2024-25 Audit and Evaluation Committee Annual Report
Table of Contents
- Foreword from the Chair
- Introduction
- Committee Role and Membership
- Meetings
- Activities
- Overall Assessment of Risk Management, Control and Governance
- Audit and Evaluation Committee Effectiveness
- Forward Planning
Foreword from the Chair
2024-25
This report marks the end of Caroline Maynard's first term as the Information Commissioner of Canada and, with her renewal, looks forward to her second mandate in the role.
As Chair, I have been consistently impressed by the leadership demonstrated by the Commissioner, as well as by the dedication and hard work of the organization's executives and staff. During this time, she has successfully guided the OIC through the challenges of a global pandemic, a record volume of complaints, and ongoing funding constraints. Her leadership has empowered the Office to handle the large volume of complaints it receives each year, while also making remarkable progress in reducing the backlog of cases she inherited at the start of her mandate.
The Committee members look forward to working with the Commissioner as she continues to encourage efficiency and innovation, as the OIC strives to resolve cases as quickly as possible and maintain a contemporary inventory of complaints. The Committee is also certain the Commissioner will continue to be a champion to improve the access to information system in Canada. Furthermore, the Committee members are encouraged by the fact that the Commissioner will have an opportunity to be involved in the Government's legislative review of the Access to Information Act planned for 2025, which will give the Commissioner the opportunity to advocate for changes to modernize the federal access law in Canada.
The Audit and Evaluation Committee has been in a privileged position to see how the executive has responded effectively to the unique problems faced by the organization. The Office of the Information Commissioner is a small organization, with a limited budget and no control over the volume of work it receives. I have been impressed by the scrupulous and responsible management of its budget and the competence of the management team.
I wish to acknowledge the continued contribution of fellow Committee member, André Grondines, who brings rigour and expertise to the Committee.
Janine Sherman
Chair, Audit and Evaluation Committee
Introduction
The external members of the Audit and Evaluation Committee (AEC) of the Office of the Information Commissioner (OIC) have prepared this report as a summary for the Information Commissioner of the Committee's work from April 1, 2024 to March 31, 2025.
The report is also a vehicle for the external members to present their thoughts on areas for improvement at the OIC, based on the Committee's assessments and deliberations over the last year. The previous Audit and Evaluation Committee Report for FY 2023-24 was approved at the AEC meeting on June 13, 2024.
Committee Role and Membership
The Committee's role is to provide the Commissioner with objective advice, guidance and recommendations on the adequacy of the OIC's control and accountability processes, as well as the use of evaluation within the OIC, in order to support management practices, decision-making and program performance.
To offer this support, the Committee exercises active oversight of core areas of the OIC's management control and accountability framework. In so doing, Committee members address high-level strategic issues, as well as ongoing operational ones, to support the independence of internal audit activities within the OIC and the impartiality of the evaluation function. The Committee's input also helps ensure that internal audit and evaluation results are incorporated into the OIC's priority setting, and business and planning processes.
Committee members, as strategic resources for the Commissioner, also provide such advice and recommendations as she may request on specific emerging priorities, concerns, risks, opportunities and/or accountability reporting. This activity was largely carried out not only during the four Committee meetings held during the past years, but also during meetings with the Commissioner outside of the formal meetings.
The Committee has three members, two of whom are external to the federal government. The external members during 2024-2025 were Janine Sherman (chair) and André Grondines. Together, the external members have broad knowledge and experience in the areas of audit, management controls and risk management in both the public and private sectors, as well as in the operations and responsibilities of Agents of Parliament. Information Commissioner Caroline Maynard is the third member of the Committee.
