Risk Based Audit Plan 2009-2012

Risk Based Audit Plan 2009-2012 WESTERN ECONOMIC DIVERSIFICATION CANADA Audit, Evaluation & Disclosure Branch March 2009 Western Economic Diversification Canada Table of Contents 1.0 Introduction 1.1 Purpose 2.0 Governance 2.1 Organization 2.2 Role of Internal Audit 3.0 The Audit Universe 3.1 Approach 3.2 Risk Assessment and Prioritization 3.3 Departmental Corporate Risk Profile 3.4 Chief Audit Executive’s Holistic Assurance 3.5 Audit Coverage 3.6 Carry-Over Audits 3.7 Follow-up Audits 3.8 Audits from Other Assurance Providers 3.9 Resources 3.10 Other Activities 4.0 Conclusion 5.1 Table 1: Audit Plan Summary 2009-2012 5.2 Table 2: Audit Plan 2009-2010 5.3 Table 3: Audit Plan 2010-2011 5.4 Table 4: Audit Plan 2011-2012 5.5 Table 5: Resource Allocation for 2009-2010 1 1 1 2 2 2 3 3 4 4 4 5 5 5 5 6 6 7 8 11 13 15 Risk Based Audit Plan 2009-2012 2 1.0 Introduction The Risk Based Audit Plan defines the approach that Western Economic Diversification Canada (WD) has used to identify and select upcoming audits from the WD audit universe. This Risk Based Audit Plan covers the three-year period of 2009-10 to 2011-12. It provides the direction and authority for the scope, objectives and timing of internal audits and their associated resources. The following are the major characteristics of this plan:  This internal audit plan is multi-year (e.g. three year) and will be updated on a regular, periodic basis;  The plan uses a risk-based methodology, including identification of an audit universe, risk assessment and prioritization of potential areas of planned audit work.  The planned audit coverage addresses areas of highest identified risk over the life of the plan, and takes into consideration planned Office of the Comptroller General horizontal audit activity;  The plan identifies audit projects, their rationale, timetable, and associated resources. The focus is on audit assurance work; and  The audit plan has been reviewed and recommended by the department audit committee to the Deputy Minister, who in turn approved it and provided a copy to the Comptroller General. 1.1 Purpose Risk based audit planning is a systematic process whereby auditable entities are identified, prioritized and scheduled for the conduct of audit activities. The plan identifies the priorities of the internal audit activity over the three-year period of 2009 to 2012. 2.0 Governance The WD Internal Audit Charter was approved by the Department Audit Committee in October 2007. The charter establishes and defines the purpose and scope of the Internal Audit function within WD. The charter establishes Internal Audit’s purpose, authority, responsibilities, accountability, independence, and objectivity within WD. The Internal Audit function is further guided by the standards of internal audit practices adopted by the Government of Canada and the Institute of Internal Auditors. The Departmental Audit Committee is an essential part of the Department’s governance structure and audit regime. The Audit Committee ensures that the Deputy Minister has independent and objective advice on the adequacy of the Department's control and accountability processes. The Audit Committee exercises active oversight of core areas of departmental control and accountability in an integrated and systematic manner. WD’s Audit Committee consists of an external chair, two external members, and the Deputy Minister in an ex-officio capacity. Risk Based Audit Plan 2009-2012 1 The Chief Audit Executive reports directly and exclusively to the Deputy Minister. 2.1 Organization The Internal Audit activity is a function within the Audit, Evaluation & Disclosure branch at WD. Audit, Evaluation and Disclosure Branch – Organizational Chart Organizational Chart - Audit, Evaluation & Disclosure Branch (A&E) Departmental Evaluation Committee (DEC) Deputy Minister Departmental Audit Committee (DAC) Chief Audit Executive Director General Executive Assistant Senior Audit Officer Senior Audit Officer Senior Audit Officer Senior Evaluation Officer Senior Evalauation Officer Practice Management Internal Auditor Internal Auditor 2.2 Role of Internal Audit The primary role of Internal Audit is to provide independent and objective assurance and consulting activity designed to add value and improve WD’s operations. Internal Audit helps WD to accomplish its strategic objectives by bringing systematic, disciplined approach to evaluate and improve the effectiveness of:  Risk management;  Control; and  Governance practices. 