Health Canada
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links

Home > About Health Canada > Reports & Publications > Audit Reports > Audit of the Healthy Environments and Consumer Safety Branch's Quality Assurance Process Related to Recipient Auditing

Institutional links

About Health Canada

Audit of the Healthy Environments and Consumer Safety Branch's Quality Assurance Process Related to Recipient Auditing

April 2008

Help on accessing alternative formats, such as Portable Document Format (PDF), Microsoft Word and PowerPoint (PPT) files, can be obtained in the alternate format help section.

Portable Document Format(PDF Version - 73 K)

Management Response and Action Plan

Table of Contents

Executive Summary

This report sets out the observations, conclusions, and recommendations from the Audit and Accountability Bureau's (AAB) audit of the Healthy Environments and Consumer Safety Branch (HECSB) Quality Assurance Process related to Recipient Auditing.  HECSB enters into contribution agreements through two programs - the Tobacco Control Program (TCP) and the Drug Strategy and Controlled Substances Program (DSCSP).  Together, approximately $45 million are funded annually to recipients through contribution agreements.

The objectives of the audit were to assess the level of compliance of the Branch's monitoring activities to Treasury Board policies and guides regarding auditing recipients of contributions, as well as to assess the adequacy of the Branch's recipient audit planning exercise, including the risk criteria used, and its compliance to policies, guidelines, and standards.

The audit found that the Branch has some useful components within its audit regime. However, program management for each of the two programs has developed its own recipient monitoring and auditing process.  Therefore, they plan, initiate and undertake their own contribution audit activities separately. In addition, the current audit framework lacks components related to planning, undertaking audits, reporting, records retention, and follow-up procedures. This creates the risk of inconsistent monitoring across the Branch.

The examination indicated that the audit reports adhered only to limited audit standards, are still in draft form, focus primarily on the financial aspects related to the contribution agreements and do not comment on whether the recipient meets all the terms and conditions of the contribution agreement.  Furthermore, there is inconsistency throughout the reports regarding the level of assurance provided on the financial or management controls implemented by the recipients.  Reports were not clearly linked to risk areas identified by the Branch, and could have presented a broader auditor's opinion and proposed recommendations pertaining to the recipient's management controls.

Until these areas of concern are addressed, the Chief Audit Executive will not be able to rely on the work conducted by HECSB for his holistic opinion on Health Canada's controls.

Introduction

Background

The Healthy Environments and Consumer Safety Branch (HECSB) enters into contribution agreements with provincial/territorial governments, associations, research institutions, and academic institutions through two programs - the Tobacco Control Programme (TCP) and the Drug Strategy and Controlled Substances Programme (DSCSP). HECSB funds approximately $45 million to recipients through approximately 160 contributions agreements ongoing at any time within the TCP and the DSCSP programs. HECSB provides funding to recipients to undertake prevention, protection, or promotion initiatives related to the dangers of tobacco and drug use.

This audit was undertaken by the Audit and Accountability Bureau (AAB) in accordance with the Health Canada Multi-Year Risk-Based Audit Plan approved at the October 4th, 2006 Departmental Audit and Evaluation Committee meeting. The audit was conducted in accordance with the Government of Canada's Policy on Internal Audit.

Objectives

The objectives of AAB's audit were to provide assurance to the Deputy Minister and the Departmental Audit Committee that HECSB is conducting recipient monitoring in an effective and adequate manner, by:

  • Assessing the level of compliance of the Branch's monitoring activities to Treasury Board policies and guides regarding auditing recipients of contributions, and to internal audit standards; and
  • Assessing the adequacy of the Branch's recipient audit planning exercise, including the risk criteria used, and its compliance to policies, guidelines, and standards.

The objectives of the audit were consistent with the AAB's responsibility to assess Health Canada's strategy and practices relating to risk management, control, and governance processes.

Scope and Approach

The scope of the audit included the planning, undertaking, reporting, and follow-up to all contribution audits conducted by HECSB between the fiscal years 2003-2004 and 2006-2007. The criteria used to examine the contribution audits were derived directly from the Institute of Internal Auditors' (IIA) standards and are detailed in Appendix B.

The audit was undertaken from October 2007 to January 2008. The audit methodology included:

  • Discussions with staff from the Office of Accountability and Planning (OAP), Policy and Planning Directorate (PPD), regarding their oversight activities and guidance provided to HECSB programs' staff related to recipient audits;
  • Discussions with staff from the Tobacco Control Program (TCP) and the Drug Strategy and Controlled Substances Program (DSCSP) regarding audit planning, activities undertaken during an audit engagement, audit reporting, and follow-up procedures as a response to the audit;
  • Assessment of audit planning and procedures documentation provided by staff from the OAP, TCP, and DSCSP;
  • Assessment of substantiation evidence from eight audits conducted by HECSB (see Appendix A); and
  • Review of eleven Financial Monitoring Visit reports provided by staff from DSCSP.

