Audit of Risk Mitigation in Human Resources Branch (2007-716)

2008-09-25

Table of Contents

• Main Points
  • What was examined
  • Why it is important
  • What was found
  • Management Response Management Response - Main Points
• Introduction
• Background
• Focus of the Audit
• Observations
  1. Human Resources Branch has identified mitigation strategies to respond to identified human resources risks.
  2. The identified mitigation strategies were not reassessed when funding was not available.
  3. The monitoring of risk mitigation implementation to assess the functioning and effectiveness of risk responses is weak, lessons learned are not identified and analysed on a Branch-wide basis and the process is not adequately documented.
  4. HRB needs to ensure that its managers receive the training and guidance necessary to implement the Integrated Risk Management process.
• Conclusions
• Management Response Management Response - Conclusions
• Recommendations
• About the Audit
  • Objectives
  • Scope and Approach
  • Criteria
  • Audit Work Completed
  • Audit Team

Main Points

What was examined

1. The auditors examined the process used by the Human Resources Branch (HRB) to effectively manage identified and assessed risks, and achieve the expected results of their business plan commitments.

2. An examination was done of:

• HRB's risk mitigation strategies (2007-2008);
• HRB's monitoring of the progress on the risk mitigation strategies; and
• HRB's documentation of the risk mitigation process.

Why it is important

3. Effective risk management ensures the continuity of government operations - to maintain services and protect the interests of the Canadian public. Risk management can be extremely cost-effective when departments assess and manage their risks properly. This enables departments to determine the most economical way to avoid risks entirely, or reduce them to a minimum, thereby limiting potential expenditures arising from accidents or emergencies and maximizing achievement of objectives.

4. The importance of risk management has been growing steadily over the last several years. There is increasing awareness and expectation of the need to manage risks, rather than leaving them solely to insurance.

5. Public Works and Government Services Canada's (PWGSC) mandate is to act as a common service provider for the Government of Canada's various departments, agencies and boards. With a strong focus on quality services and sound financial stewardship, PWGSC ensures optimum value by enabling other government departments and agencies to effectively provide programs and services to Canadians.

6. Central to the management of PWGSC's 13,743-person workforce is an efficient and effective human resources function. As part of its integrated risk management process, HRB identified three key risks that may have the biggest impact on the Branch, its clients and departmental priorities. Management of these risks will affect the way HRB provides services to client branches within PWGSC. If left unmitigated, such risks may jeopardize the quality and efficiency of services that PWGSC provides to other government departments and agencies.

What was found

7. HRB has made progress in integrating risk management into its planning process during its inaugural Integrated Risk Management process. This demonstrates the Branch's commitment to integrating risk into its yearly business planning process. However, we have identified some areas for improvement.

8. Specifically

• HRB developed mitigation strategies to respond to identified risks. However, once it was determined that HRB would not receive the requested funding to implement its risk mitigation strategies, we could find limited evidence that these strategies were reassessed.
• We also found limited evidence of ongoing monitoring of the implementation of the risk mitigation strategies to assess functioning and effectiveness of responses. In addition, documentation of monitoring is weak. Although Branch managers took actions individually to monitor progress on risks affecting their divisions, we could find only limited evidence that monitoring was carried out in an organized, Branch-wide fashion. Improved monitoring of the risks and related mitigation strategies would ensure their ongoing relevance.
• Branch-level analysis and documentation of lessons learned needs to be improved. To ensure they are identified, more detailed analysis, discussion and documentation are required during HRB's mid-year review. This will allow the Branch to conduct effective risk assessments in the future.
• HRB noted that its managers have not received training in the field of risk. This created challenges for those involved in the risk management process.

Management Response

9. HRB considers the results of the Audit accurately and fairly reflect the state of Integrated Risk Management within HRB during the fiscal year 2007-08. HRB intends to act on all three recommendations of the audit by implementing a Management Action Plan, detailed as follows.

10. The auditors recommend that the Assistant Deputy Minister, HRB:

1. Actively monitor and document implementation of risk mitigation strategies to assess the functioning and effectiveness of responses, modify the risk profile as required, and take early and effective remedial action where required.

HRB's response. HRB accepts the recommendation and will be taking the following actions:

1.1 As part of its objective to better integrate risk management into its daily operations, HRB will include a standing item on the Human Resources Branch Management Committee agenda, quarterly in line with the Business Planning schedule, to manage, monitor, assess, and modify risk mitigation strategies as per documented HRBMC minutes.