3.0 The Audit Universe An audit universe represents the potential range of all audit activities and is comprised of a number of auditable entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives. WD’s Audit Universe is detailed stand-alone document that is updated on a periodic basis. The universe has been mapped against the federal government Management Accountability Framework (MAF), taking into consideration WD’s Program Activity Architecture and Management Resources and Results Structure. Risk Based Audit Plan 2009-2012 2 Western Economic Diversification Canada 3.1 Approach The Risk Based Audit Plan was developed through consultation with WD’s Department Audit Committee, senior management and business planners. Internal Audit also consulted with the Office of the Comptroller General, the Office of the Auditor General and other assurance providers to ascertain if any of their planned audits include WD. To ensure the risks identified in the audit plan were consistent with the WD’s mandate and priorities, Internal Audit researched a number of relevant documents. Reference sources included: Program Activity Architecture, Management Resources and Results Structure, Corporate Risk Profile, Treasury Board Submissions, Reports on Plans and Priorities, Departmental Performance Report, Management Accountability Framework assessments, previous Internal Audit Reports, unaudited Financial Statements, and Evaluation Reports. As a result of this thorough process, Internal Audit selected and prioritized the audit engagements for 2009–2012 based on risk exposure, significance, and the quality of internal control environments that exist to mitigate risks. Any planned audit to be led by an external assurance provider was also included in the plan. 3.2 Risk Assessment and Prioritization Through the risk based audit planning process, internal audit priorities have been identified and audit projects planned in those areas that reflect the greatest need or priority from a departmental perspective. First, Internal Audit assigned a preliminary ranking by assessing each auditable entity in terms of its risk exposure and significance considering the WD Corporate Risk Profile and other relevant inherent business risks. Internal Audit consulted with senior management and business planners to fully understand WD’s business and associated key risks. Second, Internal Audit assigned a final ranking by incorporating additional priority factors such as management or audit committee requests, horizontal audits, CAE holistic assurance coverage, and past audit coverage. Risk exposure is defined as the level of risk to which each auditable entity is exposed and considers the following:  The auditable entity’s current and anticipated business conditions and the presence of risk factors;  The number and nature of potential risk events to which the auditable entity is exposed as a result of its business conditions/risk factors; The severity of consequences if the risks to which the entity is exposed materialized; and The overall state of control in place within a given auditable entity.   Significance is the value or impact of the entity in the context of WD’s overall objectives. Significance considers materiality, expected benefits to the department and its stakeholders, and the degree to which the audit entity is exposed to public or political scrutiny. Risk Based Audit Plan 2009-2012 3 Western Economic Diversification Canada The results of this risk analysis and ranking of the audit universe is found in Risk Assessment Worksheet, Annex A. This risk assessment incorporated both WD-specific risks and those that are government-wide as identified by the Office of the Comptroller General. 3.3 Departmental Corporate Risk Profile The risk assessment also incorporated and included linkages of the audit topics to the Corporate Risk Profile. Currently, the nine key risk areas identified and approved by WD management are summarized below. Strategic Risks (Loss or damage caused by external conditions or events which may negatively affect WD’s policy or program delivery, or other decisions) 1. Results; 2. Partnership; 3. Program Relevance; 4. Reputation; 5. Economic Conditions; Operational Risks (Loss or damage caused by failures in people, processes or internal systems) 6. Public Service Renewal; 7. Resource Management; 8. Communication; and 9. Financial Management. 3.4 Chief Audit Executive’s Holistic Assurance One of the key requirements of the 2006 Treasury Board Policy on Internal Audit is the requirement for the Chief Audit Executive to provide a holistic assurance on departmental risk management, control and governance processes. As a result, the plan has incorporated selected audit coverage towards supporting the Chief Audit Executive’s ability to provide a future holistic assurance. This was one of the factors that influenced changes between the preliminary rankings and the final rankings. 3.5 Audit Coverage Audit engagements are targeted to provide assurances around key risk management, control and governance processes within WD. For the purposes of this plan, assurance engagements have been categorized into auditable entities and topics that reflect all the Management Accountability Framework indicators and WD’s business activities that support the achievement of its three Strategic Outcomes. Audit projects for the period are summarized in Table 1 and detailed in Tables 2-4. All the audits selected contribute in one way or another to the success of WD’s three Strategic Outcomes:  Policies and programs that support the development of Western Canada;  Economically viable communities in Western Canada with a high quality of life; and  A competitive and expanded business sector in Western Canada and a strengthened western Canadian innovation system. Risk Based Audit Plan 2009-2012 4 Western Economic Diversification Canada 3.6 Carry-Over Audits The 2009-12 audit plan contains one audit that is being carried over from the 2008-09 audit plan. The Audit of the Western Economic Development Program was commenced later than scheduled in 2008-09 due to delays in securing an external contractor through government procurement processes. The audit was well underway in 2008-09 and is scheduled to be completed early in the first quarter of 2009-10. 3.7 Follow-up Audits Internal Audit conducts follow up work in three forms. Firstly, Internal Audit does semiannual follow-up audit work on outstanding recommendations from previous audits. The report of that follow up work is presented to the Departmental Audit Committee. Secondly, while conducting its periodic risk assessment and prioritization, Internal Audit assesses past audit work to determine if follow-up audits are required on a previously completed audit. Finally, Internal Audit may select an audit that is blended, containing some follow up work from a previously conducted audit and some revised scope elements. The 2009-12 audit plan contains follow up work in the first and third categories, including these five audits that are considered blended follow-ups: Community Futures Program (200910), Governance (2010-11), Grants and Contributions - Monitoring and Payments (2010-11), Infrastructure Programs (2010-11), and Grants and Contributions – Due Diligence Approval Process (2011-12). 3.8 Audits from Other Assurance Providers Internal Audit canvassed other assurance providers to determine what work, if any, they would be conducting during 2009-10 that would impact on WD. The following is a list of activities for which Internal Audit will be providing a liaison role and that will have some resource demands within other parts of WD as a result of these audits taking place: 1. Office of the Auditor General – Audit of Program Evaluation; 2. Office of the Auditor General – Audit of the Application of the Canadian Environmental Assessment Act; 3. Office of the Comptroller General – Horizontal Audit of Corporate Risk Profiles; and 4. Office of the Comptroller General – possible Horizontal Audits of IT Asset Management, Business Cases for Major Investments, Real Property Assets, Financial Reporting Control and Fraud Risk and Control Strategies. In all of these cases, the Internal Audit resources required to support these initiatives is recorded as part of the Practice Management function on Table 5. 3.9 Resources Internal Audit has five full-time audit professional staff, the Chief Audit Executive and one administrative assistant. The Chief Audit Executive will be adding a Principal, Practice Management in early 2009-10. The Chief Audit Executive concludes that the current Risk Based Audit Plan 2009-2012 5 Western Economic Diversification Canada resource level of personnel and operating funds is adequate for the audits planned for 20092012. The audit plan will use a combination of internal and external resources because of the volume of planned engagements as well as to fulfill the collective proficiency standards required for internal auditing. The operating budget includes some targeted funding to support the operation of the Departmental Audit Committee and the continuous professional development of the internal audit staff. 2009 - 2010 $1,020,000 8 2010 - 2011 $1,040,000 8 2011 - 2012 $1,060,000 8 Financial Resources Human Resources – FTEs Resource allocations for all 2009-10 audit projects can be found on Table 5. 3.10 Other Activities Some key consulting activities that Internal Audit will pursue in the planning cycle include: 1. Consulting engagements requested by senior management (subject to preservation of Internal Audit’s objectivity and independence); 2. Quality Assurance and Improvement Program enhancements; 3. Continuous professional development for internal audit staff; 4. Support to the Departmental Audit Committee; 5. Education of staff and other stakeholders on the role of Internal Audit; and 6. Support to horizontal engagements assigned from outside assurance providers and central agencies. 