Six contribution audits were undertaken by the TCP and two contribution audits were undertaken by the DSCSP. The DSCSP recipient audits were the only ones undertaken by this program during the timeframe set out in the scope of this audit. However, during this timeframe, DSCSP had asked Audit Services Canada to undertake twenty-six "Financial Monitoring Visits" as an oversight exercise over recipients. The audit team reviewed a sample of eleven of the twenty-six Financial Monitoring Visit reports.

Findings, Recommendations, and Management Responses

The audit found that HECSB's recipient audit monitoring activities would benefit from a coordinated and more comprehensive approach. Furthermore, improvements are needed to HECSB's monitoring practice related to management led audits in order to comply with the Treasury Board policy on Transfer Payments and to adhere to strict professional audit standards.

Branch-Wide Recipient Audit Framework

A Best Business Practice requires a Branch-Wide Recipient Audit Framework to assess risks related to recipients and select individual contribution audit engagements. The audit team found several inconsistencies across the Branch in how contribution audits are planned and undertaken. These inconsistencies relate to risk-based audit planning and selecting individual audit engagements.

The TCP and DSCSP programs monitor their recipients differently. Program management for each of the two programs has developed their own recipient monitoring and auditing process. For each program, recipient audit activities are undertaken, managed, or triggered by program personnel. TCP and DSCSP program managers have received some guidance from the Office of Accountability and Planning (OAP) of the Policy and Planning Directorate (PPD) of HECSB related to selecting auditees using a risk-based process.

Program personnel for each of the programs select and determine the recipients to audit each year. Each program utilizes a risk-based survey provided by OAP, along with other tools and criteria, when selecting auditees. The number of audits conducted each year by the programs varies. Each program sets aside a percentage of its annual budget to conduct recipient audits. The amount set aside largely determines how many audits will be conducted in a year. Once auditees are selected, both programs contract Audit Services Canada (ASC) to conduct all audit engagements. However, the risk assessment survey was not recently updated and it is not utilized systematically, but rather used at the discretion of program managers. This uncoordinated approach to selecting recipient audits understates the risk they represent to HECSB.

During the period under review, $180 million in funding was provided to recipient organizations. Recipient audits examined $3.6 million of this funding which represents 2% of the funding provided. This is considered a low level of assurance.

Recommendation No. 1

It is recommended that the ADM HECSB establish a comprehensive contribution audit framework whereby a risk-based approach is applied for the selection of individual recipient audits.

Management Response

In consultation with Program Managers, the Office of Accountability and Planning will continue to improve the Risk-Based Audit Questionnaire (RBAQ) as part of the establishment of a comprehensive and coordinated Branch Audit Framework. The following are the deliverable and the expected completion dates:

  • Creation of Branch Audit Framework on or before the end of June 2008
  • Completion of the HECSB 2008-09 RBAQ on or before the end of May 2008
  • Commitment by Program Managers to utilize the new RBAQ in identifying contribution projects to be audited on or before the end of May 2008
  • Creation of HECSB's Multi-Year Audit Plan (2008-09 to 2010-11) on or before the end of June 2008

Aligning to Audit Standards

Audit reports need to be consistent with strict professional audit standards when performing contribution audits. The audit team found that the audit reports did not include a consistent level of assurance and did not provide clear linkages between objectives, scope, criteria and audit results. The audit team did not have access to the working papers and was therefore not able to assess whether all areas of risks were considered during the course of the recipient audits. In addition, follow-ups on corrective actions were not consistently carried out.

Of the eight audit reports reviewed, five were in draft form dating back to March 2005. Without a final version, it is not known whether these audits were ever finalized. Audit reports are considered final only when all audit procedures have been completed. Only final audit reports should be used for decision making on necessary actions to be taken.

The audit reports focus primarily on the financial aspects of the contribution agreements, i.e. eligibility of costs claimed by the recipient. The audit reports are written in short form and do not provide HECSB with key information such as clear audit objectives, criteria, scope, methodology and linkages to audit results. In the absence of the audit working papers, the audit team was unable to determine if all risks areas were considered and if all the terms and conditions of the contribution agreements were assessed. This information is required for program managers to make informed decisions based on the risks identified in the report.

Furthermore, there is inconsistency throughout the eight audit reports regarding the level of assurance being provided on the financial and management controls implemented by the recipient. As recipient audits are conducted with the intent to add value, the audit team found that the reports reviewed should have clearly addressed all risk areas identified on related risk assessment forms, presented a broader auditor's opinion and proposed recommendations pertaining to the recipient's management controls. This is necessary to highlight to program managers key weaknesses that can potentially contribute to reoccurring audit adjustments and amounts to be recovered.

