Chief Audit Executive Annual Report

March 31, 2013

1. Introduction

This report of the Chief Audit Executive of the Office of the Information Commissioner (OIC) review the activities of the OIC’s internal audit function from April 1, 2012, to March 31, 2013. It fulfills the annual reporting requirement under section 6.6 of the Treasury Board Secretariat Directive on Internal Auditing in the Government of Canada.

2. Overview of OIC’s internal audit function

2.1 General

The internal audit function helps the OIC to accomplish its objectives by bringing a systematic and disciplined approach to assessing and improving the effectiveness of risk management, control and governance processes.

The work of the internal audit function focuses primarily on the provision of assurance and compliance services—that is, objective examinations of evidence for the purpose of providing an independent assessment of the soundness of risk management strategies and practices, management control frameworks and practices, and information used for decision making and reporting.

2.2 Changes to the internal audit function in 2012–2013

The 2012–2013 fiscal year was a year of change for the internal audit function at the OIC:

  • The OIC terminated, due to poor performance, its association with the firm that had been providing auditing services since 2011. In its place, the OIC hired two firms to complete various projects.
  • One of the members of the Audit Committee, John McCrae decided to step down at the end of his term. In February 2013, the OIC engaged Bernard Bougie to fill the vacancy.
  • The Secretary to the Audit Committee accepted a position with another organization. Since then, the Director General, Corporate Services, has been acting in this role.
  • To comply with the Treasury Board Policy on Evaluation, the OIC decided to combine its audit and evaluation functions. The Audit Committee Charter was amended to this effect. Two new policies, specific to the OIC, were also developed, one on auditing and the other on evaluation. The mandate of the Audit Committee is in the process of being expanded to include evaluation functions and its name has been changed to the Audit and Evaluation Committee as a result.

Despite these changes, the internal audit function was able to provide the Information Commissioner with information, advice and assurance on whether important management systems and processes, and administrative services are appropriately designed and effectively operating to comply with policies and guiding principles.

2.3 Independence

Given that the OIC is a small entity, the OIC’s Chief Financial Officer has played the role of Chief Audit Executive (CAE). Since this model compromised the independence and integrity of the internal audit function to some extent, the OIC put mitigation strategies in place, such as contracting out the conduct of its audit engagements and the annual update of its Risk-Based Audit Plan to audit professionals. Although this model was functional, the OIC was of the view it could still be improved on to put further distance between the CAE and OIC management, without filling the position full time. As a result, the OIC assigned the CAE responsibilities to one of the external members of the Audit and Evaluation Committee, Bernard Bougie, in February 2013. The CAE will be supported by the Director General, Corporate Services. However, since this model was only put in place in recent months, the OIC is still working out the operational details.

The Director General, Corporate Services, ensures auditors have access to all the OIC records, databases, workplaces and employees required to conduct their work. The auditors have a direct line to the Commissioner and the external members of the Audit and Evaluation Committee throughout the conduct of audits. Moreover, it is important to note that the Office of the Auditor General conducts an independent financial audit of the OIC each year, and presents the results to the Audit and Evaluation Committee.

2.4 Quality assurance

In conducting internal audits for the OIC, audit professionals are required to comply with the Internal Auditing Standards of the Government of Canada. Each internal audit report must include an attestation that the audit was conducted in accordance with these standards.

3. Performance and results

3.1 Human resources staffing audit

The Public Service Commission (PSC) conducted an audit to determine whether the OIC had an appropriate framework, and systems and practices in place to manage its appointment activities, and whether appointments and appointment processes complied with the terms of the Public Service Employment Act (PSEA). The audit covered the period from January 1, 2010, to August 31, 2011; the report was tabled in the fall of 2012. The PSC found that there were some areas in which the OIC was not in compliance or that otherwise required attention. The OIC immediately developed an action plan aimed at strengthening its efforts to safeguard the integrity of the staffing system. In addition, the Information Commissioner decided on March 23, 2012, to outsource all human resources functions to an external service provider—Public Works and Government Services Canada’s Shared Human Resources Services (SHRS). The full transfer of services occurred on April 10, 2012.

