2021-22 Audit and Evaluation Committee Annual Report
Office of the Information Commissioner
Table of Contents
- Foreword from the Chair
- Committee Role and Membership
- Overall Assessment of Risk Management, Control and Governance
- Audit and Evaluation Committee Effectiveness
- Forward Planning
Foreword from the Chair
This report marks the end of my tenure as Chair of the Audit and Evaluation Committee for the Office of the Information Commissioner. During this period, I have watched as Commissioner Caroline Maynard absorbed and adapted to the changes in the Access to Information legislation which expanded the powers of her office, managed the dramatic increase in complaints, and dealt with the challenges of the problems of the Phoenix pay system and the COVID-19 pandemic. She displayed impressive leadership skills, rising to these unprecedented challenges.
The Audit and Evaluation Committee has been in a privileged position to see how the executive has responded effectively to the unique problems faced by the organization. André Grondines has brought experience and expertise to the committee, providing wisdom and encouragement.
I would be remiss if I did not mention the contribution made by Riowen Abgrall of the Office of the Auditor-General who provided support to the Committee.
It has been a pleasure to serve as Chair of the Committee, and I welcome my successor, Janine Sherman, who brings years of experience at the Privy Council Office to the position. She will, I am sure, find a dedicated and effective organization.
Graham Fraser O. C.
Chair, Audit and Evaluation Committee, 2019-2023
The external members of the Audit and Evaluation Committee (AEC) of the Office of the Information Commissioner (OIC) have prepared this report as a summary for the Information Commissioner of the Committee’s work from April 1, 2021 to December 31, 2022.
The report is also a vehicle for the external members to present their thoughts on areas for improvement at the OIC, based on the Committee’s assessments and deliberations over the last years. The previous Audit and Evaluation Committee Report for FY 2020 – 21 was approved by the Commissioner at the AEC meeting on November 3, 2021.
Committee Role and Membership
The Committee’s role is to provide the Commissioner with objective advice, guidance and recommendations on the adequacy of the OIC’s control and accountability processes, as well as the use of evaluation within the OIC, in order to support management practices, decision-making and program performance.
To offer this support, the Committee exercises active oversight of core areas of the OIC’s management control and accountability framework. In so doing, Committee members address high-level strategic issues, as well as ongoing operational ones, to support the independence of internal audit activities within the OIC and the impartiality of the evaluation function. The Committee’s input also helps ensure that internal audit and evaluation results are incorporated into the OIC’s priority setting, and business and planning processes.
Committee members, as strategic resources for the Commissioner, also provide such advice and recommendations as she may request on specific emerging priorities, concerns, risks, opportunities and/or accountability reporting. This activity was carried out not only during the seven Committee meetings held during the past years, but also during meetings with the Commissioner outside of the formal meetings.
The Committee has three members, two of whom are external to the federal government. The external members during 2021-2022 were Graham Fraser (chair) and André Grondines. Together, the external members have broad knowledge and experience in the areas of audit, management controls and risk management in both the public and private sectors, as well as in the operations and responsibilities of Agents of Parliament. Information Commissioner Caroline Maynard is the third member of the Committee.
Permanent Committee members attended all meetings during the reporting period:
- France Labine, Chief Financial Officer, Chief Audit and Evaluation Executive and Deputy Commissioner of Corporate Services, Strategic Planning and Transformations Services
- Layla Michaud, Deputy Commissioner of Investigations and Governance
- Gino Grondin, Deputy Commissioner of Legal Services and Public Affairs
- Sébastien Lafond, Deputy Chief Financial Officer (DCFO) and Senior Director, Finance, Procurement, Administration and Security
- Bojana Terzic, Team lead - Strategic Planning, Policy and Program Evaluation and Audit who served as the AEC secretary, and
- Riowen Abgrall, a senior representative of the Office of the Auditor General (OAG)
Various other OIC staff members were also in attendance to present reports and other deliverables, or to give Committee members updates on the OIC’s business and other activities.
The Audit and Evaluation Committee met seven times between April 1, 2021 and December 31, 2022:
- June 2, 2021
- August 19, 2021
- November 3, 2021
- February 2, 2022
- June 1, 2022
- August 26, 2022 (conducted secretarially)
- November 17, 2022
The Commissioner met with the external members in camera at the conclusion of each meeting. The OIC posted the approved Committee meeting minutes on its website.
The Committee’s activities fall under nine categories, as set out below. These areas of responsibility are linked in many ways—particularly with regard to risk and strategic priorities—and Committee members take this into account when carrying out their assessments and providing advice.
Values and Ethics
During the period, the Committee approved a new Code of Values and Ethics for the Office of the Information Commissioner. The Code expanded on the five values set out in the Strategic Plan 2020-21 to 2024-25: Respect, Collaboration, Transparency, Accountability and Conflict of Interest, and advised employees on the use of caution and good judgment in their personal use of social media.