The TCP and DSCP enter into Memorandum of Agreements (MOA) with Audit Services Canada (ASC) for conducting recipient audits. In terms of individual components of recipient auditing such as the planning, conducting, reporting, follow-up and record retention, the audit team identified the following weaknesses:

  • TCP and DSCSP program managers retain the responsibility to plan individual contribution audits. A risk assessment survey tool is available to assess the risk level, but it is not consistently used and has not been recently updated to reflect the Branch's highest risk areas involving recipients. In the past, the DSCSP conducted some financial monitoring of recipients. These monitoring visits would eventually trigger a recipient audit, but this type of monitoring is now discontinued and was not consistently applied across the programs;
  • Recipient audits were being conducted in a variety of ways, primarily dictated by ASC;
  • The audit reports were not held in a central registry. Further, when working papers and evidence to substantiate findings were requested, ASC was not able to provide the documents in a timely manner. ASC was the sole audit service provider and retained all documents supporting the audits at their offices. The MOU between ASC and HECSB clearly indicates that audit reports and working papers are the property of Health Canada. There is no formal mechanism in place to request and obtain audit records from ASC;
  • The audit found that there is no Branch-wide tracking system in place to follow-up and monitor the progress of the implementation of any actions included as part of a management response and action plan.

Recommendation No. 2

It is recommended that the Assistant Deputy Minister, Healthy Environments and Consumer Safety Branch ascertain that recipient audits are conducted in line with the audit standards from a recognized professional body.

Management Response

In consultation with AAB and managers, OAP will review current Audit Standards to ensure all audits conducted by contractors conform with Department standards.

The following are the deliverable and the expected completion dates:

  • Establishing Audit Standards. Revised Audit Standards aligned with Department Standards for Audit on or before the end of June 2008.
  • Review best practices to ensure Audits meet contemporary criteria on or before the end of June 2008.

Holistic Opinion on Health Canada's Controls

The current audit regime in place within HECSB is not sufficiently rigorous to enable Health Canada's Chief Audit Executive to rely on the observations and conclusions from that practice.

The above sections outline the areas that need improvement within the Branch's contribution audit function. Until these areas of concern are addressed, the Chief Audit Executive will not be able to rely on the work conducted by HECSB for his holistic opinion on Health Canada's controls.

Appendices

Appendix A: Audit Reports Reviewed

Fiscal Year Program Recipient Status of Report Agreement Number (s) Amount Reported
2007-08 TCP Canadian Council for Tobacco Control Final 6549-15-2005/3530017 $375,008
2004-05 TCP University of Waterloo, Centre for Behavioural Research and Program Evaluation Draft 6549-15-2002/1580009 $386,063
2004-05 TCP Department of Health, Province of Nova Scotia Draft 6549-15-2002/5410001 $767,540
2006-07 TCP Info-tabac Draft 6549-05-2003/5390006 $185,512
2006-07 TCP Canadian Cancer Society, New Brunswick Division Draft 6549-04-2002/1460022 & 6549-04-2006/7650053 $428,479
2007-08 TCP Ontario Tobacco Research Unit Draft 6549-15-2003/6470001 $624,456
2006-07 DSCSP Canadian Public Health Association Final 6558-15-2004/6710004 $721,515
2006-07 DSCSP Centre for Addiction and Mental Health Final 6558-15-2004/6710003 $115,707
Total   $3,604,280

Appendix B: Audit Criteria

The audit criteria used to assess the audit reports are derived directly from the Institute of Internal Auditors' (IIA) Standards and Practice Advisories. The audit criteria and sub-criteria are:

Engagement Planning

  • A risk-based approach is established and followed in planning and undertaking the audits.
  • Areas of examination during the audits are defined and exclusions are identified.
  • The scope and objectives of the audit engagements are clearly defined.

Methodology

  • The criteria used to assess the subject matter of the engagements are identified.
  • The nature of the audit work conducted evaluates and contributes to the improvement of management practices, control systems, information, and best practices.
  • All tests and analysis undertaken by the audit teams are described.

Verification Phase

  • Properly referenced evidence has been provided by the audit teams.
  • A quality control process over the audit engagements is in place.

Engagement Reporting

  • Audit findings are provided.
  • Opinions on the soundness of the entity audited are provided.
  • Conclusions are logical, flow from the audit work performed, report against audit criteria, and address the objectives fully.
  • Recommendations that flow from the conclusions are included.

Follow-Up Procedures

  • Action plans or an overall strategy have been established to address recommendations including recoveries from the audits.
  • A process to follow-up on action plans is in place.
Date Modified: 2009-07-10

Top of Page
Important Notices