One of the activities in the action plan was to undertake, via the internal audit function, a follow-up audit. The contract was awarded to Samson & Associates in the winter of 2013. The objective of the follow-up was to determine whether the OIC had, since the PSC audit, implemented an appropriate framework, and practices and systems to manage its appointment activities and whether appointments complied with the PSEA, the Public Service Employment Regulations, the PSC Appointment Framework and other policies. The results of the follow-up audit were presented to the Audit and Evaluation Committee in May 2013. The President of the PSC attended the committee meeting and noted in her remarks her appreciation of the way the OIC responded to the audit and of management’s rapid development and implementation of the action plan. She also requested that the OIC share its experience for the benefit of other small organizations.

3.2 Office of the Auditor General audit

The OIC received an unmodified opinion from the Office of the Auditor General for 2011–2012. The audit report is available on the OIC website.

3.3 Review of internal controls

The OIC had tasked Samson & Associates in 2010 with documenting and carrying out a preliminary review of key financial processes in place from April 1, 2010, to September 30, 2010. The following significant processes and controls were documented: salary expenditures, purchase of goods and services and payment to suppliers, management of assets and inventories, and accounting period closing processes and controls. In 2012–2013, it became apparent that it was time to review and update all documentation related to human resources internal controls and processes in light of the OIC’s having outsourced its human resources function to SHRS and since that outsourcing had led to some changes in processes and control points.

The objective of this project was to validate the human resources internal controls that the OIC had already documented and to update these controls, as required, based on any new processes. In particular, the review looked at controls related to the input into the Human Resources Information System (used by the OIC only) and to the information OIC sends to SHRS for input into the Regional Pay System. This review was conducted to provide management with reasonable assurance that these controls were in place such that employees were paid according to the terms and conditions of employment, collective agreements, and Treasury Board and OIC policies. In addition, Samson reviewed controls related to approvals under sections 32, 33 and 34 of the Financial Administration Act throughout the pay administration cycle.

Samson found that even though the OIC had modified its human resources practices and control framework, including redefining roles and responsibilities of stakeholders, key controls related to the management of human resource functions are in place. It noted that only minor improvements are required and made a series of recommendations to further strengthen overall stewardship and accountability, and improve the effectiveness of the OIC’s human resources and pay administration processes. The recommendations took into account the OIC’s small size and the resulting difficulty of having a high level of segregation of duties, along with available resources and the transition to SHRS—to strengthen the effectiveness of the controls while ensuring that it is feasible to implement the proposed solutions.

3.4 Risk Based Audit and Evaluation Plan

The Risk-Based Audit and Evaluation Plan (RBAEP) for the OIC combines both the internal audit and evaluation plans for the next five years (2014 to 2018). The objective of the RBAEP is to allocate resources to the areas of most significant risk and priority to the OIC as well as to align with the requirements of Treasury Board policies on internal audit and evaluation.

The RBAEP further builds on the OIC’s 2010–2013 Risk-Based Audit Plan through the integration of evaluation projects in accordance with the Treasury Board Policy on Evaluation. The plan identifies resource requirements to ensure that requests from the Audit and Evaluation Committee and the Executive Committee can be allocated efficiently and in a timely manner. The RBAEP reconfirms the objective of allocating resources to those areas that represent the most significant organizational priorities and to ensure that internal audit and evaluation services will provide the greatest benefit to the OIC.

The audit and evaluation coverage proposed by the integrated RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of the budget constraint assumption on which the plan is based and allows for carrying out one or two projects per year. The five-year plan takes into account the necessary alignment with organizational risks and priorities. The RBAEP presupposes that additional funding will be allocated to support the evaluation of direct program spending.

3.5 Capacity and resource utilization

The internal capacity for the internal audit function amounted to .5 to .75 full-time equivalents over the course of the year. The main resources for the internal audit function were acquired under contract to professional auditors for both the conduct of the audit engagements and the update of the Risk-Based Audit Plan.

The OIC is working with other Agents of Parliament to find a better solution for internal audit. For example, the OIC and the Office of the Commissioner for Official Languages (OCOL) has begun sharing various documents, such as their respective audit charters, policies, RBAEPs.

4. The year ahead

In 2013–2014, the OIC will continue to implement its new model for the internal audit function, in particular having the responsibilities of the CAE carried out by an external member of the Audit and Evaluation Committee. It will also begin to implement the 2014–2013 RBAEP, including conducting an audit of its physical infrastructure security after it relocates its offices in late 2013. This will be the first opportunity for the OIC to engage outside audit services under a contract put in place by OCOL. Finally, the OIC will continue to share information with other Agents of Parliament on the subject of internal audit to build expertise and capacity among these offices.

Date modified: