This is how we determine which areas we're going to look at. We do a risk-based plan. So we will go through, actually, a pretty extensive exercise to determine the major risks to a department in achieving its objectives, in close consultation, obviously, with the department, but also with outside stakeholders. Then we will look to see which of those risks can be subject to audit. Some could be issues of policy, which of course we don't get into. Then we do our plan for three to five years.
On June 15th, 2006. See this statement in context.