1.2 Develop and implement a monitoring process to evergreen the HRB business plan.

2. Analyse and document the results of the risk management process at the Branch-level to identify lessons learned for subsequent integrated risk management, human resources, and operational planning and reporting.

HRB's response. HRB accepts the recommendation and will be taking the following actions:

2.1 Conduct a risk review of HRB which:

• Assesses Risk Management Maturity, Capacity and Approach in HRB
• Develops a comprehensive HRB Risk and Issues Inventory
• Promotes Risk Management Maturity in HRB

2.2 Analyse, document and communicate Integrated Risk Management lessons learned annually as part of the initiation of the business planning cycle and dedicate a HRBMC meeting for this specific purpose.

3. Ensure that Branch managers receive the training and guidance necessary to implement the integrated risk management process.

HRB's response. HRB accepts the recommendation and will be taking the following action:

3.1 Organize and have delivered an Integrated Risk Management course for the entire HRB extended management team.

3.2 Incorporate training into the orientation for new managers' course.

Introduction

11. The objective of the audit was to assess the implementation of the Human Resources Branch's (HRB) risk mitigation strategies and related action plan.

Background

12. In 1994, the Treasury Board (TB) issued the Risk Management Policy. The policy's objective is to ensure that Departments manage their risks. Later, in April 2001, the Treasury Board Secretariat (TBS) issued the Integrated Risk Management Framework (the Framework) as guidance for managing risk. The result of extensive research conducted in Canada and abroad, the Framework is built upon a strong foundation of consultation and cooperation. A key feature of the Framework is its corporate approach to managing risks, which involves identifying, understanding, assessing and managing key risk challenges from an organization-wide perspective.

13. Public Works and Government Services Canada (PWGSC) is committed to strengthening its risk management practices to support enhanced decision-making. To this end, PWGSC published its own Integrated Risk Management Framework in 2001. The Department's Integrated Risk Management Policy defines the roles and responsibilities for PWGSC employees with respect to risk management. It also serves as a guide to support the development of organization-wide risk management practices.

14. In an effort to manage the risks arising from the ongoing business transformation and supporting reforms, PWGSC established the Office of the Chief Risk Officer (OCRO) in Fall 2005. OCRO's mandate is to provide independent assurance to the Deputy Minister that significant risks are identified and appropriately managed, and to strengthen the Department's risk management process. It provides a focal point for risk management advice as well as oversight of the implementation of the departmental Integrated Risk Management Framework and Policy.

15. PWGSC's Risk Management Process is outlined in the Department's Integrated Risk Management Framework and is comprised of the following activities:

• Risk Identification: the goal of risk identification is to identify risks that threaten the achievement of objectives and priorities.
• Risk Assessment: the goal of risk assessment is to assess the likelihood and impact of the risk occurring and to rank risks based on this assessment so highest-priority risks receive the greatest attention.
• Risk Response (or Risk Mitigation): the goal of risk response is to find cost-effective options for preventing or reducing the likelihood or impact of risks.
• Monitoring: the goal of monitoring is to assess the functioning and effectiveness of risk responses and to identify changes to the risk profile.
• Documentation of risk management: the goals of documenting the risk management process are to communicate decisions to the parties involved, refer to them as a tool for lessons learned, and demonstrate due diligence.

16. The audit's focus was in the area of risk mitigation, which comprises risk response, monitoring, and documentation of risk management.

17. HRB plays a key role in supporting the Department in achieving its priorities. This role contributes to effective human resource management by creating and maintaining an internal support structure of policies, tools, frameworks, corporate human resources expertise and client support teams. HRB provides support to departmental clients, particularly managers with sub-delegated human resources authorities, so they can effectively manage human resources to meet business goals and contribute to departmental priorities.

18. HRB has integrated risk into their 2007/2008 business planning process. They have identified three key risks that may have the biggest impact on HRB, client and departmental priorities:

• Inability to create and sustain sufficient capacity within HRB to fully support PWGSC's transformation and sustaining agendas offer core services and to fully support modernized Human Resource Management in PWGSC;
• Inability to modernize human resources systems and business approaches to align with human resources modernization objectives; and
• Inability to ensure full departmental compliance with the Public Service human resources legal and regulatory framework.

