2020–2021 Audit and Evaluation Committee Annual Report
Office of the Information Commissioner
Table of contents
- Foreword from the Chair
- Committee role and membership
- Overall assessment of risk management, control and governance
- Committee effectiveness
- Forward planning
Foreword from the Chair
The Office of the Information Commissioner has been faced with two major challenges during this period, both of which were out of its control: the Phoenix pay system, and the COVID-19 pandemic. In both cases, the organization responded effectively, limiting the scope of the impact of Phoenix, and transforming its working methods so that all employees could work from home. As Commissioner, Caroline Maynard made a point of reaching out personally to every employee, a significant accomplishment during a difficult and stressful time. At the same time, the staff made remarkable progress in adapting to the new legislation, and in tackling the backlog of cases.
The Audit and Evaluation Committee itself has gone through changes. David Rattray’s term as an external member came to an end, and I would like to thank him for his knowledgeable and enthusiastic contributions. And I would like to welcome André Grondines, who brings rigour and expertise to the AEC.
I have been extremely impressed by the leadership provided by the Commissioner, and the dedication and hard work of the executives and staff of the organization. This has enabled the Office to make an effective transition to the demands and expectations of the new legislation.
Graham Fraser O.C.
Chair, Audit and Evaluation Committee
The external members of the Audit and Evaluation Committee (AEC) of the Office of the Information Commissioner (OIC) have prepared this report as a summary for the Information Commissioner of the Committee’s work from April 1, 2020, to March 31, 2021.
The report is also a vehicle for the external members to present their thoughts on areas for improvement at the OIC, based on the Committee’s assessments and deliberations over the year. The previous Audit and Evaluation Committee Report for 2019-2020 was approved by the Commissioner at the AEC meeting on November 26, 2020.
Committee Role and Membership
The Committee’s role is to provide the Commissioner with objective advice, guidance and recommendations on the adequacy of the OIC’s control and accountability processes, as well as the use of evaluation within the OIC, in order to support management practices, decision-making and program performance.
To offer this support, the Committee exercises active oversight of core areas of the OIC’s management control and accountability framework. In so doing, Committee members address high-level strategic issues, as well as ongoing operational ones, to support the independence of internal audit activities within the OIC and the neutrality of the evaluation function. The Committee’s input also helps ensure that internal audit and evaluation results are incorporated into the OIC’s priority setting, and business and planning processes.
Committee members, as strategic resources for the Commissioner, also provide such advice and recommendations as she may request on specific emerging priorities, concerns, risks, opportunities and/or accountability reporting. This activity was largely carried out not only during the four Committee meetings held during the past year, but also during meetings with the Commissioner outside of the formal meetings.
The Committee has three members, two of whom are external to the federal government. The external members during 2020-2021 were Graham Fraser and André Grondines, who succeeded David Rattray, whose second term came to an end on August 30, 2020. Together, the external members have broad knowledge and experience in the areas of audit, management controls and risk management in both the public and private sectors, as well as in the operations and responsibilities of Agents of Parliament. Information Commissioner Caroline Maynard is the third member of the Committee.
The OIC’s Chief Financial Officer, Chief Audit and Evaluation Executive and Deputy Commissioner of Corporate Services, Strategic Planning and Transformations Services, France Labine, Deputy Commissioner of Investigations and Governance Layla Michaud, Deputy Commissioner of Legal Services and Public Affairs Gino Grondin, Director, Financial Management, Procurement and Audit, Stephen Campbell and a senior representative of the Office of the Auditor General attended all meetings during the reporting period. Various other OIC staff members were also in attendance to present reports and other deliverables, or to give Committee members updates on the OIC’s business and other activities.
The Audit and Evaluation Committee met four times in person between April 1, 2020, and March 31, 2021: May 21, 2020; October 13, 2020; November 26, 2020 and February 18, 2021. In camera sessions involving only the Commissioner and the external members took place at the conclusion of each meeting. The OIC posted the approved Committee meeting minutes (record of meeting) on its website.
The Committee’s activities fall under nine categories, as set out below. These areas of responsibility are linked in many ways—particularly with regard to risk and strategic priorities—and Committee members take this into account when carrying out their assessments and providing advice.
Values and Ethics
The Committee reviews any measures OIC management puts in place to exemplify and promote public service values and to ensure compliance with laws, regulations and policies, and standards of ethical conduct. The Committee also received feedback on OIC employee surveys and action plans during the year. The AEC was satisfied with the degree to which ethics and values are embedded and assessed within OIC operations. There were no reports or cases of wrongdoing, and the values and ethics code is being respected. This included violence in the workplace and conflict of interest. The preparation of a new values and ethics code (code of conduct) is underway.