The Committee reviews any measures OIC management puts in place to exemplify and promote public service values and to ensure compliance with laws, regulations and policies, and standards of ethical conduct. The Committee also received feedback on OIC employee surveys and action plans during the year. The AEC was satisfied with the degree to which ethics and values are embedded and assessed within OIC operations. There were no reports or cases of wrongdoing, and the Code of Values and Ethics is being respected. This included violence in the workplace and conflict of interest.
Risk assessment and mitigation are ongoing focuses of the Committee’s work, including reviewing the OIC’s corporate risk profile and risk management strategies and activities.
Committee members, with the assistance of the OIC’s Chief Audit Executive, reviewed and adjusted the schedule of upcoming audits and evaluations.
Update on the Threat and Risk Assessment (TRA) and Threat and Vulnerability Assessment (TVA): sponsored by the Chief Information Officer, this update provided the status and next steps of the Office of the Information Commissioner’s assessments and an update on its security posture. The members reviewed and discussed the information presented. It was recognized that past technology improvements were crucial for enabling operations during the pandemic by keeping OIC staff connected so that they could work remotely (from home).
Evaluation of Investigations: the program evaluation was conducted in two phases. Phase I was conducted in 2021 and focused on the Evaluation of the Registry. The final report was tabled at the November 2021 AEC meeting and the Management Action Plan (MAP) was approved. During 2022, Phase II of the program evaluation was conducted and the majority of the items in the Phase I MAP were addressed.
The Audit of Information Management and Physical and Security was deferred because the security enhancements that were completed during the reporting period lowered the priority of this audit.
The OIC Risk Management Framework was developed, and the OIC is still monitoring risk-related input from external agencies such as the OAG, the Office of the Comptroller General (OCG) as well as Treasury Board Secretariat (TBS) and how that might apply to the OIC. This included the list of high risks for small departments prepared by the OCG.
Management Control Framework
Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, are ongoing, including presentations on the OIC’s internal control mechanisms.
Through an agreement with the OIC, the Canadian Human Rights Commission (CHRC) provides financial management and specialized procurement services to the OIC. The OIC relies on CHRC's internal management controls over financial reporting and the financial management system to process the financial data that the OIC has approved, authorized and transmitted to the CHRC for processing.
Each year, the CHRC provides a general outline to the OIC of the oversight it exercises with regard to its system of internal control over financial reporting, reasonable assurance that these controls are being properly managed, and an attestation about the assessment of the CHRC’s system of controls.
As part of the internal control over financial management and reporting, the CHRC performed the following functions:
- Reviewed and updated documentation of business processes and controls to ensure they represent the current processes and controls in place
- Reviewed the OIC’s transactions for the contracting process and the CHRC’s transactions for the other business processes, which revealed that the key internal controls over these business processes were all strong and operating effectively, with the exception of the payroll-related transactions using the Government of Canada’s Phoenix system; and
- Assessed, for the OIC’s transactions, the operating effectiveness of IT management and security.
The CHRC Assessment demonstrated to OIC that the IT general controls (ITGC) related to systems remain appropriate and can be relied upon. For IT management, the GX financial system was tested with regard to internal controls over financial controls and was assessed as strong.
The following recommendations (ITGC) have been received and addressed on a priority basis:
- For asset management, it was recommended that a full inventory count of all assets under management be undertaken, and that an asset management policy document be developed to provide clarity on how to manage assets and on the roles and responsibilities of the parties managing assets within CHRC.
- Clarify and monitor departure procedures to aid in the timely removal of network accesses.
- Document a clear IT strategy and annual plan and communicate them to senior management.
The Committee’s responsibilities with regard to internal audit include reviewing plans for and reports on internal audits, and their resulting management action plans.
The Committee’s responsibilities with regard to evaluations include reviewing and approving the OIC’s RBAEP, reports on individual evaluations and management action plans, and receiving status updates on how the OIC is implementing the recommendations. The AEC also monitors the Treasury Board Policy on Evaluation for any changes to that policy direction. As with the Policy on Internal Audit, the OIC, as an independent Agent of Parliament, is not mandated to adhere to either policy, but chooses to follow the spirit of the policies.
An evaluation of the OIC’s Investigations Program was conducted in this period as planned in the RBAP and is listed under the “Risk” area of this report.
Follow-up on Management Action Plans
The Committee received regular updates from management on the status and effectiveness of management follow-up actions under its action plans. Follow-up briefings were provided at each of the seven meetings held during the year and covered such management areas as Corporate Services, Investigations, Legal Services, and Public Affairs.
As of December 31, 2022, the follow-up actions highlighted during senior staff briefings on the management areas noted above were either nearing completion or had been completed. The AEC was in approval of the management actions taken to address the identified risks or functions.
