CHAPTER 6
COMPONENTS OF AN RBAF
Objective
1. Discuss the Components of an RBAF
2. Discuss the Risk Identification, Assessment and
Management Summary
Introduction
a) Purpose This section should clearly delineate the respective roles and
responsibilities of management and IA in fulfilling the PTP monitoring, auditing
and RBAF requirements. A summary of the recipient’s role and responsibilities
for complying with terms and conditions should also be provided.
b) Process The PTP (Section 8.5) and the Guide on Grants, Contributions
and Other Transfer Payments delineate the roles and responsibilities of
management and IA.
Management is responsible for ongoing financial and operational
monitoring, for the audit of recipients’ compliance with terms and conditions,
and for the audit of recipients. The audit of recipients can also examine
whether results data is reliable.
Internal Audit’s (IA) role is to employ risk-based methodologies in
planning and conducting audits to provide assurance on the adequacy of
integrated risk management practices, management control frameworks
and information used for decision-making and reporting on the
achievement of overall objectives. Management is responsible for applying
and describing the risk-based approach in the selection of recipient audits.
If management is not familiar with a risk-based methodology, IA could be
of assistance in discharging this responsibility. While management has
overall responsibility for the RBAF, IA is responsible for employing a
risk-based approach in establishing whether the overall transfer payment
program should be subject to audit. As such, IA should complete the
Internal Auditing section [Section 6.0] of the RBAF. Managers and IA
should consult as soon as the RBAF requirement has been identified.
They should reach an agreement on the collaboration needed to complete
the Recipient Auditing and Internal Auditing sections of the RBAF. To
facilitate a common understanding of compliance and ongoing monitoring
requirements, it may also be beneficial to articulate recipients’ roles and
responsibilities for meeting contribution agreement terms and conditions.
c) Product A statement of roles, responsibilities and relationships between
PTP management, IA and recipients.
Program Profile
a) Purpose The Program Profile should provide the context and the key areas
of inherent risk (Key Risk Areas) that evolve from the transfer payment
program’s objectives and environment. Overall, the profile assists the manager
in:
● meeting good governance expectations through a sound understanding of the
accountability and risk management environment; and
● conducting a more efficient and effective detailed identification and
assessment of risk for the Risk Assessment and Management Summary in the
next RBAF component.
AUDITING IN A CIS ENVIRONMENT
b) Process The Program Profile should be developed with reference to the
organization’s outcomes and design information that has been compiled during
recent business planning and the development of the RMAF. As a first step in
the process, the “Performance Profile” and other pertinent RMAF data should
be verified with participating managers. Clearly articulated objectives and
context will provide the basis for further internal and external environmental
analysis and identification of the Key Risk Areas that evolve from the mandate.
In this context, for ongoing programs, any recent internal audit or evaluation
should be described, particularly the effect that their results may have had on
the program. In the case of a small, uncomplicated program, the Profile can be
developed by the manager alone. However, as the complexity and magnitude
of the program increases, greater detail will be required from key
knowledgeable stakeholders to ensure all Key Risk Areas are identified and
adequately described. Knowledgeable stakeholders include experienced
program staff, internal audit and evaluation advisor(s) and, if deemed
necessary, external stakeholders. The involvement of a risk management
advisor may also be required, depending on the degree of program complexity.
c) Product The Profile should include:
● the background, underlying rationale, objectives and need for the program;
● the target population, resources, product groups, delivery mechanisms,
TPP stacking provisions and governance structure; and
● the key internal and external areas of risk (Key Risk Areas) that evolve
from the legislation, mandate, program design and/or operating
environment where there is a potential for significant impact on
performance (i.e. anticipates, in macro terms, the work to be done in the
next section).
Risk Identification, Assessment and Management Summary
The key risks should ideally be identified, assessed, and associated mitigation
measures either implemented or in progress, prior to the development of the
proposed Treasury Board submission (in the case of new policy initiatives,
prior to the Memorandum to Cabinet). If available, the departmental Integrated
Risk Management Framework (IRMF) would be a primary source of reference or at
least a starting point.
a) Purpose The purpose of this component is to ensure an explicit
understanding of the level of key risks. Through systematic risk identification,
assessment and development of response or mitigation procedures, managers
will acquire an explicit understanding of all aspects of key risks. Furthermore,
this component provides insight into the main operational measures, including
controls used to mitigate key risks and thereby contributes data relevant to the
explanation of Program Monitoring presented in Section 3.5.
b) Process The preparation of the Risk Assessment and Management
Summary section generally requires input from a team of managers and
knowledgeable staff within the program area, supported by various functional
groups.
The team should carry out the following steps:
Preparation Steps
● Consider who should participate
● Clearly define risk
● Establish a time horizon
● Customize a risk matrix
● Consider other tool requirements
Process Steps
1. Understand Objectives
● Clearly articulate and understand the program’s objectives with reference
to the outcomes established in the RMAF Logic Model.
2. Risk Identification
● Identify risk areas (sources of risk) related to the achievement of objectives
(e.g. events, hazards, issues, lost opportunities and circumstances that could
lead to an impact on stewardship, delivery, outputs, outcomes, etc.); and
● Conduct a preliminary intuitive analysis of the risk level of each area (high,
medium, low) to select the risk areas that require further analysis.
3. Risk Assessment
● Articulate the particular concerns and existing mitigation measures for the
risk areas selected for detailed analysis; and
● Assess the likelihood and impact of an undesirable effect, given existing
mitigation measures, to arrive at a residual level of risk.
Reference: Compilation of lecture notes by Dean Bacay