2014–2018
Integrated Risk-Based Internal Audit and Evaluation Plan
Office of the Information Commissioner

Executive Summary

1.1 Introduction

This document presents the Integrated Risk-Based Audit and Evaluation Plan (RBAEP) for the Office of the Information Commissioner of Canada (OIC). The RBAEP combines both the internal audit plan and the evaluation plan for the next five years (2014 to 2018). The objective of the RBAEP is to allocate resources to the areas of most significant risk and priority to the OIC, as well as to align with the requirements of Treasury Board (TB) policies on internal audit and evaluation.

The RBAEP builds on the OIC’s 2010–2013 Risk-Based Audit Plan through the integration of evaluation projects in accordance with the TB Policy on Evaluation. The plan identifies resource requirements to ensure that requests from the Audit and Evaluation Committee and the Executive Committee can be allocated efficiently and in a timely manner. The RBAEP reconfirms the objective of allocating resources to those areas that are of the most significant organizational priority and to ensure that internal audit and evaluation services provide the greatest benefit to the OIC.

As an Agent of Parliament, the OIC is independent from government and the oversight of the Treasury Board of Canada Secretariat (TBS). Consequently, the OIC considers its internal oversight mechanisms (including internal audits and evaluations) of increased importance in helping ensure that adequate management practices are in place.

1.2 Proposed Audits and Evaluations

The audit and evaluation coverage proposed in the RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of budget constraint, and allows for one or two projects per year. The five-year plan takes into account the necessary alignment with organizational risks and priorities. The RBAEP presupposes that additional funding will be allocated to support the evaluation of direct program spending.


| Year | Audit Project Name | Primary Entity | Estimated Budget |
|---|---|---|---|
| 2013–2014 | Audit of Staffing and Governance | Corporate Services | $30,000 |
| 2014–2015 (after the move) | Audit of Information Technology and Physical Infrastructure Security | Corporate Services | $45,000 |
| 2014–2015 | Evaluation of Complaints Resolution and Investigations, Phase I: Development of Performance Measurement and Evaluation Framework | Complaints Resolution and Compliance (Legal Services) | $25,000 |
| 2015–2016 | Audit of Procurement and Contracting | Corporate Services | $35,000 |
| 2015–2016 | Audit of Information Management | Corporate Services | $35,000 |
| 2016–2017 | Evaluation of Complaints Resolution and Investigations, Phase II: Implementation | Complaints Resolution and Compliance (Legal Services) | $75,000 |
| 2017–2018 | Audit of Case Management System | Corporate Services | $40,000 |

2 Planning Context

2.1 Background

The Office of the Information Commissioner is an independent public body established in 1983 under the Access to Information Act to support the Information Commissioner of Canada in her roles as Agent of Parliament and ombudsman. The mandate of the OIC is to assist individuals and organizations who believe that federal institutions have not respected their rights under the Act. In doing so, the OIC must also ensure that the rights of government organizations and any involved third parties are respected.

Each Information Commissioner is appointed by and reports directly to Parliament. The Commissioner provides arm’s-length oversight of the federal government’s access to information practices. The Commissioner encourages and helps institutions adopt approaches to information sharing that meet the objectives of the Act, and advocates for greater access to information in Canada.

The Commissioner has strong investigative powers to assist her in mediating between dissatisfied information requesters and government institutions. As an ombudsperson, the Commissioner may not order a complaint to be resolved in a particular way, although she may refer a case to the Federal Court for resolution. The Information Commissioner is supported by the staff of the OIC. They carry out investigations and dispute resolution efforts to resolve complaints, represent the Commissioner in court cases and provide legal advice on investigations and legislative matters.

The OIC is funded through annual appropriations from Parliament. The OIC has a workforce of 89 full-time equivalents and an annual operating budget in excess of $11 million. The OIC receives and investigates between 1,500 and 1,800 complaints annually, pursues important principles of law, engages with stakeholders, and provides advice to Parliament on matters within the scope of the Commissioner’s powers, duties and functions.

2.2 Government Priorities

In March 2011, the Government of Canada launched its Open Government Strategy and then later that year announced its intention to join the international Open Government Partnership. The government released Canada’s Action Plan on Open Government in 2012. This plan sets out federal commitments over the subsequent three years to Canadians and for the Open Government Partnership, and is structured along the three streams of the federal Open Government Strategy: open information, open data and open dialogue.

The current economic priorities of the Government remain focused on economic recovery and the return to fiscal balance by 2015–2016. Budget 2010 announced a number of cost-containment measures to reduce the rate of operating expenditures over the following three years. Budget 2011 re-announced a strategic and operating review of federal spending, now referred to as the Deficit Reduction Action Plan, to achieve at least $4 billion in ongoing savings by 2014–2015. Budget 2012 announced focused spending reductions intended to result in a more productive, efficient and responsive government by doing the following:

  • refocusing government and programs;
  • making it easier for Canadians and businesses to deal with their government; and
  • modernizing and reducing back-office functions.

2.3 OIC Strategic Outcome and Operational Priorities

In its 2013–2014 Report on Plans and Priorities, the OIC identifies its strategic outcome as, “Requestors’ rights under the Access to Information Act are safeguarded.”

The OIC’s operational priorities for 2013–2014 are the following:

  • Exemplary service delivery to Canadians: carry out efficient, fair and confidential investigations.
  • A leading access to information system: help create an efficient and modern access to information system.
  • An exceptional workplace: attract and retain high-quality staff.

2.4 Key Organizational Risks

The OIC undertakes an annual corporate risk profile exercise to identify, update and assess key risks. The risk profile serves as the foundation for effective risk mitigation and management, and informs corporate planning and decisions. Three important risks were identified by management and included in the 2013–2014 Report on Plans and Priorities:

  • Financial resource constraints: the risk that successive and significant budget cuts have placed the OIC at the limit of its financial and organizational flexibility.
  • Changing complaints picture: the risk that continued significant increases in complaints received could seriously stretch OIC’s investigative resources, possibly resulting in a growing inventory of complaints. A further risk is that institutions may not be able to respond to investigative queries in a timely manner, which could result in the OIC having to follow more formal processes, in increased litigation and, ultimately, in there being a negative impact on requestors’ rights.
  • Workforce: the risk that the 2013–2014 office move will have a negative impact on OIC’s productivity. Productivity will be diminished during the move and there will be a period of diminished efficiency as the workforce adjusts to the new tools and space under Workplace 2.0. This risk is compounded by OIC’s operating with a streamlined Corporate Services group in which corporate knowledge of key organizational information, skills and expertise is retained by a limited number of individuals.

In addition to these three key risk areas that were validated with management, interviews with management identified the following as emerging risk areas to be considered in the development of the RBAEP:

  • Change management: the risk that ongoing organizational changes across key functional areas, core processes and systems, combined with the physical move to a Workplace 2.0 environment in 2013–2014, will divert management focus and OIC resources away from their key function of ensuring efficient investigations and quality resolution of complaints.
  • Physical and information technology (IT) security: the risk that the office relocation will present challenges related to meeting physical and IT-related policy requirements in light of vulnerabilities linked to shared areas and technology platforms that impact on the OIC’s ability to demonstrate exemplary practices and/or on its reputation.
  • Inadequate performance measures and targets: the risk that the OIC’s performance measurement framework and/or data collection strategy will not support ongoing monitoring and reporting of key performance indicators, and the timely identification and implementation of required corrective measures. Also, the risk that performance targets do not reflect the OIC’s current inventory, the growing complexity of investigations, the anticipated increase in litigation cases, financial and human resources constraints, as well as the impact of ongoing organizational and policy changes. The inability to meet planned targets could affect OIC’s reputation.

3 Planning Approach

3.1 Key Audit and Evaluation Requirements

There are a number of TB policies, and TBS directives and guidelines that establish the requirements and best practices for audit and evaluation planning in the federal government. Although the OIC is not required to comply with them, since it is an Agent of Parliament, these policies, directives and guidelines were used as best practices in the development of the RBAEP. This section highlights some of the key requirements and obligations and presents the approach used to assess and prioritize projects for inclusion in the RBAEP.

3.1.1 Evaluation Coverage and Plan

In the Government of Canada, evaluation is the systematic collection and analysis of evidence on the outcomes of programs in order to make judgments about the value for money (i.e. relevance and performance) of federal government programs and alternative ways to deliver them to achieve the same results. [Footnote 1]

In accordance with TB policy, federal institutions are required to prepare a rolling five-year evaluation plan. The plan’s required coverage is twofold:

  • The Financial Administration Act (section 42.1) requires that an evaluation be performed of all ongoing grant and contribution programs on a five-year cycle (does not apply to the OIC).
  • The TB Policy on Evaluation requires that, starting in 2013–2014, all direct program spending (excluding ongoing grants and contribution spending) be evaluated on a five-year cycle.

In addition, there are a number of other potential planning requirements. Notably, evaluation plans must also do the following:

  • align with the Management, Resources and Results Structure (MRRS);
  • support the Expenditure Management System, including strategic reviews;
  • include the administrative aspect of major statutory spending (does not apply to the OIC); and
  • include other programs, specific evaluations or elements of the government’s overall evaluation plan, when applicable.

Given the OIC’s mandate, direct program spending is limited to one program area: compliance with access to information obligations. This program is supported by the internal services program. While the OIC does not have an internal evaluation function, a formal performance measurement strategy is in place and the annual report provides detailed and comparative analysis of OIC’s performance of both its program area and internal services. More in-depth reviews are undertaken, when warranted, to assess underlying causes of emerging trends and variations in performance in safeguarding requestors’ rights under the Access to Information Act.

In accordance with the requirements of the TB Policy on Evaluation, the OIC is required to evaluate its program (compliance with access to information obligations) every five years. To achieve efficiencies and promote an integrated oversight function, evaluation activities within the OIC will be integrated within the internal audit function.

3.1.2 Internal Audit Plan

Internal audits provide independent, objective and substantiated conclusions on the effectiveness of risk management, control and governance processes. The focus is on all management systems, processes and practices, including the integrity of financial and non-financial information. Internal audit assurance services provide evidence-based opinions on the extent to which the system of internal controls is adequate and effective to support the following imperatives:

  • achievement of operational objectives;
  • safeguarding of assets;
  • economy and efficiency of operations;
  • reliability and integrity of financial and operational information; and
  • compliance with legislation, policies and procedures.

In accordance with TB policy, internal audit plans must ensure coverage of areas of higher risk and significance. The internal audit plan should also have the following characteristics:

  • be risk-based;
  • be reviewed by the audit committee;
  • be focused predominantly on the provision of assurance services;
  • have a multi-year horizon;
  • address risks and internal audits identified by the Comptroller General as part of government-wide coverage; and
  • support annual assurance reporting on the overall state of organizational risk management, control and governance processes.

3.2 Planning Approach

The approach on which this plan is based complies with the Institute of Internal Auditors’ International Professional Practices Framework. The RBAEP was developed using the approach outlined in the following figure.

Risk-Based Audit and Evaluation Planning Approach

This figure sets out the four steps of risk-based audit and evaluation planning. There are four columns. Each column is headed by a numbered title, with a series of points listed below it, as follows:

1. Identification of the audit and evaluation universe

  • PAA aligned
  • Defines potential scope of internal audit and evaluation activity
  • Comprised of “auditable” or “evaluable” entities

2. Environmental scan of the audit and evaluation universe

  • Strategic consultations with Commissioner, Assistant Commissioner, senior management and audit committee member
  • Review of key documents (for example, PAA, RPP, CRP)

3. Prioritization of audit and evaluation universe entities

  • Context-sensitive and weighted criteria-based approach for each universe entity
  • Risk exposure: 50 percent
  • Importance: 50 percent

4. Project selection and plan development

  • Consider feasibility, previous audits, evaluations and other assessments
  • Consider available resources, timing, scope and objectives
  • Update annually

3.2.1 Identification of the Audit and Evaluation Universe

The audit and evaluation universe defines the potential scope of proposed engagements and comprises individual “universe entities” that may be the subject of internal audit or evaluation activity. To ensure alignment between the focus of internal audit and evaluation projects with the OIC’s operational structure, the universe entities were aligned with the OIC’s program and internal services, as identified in the 2013–2014 Program Alignment Architecture (PAA).

The following table presents the OIC’s audit and evaluation universe. A more detailed overview of each element is provided in Appendix C.

Audit and Evaluation Universe

Strategic Outcome: Requestors’ rights under the Access to Information Act are safeguarded.

Program 1. Compliance with access to information obligations

Audit and Evaluation Universe Entities:

  • Complaints and investigations (three organizational units)
  • Court proceedings and litigation
  • Advice to Parliament

Program 2. Internal services

Audit and Evaluation Universe Entities:

  • Commissioner’s Office
  • Corporate planning and reporting
  • Human resources management
  • Finance
  • Information technology
  • Information management
  • Access to information and privacy
  • Procurement, acquisition cards and contracting
  • Travel and hospitality
  • Values and ethics
  • Administrative services
  • Internal audit and evaluation

3.2.2 Environmental Scan

A series of interviews were conducted with the Information Commissioner, the Assistant Commissioner, senior management and an external member of the Audit and Evaluation Committee to identify organizational changes, key risks to which operations are exposed, and areas in which internal audit or evaluation could provide the most value in supporting the achievement of organizational objectives.

Key documents such as the Corporate Risk Profile and the 2013–2014 Report on Plans and Priorities were reviewed to facilitate the identification of organizational priorities and key risk areas. This information not only provided important insight into areas of management focus but also risk exposure information that was used to identify the universe entities and to prioritize audit and evaluation projects.

3.2.3 Prioritization of Audit and Evaluation Entities

Each entity of the audit universe was ranked using two criteria: risk exposure and importance. Each criterion was assessed and weighted based on the relative importance of three sub-elements, as follows:

Risk exposure

  • review of corporate risk profile and consultations;
  • degree and recentness of changes; and
  • complexity, dependencies and legislative requirements.

Importance

  • materiality (the entity’s budget: low = <$500,000; moderate = >$500,000 but <$1 million; high = >$1 million);
  • sensitivity and public profile; and
  • link to mandate.

Taken together, these criteria were used to derive a total weighted priority score from which preliminary prioritization of the audit universe was generated. Then, recent audit coverage of the entity was considered before assigning it a requirement-for-audit rating. The outcome is a preliminary ranked list of audit priorities, details of which can be found in Appendix B.

For the evaluation plan, each universe entity was assessed in relation to the extent of evaluation coverage provided and the perceived value of the information gained by management to contribute to the enhanced effectiveness and efficiency of OIC programs.

3.2.4 Project Selection and Plan Development

Finally, the project team selected audit and evaluation projects to be included in the five-year RBAEP. To this end, the highest audit priorities identified served as the starting point and provided the main but not only consideration for project selection. The team examined the top priority entities against a variety of constraints and opportunities, including the following:

  • availability of audit and evaluation resources over the five-year period;
  • feasibility of conducting an audit or evaluation;
  • other reviews providing oversight (i.e. evaluations, Office of the Auditor General [OAG] audits);
  • mandated audit projects (i.e. follow-ups, OAG and Public Service Commission obligations for horizontal audits);
  • management requests; and
  • Audit and Evaluation Committee and senior management direction.

New priorities were determined based on these considerations. Audit and evaluation projects were defined for the top priorities. The outcome was a shortlist of projects to be conducted over the five-year planning horizon.

In finalizing the RBAEP, care was taken to ensure the audit and evaluation universe was appropriately covered. The RBAEP reinforces the integration of audit and evaluation projects, when feasible, while ensuring evaluation coverage of all direct program spending over the five-year period. Depending on the scope of the proposed evaluation engagements, the coverage will be direct or indirect; this will be confirmed during the evaluation planning phase.

4 Audit and Evaluation Plan Summary

The audit and evaluation coverage proposed in the RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of budget constraint, and allows for carrying out one or two projects per year. The five-year plan takes into account the necessary alignment with organizational risks and priorities. An overview of the risk assessment of the OIC universe elements is presented in Appendix B.

The OIC has one program, namely “Compliance with access to information obligations”. The TB Policy on Evaluation requires that, starting in 2013–2014, evaluations provide coverage of all direct program spending over a five-year period. While the proposed evaluation plan is short of the expected 100-percent coverage of all aspects of the OIC program, the plan maximizes coverage by focusing on the core activities to which direct program spending is allocated (i.e. complaints and investigations). The detailed audit and evaluation plan (Appendix A) provides comprehensive information on the planned projects.

This RBAEP is based on a fundamental assumption regarding allocated funding. While the average annual budget has been estimated at $80,000, the OIC’s allocation process is not complete and still subject to adjustment. Under the current allocation agreement, an annual amount of approximately $40,000 is provided for internal audit. The proposed audit engagements fall within this parameter. The RBAEP presupposes that additional funding will be allocated to support evaluation activities at the OIC.

While the estimated budget is considered to be stable over the five-year cycle, it is more realistic to presume that actual funding requirements to implement the RBAEP will fluctuate, with requirements in years in which both evaluation and audit projects are planned being higher than those in years in which no evaluation engagements are proposed. Still, the RBAEP anticipates that the overall total funding will respect an annual $80,000 base allocation. Once the final budget is approved and available resources are confirmed, the RBAEP will need to be reviewed, and projects recalibrated accordingly. Section A.2 of Appendix A provides an overview of planned resources by engagement and fiscal year. It is important to note that the amounts indicated are for budgeting purposes only. Allocated funding for current engagements should be reviewed and adjusted, as required, based on the scope of the engagement and the availability of internal data and resources to support the engagement.

It is expected that the OIC will achieve coverage of its highest audit and evaluation priorities over the five-year planning horizon. When the feasibility or value of either conducting or continuing an audit or evaluation project is in question—due to factors such as major changes, new priorities, or lack of resources or subject-matter expertise—the Chief Audit Executive will bring this to the attention of the Audit and Evaluation Committee for formal consideration and approval.

The following table summarizes in a comparative format all audit and evaluation projects planned over the next five years. The table is organized according to the audit and evaluation universe. A more detailed overview of the audit and evaluation universe entities is presented in Appendix C.

| Audit and Evaluation Universe (PAA) | Risk [Footnote 2] | Audit Projects (2013–14 to 2017–18, Optional) | Evaluation Projects (2013–14 to 2017–18, Optional) |
|---|---|---|---|
| Strategic Outcome: Requestors’ rights under the Access to Information Act are safeguarded. | | | |
| 1. Compliance with access to information obligations | | | |
| Complaints and investigations | H | Audit of Case Management System* | Evaluation of Complaints Resolution and Investigations, Phase I: Development of Performance Measurement and Evaluation Framework; Evaluation of Complaints Resolution and Investigations, Phase II: Implementation; Reviews of Complaints Resolution and Investigations Sub-Components |
| Court proceedings and litigation | H | | |
| Advice to Parliament | M | | Evaluation of Special Reports |
| 2. Internal services | | | |
| Commissioner’s Office | L | | |
| Corporate planning and reporting | H | Audit of Integrated Planning | |
| Human resources management | H | Audit of Staffing and Governance | |
| Finance | M | Audit of Compliance with Policy on Internal Controls* | |
| Information technology | H | Audit of Information Technology and Physical Infrastructure Security; Audit of Case Management System* | |
| Information management | H | Audit of Information Management | |
| Access to information and privacy | H | | |
| Procurement, acquisition cards and contracting | H | Audit of Procurement and Contracting | |
| Travel and hospitality | L | | |
| Values and ethics | M | Audit of Value and Ethics | |
| Administrative services | H | Audit of Information Technology and Physical Infrastructure Security | |
| Internal audit and evaluation | M | | |

Appendix A. Detailed Audit and Evaluation Plan

A.1 Detailed Internal Audit and Evaluation Plan

The table below provides the scope, objective and rationale for each of the audit and evaluation projects proposed for 2014 to 2018. The rationale includes, where applicable, a mapping to the identified key risks facing the OIC and a reference to the audit priority rating detailed in Appendix B. It should be noted that final scope, objectives and estimated budgets for the proposed audits/evaluations may be modified depending on the results of the planning phases of each of the respective projects. In addition to the audit projects below, internal auditors will continue to attend key management and Audit and Evaluation Committee meetings, conduct follow-ups on previous audits (as appropriate), and develop the engagement scope for projects identified in the RBAEP.

Year | Audit Project Name | Primary Entity | Estimated Budget | Audit Scope, Objective and Rationale

2013–2014 | Audit of Staffing and Governance | Corporate Services | $30,000

Scope: management practices related to staffing.

Objective: to provide follow-up assurance to the recent Public Service Commission (PSC) audit by providing an assessment of i) staffing files since the transfer to Shared Services; ii) strategies and actions undertaken to address the findings of the PSC audit; and iii) the implementation of the OIC governance model (e.g. human resources delegation, policies, mandatory training). Staffing files are to be audited in accordance with the principles in the PSC Audit Manual.

Rationale: high audit requirement. Considering the OIC’s commitment to carry out a follow-up internal audit in 2014 to the recent PSC audit and the recent transfer of staffing services to Shared Services, an audit of this activity is highly recommended.

2014–2015 (after the move) | Audit of Information Technology and Physical Infrastructure Security | Corporate Services | $45,000

Scope: management practices related to information technology (IT) and physical infrastructure security. This includes the security of the network perimeter, the data centre and the physical perimeter in the new building, and could include access controls within the Intrac Case Management System.

Objective: to assess the effectiveness of OIC management practices and controls in place to help ensure the security of IT and physical infrastructure. It does not include the secure handling of individual investigative, legal or administrative files.

Rationale: high audit requirement. Considering the sensitivity of information stored on the OIC network, the planned move to a Workplace 2.0 environment in which the data centre and other physical areas will be shared, combined with recent changes to TB policy requirements for IT and physical security, an audit of this activity is highly recommended.

2014–2015 | Evaluation of Complaints Resolution and Investigations, Phase I: Development of Performance Measurement and Evaluation Framework | Complaints Resolution and Compliance (Legal Services) | $25,000

Scope: complaints resolution and investigations program, including assessment of the Intake and Early Resolution Unit, Complaints Resolution Team, Strategic Case Management Team and Legal Services program components. A two-phased approach will entail the development of the performance measurement and evaluation framework in Phase I, and the implementation of the evaluation in Phase II. The activities undertaken during Phase I will include the development of the logic model, evaluation matrix, performance measures and targets, as well as the identification of data sources and data collection methods.

Objective: address, as per the TB Policy on Evaluation, the relevance and performance of the complaints resolution and investigations program. The evaluation should consider the evolving nature of complaints and investigations through an analysis of the portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program is operating (e.g. InTrac Case Management System), ensuring it brings a forward-looking approach that will guide future direction.

Rationale: high evaluation requirement. Considering that the complaints resolution and investigations program is the key program at the OIC, an evaluation of this activity is highly recommended. The program has faced a number of challenges over the past years, in particular having to do with legacy files and increasingly complex non-administrative complaints. The OIC has invested significantly in realigning internal processes and leveraging IT through the InTrac Case Management System to ensure efficient services for Canadians. An evaluation would provide timely information on the effectiveness of the program design and identify opportunities to enhance the delivery of activities and outputs in order to ensure the achievement of intended outcomes and organizational objectives.

2015–2016 | Audit of Procurement and Contracting | Corporate Services | $35,000

Scope: management practices and assessment of controls related to procurement and contracting.

Objective: assess the operational efficiency and compliance of procurement and contracting practices and processes as well as the extent to which procurement activities support business lines and organizational objectives.

Rationale: high audit requirement. Considering the complexity of and number of recent changes to federal procurement and contracting policies, the inherent reputational risk associated with these activities, the large dollar value of procurement and contracting activities related to the implementation of the five-year IM/IT Strategy in conjunction with acquisitions associated with the move to a new building, an audit of this activity is highly recommended.

2015–2016 | Audit of Information Management | Corporate Services | $35,000

Scope: management practices and assessment of controls related to information management.

Objective: assess the operational effectiveness of information management practices and compliance with the TB Policy on Information Management (2012) and the TBS Directive on Recordkeeping, notably as they relate to the retention and disposition of sensitive and restricted documents.

Rationale: high audit requirement. Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, combined with the requirements of the new Directive on Recordkeeping that become effective in 2015, an audit of this activity is highly recommended.

2016–2017 | Evaluation of Complaints Resolution and Investigations, Phase II: Implementation | Complaints Resolution and Compliance (Legal Services) | $75,000

Scope: evaluation of the complaints resolution and investigations program in accordance with the evaluation matrix developed in Phase I.

Objective: address, as per the TB Policy on Evaluation, the relevance and performance of the complaints resolution and investigations program.

Rationale: high evaluation requirement. Considering that the complaints resolution and investigations program is the key program at the OIC, an evaluation of this activity is highly recommended.

2017–2018 | Audit of Case Management System | Corporate Services | $40,000

Scope: management practices and assessment of the effectiveness of the InTrac Case Management System, including change management processes, access controls, consistency of use, data quality and the effective use of information for decision making.

Objective: determine whether the OIC has an effective, integrated system in place to consistently and efficiently manage cases.

Rationale: high audit requirement. Considering the importance of effective case management processes for the OIC when investigating complaints and given the opportunities for efficiency gains provided by the case management system, an audit of this tool is recommended.

Optional | Audit of Integrated Planning | Corporate Services | $35,000

Scope: management practices related to integrated strategic and operational planning.

Objective: determine whether the OIC has an effective integrated planning process that supports flexible and responsive decision making, resource allocation, outcomes management and accountability. The audit will focus on the OIC Management, Resources and Results Structure, including the design, relevance and clarity of the strategic outcome, Program Alignment Architecture and governance structures that are in place to manage performance.

Rationale: moderate audit requirement. Considering the importance of efficient and effective program delivery, as well as the ability to support and demonstrate performance in an outcomes-based resource allocation environment, an audit of this activity is an option.

Optional | Audit of Compliance with Policy on Internal Controls | Corporate Services | $40,000

Scope: management practices and assessment of controls related to financial reporting in compliance with the Policy on Internal Controls.

Objective: assess compliance with the Policy on Internal Controls.

Rationale: moderate audit requirement. While an assessment was conducted in recent years, the area of financial management policy instruments in the Government of Canada is complex and the Policy on Internal Controls requires Agents of Parliament to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including financial controls over financial reporting. The broad application of the policy increases the risk of non-compliance and, as such, an audit could be conducted as an option.

Optional | Audit of Value and Ethics | Corporate Services | $35,000

Scope: management practices related to values and ethics.

Objective: determine whether the OIC has appropriate and effectively communicated value and ethics tools and processes in place.

Rationale: moderate audit requirement. Considering that the OIC has recently named a Value and Ethics Champion and is currently developing a Code of Values and Ethics, an audit could be conducted to provide valuable information on the adequacy and awareness of key mechanisms, such as those related to internal disclosure and wrongdoing.

Optional | Reviews of Complaints Resolution and Investigations Sub-Components | Complaints Resolution and Compliance (Legal Services) | To be determined, based on scope

Scope: in lieu of an evaluation of the four components that comprise the complaints resolution and investigations program (described above), a review or series of reviews of key program components such as the Complaints Resolution Team. Although the scope and methodology of the reviews would not meet the same evidentiary requirements as those of an evaluation, they would provide targeted information on the effectiveness of each respective business process. The reviews could be implemented across the five-year horizon of the RBAEP, as funding permits.

Objective: consider, to the extent possible, the evolving nature of complaints and investigations through an analysis of the component’s portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program component is operating (e.g. InTrac Case Management System), ensuring a forward-looking approach to guide future direction.

Rationale: high review requirement. The complaints resolution and investigations program is the key program at the OIC. The various program components have faced a number of challenges over the past years in addressing legacy files and the increasing complexity of non-administrative complaints. The OIC has invested significantly in realigning internal processes and leveraging IT through the InTrac Case Management System to ensure efficient services for Canadians. A review (or series of reviews) would provide timely information on the effectiveness of the current business process and identify opportunities to enhance the delivery of the activities and outputs in order to ensure the achievement of intended outcomes and organizational objectives.

Optional | Evaluation of Special Reports | Complaints Resolution and Compliance (Legal Services) | $75,000

Scope: special reports prepared on investigations into institutions’ access to information practices or to provide advice to Parliament on areas of special interest with respect to the Act.

Objective: address, as per the TB Policy on Evaluation, the relevance and performance of the special reports in achieving their intended outcomes. The evaluation should consider the evolving nature of the OIC’s role in advising Parliament and federal institutions on access to information.

Rationale: moderate evaluation requirement. Considering that special reports are a key way in which the OIC assesses and alerts Parliament to emerging issues, and the limited powers of the OIC with respect to ensuring compliance with the Act, the effectiveness of special reports in supporting the diffusion and adoption of best practices is an area of particular interest in promoting an effective and consistent access approach within the Government of Canada. The evaluation should focus on the extent to which intended outcomes have been achieved as well as identify opportunities for increased effectiveness and efficiencies.

A.2 Audit and Evaluation Resources

The following table sets out estimates by fiscal year of the resources needed to carry out the proposed audit and evaluation engagements. The actual resources allocated to each engagement may vary depending on the scope of the project.

Proposed Resources by Fiscal Year

| OIC Audit and Evaluation Engagements | 2013–14 | 2014–15 | 2015–16 | 2016–17 | 2017–18 | Total |
|---|---|---|---|---|---|---|
| Audit of Staffing and Governance | $30,000 | | | | | $30,000 |
| Audit of Information Technology and Physical Infrastructure Security | | $45,000 | | | | $45,000 |
| Evaluation of Complaints Resolution and Investigations | | $25,000 | | $75,000 | | $100,000 |
| Audit of Procurement and Contracting | | | $35,000 | | | $35,000 |
| Audit of Information Management | | | $35,000 | | | $35,000 |
| Audit of Case Management System | | | | | $40,000 | $40,000 |
| Total | $30,000 | $70,000 | $70,000 | $75,000 | $40,000 | $285,000 |

Appendix B. Audit and Evaluation Prioritization

B.1 Prioritization Criteria

The following table sets out the rating criteria used to prioritize auditable entities and establish audit plan priorities.


| Category | Total Weight | Criterion | Weight | Definition | Ratings |
|---|---|---|---|---|---|
| Risk Exposure | 50% | Review of Corporate Risk Profile and consultations | 1/6 | Review of the Corporate Risk Profile and consultations with the Commissioner, Assistant Commissioner, senior management and the Chair of the Audit and Evaluation Committee provide insights into the risk exposure of each auditable entity. | 1 = Low; 5 = Moderate; 10 = High |
| Risk Exposure | 50% | Degree and recentness of changes | 1/6 | Impact of change includes the magnitude, history and timing of the change. This criterion includes all changes recently done or anticipated during the five-year audit planning cycle. Changes considered include legislation, regulations and internal policies; governance structure; personnel; finance/funding; operational restructuring; and new technology or systems. | 1 = No major changes done/anticipated; 5 = Some significant changes done or anticipated; 10 = Very significant changes done or anticipated |
| Risk Exposure | 50% | Complexity, dependencies and legislative requirements | 1/6 | The complexity of business processes, technology and the regulatory environment are considered. The greater the dependencies, the more coordination required. Legislative requirements consider the extent of obligations on the OIC due to legislation. | 1 = Low; 5 = Moderate; 10 = High |
| Importance | 50% | Materiality | 1/6 | This criterion considers the dollar value associated with both O&M and salaries for 2013–2014 for each entity. | 1 = Low (<$500,000); 5 = Moderate (>$500,000 but <$1 million); 10 = High (>$1 million) |
| Importance | 50% | Sensitivity and public profile | 1/6 | External and internal factors and activities influencing an organization’s policy and management agenda, including public visibility; political influence; social influence; media scrutiny; and impact on stakeholders. | 1 = Low; 5 = Moderate; 10 = High |
| Importance | 50% | Link to mandate | 1/6 | All activities linked directly to the OIC’s strategic outcome are inherently high risk, since they are critical to fulfilling the organization’s mandate. | 1 = No direct link to mandate; 5 = Linked, but not directly, to mandate; 10 = Linked directly to mandate |

B.2 Prioritization Ratings

When determining audit priority ratings for each audit entity, the following scale was used:

  • Low: < 6
  • Moderate (Mod): 6 to < 8
  • High: > 8

B.3 Prioritization of Internal Audit Projects

The following table provides a complete analysis of risk exposure, importance and recent audit coverage for each activity included in the audit universe. This analysis ensures that the RBAEP focuses on high-risk areas and areas of concern for management.


Table columns, in order: Audit Entity; 2014–2018 Audit Prioritization, comprising Risk Exposure (risk profile and consultations, recentness of changes, complexity and dependencies), Importance (materiality, sensitivity and public profile, link to mandate) and Audit Priority Rating; Recent Audit Coverage; Audit Requirement Rating and Rationale; Proposed 2014–2018 Audits and Evaluations.

1. Complaints and investigations

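Risk exposure: risk profile and consultations 9; recentness of changes 9; complexity and dependencies 10
Importance: materiality 9; sensitivity and public profile 9; link to mandate 10
Audit priority rating: 9.3 (High)
Recent audit coverage: Audit of Intake and Early Resolution Unit (2010); Audit of Complaints Resolution and Compliance Branch (2011)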

Audit Requirement Rating: Moderate

Considering the extent of recent audit coverage and discussions with management, an audit is not required at this time, since there were no significant issues identified with this activity.

Evaluation Requirement Rating: High

The complaints resolution and investigations program is the key program at the OIC. The program has faced a number of challenges over the past years in addressing legacy files and the increased complexity of non-administrative complaints. The OIC has invested significantly to ensure efficient services for Canadians.

2014–2015 Evaluation Project

Evaluation of Complaints Resolution and Investigations, Phase I: Development of Performance Measurement and Evaluation Framework

2016–2017 Evaluation Project

Evaluation of Complaints Resolution and Investigations, Phase II: Implementation

2. Court proceedings and litigation

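Risk exposure: risk profile and consultations 9; recentness of changes 9; complexity and dependencies 10
Importance: materiality 7; sensitivity and public profile 9; link to mandate 10
Audit priority rating: 9.0 (High)
Recent audit coverage: No recent audit coverage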

Audit Requirement Rating: Low

Considering discussions with management, an audit is not required at this time, since there were no significant control issues identified with this activity.

Evaluation Requirement Rating: High

Considering the importance of Legal Services in supporting the complaints resolution and investigations program, and the role it plays in supporting the Commissioner’s mandate through court proceedings and litigation, an evaluation is recommended.

2014–2015 Evaluation Project

Evaluation of Complaints Resolution and Investigations, Phase I: Development of Performance Measurement and Evaluation Framework

2016–2017 Evaluation Project

Evaluation of Complaints Resolution and Investigations, Phase II: Implementation

3. Advice to Parliament

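Risk exposure: risk profile and consultations 7; recentness of changes 5; complexity and dependencies 10
Importance: materiality 3; sensitivity and public profile 8; link to mandate 9
Audit priority rating: 7.0 (Mod)
Recent audit coverage: Internal Assessment of Annual Reports (2013)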

Audit Requirement Rating: Low

Considering the audit priority ratings and discussions with management, an audit is not required at this time, since there were no significant issues identified with this activity.

Evaluation Requirement Rating: Moderate

Considering that special reports prepared by the OIC are a key mechanism by which it assesses emerging issues and the limited powers of the OIC with respect to ensuring compliance with the Act, the effectiveness of the special reports in supporting the diffusion and adoption of best practices is an area of particular interest in promoting an effective and consistent approach to access to information within the Government of Canada. The evaluation should focus on the extent to which intended outcomes have been achieved as well as identify opportunities for increased effectiveness and efficiencies.

Optional Evaluation Project

Evaluation of Special Reports

4. Commissioner’s Office

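Risk exposure: risk profile and consultations 3; recentness of changes 3; complexity and dependencies 5
Importance: materiality 3; sensitivity and public profile 8; link to mandate 8
Audit priority rating: 5.0 (Low)
Recent audit coverage: No recent audit coverage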

Audit Requirement Rating: Low

Considering the audit priority rating and discussions with management, an audit is not required at this time, since there were no significant issues identified with this activity.

None identified

5. Corporate planning and reporting

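Risk exposure: risk profile and consultations 7; recentness of changes 7; complexity and dependencies 7
Importance: materiality 5; sensitivity and public profile 5; link to mandate 5
Audit priority rating: 6.0 (Mod)
Recent audit coverage: Internal Assessment of Annual Reports (2013)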

Audit Requirement Rating: Moderate

Considering the importance of efficient and effective program delivery, as well as the ability to support and demonstrate performance in a federal outcomes-based resource allocation environment, an audit of this activity is of moderate importance.

Optional Audit Project

Audit of Integrated Planning

6. Human resources management

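Risk exposure: risk profile and consultations 9; recentness of changes 9; complexity and dependencies 8
Importance: materiality 9; sensitivity and public profile 8; link to mandate 8
Audit priority rating: 8.5 (High)
Recent audit coverage: Public Service Commission Audit of OIC Appointment Framework and Practices (2012)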

Audit Requirement Rating: High

Considering the requirement for a follow-up audit in 2014 to the recent PSC audit and the recent transfer of staffing services to Shared Services, an audit of this activity is highly recommended.

2013–2014 Audit Project

Audit of Staffing and Governance

7. Finance

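Risk exposure: risk profile and consultations 5; recentness of changes 5; complexity and dependencies 5
Importance: materiality 5; sensitivity and public profile 8; link to mandate 5
Audit priority rating: 5.5 (Low)
Recent audit coverage: OAG Annual Audit of Financial Statements Assessment of Internal Controls (2010)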

Audit Requirement Rating: Low

Considering the audit priority rating, discussions with management, and that annual external audits are conducted by the OAG, an audit is not required at this time, since there were no significant issues identified with this activity. However, given the importance of financial controls, an optional audit has been identified for this activity.

Optional Audit Project

Audit of Compliance with Policy on Internal Controls

8. Information technology

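Risk exposure: risk profile and consultations 8; recentness of changes 10; complexity and dependencies 8
Importance: materiality 9; sensitivity and public profile 8; link to mandate 8
Audit priority rating: 8.5 (High)
Recent audit coverage: No recent audit coverage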

Audit Requirement Rating: High

Considering the recent implementation of OIC’s five-year IT/IM Strategy and the planned move to a Workplace 2.0 environment in which the LAN will be shared, combined with recent changes to TB policy requirements for IT, an audit of this activity is highly recommended for 2015.

Audit Requirement Rating: High

Considering the importance of effective case management processes for the OIC in resolving issues related to the complaints inventory and given the opportunities for efficiency gains provided by the InTrac Case Management System, an audit of this activity is highly recommended.

2014–2015 Audit Project

Audit of Information Technology and Physical Infrastructure Security  

2017–2018 Audit Project

Audit of Case Management System

9. Information management

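Risk exposure: risk profile and consultations 8; recentness of changes 9; complexity and dependencies 9
Importance: materiality 5; sensitivity and public profile 10; link to mandate 10
Audit priority rating: 8.5 (High)
Recent audit coverage: No recent audit coverage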

Audit Requirement Rating: High

Considering the sensitivity of federal institutions and complainants with respect to unauthorized disclosures of personal or organizational information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended.

2015–2016 Audit Project

Audit of Information Management

10. Access to information and privacy

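Risk exposure: risk profile and consultations 8; recentness of changes 7; complexity and dependencies 7
Importance: materiality 5; sensitivity and public profile 10; link to mandate 10
Audit priority rating: 8.2 (High)
Recent audit coverage: No recent audit coverage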

Audit Requirement Rating: High

Considering the OIC’s interest in promoting best practices in the area of access to information within the federal government and the reputational risk to OIC, an audit of this activity is highly recommended.

11. Procurement, acquisition cards and contracting

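Risk exposure: risk profile and consultations 6; recentness of changes 10; complexity and dependencies 8
Importance: materiality 8; sensitivity and public profile 9; link to mandate 8
Audit priority rating: 8.2 (High)
Recent audit coverage: Assessment of Procurement and Contracting (2011)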

Audit Requirement Rating: High

Considering the complexity and the number of recent changes to federal procurement and contracting policies, as well as the increase in procurement activity associated with the planned move to a new office, an audit of this activity is highly recommended. Also, strategic and efficient procurement should provide opportunities for the OIC to optimize value for money.

2015–2016 Audit Project

Audit of Procurement and Contracting

12. Travel and hospitality

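Risk exposure: risk profile and consultations 3; recentness of changes 3; complexity and dependencies 5
Importance: materiality 3; sensitivity and public profile 9; link to mandate 5
Audit priority rating: 4.7 (Low)
Recent audit coverage: Limited coverage as part of the OAG’s financial audit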

Audit Requirement Rating: Low

Considering the audit priority rating and discussions with management, an audit is not required at this time, since there were no significant issues identified with this activity.

None identified

13. Value and Ethics

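Risk exposure: risk profile and consultations 5; recentness of changes 8; complexity and dependencies 8
Importance: materiality 5; sensitivity and public profile 9; link to mandate 7
Audit priority rating: 7.0 (Mod)
Recent audit coverage: No recent audit coverage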

Audit Requirement Rating: Moderate

Considering that the OIC has recently named a Value and Ethics Champion and is currently developing a Code of Values and Ethics, an audit would provide valuable information on the adequacy and awareness of key mechanisms, such as those related to internal disclosure and wrongdoing.

Optional Audit Project

Audit of Value and Ethics

14. Administrative services

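Risk exposure: risk profile and consultations 8; recentness of changes 10; complexity and dependencies 9
Importance: materiality 5; sensitivity and public profile 9; link to mandate 9
Audit priority rating: 8.3 (High)
Recent audit coverage: Threat and Risks Assessment—with recommendations (2011)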

Audit Requirement Rating: High

Considering the planned move to a Workplace 2.0 environment in which physical areas will be shared, combined with recent changes to TB policy requirements for physical security, an audit of this activity is highly recommended for 2015.

2014–2015 Audit Project

Audit of Information Technology and Physical Infrastructure Security

15. Internal audit and evaluation

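Risk exposure: risk profile and consultations 3; recentness of changes 5; complexity and dependencies 5
Importance: materiality 3; sensitivity and public profile 8; link to mandate 8
Audit priority rating: 5.3 (Low)
Recent audit coverage: No recent audit coverage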

Audit Requirement Rating: Low

Considering the low audit priority rating and discussions with management, an audit is not required at this time, since there were no significant issues identified with this activity.

None identified

Appendix C. Audit and Evaluation Universe

C.1 OIC Audit and Evaluation Universe (as per 2013–2014 Program Alignment Architecture)

The audit and evaluation universe defines the potential scope of internal audit and evaluation activity and comprises individual “auditable and evaluable entities” that may be subjected to audit and/or evaluation activity. To ensure alignment between the focus of internal audit and evaluation, and the operational structure of the organization, the entities were aligned with the programs identified in the 2013–2014 Program Alignment Architecture. This table sets out the OIC’s audit and evaluation universe, and includes a description of each of the entities. 

Strategic Outcome: Requestors’ rights under the Access to Information Act are safeguarded

1. Compliance with access to information obligations

The OIC supports the Commissioner's dual role as Agent of Parliament and ombudsperson. Through this program, the OIC investigates complaints about how federal institutions handle access to information requests. The OIC reports results of investigations, reviews and recommendations to complainants, federal institutions and Parliament. When required, the OIC assists the Commissioner in bringing issues of enforcement or interpretation of the Act to the Federal Court. The OIC also assists the Commissioner in her advisory role to Parliament and parliamentary committees on all access to information matters. The OIC conducts benchmarking and analysis to provide the Commissioner with the best possible information to support her advice and recommendations.

Complaints and investigations: The OIC's mission is to conduct efficient, fair and confidential investigations into complaints about federal institutions' handling of access to information requests. The Access to Information Act requires that the OIC investigate all the complaints it receives. Complaints are classified into three broad categories: administrative complaints; refusal complaints; and Cabinet confidence exclusion complaints. Investigations include reviewing the records at issue, providing institutions with the opportunity to make representations, seeking representations from the complainant and, when necessary, making formal recommendations to the heads of institutions before reporting the results of an investigation. The Intake and Early Resolution Unit assesses and prioritizes complaints, prepares files for investigation and investigates straightforward complaints, usually administrative in nature. The Complaints Resolution Team investigates complex complaints, generally refusal and exclusion cases. The Strategic Case Management Team investigates the oldest files in the inventory of complaints. Legal Services provides legal advice to investigations.

Court proceedings and litigation: The OIC may bring forward and intervene in court cases to defend or clarify important principles that underlie the fundamental right of access to government information, while contributing to the development of jurisprudence that favours disclosure. Court proceedings or litigation may be undertaken by the OIC in order to seek judicial review by the Federal Court when an institution refuses to comply with a formal OIC recommendation to disclose records. The OIC may also be involved in other types of court proceedings that relate to access to information or to defend the Commissioner's jurisdiction or powers. The OIC also monitors legal cases with potential ramifications for the OIC or for access to information in general.

Advice to Parliament: The Commissioner offers to parliamentarians, upon request, her perspective on national and international developments in access to information, with the goal of helping create a leading access regime in Canada. Under the Act, the Commissioner is required to table an annual report to Parliament on the activities of the OIC, including reporting on investigations that illustrate important principles in the Access to Information Act. In addition, the Commissioner may, at any time, make a special report to Parliament referring to and commenting on any matter within scope of her powers, duties and functions. The Commissioner also pursues multi-institution investigations and reports on their results to Parliament, and may provide recommendations to TBS, as the system administrator, to prompt improvements across institutions.

2. Internal services

Internal services are groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. These activities and services are management and oversight; human resources; financial management; information management and technology; communications; access to information and privacy; materiel and acquisition services, travel and other administrative services. Internal services include only those activities and resources that apply across an organization and not to those provided specifically to a program.

Commissioner’s Office: The Commissioner's Office ensures proper coordination between all the branches, that the Commissioner is kept up-to-date on important issues, that travel arrangements are planned in advance, and that the Commissioner is provided with all the support necessary to perform her role effectively and efficiently.

Corporate planning and reporting: Planning and reporting include a wide range of activities such as resources and process management, budget planning and management, salary management, funding decisions, resource allocations, as well as integrated strategic and business planning. Strategic planning also includes activities such as risk management and performance measurement. Risk management is considered by the OIC as the integration of risk management into business practices through activities such as ensuring that the Corporate Risk Profile is kept up-to-date and that all key stakeholders are informed of important risks. The OIC must produce several reports on a regular basis to properly explain and illustrate its performance. These reports include the Report on Plans and Priorities, Departmental Performance Reporting, annual report, Program Alignment Architecture and Performance Measurement Framework. A new set of performance measures was defined and implemented in 2012–2013.

Human resources management: The Human Resources Unit (Shared Services) carries out all aspects of human resources management and provides advice to OIC managers and employees on human resources issues. As the result of a major recruitment campaign in 2010–2011, the OIC is now nearly fully staffed. The OIC has implemented a talent management program that includes training tailored to operational requirements and career development.

Finance: The Strategic Planning, Finance and Administration Unit provides financial leadership at the OIC. For purposes of the Financial Administration Act, the OIC and the Office of the Privacy Commissioner (OPC) submit their trial balances jointly to PWGSC. OPC hosts the financial management system on behalf of the OIC. The OIC is a member of the working group for the Shared Financial System and Services Project that is looking at identifying business requirements for a new shared financial system potentially hosted by PWGSC on behalf of Agents of Parliament and small and medium-sized federal organizations. In 2010–2011, the OIC carried out a preliminary review (i.e. a self-assessment) of controls over salary, operating expenditures and material management.

Information technology: The Information Management and Technology Unit provides technological support and direction for the OIC. The OIC is currently in year five of its five-year IM/IT Renewal Strategy. The IT focus is on infrastructure consolidation through the integrated case management system and network hardening to address security vulnerabilities. The planned move to a Workplace 2.0 environment in 2013 may create challenges reconciling IT-related policy requirements and instruments with vulnerabilities linked to shared technology platforms.

Information management: The Information Management and Technology Unit is responsible for organizing and managing a variety of services and initiatives in information management. As part of its five-year IM/IT Renewal Strategy, the OIC has implemented a new records and case management system for investigations (InTrac) and is currently implementing the legal services component of InTrac. The new InTrac system should enhance reporting and analytical capacities. In addition, the rollout of RDIMS, a federal electronic records repository, was completed in 2011–2012. As part of OIC’s corporate knowledge management strategy, individuals whose knowledge is critical to the organization have been identified, and ways to effectively transfer this knowledge are being developed. As the OIC prepares to relocate to new offices and a 2.0 Workplace environment, it is completing an IM framework to enable the organization to fully meet the objective of the government’s Directive on Recordkeeping. The OIC is responding to the challenges of using Web 2.0 while continuing to meet certain policy obligations (e.g. official languages, protection of the privacy of personnel/citizens interacting online), as well as the need to comply with new standards designed to ensure the accessibility of websites and usability of Web information, tools and services.

Access to information and privacy: The Access to Information and Privacy Unit processes all requests for information under the Access to Information Act and Privacy Act.

Procurement, acquisition cards and contracting: The Strategic Planning, Finance and Administration Unit provides strategic and corporate leadership in the areas of financial management and administration. PWGSC centrally administers the payment of salaries and the procurement of some goods and services, and provides cheque-issuing services as well as accommodations for the OIC. In 2012–2013, approximately 75 percent of the OIC’s budget of $11.7 million was allocated to salaries and 25 percent to O&M costs. Of the O&M budget, one third relates to fixed costs.

Travel and hospitality: The Strategic Planning, Finance and Administration Unit provides guidance and support on travel and hospitality-related expenditures. The Commissioner and Assistant Commissioner undertake minimum travel. Travel and hospitality expenditures are not significant or material. All travel expenditures are posted online.

Values and ethics: Values and ethics encompass all management controls to provide for an environment that fosters ethical behaviour and compliance with TBS’ Values and Ethics Code for the Public Service, as well as internal disclosure and wrongdoing mechanisms. In 2012–2013, the OIC named a Values and Ethics Champion and is developing an audit and ethics code, which is expected to be implemented in 2013–2014.

Administrative services: The Strategic Planning, Finance and Administration Unit provides corporate leadership and support in the areas of administrative services. Administrative services include activities related to organizational health and safety, personnel and physical security, telecommunications, facilities management and common services. Security activities are designed to provide compliance with the Policy on Government Security, telecommunications security, emergency response planning, workplace health and safety, and restricting access to the OIC's offices. In 2010–2011, the OIC conducted a self-assessment of all aspects of security management. This led to the implementation of upgrades to the physical security infrastructure and measures to strengthen the protection of assets and information integrity. The OIC partners with other federal organizations, such as the Office of the Privacy Commissioner, to help achieve economies. In 2013–2014, the planned relocation with the OPC and Elections Canada will provide new opportunities for collaboration. The OIC has started to work with these organizations as well as other Agents of Parliament to explore opportunities for shared services, especially with regard to internal services. The OIC has adopted and will continue to implement standard business processes consistent with other departments, which will facilitate OIC’s transition to other future shared service arrangements.

Internal audit and evaluation: The Internal Audit and Evaluation Charter of the OIC is based on the Joint Agreement between Agents of Parliament and the Treasury Board Secretariat, the TB Policy on Internal Audit and Policy on Evaluation, and Chapter 1000 of the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The internal audit function is accountable to management and the Audit and Evaluation Committee to i) annually assess the adequacy and effectiveness of the OIC’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work, ii) report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution, iii) periodically provide information on the status and results of the annual audit and evaluation plan and the sufficiency of resources, and iv) coordinate with and provide oversight of other control and monitoring functions (e.g. risk management, compliance, security, legal, ethics, environmental, external audit). The OIC has implemented an evaluation function to comply with the TB Policy on Evaluation and to support effective and efficient program delivery.


Footnotes

Footnote 1

“Relevance” refers to the extent to which a program addresses a demonstrable need, is appropriate to the federal government and is responsive to the needs of Canadians. “Performance” refers to the extent to which a program achieves effectiveness, efficiency and economy.


Footnote 2

Risk rankings are used by auditors to identify areas of highest risks and priorities. Risk rankings help inform the depth of coverage and timing of the proposed evaluation projects.

*Carried over from the 2010–2013 Risk-Based Audit Plan and not yet completed.
