trade Commissioner Services Regional Operations    
Year #2:
Departmental Sustainable Development Strategy  
Development, Peace and Security Programming Grants & Contributions – Oversight & Monitoring
Feminist International Assistance Policy  Implementation   
International Assistance Innovation Program
Year #2
Country Program Audit
Repayable Contributions    
Departmental Sustainable Development Strategy  
Help for Canadians AbroadHonorary Consuls   
Support for Canada’s Presence AbroadDuty of Care – Governance & Spending 
Real Property – Portfolio Management     
Mission Acquisition Cards  
Mexico Common Service Delivery Point - Procurement   
Year #2:
Mission Audits (1 to 4) 
Washington Common Service Delivery Point - Procurement   
Berlin Common Service Delivery Point - Procurement  
Brussels Common Service Delivery Point - Procurement   
Real Property – Minor capital projects and maintenance    
Internal ServicesPrivacy Practices     
Costing Methodology     
Internal Controls Over Financial Management     
IT Application Portfolio Management     
IT Risk Assessment     
COVID-19 Remote Work Assessment     
 Pandemic After Action     
Year #2:
IT Project Management     
S4Hana – Transformation     

Appendix F – Internal Audit Suite of Services

Figure 03
Alternative text

Office of the Chief Audit Executive (OCAE)

Assurance and Advisory Services

Assurance

  1. Internal Audits – independent and objective assessments of governance, risk management and control processes against defined criteria
  2. Data Analytics – automated collection and analysis of data and indicators from IT systems to test the effectiveness of controls

Other Services

  1. Review Engagements are requested by management seeking independent advice on a matter of importance.
  2. Health Checks for transformation initiatives to provide formal structured quick reviews covering a specific program aspect
  3. Funding Milestone Assessments for transformation initiatives to provide formal, structured, and quick validation of milestone completion
  4. Risk Assessments – assessments of inherent and residual risks to inform management of risk exposure that may require further examination

Professional Practices

Risk-based Audit Plan

A multi-year plan that considers areas of highest risk and significance

Quality Assurance and Improvement Program

Systematic process to ensure IIA Standards are met relating to quality of engagements and internal audit activity

Management Action Plan Follow-Up

Status updates to Departmental Audit Committee of management action plans to address recommendations

External Assurance Liaison

Single point of contact to coordinate activities with external assurance providers

Departmental Audit Committee Secretariat

Coordination of essential part of internal audit governance that provides objective advice and recommendations to the Deputy Minister

Other Support

Contribution to corporate reports, and review and advice regarding Treasury Board submissions and audit reports of multilateral organizations.

Report a problem or mistake on this page
Date Modified: