Audit of the Industrial and Regional Benefits Management Control Framework

1.0 Executive Summary

1.1 Introduction

The Industrial and Regional Benefits (IRB) Policy was established by the Government of Canada in 1986 to lever large government procurement for industrial development. The Policy was created to ensure that Canadian companies can derive benefits from procurements, such as new business or investments in new technologies. The majority of procurements subject to the Policy are Defence procurements.

The IRB Policy requires that prime contractors (Canadian and foreign) work with Canadian firms or make investments in advanced technology sectors of the Canadian economy, in an amount usually equal to the contract value.

This audit of IRB was included in Industry Canada's 2010–11 Risk-Based Internal Audit Plan at the request of IRB Directorate management, who were seeking early feedback on changes they are making to the IRB management control framework (MCF).

The objective of this audit is to provide senior management with an assessment of the governance and risk management aspects of the IRB management control framework. Because operational processes, controls and procedures are currently being documented, the Audit and Evaluation Branch (AEB) has proposed to perform advisory services in this area during the third and fourth quarter of 2010–11.

AEB compared the IRB Directorate's proposed MCF to the Core Management Controls identified by the Office of the Comptroller General (OCG). These controls are aligned with the Treasury Board Secretariat's Management Accountability Framework (MAF), which contains a set of management expectations.

1.2 Overall Conclusion

The IRB Directorate's initiatives to update its MCF are partially implemented or under development and, therefore, it is too early for AEB to provide an assessment of the MCF's effectiveness. The Directorate's draft Business Plan 2010–13 represents a proactive approach to define the Directorate's vision and mandate, and it contains the key foundational pieces of the revised MCF that need to be implemented. The proposed MCF aligns well with most of the criteria of OCG Core Management Controls in the areas of governance processes and risk management practices.

1.3 Summary of Findings

Table 1 provides an overview of the implementation status of the IRB Directorate's MCF by the ten MAF elements, using a three-stage progressive development scale (additional details are in Section 2.4 of the report):

• Start-up Phase
• In Process
• Implemented.

Below is a summary of findings by principal lines of enquiry:

Governance

The IRB Directorate has clearly defined and communicated strategic directions and objectives, aligned with its mandate, through a draft three-year Business Plan developed in July 2010. The Directorate has been restructured to improve its effectiveness. It follows the Values and Ethics Code for the Public Service. It is currently implementing a more robust performance reporting regime. Change initiatives have been communicated effectively to IRB staff and are based on environmental and organizational analysis.

Key elements of the control framework being implemented include a policy capacity, employee performance feedback process, external and internal consultations in regard to policy/control framework changes, and plans for communications and outreach activities.

Finding 1.0: The IRB Business Plan should include a formal process to monitor the implementation of Business Plan initiatives and the IRB MCF.

Finding 2.0: No specific oversight mechanism is identified to monitor the effectiveness of the application of IRB Policy.

Risk Management

The IRB Directorate's Business Plan includes an extensive analysis of risks facing the organization and contemplates a Risk Analysis Framework to analyse industry-related risks and benefits.

Finding 3.0: The IRB Directorate has not documented and articulated its risk methodology and risk management practices at the project level.

1.4 Summary of Recommendations

Governance

Recommendation 1.0: The Director, IRB Directorate should ensure the approval of the draft Business Plan and institute a formal process to monitor implementation of the Business Plan initiatives and the IRB MCF.

Recommendation 2.0: The Director General, ADMB should explicitly identify an oversight mechanism to monitor the effectiveness of the application of the IRB Policy.

Risk Management

Recommendation 3.0: The Director, IRB Directorate should ensure that, at the project level, risk methodology, risk management practices, and related tools are documented and communicated to staff.

1.5 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed to with management. The opinion is applicable only to the entities examined and within the scope described herein. This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.

1.6 Audit Opinion

In my opinion, Industry Canada's management control framework for the application of the Government of Canada's Industrial and Regional Benefits Policy, at its early stage of development, has defined the key foundational pieces that need to be implemented. There are a few issues with moderate risk exposures in regard to governance and risk management practices.

Susan Hart
Chief Audit Executive,
Industry Canada