Focus of the Audit

19. HRB separated from Corporate Services, Policy and Communications Branch in Spring 2006, becoming a separate branch. We focussed on HRB's first complete integrated risk management process conducted in 2007/2008 and the risk mitigation strategies developed to achieve the expected results of its business plan.

20. More information on the objectives, scope, approach and criteria can be found in the section, "About the Audit."

Observations

1. Human Resources Branch has identified mitigation strategies to respond to identified human resources risks.

21. A risk mitigation strategy is any action taken by management to prevent or minimize the impact of a risk occurring.

22. We expected to find that HRB had developed risk mitigation strategies for identified human resource risks.

23. Having regained Branch status in spring 2006, HRB has been concentrating on rebuilding its capacity to better contribute to effective Departmental Human Resources Management. In undertaking its first integrated risk management process, HRB was faced with the challenges of both limited resources to dedicate to the exercise and limited support in applying a formal integrated risk management process.

24. We found that HRB has developed a risk management process for the Branch and that it uses an integrated approach to planning, effectively building in risk mitigation into the process. In the 2007/2008 business planning period, the Branch identified risks taking into account the previous year's risks and the current situation. This resulted in three key risks and 16 risk mitigation strategies being identified in the 2007/2008 Human Resources Branch Final Business Plan. We found that the mitigation strategies were designed to prevent or reduce the likelihood or impact of the identified risks.

25. While we recognize that this was the first Integrated Risk Management process for the Branch, we found that HRB was very optimistic in their approach to mitigating their key risks. While it is important not to discourage ambitious plans, this must be balanced against the possibility that risks will be unmanaged should the plans not be implemented.

26. As mentioned, part of OCRO's role is to provide a focal point for risk management advice. At the time of the audit, OCRO had not provided comments on HRB's Risk Profile and Risk Mitigation Strategies prepared through the 2007-2008 Business Planning Cycle.

"Best Practices in Risk Identification, Assessment and Mitigation

• Using a risk-based approach to planning facilitates the integration of risk mitigation into the planning process.
• Risk identification should be based on internal and external risks and linked to Department and Branch priorities and commitments.
• Risk assessment should adequately take into account both the likelihood of the risk and the impact of its occurrence and mitigation strategies should consider the cost/benefit of implementing the strategies.
• Risk profiles and mitigation strategies should be reviewed and challenged by risk experts to assist in ensuring consistent application of the policy and framework, and the appropriateness of risk mitigation actions taken."

2. The identified mitigation strategies were not reassessed when funding was not available.

27. Resources within the organization can cover the cost of implementing some mitigation strategies. However, in other cases, additional resources are required. If resources are not available, strategies need to be reworked to reflect the operational constraints faced by the organization.

28. In developing its risk mitigation strategies, HRB identified a need for additional funding to help mitigate its three main risks. HRB developed four Strategic Investment Proposals seeking funding from the Department's Strategic Reserve of $12.75M to fund their mitigation strategies.

29. These included:

1. Strengthening Human and Systems Capacity in Compensation ($6.8M);
2. Investing in Human Resources Branch Capacity to Support the Transformation Agenda ($3.5M);
3. Leadership Development to Support the Transformation Agenda ($450K); and
4. PeopleSoft Readiness: Pre-Definition Phase ($2M).

30. These proposals were considered in the context of other proposals seeking funding. As a result, HRB received $5M for Strengthening Human and Systems Capacity in Compensation from the strategic reserve. No additional funding was granted to help mitigate the three remaining proposals.

31. Identification and mitigation of risks must be an ongoing process to manage risks effectively. We expected HRB to demonstrate that risk mitigation strategies would be reassessed once it was determined that funding had not been allocated to the Branch's funding requests. While HRB stated in its business cases that without funding there would be an impact on its provision of core human resources services and would add further delays in responding to much-needed improvements in the Department's human resources systems to support the Transformation Agenda, we did not see any formal monitoring or review of HRB's risk mitigation strategies to support re-assignment of resources, or to identify the specific impacts of not receiving funding.

