Final Audit Report - First Nations and Inuit Health Branch - Audit of the Recipient Audit Function

September 2009

Help on accessing alternative formats, such as Portable Document Format (PDF), Microsoft Word and PowerPoint (PPT) files, can be obtained in the alternate format help section.

Management Response and Action Plan

Table of Contents

• Executive Summary
• Introduction
  • Background
  • Objective
  • Scope and Approach
• Findings, Recommendations and Management Responses
  • Selection of Recipients to be Audited
  • Conduct, Reporting and Follow-up of Recipient Audits
    • Conduct of Recipient Audits
    • Reporting of Recipient Audits
    • Quality Assurance Review
    • Audit Response Process
    • Timeliness of Process
• Conclusion
• Appendix A - Audit Criteria

Executive Summary

The First Nations and Inuit Health Branch (FNIHB) of Health Canada was responsible for distributing $998.3 million of contribution funding in 2007-08.  Part of the oversight role of the Business Planning and Management Directorate within FNIHB is the assessment of recipient risk for inclusion in recipient audits. The objective of this audit of FNIHB Recipient Audit Function was to provide assurance that FNIHB has in place effective oversight related to recipient auditing. The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

The audit was conducted by the Audit and Accountability Bureau in accordance with the Government of Canada's Policy on Internal Audit. 

FNIHB has designed a sound risk assessment process for the prioritization of recipient audits, combining a formalized risk assessment element and a judgment-based component. However, opportunities for improvement were identified to enhance the transparency and documentation of decisions that impact the results of the risk assessment process and selection of recipients subject to recipient audits.

FNIHB has developed a framework for the conduct of recipient audits which is outlined in the Ministerial Audit Guide and the Contributions and Contracts Audit Procedures. Specific elements of the conduct of recipient audits have not been formally defined within these documents and, as a result, opportunities for improvement were identified in the following areas:

• Updating FNIHB's Ministerial Audit Guide to provide specific, detailed guidance for the conduct of recipient audits;
• Documenting the requirement for a level of assurance/conclusion related to financial information to be included in the audit report of each recipient;
• Obtaining audit programs used by auditors to plan audits in order to review them as part of the quality assurance process;
• Improving the oversight function for the review and approval of audit responses proposed prior to final submission to the Branch Executive Subcommittee on Audit, Evaluation and Review; and
• Improving the enforcement of timelines related to the development of audit responses to maximize the relevance of the findings and the impact of the action plans.

Management agrees with the recommendations, its response indicates its commitment to take action and many of the proposed actions that will address the findings have already started to be implemented.

Introduction

Background

The First Nations and Inuit Health Branch (FNIHB) negotiates contribution agreements with First Nations on reserve and Inuit recipients for the delivery of health services. These contributions totalled $998.3 million in 2007-08, $942.5 million of which was dispersed by the Health Canada Regions and $55.8 million from Headquarters.

The Business Planning and Management Directorate (BPMD) is the directorate within FNIHB responsible for implementing nationwide policies and mechanisms to support the delivery of efficient and effective health services. As part of this responsibility, BPMD conducts each year a number of compliance audits of contribution agreements (recipient audits).

Through a risk-based planning exercise, BPMD selects recipients for audit. Contribution agreements signed with these recipients are then included in the Branch's Risk-Based Audit Plan, which is approved by the Branch Executive Subcommittee on Audit, Evaluation and Review (BEC-AER) and FNIHB Assistant Deputy Minister. For fiscal year 2007-08, 17 recipient audits covering 30 contributions agreements, included in the Branch Plan, were carried out.

The recipient audits focus on: expenses incurred by the recipient that have been claimed; the recipient's compliance with the Terms and Conditions of the CA; the soundness of the recipient's financial controls and management framework; and the recipient's ability to effectively deliver the programs outlined in the CA.

Recipient audits, which are contracted out, are complementary to ongoing monitoring under the responsibility of Program Management, and the mandatory reporting activities set out in contribution agreements. They do not replace on-going monitoring activities (on-site visits, regular contact and assessment of financial and non-financial reports) under the responsibility of the Program Manager, nor do they replace annual financial statement audits performed by independent external auditors hired by the recipients.

FNIHB Recipient Audit Function was the subject of a previous audit for which the Audit and Accountability (AAB) tabled an audit report at the Departmental Audit and Evaluation Committee on June 18, 2007. The period covered by this audit was fiscal years 2003-04 to 2006-07. It should be noted that the objectives of the 2007 audit were different from those for the current audit. The overall conclusion was that FNIHB's audit process is effective. However, it also identified opportunities for improvement.

Objective

The objective of the audit was to provide assurance to the Deputy Minister and the Departmental Audit Committee (DAC) that FNIHB has in place an effective recipient audit function by assessing, for the two following components, the adequacy and the compliance with applicable Treasury Board Secretariat's policies:

• the risk-based planning exercise developed to select contribution agreements to be audited; and
• the planning, conduct, reporting and follow-up of recipient audits.

Scope and Approach

The audit was undertaken by the Audit and Accountability Bureau as per the Health Canada Risk-Based Audit Plan for 2008-2009 which was approved by the Departmental Audit Committee on April 3, 2008 and was conducted in accordance with the Internal Auditing Standards for the Government of Canada, and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

Our approach included the conduct of interviews and the review of documents, including recipient audit files. In fiscal 2007-08, BPMD initiated a total of 17 recipient audits, corresponding to 30 contributions agreements (representing an amount of $76.2 million or 7.6% of the total recipient funding of $998.3 million distributed by FNIHB in this year). These recipient audits were selected during a risk-based planning exercise conducted in fiscal year 2005-06. Our file review covered only the audits related to 11 recipients (out of 17) that were completed at the time of planning this audit (amounting to funding of $69.7 million).

Audit criteria were taken from Treasury Board Transfer Payments Policy and relevant FNIHB policies, guides and procedures. These criteria were accepted by FNIHB Management.

Findings, Recommendations and Management Responses

Selection of Recipients to be Audited

Audit Criteria
A risk-based approach is established and consistently applied to ensure that the selection of recipients (and associated contribution agreements) to be audited is based on a consistent and timely risk assessment of recipients, including the following elements:

• Universe of recipient audits;
• Risk analysis framework and templates;
• Risk assessment process; and
• Selection of recipients and agreements for audit.

Through its risk-based planning exercise, BPMD selects recipients for audit. Contribution agreements signed with these recipients are then included in the Branch's Risk-Based Audit Plan. The last exercise, which was conducted in fiscal year 2005-06, is based on an approach that includes both a systematic component and judgmental component. The systematic component, which is titled Systematic Risk Assessment, uses the following criteria:

1. Allegations and complaints;
2. Quality of financial information;
3. Past years' financial results;
4. Communication;
5. Stability/capacity of organization;
6. Service quality; and
7. Co-management or third-party management.

Using risk levels of 0 (low), 2 (fair) and to 3 (high), contribution agreements are rated according to these seven criteria in order to calculate a cumulative rating. As for the judgmental component, it is based on an assessment of risks associated with recipients as perceived by management of regional and headquarters offices. The results generated by these two components are then combined to select the recipients and related contribution agreements to be audited within the 3-year period covered by FNIHB's Recipient Audit Plan and submitted to the approval of the BEC-AER and FNIHB Assistant Deputy Minister.

This above-described approach was found to be effective as it allows for the flexibility of judgment by the regional offices which work with the recipients on a daily basis. This said, we noted that BPMD postpones the conduct of contribution agreements audits. On average, this represents one or two recipients per year. Corresponding audits remain in the audit plan and are generally conducted in the next two years. These decisions are made for different reasons and are generally recommended by the regions and approved by BPMD. However, no guidelines are in place for this type of decision. As a result, the decisions, including the underlying rationale and conditions, are not adequately documented in recipient audit files. Furthermore, they are not approved by the BEC-AER. Although no evidence was found that decisions made in 2007-08 were not adequately supported, there is clearly a need for more guidance with regards to their process, documentation, approval and follow-up.

Recommendation No. 1

It is recommended that the Assistant Deputy Minister of the First Nations and Inuit Health Branch ensure that guidelines are developed and implemented to ensure that decisions to postpone recipient audits are adequately supported, approved by the Branch Executive Subcommittee on Audit, Evaluation and Review, and followed.

Management Response

Management accepts the recommendation.

FNIHB has implemented new guidelines and a change-request form for the 2009-2010 FNIHB Risk-Based Audit Plan in order to ensure that any requests for changes or postponements of recipient audits are adequately supported, approved by the Branch Executive Subcommittee on Audit, Evaluation and Review, and followed.

Conduct, Reporting and Follow-up of Recipient Audits

Audit Criteria
The recipient audit completed by FNIHB were conducted, reported on and followed up in accordance with applicable audit standards. This includes follow-up on the implementation status of recommendations made within previous audit reports.

Conduct of Recipient Audits

Objectives of the recipient audits, as stated in the May, 2004 FNIHB Ministerial Audit Guide, are as follows:

1. To ensure compliance with Terms and Conditions of the Agreement;
2. Ensure compliance with Treasury Board's policies and standards and with FNIHB policies;
3. To evaluate efficiency and effectiveness in administering the contribution agreement, in managing the Program, as well as the Recipient's organizational capacity; and
4. To assess the quality and adequacy of financial controls and mechanisms in place to manage risks effectively.