At each AEC meeting, members were provided with the minutes and an update of action items arising from those meetings and were satisfied that all actions had been satisfactorily addressed.
Financial Statements and Public Accounts Reporting
The OAG presented its annual Financial Audit Report for 2020–2021 and 2021-2022 with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant financial statement adjustments. The major risk for this audit (and not limited only to the OIC) is related to the Phoenix system. The risk remains high but controls in place ensure that the risk is very limited. Based on the test samples, the OAG was very comfortable. The 2022-23 Audit Plan of the OAG was presented by the OAG Principal at the Committee meeting on February 2, 2022 and the approach was approved. The AEC confirmed to the OAG that there were no changes in management’s fraud prevention and detection responsibilities and that there was no knowledge of any fraud.
Throughout the year, the CFO and the DCFO briefed Committee members on the status of the current year’s budget (2020-21 and 2022-23), and the preparation of the budget allocation exercise. The Committee meeting of November 17, 2022 received a comprehensive discussion of the results of the mid-year budget review and was satisfied with the review results.
The Committee reviewed various corporate accountability reports and provided advice to the Commissioner during the year.
The Committee reviewed and commented on the following during the reporting period:
2020-21 and 2021-22 Departmental Results Report; 2022-23 and 2023-24 Departmental Plan, and overall direction and observations on Commissioner’s Annual Report to Parliament.
External Assurance Provider
The Committee carried out objective assessments regarding the OIC’s operations, results, risks, stewardship and governance.
The Committee satisfactorily carried out its role during the year of providing advice and recommendations on matters for which the Commissioner, as the Deputy Head, serves as the Accounting Officer for the organization.
The Committee received all the information it deemed necessary to fulfil all its mandate obligations.
Two external service provider exercises took place during the reporting period. Regular updates were provided at each of the meetings on the OIC management response and progress so far.
1. Evaluation of Internal Controls over Salaries and Employee Benefits
OIC prepared and acknowledged the findings and recommendations from Monique Cousineau (expert advice) for the Evaluation of Internal Controls over Salaries and Employee Benefits.
The objective of the evaluation was to obtain assurance that adequate payroll controls are in place and functioning effectively within OIC to ascertain the integrity of pay transactions, including leave and overtime transactions.
The evaluation focused on the appropriateness and effectiveness of the existing management framework in place to support pay, leave, and overtime activities and transactions, and compliance with relevant regulations and policies. The scope of the audit included various types of employee pay transactions and two full pay periods selected during the period of April 1, 2020, to March 31, 2021.
2. Evaluation (Staffing File Monitoring Exercise)
OIC prepared and acknowledged the findings and recommendations from the external provider as well as the Public Service of Canada.
The Office of the Information Commissioner of Canada (OIC) developed a response plan based on opportunities for improvement from the report. The Human Resources Directorate was able to conclude that several good practices were already implemented within the OIC. As part of a continuous improvement process, the OIC committed to updating some of its tools, such as essential forms and documents required for various staffing actions, including file checklists; providing the team members, consisting of administrative staff and human resources advisors, with an information session to make them aware of the various administrative requirements raised in this report; and reviewing all of its human resources policies to ensure consistency and to facilitate their interpretation.
These actions will allow the OIC to provide its team members with the tools they need to better support managers in fulfilling their human resources responsibilities, as well as to ensure compliance with the related policies and legislation.
Overall Assessment of Risk Management, Control and Governance
Based on reviews conducted and discussions held throughout 2020-21, the Committee is reasonably satisfied that the OIC’s risk management, control and governance processes are functioning well.
The Committee appreciates the due diligence the OIC has exercised in the development of sound management and internal control processes and practices, and is encouraged that management strives for constant improvement.
Audit and Evaluation Committee Effectiveness
The Committee’s external members are pleased with the Committee’s ongoing development and maturity in its advisory role. Members were provided with complete, timely and accurate information to enable them to discharge their mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and their willingness to implement suggestions.
The Committee has established itself as an integral part of the OIC’s governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional specialists have been invaluable in helping the Committee fulfill its role. Based on our observations over the past year, the two external members of the Committee conclude that the OIC has a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.
The Committee is scheduled to meet four times during 2023. Its goals are to continue to provide advice that reflects core public sector principles and values, take into account the independence of Agents of Parliament, and encompass innovative and creative perspectives.
The Audit and Evaluation Committee conducted its annual review of next fiscal year’s obligations (2023-24) and approved the Calendar of Activities on November 17, 2022. The calendar will be reviewed by the new Chair, Janine Sherman.
An updated RBAEP will be tabled to cover the new reporting cycle (calendar base) January 1, 2023 to December 31, 2025.
The OIC looks forward, under the new leadership of Janine Sherman, to supporting Caroline Maynard, OIC Commissioner, for the remainder of her mandate.