"Best Practices in Implementing Risk Mitigation Strategies

• Identification of risk mitigation strategies needs to adequately take into account the tolerance to accept, transfer, share, avoid or mitigate risk; costs for their mitigation and impact on the risk; and the capacity to obtain resources to respond to them.
• Business cases that clearly outline the risks, the proposed mitigation strategies, and the consequences of not implementing those strategies are prepared when it is determined that the cost of implementation of some mitigation strategies requires additional support.
• Risk mitigation strategies need to be modified if the availability of resources varies from original plans."

3. The monitoring of risk mitigation implementation to assess the functioning and effectiveness of risk responses is weak, lessons learned are not identified and analysed on a Branch-wide basis and the process is not adequately documented.

32. Monitoring of risk mitigation strategies allows management to assess the functioning and effectiveness of risks responses and take early and effective action where responses are not having the desired impact. Documentation of the risk mitigation process allows the Branch to demonstrate the rational for decisions made. Without ongoing evaluation of the risk management process there is no assurance that lessons learned are identified and that subsequent improvement of decision-making and appropriate reporting on performance and results is accomplished.

33. PWGSC Departmental Policy on Integrated Risk Management assigns responsibility for managing risks to the Departmental Policy Committee, Branch and operating managers, and states that the Departmental risk profile is to be reviewed regularly. Further, the policy requires that management and employees ensure that significant components of the risk assessment are documented. It notes that the extent of documentation required will depend on the magnitude and complexity of the risk issues involved, stakeholder expectations, and the anticipated need to explain and reference the risk assessment. Finally, documentation allows management to demonstrate due diligence in the future.

34. We expected to find HRB's risk mitigation process to be adequately monitored and documented to communicate and manage risk. Further, we expected the process to be evaluated and lessons learned to be integrated into future activities. This includes compliance with PWGSC and TB policies and TBS frameworks.

Limited evidence of ongoing monitoring and its documentation

35. We found that there was some monitoring of progress against risk mitigation strategies. This included responding to some of the Public Service Commission's mandatory requirements for monitoring.

36. However, we found limited evidence of ongoing monitoring of the implementation of the risk mitigation strategies to assess functioning and effectiveness of responses. In addition, documentation of monitoring is weak. Without adequate monitoring, the Branch is unable to identify changes to the risk profile, or adjust to ongoing corrective actions. Although issues related to individual risk mitigation strategies may be raised at various meetings and retreats, ongoing monitoring of risks and risk mitigation strategies is not undertaken in an organized fashion.

37. HRB's Dashboard is the mechanism used to document, monitor and report on progress on specific actions taken for each of the Branch's risk mitigation strategies. However, it was not used effectively for this purpose. Although the Dashboard was populated with initial information, we noted that there was little monitoring of the status of actions. As there have been minimal updates since the information was first recorded, we could find no indication of continual monitoring or progress on file.

38. Based on HRB's action plan, the Branch was to establish Integrated Risk Management as a bi-monthly agenda item for the HRB Management Committee. We did not find any documentation, presentations, minutes of meetings, or records of decision as evidence that Integrated Risk Management was discussed every other month at HRB's Management Committee. In addition, we could find no formal documented steps to ensure that the results of HRB mitigation strategies are reported to appropriate personnel within and outside the Branch.

39. The 2008/2009 Business Planning Cycle was initiated during the Branch's 2007/2008 mid-year review. This process was to include a review of risks and lessons learned from 2007/2008 to develop corrective actions and preventive action plans by adjusting operational plans. Senior management was asked to develop corrective and preventive action plans and detailed reports on the status of various risk mitigation strategies for the identified risks. While HRB reported some progress against several of the 16 mitigation strategies, we saw only limited progress on a number of key strategies. For example, there was a lack of progress in the development of detailed sub-plans (including Staffing Plans, Retention Plans, Succession Plans, Learning Plans and Classification Plans) that expand on the current framework of the Human Resources Plan. The implications of not developing the sub-plans were not reported.

40. If HRB is to ensure that it is adequately responding to the identified risks it needs to: monitor risks and related mitigation strategies on a continuous basis to ensure their ongoing relevance and success; and document this monitoring. The process HRB is currently using is not sufficient to measure progress and manage risks.

Need for identification, analysis and documentation of results and lessons learned on a Branch-wide basis.

41. As previously mentioned, one of the objectives of the Departmental Integrated Risk Management Policy is to create a risk-smart culture and environment by fostering a workforce that values learning from experience, shares best practices and lessons learned, and embraces innovation. Documenting the rationale for arriving at decisions strengthens accountability and demonstrates due diligence. In addition to demonstrating accountability, transparency and due diligence, proper documentation may also be used as a learning tool.