The Ministerial Audit Guide requires auditors to use a risk-based approach in the determination of the scope of the audit. It also mentions that the work must be performed in accordance with Generally Accepted Auditing Standards and include testing of the accounting system and records, as well as an analysis of the quality of the contribution management.

Although the Guide identifies high-level criteria for all of the above-mentioned objectives, it does not provide guidance, in terms of approach and methodology, to a risk-based recipient audit. Furthermore, the scope for objective 3 is more in line with a performance audit, as opposed to compliance or financial management audits.

Because the Ministerial Audit Guide only provides high level guidance, BPMD must compensate by providing detailed guidance in order to ensure consistency in the planning, conduct and reporting of recipient audits. However, such guidance is relatively limited. A second document, FNIHB Contributions and Contracts Audit Procedures, is used by BPMD to instruct employees on the conduct of recipient audits and what guidance must be provided to field auditors. As such, it provides additional details on the key phases of the audit process such as planning and the conduct of audits and the reporting of findings. However, it does not provide sufficient guidance on the approach and methodology to be used in the conduct of recipient audits.

Recommendation No. 2

It is recommended that the Assistant Deputy Minister of the First Nations and Inuit Health Branch ensure that the Branch Ministerial Audit Guide is updated to provide guidance for completion of recipient audits, including clarity and appropriateness of objectives and related criteria.

Management Response

Management accepts the recommendation.

The FNIHB Ministerial Audit Guide is currently being updated to provide additional guidance for completion of recipient audits, including clarity of objectives and related criteria.

Reporting of Recipient Audits

Of the four objectives included in the Ministerial Audit Guide, objectives 1 and 2 require a level of assurance to be provided based on the results of testing; however, no formal expectation or standard template has been developed by FNIHB to satisfy this requirement and provide an overall conclusion on these assurance elements.

Through our review of the working paper files for the 11 recipients sampled, only four audit reports provided opinion statements related to financial information. Audit reports were, in some cases, issued with an opinion letter. However, as per the current process, these letters do not accompany audit reports being tabled at the BEC-AER.

In some cases, proposed recoverables were also presented using inconsistent methods. Since that time, FNIHB has addressed this problem by developing and implementing a report template.

Recommendation No. 3

It is recommended that the Assistant Deputy Minister of the First Nations and Inuit Health Branch ensure that the Branch Ministerial Audit Guide is  updated to require the issuance of an opinion statement related to financial information in all recipient audit reports and that these statements be included in all reports tabled at FNIHB's Audit, Evaluation and Review Committee.

Management Response

Management accepts the recommendation.

FNIHB will update the Ministerial Audit Guide to require the issuance of an opinion statement related to financial information in all recipient audit reports, and these statements will be included in all reports tabled at the FNIHB Audit, Evaluation and Review Committee.

Quality Assurance Review

BPMD has developed a quality assurance process to review audit reports before their release to regions for the development of audit responses. This process covers aspects such as consistency, level of emphasis of issues identified and clarity/conciseness of reporting. However, BPMD does not request the auditor's planning memorandum, which is developed in preparation for the audit. The memorandum includes recipient audit objectives, criteria, programs that auditors carry out to examine particular areas, and sampling of transactions. As a result, BPMD does not obtain a sufficient assurance that auditors have complied with its Ministerial Audit Guide.

Recommendation No. 4

It is recommended that the Assistant Deputy Minister of the First Nations and Inuit Health Branch ensure that audit programs are obtained from auditors, in order to review them as part of the Branch's quality assurance process for the purpose of confirming compliance with its Ministerial Audit Guide.

Management Response

Management accepts the recommendation.

FNIHB will include the requirement in the Ministerial Audit Guide for auditors to include audit programs in order to review them as part of the FNIHB quality control for the review of audit reports.

Audit Response Process

The FNIHB Contributions and Contracts Audit Procedures document requires that the recipient submit a management response and action plan, hereafter referred to as the "Audit Action Plan" and the "Summary of Actions", in response to the recommendations made in the audit report.  These two documents also provide the recoverable amount, as per the audit report, and the final recoverable amount, as determined by the responsible region. They are then forwarded to BPMD for review and sent to the BEC-AER for final approval.

Regional Offices and FNIHB Program Directorates take part in the development of Audit Action Plans in collaboration with recipients. As for BPMD, it plays a key role in ensuring that these Plans adequately address recommendations and recoveries.

To the extent audit responses had been developed for the audit files reviewed, we noted instances of limited audit responses to address the audit report observations and recommendations, as presented in the Audit Action Plans. There were examples where the responses provided were not adequate to address the recommendations and did not include measurable indicators. For example, "We will explore options to resolve this issue in the 2008/09 fiscal year" was identified as an audit response to two observations. A further example was identified where the recoverable amount was reduced significantly by a regional office without documentation.