4.0 Conclusion In this Risk Based Audit Plan, Internal Audit has selected audits that will provide audit assurance by bringing a systematic, disciplined approach to evaluate and add value to improve the effectiveness of risk management, control, and governance practices at Western Economic Diversification Canada. Risk Based Audit Plan 2009-2012 6 Western Economic Diversification Canada 5.1 Table 1: Audit Plan Summary 2009-2012 WD Strategic Outcomes 1. Policy, Advocacy and Coordination 2. Community Economic Development 3. Entrepreneurship and Innovation Audit Priority Very High 2. Very High 3. Very High 4. Very High 5. Very High 6. High 7. High 2009-2010 1. Carry Over Audit Western Diversification Program Community Futures Program G&Cs – Third Party Delivery G&Cs –Budget 2009 New Initiatives – Preliminary Assessment G&Cs – Accounts Receivable & Recoveries Integrated Risk Management 2010-2011 1. Governance 1. 2011-2012 G&Cs – Budget 2009 Initiatives G&Cs - Due Diligence Approval Process 2. G&Cs – Monitoring and Payments G&Cs – Performance Information 2. 3. 4. Mountain Pine Beetle 3. Conditional Grants Internal Audit Quality Assurance Self Assessment 5. Canada Business Service Centres Infrastructure Programs IM/IT Governance 4. Urban Development Agreements Performance Accountability Learning and Change Management Financial Analysis and Reporting Follow-up on past recommendations High 8. Information Technology Security Project Management – Project Gateway 6. 7. 5. 6. High High Mod 9. 7. 8. 10. Follow-up on past recommendations 8. Follow-up on past recommendations Risk Based Audit Plan 2009-2012 7 Western Economic Diversification Canada 5.2 Table 2: Audit Plan 2009-2010 Project, Scope, Objectives 1. Western Diversification Program Compliance with Treasury Board authorities, terms and conditions Audit Priority Rationale For Conducting Audit Very High Score 12 Links to Corporate Risks #1-9 Links to MAF Element: Policy and Programs Results and Performance Stewardship           Audit in progress, carried over from 2008-09. Expected completion May 2009 Complexity Materiality – WD’s largest program Third party dependencies WDP agreement renewal audit Towards holistic assurance Agreement Renewal audit required Complexity Materiality Third party dependencies 2. Community Futures Program Compliance with Treasury Board authorities, terms and conditions Very High Score 12 Links to Corporate Risks # 1,2,3,4,8, 9 Links to MAF Element Policy and Programs Results and Performance Risk Management Accountability Links to MAF Element Policy and Programs Results and Performance Risk Management Accountability Links to MAF Element: Policy and Programs Results and Performance Risk Management Stewardship 3. G&Cs – Third Party Delivery Examine mechanisms WD has put in place to ensure that the governance, risk management and controls in the third party organization work and will lead to intended results. Assess effectiveness, efficiency and economy of existing mechanisms G&Cs – Budget 2009 New Initiatives –Preliminary Assessment Assess that smart controls are established to enable successful delivery of CAF e.g. design, time pressure implications, clarity, quick results, governance, risk management, performance information collection, accountabilities, communication, financial management, Very High Score 11 Links to Corporate Risks # 1,2,3,4,8, 9      Results Third Party dependencies Values & ethics Terms and Conditions Significance is material 4. Very High Score 11 Links to Corporate Risks #1-9       New territory - change Materiality of stimulus initiatives Time pressures Quick expectations impacting controls Risk Management Compliance and policy impacts Risk Based Audit Plan 2009-2012 8 Western Economic Diversification Canada Project, Scope, Objectives policy consistency & compliance. Audit Priority Rationale For Conducting Audit Accountability           A forward looking audit towards desired sunset results Significance Holistic assurance Core program Third party dependencies G&C process cyclical audit No previous audit coverage Holistic assurance Significance IRM revised in 2008-09 5. G&Cs – Recoveries and Accounts Receivable Forecast recoveries from contribution agreements are monitored on a regular basis for progress and results reported as appropriate. Significant variances are identified and explained Integrated Risk Management Adequacy and effectiveness of corporate risk profiling, including risk identification and assessment and implementation of risk management strategies. The degree to which risk information is applied to planning and decision-making Internal Audit Quality Assurance Self Assessment Adequacy and effectiveness of the Internal Audit Activity and Audit Committee, including the degree to which departments are in compliance with IA Policy. Very High Score 11 Links to Corporate Risks # 1,2,4,8,9 Links to MAF Element: Policy and Programs 6. High Score 9 Links to Corporate Risks #1-9 Links to MAF Element: Risk Management 7. High Score 9 Links to Corporate Risks #1-9 Links to MAF