42. HRB is using the established/documented departmental processes identified in the Departmental Policy and the PWGSC Integrated Risk Management Framework. As part of the 2007/2008 Human Resources Branch Final Business Plan, HRB documented the results of its initial risks identification and assessment process. As well, individual managers have taken steps to implement lessons learned within their individual sectors.

43. Some of the key lessons learned and being acted upon include:

• With the support of the Chief Executive Officer, Information Technology Services Branch, the Director of Business Systems and New Initiatives is redrafting the PeopleSoft business case to better articulate why funding for the software is needed. The intention is to present it at the next Departmental Committee meeting where funding priorities are established.
• Human Resource Planners, who develop human resources plans for client branches, are introducing a new template for the 2008/2009 Human Resources Plans. This template places a greater emphasis on risk assessment, including a set process and a Guide to Human Resources Planning. The Guide will discuss the roles of Human Resources Planners, stakeholders, the Human Resources Service Director and Branch senior management, as well as defining the Human Resources Planner's deliverables. HRB also plans to hire a consultant to create a Human Resources planning calendar so that the cycle is completed at the same time each year.

44. While we did find evidence of lessons learned at a sector level, documentation of results and lessons learned on a Branch-wide basis needs to be improved. This will enable early corrective action and guidance for subsequent human resources planning and risk management activities. In addition, we saw limited reporting on the implications of issues and on which issues management should address. We found that the section on risk management in HRB's operational plans was not completed thoroughly and was not being used as an effective tool to monitor and report on the implementation of the risk mitigation strategies.

45. As part of the mid-year review, HRB was to discuss lessons learned from the Integrated Risk Management Process to guide the development of the plan for the next fiscal year as well as the IRM process. Although no documentation could be provided, we were informed during interviews that lessons learned were discussed. We expected, as part of the mid-year review process, that HRB would have developed a presentation on the results of monitoring to date and lessons learned. We also expected that minutes or records of the meeting and other documentation would be available to show that standing items were discussed, along with corrective actions taken for issues raised, risk review or monitoring, and lessons learned. We found no evidence that this was undertaken. Documentation or records of monitoring, adjustments, decisions and lessons learned are needed to facilitate work on subsequent operational plans and to identify ongoing and future risks.

46. To ensure that lessons learned are used to improve activities, there is a need for more detailed analysis, discussion and documentation. In this way, planning in subsequent years can take into consideration any lessons learned to enable the Branch to conduct effective risk assessments in the future.

"Best Practices in Risk Monitoring and Documentation

• Risk mitigation strategies need to be modified as situations change, new risks are identified and/or progress is not as anticipated.
• Risk management performance needs to be monitored, documented and communicated throughout the year to manage risks and facilitate decision-making on corrective actions.
• Risk management includes accepting and learning from both successes and mistakes by identifying and communicating best practices and lessons learned.
• The mid-year review of the business planning cycle is an ideal time to formally review risks, identify lessons learned and ensure corrective actions are taken in areas of concern. This will also facilitate planning and Integrated Risk Management for the next fiscal year."

4. HRB needs to ensure that its managers receive the training and guidance necessary to implement the Integrated Risk Management process.

47. The Department has developed a Risk Management Guide/Handbook based on the TB Framework for integrating risk management. This document provides HRB managers with a common approach to aid them in assessing and addressing risks.

48. HRB has noted that many of its managers have not received formal training in the field of risk management. Without proper training and guidance, it is challenging for managers to identify all of the risks and develop appropriate strategies and actions to mitigate these risks.

49. HRB needs to ensure that its managers receive the training and guidance necessary to implement the integrated risk management process. This includes obtaining guidance and assistance from functional experts on integrated risk management and feedback on profiles and strategies developed. Over the course of the audit, OCRO has developed a course curriculum on risk management for PWGSC managers and held a pilot course on February 21, 2008.

"Best Practices in Implementing the Risk Management Process

• Managers need training to acquire and maintain knowledge of the IRM framework, policy, risk management procedures and tools. This will provide them with a common approach to assess risks, develop risk mitigation strategies and implement the integrated risk management process.
• Risk managers need ongoing guidance to effectively implement the integrated risk management process. This will provide them with the skills and abilities they need to apply the policy, framework and risk management tools that have been developed."