The above examples demonstrate the need for BPMD to enhance its oversight function to ensure that Audit Action Plans adequately address audit recommendations and recoveries.

Recommendation No. 5

It is recommended that the Assistant Deputy Minister of the First Nations and Inuit Health Branch ensure that BPMD improves its oversight process over audit responses. This would include improvements to the processes and criteria for determining appropriate changes to Audit Action Plans, including the review and approval of responses to recommendations for sufficiency of documentation, and, reasonability of regional and program decisions related to reducing recoverable amounts.

Management Response

Management accepts the recommendation.

FNIHB will enhance the existing process to improve audit responses by working with the regions/programs to better understand the issues they face in negotiating with the recipients. FNIHB and the region/programs will develop guidelines to improve documentation of management responses to recommendations and improved justification for the acceptance of expenditures that were adjusted by the auditor.

Timeliness of Process

The FNIHB Contributions and Contracts Audit Procedures document states that management responses and action plans must be prepared by the recipient within 45 working days of receiving the draft audit report. These management responses must then be reviewed within 20 working days of receipt by BPMD, before their tabling to the BEC-AER for approval. Once the report has been approved, BPMD is responsible for following-up with management on the implementation of their action plans within nine months.

For draft audit reports issued between August 2007 and March 2008, we noted a time lapse ranging from 12 to 18 months between the issuance of the draft audit report and the submission of the management response and action plan. Delays in finalizing audit results and responses may decrease the relevance of the recommendations and proposed action plans and postpone the repayment of recoverable amounts.

As of October 2008, none of the recipient reports had been submitted for approval by the BEC-AER.

Recommendation No. 6

It is recommended that the Assistant Deputy Minister of the First Nations and Inuit Health Branch ensure the enforcement of timelines for the development of Audit Action Plans and Summaries of Actions.

Management Response

Management accepts the recommendation.

FNIHB will undertake a study with regions/programs in order to determine more reasonable timelines and establish procedures to justify extensions for complex files. Following the study, FNIHB will recommend new timelines and enforcement procedures to BEC-AER for approval.

The existing timelines of 45 days for the completion of the audit action plans following release of the draft audit report to the region/program, frequently does not provide adequate time to discuss the report with the recipient, to develop a mutually acceptable audit action plan and recovery plan (if warranted), and to get the approval of regional/program management.

For files that exceed the revised timelines, regions/programs will be required to provide justification for the extension of timelines, which will be presented to BEC AER on a quarterly basis.

Conclusion

FNIHB has designed a sound risk assessment process for the prioritization of recipient audits, combining a formalized risk assessment element and a judgment based component. However, opportunities for improvement were identified to enhance the transparency and documentation of decisions that impact the results of the risk assessment process and selection of recipients subject to recipient audits.

FNIHB has developed a framework for the conduct of recipient audits which is outlined in the Ministerial Audit Guide and the Contributions and Contracts Audit Procedures. Specific elements of the conduct of recipient audits have not been formally defined within these documents and, as a result, opportunities for improvement were identified in the following areas:

• Updating FNIHB's Ministerial Audit Guide to provide specific, detailed guidance for the conduct of recipient audits;
• Documenting the requirement for a level of assurance/conclusion related to financial information to be included in the audit report of each recipient;
• Obtaining audit programs used by auditors to plan audits in order to review them as part of the quality assurance process;
• Improving the oversight function for the review and approval of audit responses proposed prior to final submission to the Branch Executive Subcommittee on Audit, Evaluation and Review; and
• Improving the enforcement of timelines related to the development of audit responses to maximize the relevance of the findings and the impact of the action plans.

Appendix A - Audit Criteria

Audit Objective

To assess the adequacy of the Branch's risk-based planning exercise, including the risk criteria used and its compliance to policies, guidelines and standards.

Criteria

A risk-based approach is established and consistently applied to ensure that the selection of recipients (and associated contribution agreements) to be audited is based on a consistent and timely risk assessment of recipients, including the following elements:

• Universe of recipient audits;
• Risk analysis framework and templates;
• Risk assessment process; and
• Selection of recipients and agreements for audit.

Audit Objective

To assess the Branch's level of compliance with Treasury Board policies, guidelines and relevant audit standards related to auditing recipients of contributions, including the selection, conduct, reporting and follow-up on recipient audits and the implementation of recommendations from previous audits.

Criteria

The recipient audits are planned, conducted, reported on and followed up in accordance with applicable audit standards. This includes follow-up on the implementation status of recommendations made within previous audit reports.