Office of the Information Commissioner of Canada

Chief Audit Executive

2013-2014

Annual Report

May 28, 2014

1. Introduction

This report of the Chief Audit Executive of the Office of the Information Commissioner (OIC) reviews the activities of the OIC’s internal audit function from April 1, 2013 to March 31, 2014. It fulfills the annual reporting requirement under section 6.6 of the Treasury Board Secretariat Directive on Internal Auditing in the Government of Canada.

2. Overview of OIC’s internal audit function

2.1 General

The internal audit function helps the OIC accomplish its objective of bringing a systematic and disciplined approach to assessing and improving the effectiveness of risk management, control and governance processes.

The work of the internal audit function focuses primarily on providing an independent assessment of the soundness of risk management strategies and practices, and the management control frameworks and practices in achieving OIC’s objectives.

2.2 Changes to the internal audit function in 2013–2014

The OIC is a small entity with a unique mandate defined by legislation. It has a small workforce and a limited volume of financial transactions. The OIC has an independent Audit and Evaluation Committee and has outsourced its key systems of human resources management to Public Works and Government Services Canada (PWGSC) and its financial data processing to the Office of the Privacy Commissioner (OPC). Furthermore, it is subject to annual audits by the Office of the Auditor General (OAG). Considering these factors, a full-time position for a Chief Audit Executive (CAE) was not warranted.

The OIC’s Chief Financial Officer occupied the role of Chief Audit Executive (CAE) in 2012‑2013.

For 2013-2014, the OIC opted to have one of the independent members of its Audit and Evaluation Committee assume the responsibilities of the CAE.

Despite these changes, the internal audit function has been able to provide the Information Commissioner with information and advice on whether important management systems and processes, and administrative services are appropriately designed and effectively operating to comply with policies and guiding principles.

2.3 CAE working framework

In February 2013, the OIC assigned the CAE responsibilities to Bernard Bougie, an external member of the Audit and Evaluation Committee. The CAE is supported by the Director General, Corporate Services, OIC.

The Director General, Corporate Services, ensures the CAE has access to all the OIC records, databases, workplaces and employees required to conduct their work. The CAE and consultants have a direct line to the Information Commissioner and the external members of the Audit and Evaluation Committee throughout the conduct of audits.

Moreover, it is important to note that the Office of the Auditor General conducts an independent financial audit of the OIC each year, and presents the results to the Audit and Evaluation Committee.

Within this framework, the CAE retains the independence and integrity required by the internal audit function. Furthermore, in order to execute the Risk-Based Internal Audit and Evaluation Plan (RBAEP), mitigation strategies have been put in place, such as contracting audit professionals to conduct its audit engagements and regularly update its Risk-Based Audit Plan.

Independent members of the Audit and Evaluation Committee will play a greater role in defining the committee’s agenda, reviewing management of risk and implementation of controls.

The CAE will be guided by and will rely on the 2014-2018 Integrated Risk-Based Internal Audit and Evaluation Plan prepared by the OIC with the assistance and expertise of an independent professional firm.

2.4 Quality assurance

In conducting internal audits for the OIC, audit professionals are required to comply with the Internal Auditing Standards of the Government of Canada. Each internal audit report includes an attestation that the audit was conducted in accordance with these standards.

3. Performance and results

3.1 Human resources staffing audit

The Public Service Commission (PSC) conducted an audit to determine whether the OIC had an appropriate framework, and systems and practices in place to manage its appointment activities, and whether appointments and appointment processes complied with the terms of the Public Service Employment Act (PSEA). The PSC found that there were some areas in which the OIC was not in compliance or that otherwise required attention. The OIC immediately developed an action plan to address the issues and outsourced human resources functions to an external service provider—PWGSC’s Shared Human Resources Services (SHRS). The full transfer of services occurred on April 10, 2012.