Conclusions

50. HRB's inaugural Integrated Risk Management process demonstrated a commitment to integrating risk into its annual business planning process. We found that the Branch has developed mitigation strategies to respond to identified human resources risks. We also found that HRB, when faced with an absence of funding, did not reassess the situation to determine appropriate mitigation strategies that could be implemented with existing resources.

51. Although HRB managers took actions individually to monitor progress on risks affecting their respective sectors, there is limited evidence that monitoring was carried out using an organized Branch-wide approach. We found only limited information of the results of the implementation of risk mitigation strategies being communicated to management. As a result, there was no assurance that management monitored the Integrated Risk Management process. Additional attention to ongoing evaluation of the risk management process and its documentation will allow the Branch to better demonstrate due diligence and will facilitate the identification of lessons learned to assist HRB to respond better to its risks and serving its clientele.

Management Response

52. HRB considers the results of the Audit accurately and fairly reflect the state of Integrated Risk Management within HRB during the fiscal year 2007-08. HRB intends to act on all three recommendations of the audit by implementing a Management Action Plan, detailed as follows.

Recommendations

The auditors recommend that the Assistant Deputy Minister, HRB:

1. Actively monitor and document implementation of risk mitigation strategies to assess the functioning and effectiveness of responses, modify the risk profile as required, and take early and effective remedial action where required.

HRB's response. HRB accepts the recommendation and will be taking the following actions:

1.1 As part of its objective to better integrate risk management into its daily operations, HRB will include a standing item on the Human Resources Branch Management Committee agenda, quarterly in line with the Business Planning schedule, to manage, monitor, assess, and modify risk mitigation strategies as per documented HRBMC minutes.

1.2 Develop and implement a monitoring process to evergreen the HRB business plan.

2. Analyse and document the results of the risk management process at the Branch-level to identify lessons learned for subsequent integrated risk management, human resources, and operational planning and reporting.

HRB's response. HRB accepts the recommendation and will be taking the following actions:

2.1 Conduct a risk review of HRB which:

• Assesses Risk Management Maturity, Capacity and Approach in HRB
• Develops a comprehensive HRB Risk and Issues Inventory
• Promotes Risk Management Maturity in HRB

2.2 Analyse, document and communicate Integrated Risk Management lessons learned annually as part of the initiation of the business planning cycle and dedicate a HRBMC meeting for this specific purpose.

3. Ensure that Branch managers receive the training and guidance necessary to implement the integrated risk management process.

HRB's response. HRB accepts the recommendation and will be taking the following actions:

3.1 Organize and have delivered an Integrated Risk Management course for the entire HRB extended management team.

3.2 Incorporate training into the orientation for new managers' course.

About the Audit

Objectives

53. The objective of this internal audit was to assess the implementation of the Human Resources Branch's (HRB) risk mitigation strategies and related action plan.

Scope and Approach

54. This audit was conducted from November 2007 to February 2008. It focused on the 2007/2008 risk mitigation strategies developed by HRB to achieve the expected results of its business plan commitments.

55. The audit scope included the Branch's method of risk mitigation, risk monitoring and documentation of risk management that respond to its identified risks. Both intuitive and systematic risk management approaches used by managers were considered.

56. The audit was conducted in accordance with the TB Policy on Internal Audit and the Internal Auditing Standards for the Government of Canada

57. Interviews were conducted with key personnel. Relevant processes and documentation were reviewed. Based on analysis of the information and evidence collected, the audit team prepared audit findings and conclusions, which were validated with the appropriate managers prior to tabling the Draft Final Report at the PWGSC Audit and Evaluation Committee.

Criteria

58. The following audit criteria were reviewed and accepted by the Human Resources Branch:

1. Human Resources Branch identifies mitigation strategies to respond to the human resource risks identified.
2. Risk mitigation implementation should be monitored to assess the functioning and effectiveness of risk responses.
3. The risk mitigation process should be documented to communicate and manage risk.

Audit Work Completed

59. Audit fieldwork for this audit was substantially completed on February 13, 2008.

Audit Team

60. The audit was conducted by members of the Audit and Evaluation Branch and a human resources audit consultant under the overall direction of the Chief Audit Executive, Audit and Evaluation Branch.