Permanent Committee members attended meetings during the reporting period:
- France Labine, Chief Financial Officer, Chief Audit and Evaluation Executive and Deputy Commissioner of Corporate Services, Strategic Planning and Transformations Services
- Layla Michaud, Deputy Commissioner of Investigations and Governance
- Marie-Josée Montreuil or Natacha Bernier, Acting General Counsel of Legal Services
- James Ellard, Senior Director, Public Affairs and Communications Services
- Sébastien Lafond, Deputy Chief Financial Officer (DCFO) and Senior Director, Finance, Procurement, Administration and Security
- Michael Walsh, Financial Management Advisor and
- Catherine Lapalme, a senior representative of the Office of the Auditor General (OAG)
Various other OIC staff members were also in attendance to present reports and other deliverables, or to give Committee members updates on the OIC's business and other activities.
Meetings
The Audit and Evaluation Committee met three times between April 1, 2024 and March 31, 2025, with an additional meeting moved to early in the 2025-26 fiscal year:
- June 13, 2024
- September 18, 2024
- November 20, 2024 (in camera meeting)
- April 23, 2025
The Commissioner met with the external members in camera at the conclusion of each meeting. The OIC posted the approved Committee meeting minutes on its website.
Activities
The Committee's activities fall under nine categories, as set out below. These areas of responsibility are linked in many ways—particularly with regard to risk and strategic priorities—and Committee members take this into account when carrying out their assessments and providing advice.
Values and Ethics
With the reappointment of the Commissioner for a second term, the OIC is using this as an opportunity to create a new Strategic Plan for 2025-26 to 2028-29, which will reexamine the mission, vision, and priorities for the OIC over the next three years. The Commissioner has also decided to incorporate all OIC employees into the process to review and update the core values for the OIC. This work started late in the 2024-25 fiscal year and the final strategic plan will be presented to the Committee in 2025-26.
The Committee reviews any measures OIC management puts in place to exemplify and promote public service values and to ensure compliance with laws, regulations and policies, and standards of ethical conduct. The AEC was satisfied with the degree to which ethics and values are embedded and assessed within OIC operations. There were no reported cases of wrongdoing and the values and ethics code is being respected. This included violence in the workplace and conflict of interest.
Risk Management
Risk assessment and mitigation are ongoing focuses of the Committee's work, including reviewing the OIC's corporate risk profile and risk management strategies and activities. In 2024-25 the OIC started a major project to develop a new Corporate Risk Profile which includes an updated key risk register. The new documents formalize the identification and management of risk at the OIC. The new Corporate Risk Profile was presented to Committee members at the April 23, 2025 meeting and it will be updated on an annual basis.
Management Control Framework
Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, are ongoing including presentations on the OIC's internal control mechanisms.
At the June 13, 2024 meeting, the findings of the cyber maturity self-assessment were presented to the Committee with no significant findings noted.
At the September 18, 2024 meeting, the results of the 2023-24 internal control testing plan were presented. The testing performed in the year focused on the impact of the PSAC strike, retroactive payments and updated rates of pay due to the implementation of new collective agreements, and annual testing of key controls over payroll and benefits. There were no significant issues identified during the testing.
Also at the September 18, 2024 meeting, the results of the complainant consultation for the Investigations program were presented.
Internal Audit
The Committee's responsibilities with regard to internal audit include reviewing plans for and reports on internal audits, and their resulting management action plans. The updated Risk Based Audit & Evaluation Plan (RBAEP) was presented at the June 13, 2024 meeting.
Evaluation
The Committee's responsibilities with regard to evaluations include reviewing and approving the OIC's RBAEP, reports on individual evaluations and management action plans, and receiving status updates on how the OIC is implementing the recommendations. The AEC also monitors the Treasury Board Policy on Evaluation for any changes to that policy direction. Like the Policy on Internal Audit, the OIC is not mandated to adhere to either policy as an independent Agent of Parliament but chooses to follow the spirit of the policies.
Follow-up on Management Action Plans
The Committee received regular updates from management on action plans, including the status and effectiveness of management follow-up actions.
At the April 23, 2025 meeting, final follow-up actions were presented for the two pre-2024-25 evaluations: (I) the PSC Staffing File & Monitoring Exercise and (II) the Evaluation of Internal Controls over Salaries and Employee Benefits. The AEC approved of the management actions taken to address the identified risks.
As noted above, new management actions were presented for two evaluations completed in the year related to the cyber maturity self-assessment and the complaint consultation. The committee was satisfied with management's response and proposed course of action to address findings in the reports.
At each AEC meeting, members were provided with the minutes and an update of action items arising from those meetings and were satisfied that all actions had been satisfactorily addressed.
Financial Statements and Public Accounts Reporting
The OAG presented its annual Financial Audit Report for 2023–2024 with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant financial statement adjustments. The major risk for this audit (and not limited only to the OIC) is related to the Phoenix pay system. The risk remains high but controls in place provide reasonable assurance that the risk is very limited. Based on the test samples, the OAG was comfortable. The 2024-25 Audit Plan of the OAG was presented by the OAG Principal at the Committee meeting on April 23, 2025 and the approach was approved. The AEC confirmed to the OAG that there were no changes in management's fraud prevention and detection responsibilities and that there was no knowledge of any fraud.
Throughout the year, the CFO and the DCFO briefed Committee members on the status of the current year's budget for 2024-25 and the preparation of the budget allocation exercise for 2025-26.
Accountability Reporting
The Committee reviewed various corporate accountability reports and provided advice to the Commissioner during the year.
External Assurance Provider
The Committee carried out objective assessments regarding the OIC's operations, results, risks, stewardship and governance.
During the year, the Committee satisfactorily carried out its role of providing advice and recommendations on matters for which the Commissioner, as the Deputy Head, serves as the Accounting Officer for the organization.
The Committee received all the information it deemed necessary to fulfil all its mandate obligations.
Two external service provider exercises were completed during the reporting period. Regular updates were provided at each of the meetings on the OIC management response and progress so far.
1. Complaints Consultation
OIC hired an external consultant to seek input from complainants on its investigations program. The findings of the consultation helped OIC develop and refine its communication and accessibility strategies, identify process improvements and further optimize its operations. The final report along with the management action plan was presented to the Committee at the September 18, 2024 meeting.
2. Cyber Maturity Self-Assessment
As part of the Departmental Security Plan and Risk Based Audit and Evaluation Plan, OIC performed a self-evaluation of its cyber security process using the TBS Cyber Maturity Self-Assessment tool. OIC also hired an external consultant to evaluate OIC's self-assessment and a technical writer to assist with the development of policies and procedures. The results of this evaluation were presented at the June 13, 2024 meeting. The Information Technology team developed a 3-year action plan to address the findings.
Overall Assessment of Risk Management, Control and Governance
Based on reviews conducted and discussions held throughout 2024-25, the Committee is satisfied that the OIC's risk management, control and governance processes are functioning well. The committee also notes the OIC has developed a new corporate risk profile to formalize the identification and management of significant risks at the OIC.
The Committee appreciates the due diligence the OIC has exercised in the development of sound management and internal control processes and practices and is encouraged that management strives for constant improvement.
Audit and Evaluation Committee Effectiveness
The Committee's external members are pleased with the Committee's ongoing development and maturity in its advisory role. Members were provided with complete, timely and accurate information to enable them to discharge their mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and their willingness to implement suggestions.
The Committee has established itself as an integral part of the OIC's governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional specialists have been invaluable in helping the Committee fulfill its role. Based on our observations over the past year, the two external members of the Committee conclude that the OIC has a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.
The Committee also performed a self-assessment which indicated that members believe they have the information, tools and knowledge required for their roles.
Forward Planning
The Committee is scheduled to meet four times during the 2025-26 fiscal year. Its goals are to continue to provide advice that reflects core public sector principles and values, take into account the independence of Agents of Parliament, and encompass innovative and creative perspectives.
The Audit and Evaluation Committee conducted its annual review for the next fiscal year (2025-26) and approved the Calendar of Activities at the April 23, 2025 meeting.
OIC looks forward to working with the members of the Committee, to support Caroline Maynard as she starts her second term as the Information Commissioner.