Risk assessment and mitigation are ongoing focuses of the Committee’s work, including reviewing the OIC’s corporate risk profile and risk management strategies and activities.
Committee members, with the assistance of the OIC’s Chief Audit Executive, reviewed and adjusted the schedule of upcoming audits and evaluations.
The Threat and Risk Assessment (TRA) and Threat and Vulnerability Assessment (TVA) - Presented by the Director of IT/IM, this item provided the status and next steps of the Office of the Information Commissioner’s assessments and an update on the security posture. The members reviewed and discussed the information presented. The timing of the technology improvements was excellent, as it was a big challenge during the pandemic to have the entire staff connected in order to be able to work from home.
Evaluation of Investigations - Given the unprecedented circumstances of COVID-19, the OIC has experienced procurement delays; however, there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. Therefore, an evaluation rescheduled to 2021-22 and 2022-23 would be more beneficial and valuable, as it will produce better results.
Audit of Information Management and Physical Security - Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended but for 2022-23 instead of 2021-22. This change is due to the pandemic situation and the derogation in effect in the IM Security.
Committee members considered risk-related input from external agencies such as the OAG, the Office of the Comptroller General (OCG) as well as Treasury Board Secretariat (TBS) and how that might apply to the OIC. This included the list of high risks for small departments prepared by the OCG.
Management Control Framework
The Committee reviews the OIC’s internal control mechanisms, including adequacy of management-led audits.
Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, are ongoing.
Through an agreement with the OIC, the Canadian Human Rights Commission (CHRC) provides financial management and specialized procurement services to the OIC. The OIC relies on CHRC's internal management controls over financial reporting and the financial management system to process the financial data that the OIC has approved, authorized and transmitted to the CHRC for processing.
Each year, the CHRC provides a general outline to the OIC of the oversight it exercises with regard to its system of internal control over financial reporting, reasonable assurance that these controls are being properly managed, and an attestation about the assessment of the CHRC’s system of controls.
As part of the internal control over financial management and reporting, the CHRC performed the following functions:
- Reviewed and updated documentation of business processes and controls to ensure they represent the current processes and controls in place;
- Evaluated payroll controls (conducted in 2020/21, with results presented in 2021/22);
- Reviewed the OIC’s transactions for the contracting process and the CHRC’s transactions for the other business processes, which revealed that the key internal controls over these business processes were all strong and operating effectively, with the exception of the payroll-related transactions using the Government of Canada’s Phoenix system; and
- Assessed, for the OIC’s transactions, the operating effectiveness of IT management and security.
The CHRC assessment demonstrated to the OIC that the IT general controls related to systems remain appropriate and can be relied upon. For IT management, the GX financial system was tested with regard to internal controls over financial controls and was assessed as strong.
The Committee’s responsibilities with regard to internal audit include reviewing plans for and reports on internal audits, and their resulting management action plans.
The Committee’s responsibilities with regard to evaluations include reviewing and approving the OIC’s RBAEP, reports on individual evaluations and management action plans, and receiving status updates on how the OIC is implementing the recommendations. The AEC also monitors the Treasury Board Policy on Evaluation for any changes to that policy direction. As with the Policy on Internal Audit, the OIC, as an independent Agent of Parliament, is not mandated to adhere to either policy, but chooses to follow the spirit of the policies.
An evaluation of the OIC’s Investigations Program is planned for 2020–2021 and 2021-2022.
Follow-up on Management Action Plans
The Committee received regular updates from management on the status and effectiveness of follow-up actions under management action plans. Follow-up briefings were provided at each of the four meetings held during the year and included such management areas as: Corporate Services; Investigations; Legal Services; and Public Affairs.
As of March 31, 2021, follow-up actions highlighted during senior staff briefings on the management areas noted above were either nearing completion or had been completed. The AEC was impressed with management actions taken.
At each AEC meeting, members were provided with the minutes and an update of action items arising from those meetings and were satisfied that all actions had been satisfactorily addressed.
The Committee also reviewed the recommendations and action plan resulting from the IT risk assessment carried out and was satisfied with the results.
Financial Statements and Public Accounts Reporting
The OAG presented its annual Financial Audit Report for 2018–2019 with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant financial statement adjustments. The major risk for this audit (and not limited only to the OIC) is related to the Phoenix system. The risk remains high but controls in place ensure that the risk is very limited. Based on the test sample, the OAG was very comfortable but noted the delays in the transfer of employee pay files which is a common challenge for departments in general. The 2020-21 Audit Plan of the OAG was presented by the OAG Principal at the Committee meeting on February 18, 2021 and the approach was approved. The AEC confirmed to the OAG that there were no changes in management’s fraud prevention and detection responsibilities and that there was no knowledge of any fraud.
Throughout the year, the DCFO briefed Committee members on the status of the current year budget (2020-21), and the preparation of the 2021–22 budget. At its meeting of November 26, 2020, the Committee had a comprehensive discussion of the results of the mid-year budget review and was satisfied with the review results.
The Committee reviewed various corporate accountability reports and provided advice to the Commissioner during the year.
The Committee reviewed and commented on the following in 2020-21:
- 2019-20 Departmental Results Report;
- 2021-22 Departmental Plan; and
- overall direction and observations on the Commissioner’s Annual Report to Parliament.
External Assurance Provider
The Committee carried out objective assessments of evidence and data to provide an independent opinion or conclusions regarding the OIC’s operations, results, risks, stewardship and governance.
During the year, the Committee satisfactorily carried out its role of providing advice and recommendations on matters for which the Commissioner, as the Deputy Head, serves as the Accounting Officer for the organization.
The Committee received all the information it deemed necessary to fulfil all its mandate obligations.
Overall Assessment of Risk Management, Control and Governance
Based on reviews conducted and discussions held throughout 2020-21, the Committee is reasonably satisfied that the OIC’s risk management, control and governance processes are functioning well.
The Committee appreciates the due diligence the OIC has exercised in the development of sound management and internal control processes and practices, and is encouraged that management strives for constant improvement.
Audit and Evaluation Committee Effectiveness
The Committee’s external members are pleased with the Committee’s ongoing development and maturity in its advisory role. Members were provided with complete, timely and accurate information to enable them to discharge their mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and their willingness to implement suggestions.
The Committee has established itself as an integral part of the OIC’s governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional specialists have been invaluable in helping the Committee fulfill its role. Based on our observations over the past year, the two external members of the Committee conclude that the OIC has a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.
The Committee is scheduled to meet four times during 2021-22. Its goals are to continue to provide advice that reflects core public sector principles and values, take into account the independence of Agents of Parliament, and encompass innovative and creative perspectives.
The Audit and Evaluation Committee conducted its annual review of its obligations for the next fiscal year (2021-22) and approved the Calendar of Activities on February 18, 2021.
The table below provides the scope, objective and rationale for each of the audit and evaluation projects proposed for 2021-22 and 2022-23. A change in the proposed audit and evaluation timelines was approved at the Committee meeting on February 18, 2021 and is reflected in the table below.
A change to the calendar for the RBAEP was proposed, namely, to extend the duration of the Evaluation of Investigations planned for fiscal years 2020-21 and 2021-22 to fiscal years 2021-22 and 2022-23 and extend the audit of Information Management and Physical Security planned for 2021-22 to fiscal year 2022-23.
The change was discussed and accepted by the members.
Evaluation of Investigations
Complaints Resolution and Compliance
Scope: The Investigations program.
Objective: Address, as per the TB Policy on Results, the relevance and performance of the investigations program. The evaluation should consider the evolving nature of investigations through an analysis of the portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program is operating (e.g. C-58 legislative changes).
Rationale: High evaluation requirement, 4.2 Impact and 3.6 Probability. Given the unprecedented circumstances of COVID-19, the OIC has experienced procurement delays; however, there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. Therefore, an evaluation rescheduled to 2021-22 and 2022-23 would be more beneficial and valuable, as it will produce better results. Considering that the Investigations program is the key program at the OIC, an evaluation of this activity is recommended every 5 years.
Performance and Talent Management Review
Human Resources (HR)
Scope: A review of OIC HR practices.
Objective: Not an in-depth audit, but a review of the following OIC HR practices: i) effectiveness of employee performance evaluation; ii) effectiveness of the Talent Management program; iii) employee turnover; and iv) exit interviews.
Rationale: High audit requirement, 3.3 Impact and 3.4 Probability. During the interviews of Management and the Strategic Planning meeting, the need to recruit high performing employees in several key positions was identified as a high priority. Given unprecedented circumstances of COVID-19, there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. A review postponed to 2021-22 would be more beneficial and valuable, as it will produce better results.
Audit of Information Management and Physical Security
Scope: Management practices and assessment of controls related to information management.
Objective: Assess the operational effectiveness of information management practices and compliance with recommendations made in the RHEA audit, notably as they relate to the retention and disposition of sensitive and restricted documents.
Rationale: High audit requirement, 3.2 Impact and 2.3 Probability. Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended but for 2022-23 instead of 2021-22. This change is due to the pandemic situation and the derogation in effect in the IM Security.