A follow-up audit was undertaken by the CAE and Samson & Associates in early 2013. The objective of this follow-up was to determine whether the OIC had implemented an appropriate framework and practices to manage its appointments and appointment processes. The results of the follow-up audit were reviewed by the Audit and Evaluation Committee in May 2013. The President of the PSC attended this committee meeting. She noted her appreciation of the way the OIC responded to the audit and of management’s rapid development and implementation of the action plan.

3.2 Office of the Auditor General audit

The Office of the Auditor General reviewed the OIC’s financial statements and gave the OIC an unqualified opinion for 2012–2013. The audit report is available on the OIC website.

3.3 Review of internal controls

The OIC had tasked Samson & Associates in 2010 with documenting and carrying out a preliminary review of key financial processes in place from April 1, 2010, to September 30, 2010. The following significant processes and controls were documented: salary expenditures, purchase of goods and services and payment to suppliers, management of assets and inventories, and accounting period closing processes and controls. In 2012–2013, it became apparent that it was time to review and update all documentation related to human resources internal controls and processes in light of the outsourcing of the human resources function to SHRS. In 2013-2014, as a result of the outsourcing to SHRS, the OIC updated all documentation related to these controls and processes.

The objective of this project was to validate the human resources internal controls that the OIC had already documented and to update these controls, as required, based on any new processes. In particular, the review looked at controls related to the input into the Human Resources Information System (used by the OIC only) and to the information the OIC sends to SHRS for input into the Regional Pay System. This review was conducted to provide management with reasonable assurance that these controls were in place such that employees were paid according to the terms and conditions of employment, collective agreements, and Treasury Board and OIC policies. In addition, Samson & Associates reviewed controls related to approvals under sections 32, 33 and 34 of the Financial Administration Act throughout the pay administration cycle.

Samson & Associates found that even though the OIC had modified its human resources practices and control framework, including redefining roles and responsibilities of stakeholders, key controls related to the management of human resource functions were in place. It noted that only minor improvements were required and made a series of recommendations to further strengthen overall stewardship and accountability, and improve the effectiveness of the OIC’s human resources and pay administration processes. The recommendations took into account the OIC’s small size and the resulting difficulty of having a high level of segregation of duties, along with available resources and the transition to SHRS—to strengthen the effectiveness of the controls while ensuring that it is feasible to implement the proposed solutions.

3.4 Risk-Based Audit and Evaluation Plan

The Risk-Based Audit and Evaluation Plan (RBAEP) for the OIC combines both the internal audit and evaluation plans for the next five years (2014 to 2018). The objective of the RBAEP is to allocate resources to the areas of most significant risk and priority to the OIC, as well as to align the organization with the requirements of Treasury Board policies on internal audit and evaluation.

The RBAEP further builds on the OIC’s 2010–2013 Risk-Based Audit Plan through the integration of evaluation projects in accordance with the Treasury Board Policy on Evaluation. The RBAEP reconfirms the objective of allocating resources to those areas that represent the most significant organizational and to mitigate risk areas.

The audit and evaluation coverage proposed by the RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of the budget constraint assumption on which the plan is based. The RBAEP allows for the OIC to carry out one or two projects per year.

The RBAEP presupposes that additional funding will be allocated to support the evaluation of direct program spending.

3.5 Capacity and resource utilization

The main resources for the internal audit function were acquired under contract for professional auditors to conduct both the audit engagements and the update of the Risk-Based Audit Plan.

The OIC is working with other Agents of Parliament to find better and more efficient solutions for internal audit projects. For example, the OIC and the Office of the Commissioner for Official Languages (OCOL) have begun sharing various documents, such as their respective audit charters, policies and RBAEPs.

4. The year ahead

For 2014-2015, the RBAEP calls for an audit of its physical infrastructure security. This will be the first opportunity for the OIC to engage outside audit services under a contract put in place by OCOL. The OIC will continue to share information with other Agents of Parliament on the subject of internal audit to build expertise and capacity among these offices. Management practices, security controls and outsourced services will be audited.