Element: Stewardship Governance       Compliance with policy & standards Implementation milestones Qualified assessors perspective OCG Coordinated Effectiveness of activity Results communication Constant change environment No recent audit Holistic assurance OCG horizontal audit 8. Information Technology Security Security and privacy of organizational data and information. Assess threat/analysis and safeguards consistent with the compliance requirements and informed risk management Project Management – Project Gateway Examine strategies to risk manage time, cost and performance parameters for major IT investments and to ensure that the original investment drivers and High Score 8 Links to Corporate Risks # 8,1,5,3 Links to MAF Element: Stewardship        9. High Score 8 Links to Corporate Risks #1,2,7,9 Links to MAF Element: Stewardship Results and Performance Change Major new systems enhancement No previous audit Risk Based Audit Plan 2009-2012 9 Western Economic Diversification Canada Project, Scope, Objectives parameters are periodically validated over time. Audit Priority Rationale For Conducting Audit   Significant investment Holistic assurance 10. Follow-up on past recommendations Effective management action plans are implemented. Communicate any significant residual risk Moderate Score 7 Links to Corporate Risks #1-9 Links to MAF Element: Stewardship    Significance Required standard Residual risk communication Risk Based Audit Plan 2009-2012 10 Western Economic Diversification Canada 5.3 Table 3: Audit Plan 2010-2011 Project, Scope, Objectives 1. Governance Clarity of governance bodies’ roles and responsibilities,. Appropriateness of the governance processes in support of corporate planning and results. Alignment between strategic objectives and performance Audit Priority Rationale for Conduct Links to Corporate Risks #1-9 Very High Score 11 Links to MAF Element: Results and Performance Governance       Priority score vey high but Governance audit done in 2008-09, so can wait Organizational priority Significance Complexity Holistic assurance Follow-up to Governance & Performance audit in 2008, do after Strategic Review Other Audit Topics to cover simultaneously:      2. Governance & Performance follow-up audit Information for Decision Making Alignment of Accountability Instruments Regional and HQ Operations Strategic Review G&Cs – Monitoring & Payments Monitoring is conducted on a regular basis for both financial and non-financial requirements towards desired results. Compliance with terms and conditions of contribution agreements G&Cs – Performance Information Financial and non-financial performance project information results are documented and communicated to the required management level and stakeholders on a timely basis. Processes and systems exist to enable rollup and continuity of information systems. Mountain Pine Beetle Sound Stewardship, project management, governance, risk management and control mechanisms exist to achieve the results of the initiative Canada Business Service Centres Very High Score 11 Links to Corporate Risks # 1,4,8,9 Links to MAF Element: Policy and Programs Stewardship           Significance Holistic assurance Core program Third party dependencies G&C process cyclical audit Significance Holistic assurance Core program Third party dependencies G&C process cyclical audit 3. Very High Score 11 Links to Corporate Risks # 1,2,3,4,8,9 Links to MAF Element: Policy and Programs Results and Performance 4. High Score 9 High Links to Corporate Risks # 1,2,3,4,8,9 Links to MAF Element: Policy and Programs Results and Performance Links to MAF Element: Compliance No previous audit Holistic assurance Materiality  Client-focused services 5. Links to Corporate Risks Risk Based Audit Plan 2009-2012 11 Western Economic Diversification Canada Project, Scope, Objectives Sound Stewardship, project management, governance, risk management and control mechanisms exist to achieve the results of the program 6. Information Management and Technology Governance Adequacy and effectiveness of the IM/IT governance framework. Adequacy and effectiveness of the IT asset management functions, including investment planning, lifecycle Infrastructure Programs Compliance with authorities, terms and conditions of INFC-WD MOUs. Governance, stewardship, risk management, performance information, project and financial management Follow-up on past recommendations Effective management action plans are implemented. Communicate any significant residual risk Audit Priority Rationale for Conduct # 1,2,3,4,8,9 Score 8 Links to Corporate Risks # 1,4,7,8,9 Policy and Programs Results and Performance Links to MAF Element: Stewardship      No previous internal audit Third party dependencies Change No recent audit Holistic assurance High Score 8 7. High Score 8 Links to Corporate Risks #1-9 Links to MAF Element: Policy and Programs     Horizontal initiative program End of program audit Mandatory required audit – interdepartmental MOU Complexity Significance Required standard Residual risk 8. Moderate Score 7 Links to Corporate Risks #1-9 Links to MAF Element: Stewardship    Risk Based Audit Plan 2009-2012 12 Western Economic Diversification Canada 5.4 Table 4: Audit Plan 2011-2012 Project, Scope, Objectives 1. G&Cs Budget 2009 Initiatives Compliance with terms and conditions of agreements. Assess performance reporting, governance, risk management and controls on sunset initiatives Audit Priority Rationale for Conduct Very High Score 11 Links to Corporate Risks #1-9 Links to MAF Element: Policy and Programs Results and Performance                          Significance Holistic assurance Core program Third party dependencies G&C process cyclical audit Significance Holistic assurance Core program Third party dependencies G&C process cyclical audit Holistic assurance Third party dependencies Grants process audit No previous audit FedAA, follow the money concept Significance Holistic assurance Core program Third party dependencies G&C process cyclical audit Organizational priority Significance Complexity Holistic assurance No previous audit 2. G&Cs – Due Diligence Approval Process Assess the effectiveness, efficiency and economy of mechanisms in place that ensure stewardship, ethics, governance, risk management and controls in the project approval and funding process work and will lead to intended results. Conditional Grants Compliance with terms and conditions of specific grant agreements. Follow the money concept Very High Score 11 Links to Corporate Risks # 1,2,3,4,8,9 Links to MAF Element: Policy and Programs Results and Performance 3. High Score 8 Links to Corporate Risks # 1,2,3,4,8.9 Links to MAF Element: Client-Focus 4. Urban Development Agreements Compliance with terms and conditions of agreements. Assess performance reporting, governance, risk management and controls High Score 8 Links to Corporate Risks #1-9 Links to MAF Element: People 5. Financial Analysis & Reporting   Financial Statements Financial Reporting Controls Score 8 High Links to Corporate Risks # 1,2,3,4,7,8.9 Links to MAF Element: Stewardship Results and Performance Risk Based Audit Plan 2009-2012 13 Western Economic Diversification Canada Project, Scope, Objectives 6. Performance Accountability Relevant information on results, internal operations and programs is gathered and used to make departmental decisions, and public reporting is balanced, transparent and easy to understand. Other Audit Topics to cover simultaneously:       7. Corporate Performance and Reporting Information for Decision Making Alignment of Accountability Instruments Regional and HQ Operations Strategic Review Federal Accountability Act Audit Priority Rationale for Conduct Links to Corporate Risks #1-9 Links to MAF Element: Results and Performance Governance        Organizational priority Post Strategic Review Alignment and integration of priorities Significance Complexity Holistic assurance No previous audit High Score 8 Learning and Change Management Adequacy and effectiveness of internal communications, Adequacy and effectiveness of project management practices, in support of major transformative initiatives High Score 8 Links to Corporate Risks #1-9 Links to MAF Element: People Stewardship          Organizational priority Significance Complexity Holistic assurance No previous audit Significance Required standard Management Action Plan timelines Residual risk communication 8. Follow-up on past recommendations Effective management action plans are implemented. Communicate any significant residual risk Moderate Score 7 Links to Corporate Risks #1-9 Links to MAF Element: Stewardship Risk Based Audit Plan 2009-2012 14 Western Economic Diversification Canada 5.5 Table 5: Resource Allocation for 2009-2010 Budgeted costs for the first year 2009-10 projects include a combination of: full-time equivalent (FTE) employee costs, operating and maintenance (O&M) expenses and outsource contracting costs where applicable. Audit Project FTE O&M Total Cost Western Diversification Program 2. Grants and Contribution Community Futures 3. G&Cs – Third Party Delivery 4. G&Cs – CAF Initiatives 5. G&Cs – A/R and Recoveries 6. Integrated Risk Management 7. Internal Audit Quality Assurance Review 8. Information Technology Security 9. Project Management – Project Gateway Assurance projects sub-total Practice Management Assurance work sub-total 1. 0.3 1.6 0.7 0.6 0.6 0.5 0.3 0.3 0.5 5.4 1.0 6.4 0.6 1.0 8.0 $25,000 15,500 5,800 3,000 5,000 2,800 20,000 89,000 4,800 $170,900 10,000 $180,900 20,000 54,900 $255,800 $80,140 163,000 69,000 58,000 66,140 48,000 50,000 94,000 50,000 $678,280 100,420 $778,700 75,000 166,300 $1,020,000 Consulting Engagements Management and Overhead Total Risk Based Audit Plan 2009-2012 15