Risk-based Audit and Evaluation Plan 2025-26 to 2028-29

Executive Summary

Introduction

This document outlines the Risk-Based Audit and Evaluation Plan (RBAEP) for the Office of the Information Commissioner of Canada (OIC), which was updated in September 2025. The RBAEP encompasses both the internal audit plan and the evaluation plan, covering the period up to the end of 2028/29. The primary aim of the RBAEP is to allocate assurance and evaluation resources to the areas of the OIC that pose the most significant risks and align with the OIC's priorities. This RBAEP was developed in accordance with the Treasury Board Secretariat (TBS) Policy on Results and Policy on Internal Audit.

This RBAEP is based on the OIC’s Corporate Risk Profile that was finalized in April 2025. Furthermore, the RBAEP builds upon the OIC's previous RBAEP and the Office of the Comptroller General's (OCG’s) Risk-based Internal Audit Plan for 2024-25 to 2025-26.

As an Agent of Parliament, the OIC reports directly to Parliament and is excluded from the traditional oversight by TBS. However, the OIC recognizes the importance of an audit and evaluation committee and views its internal oversight mechanisms and governance structure as essential in ensuring that adequate management practices are in place.

Proposed Audits and Evaluations

| Year | Audit Project Name | Primary OIC Entity |
|---|---|---|
| 2025-26 | Planning and information gathering for Internal Audit of Human Resources (Employee Retention) | Human Resources |
| 2026-27 | Internal Audit of Human Resources (Employee Retention) | Human Resources |
| 2027-28 | One year planned hiatus for internal audits and evaluations and Management action plan for 2026-27 HR Audit (Employee Retention) | |
| 2028-29 | Internal Audit of Procurement | Finance & Procurement at Canadian Human Rights Commission (CHRC) |

Planning Context

Background

The Information Commissioner is an Agent of Parliament appointed under the Access to Information Act. The Office of the Information Commissioner was established in 1983 under the Access to Information Act to support the work of the Information Commissioner of Canada.

OIC staff carry out confidential investigations into complaints against federal institutions about matters related to an access request or any other matters related to requesting and accessing records under their control, giving complainants and any other parties the opportunity to present their positions. OIC counsel handle litigation in reviews before the Federal Court of matters that are the subject of a complaint or of an order from the Commissioner.

OIC strives to maximize compliance with the Act, using the full range of tools, activities and powers at the Commissioner’s disposal. These include negotiating with complainants and making recommendations and/or orders when complaints are well founded.

Caroline Maynard was re-appointed to the position of Information Commissioner of Canada for a second seven-year term beginning on March 1, 2025.

OIC Strategic Priorities

As stated in the OIC’s updated strategic plan, the organization will pursue three strategies to achieve its vision, mission and values:

  • Investing our resources effectively
  • Innovate and optimize operations
  • Maintain and enhance credibility

OIC Structure and Resources

The OIC’s financial and human resources are shown in the table below.

| OIC’s Voted and Statutory Items (thousands of dollars) | Planned Spending 2025-26 | Planned Spending 2026-27 | Planned Spending 2027-28 | Planned Spending 2028-29 |
|---|---|---|---|---|
| Government Transparency | $12.4 million | $12.4 million | $12.4 million | $12.4 million |
| Internal Services | $5.3 million | $5.3 million | $5.3 million | $5.3 million |
| Total | $17.7 million | $17.7 million | $17.7 million | $17.7 million |
| Total full-time equivalents (FTE) | 124 | 124 | 124 | 124 |

The senior management organizational structure is shown in the diagram below.

This hierarchical chart shows the organizational structure of the Office of the Information Commissioner. The Information Commissioner is at the top of the hierarchy as the head of the organization. On the second level, there are the Deputy Commissioner of Investigations and Governance, the Deputy Commissioner of Legal Services, the Deputy Commissioner of Corporate Services, Strategic Planning and Transformation Services and the Senior Director, Communications and Public Affairs.

Progress on Implementation of the 2021-22 to 2024-25 OIC Audit and Evaluation Plan

The progress made on the engagements identified in the previous RBAEP is stated in the table below.

| Planned Year | Audit Project Name | Primary OIC Entity | Status |
|---|---|---|---|
| 2021-22 and 2022-23 | Program Evaluation of Investigations | Senior Management and Complaints Resolution | Completed. Phase I – Evaluation of Registry 2021-22. Phase II – Evaluation of the Investigation and Governance (rest of the program) 2022-23. |
| 2021-22 | Performance and Talent Management Review | Human Resources (HR) | Completed. Replaced by Public Service Commission Staffing Evaluation which was done by External Quality Assurance Provider in 2021-22. |
| 2022-23 | Audit of Information Management and Physical Security | Corporate Services | Removed. Activity was replaced by Development of Departmental Security Plan (DSP) and Business Continuity Plan (BCP). |
| 2023-24 | Cyber Security Maturity Assessment | IT/IM & Security Management | Recommendations of the Management Action Plan are in progress |
| 2023-24 | Complainant Consultation regarding the Office of the Information Commissioner’s Investigations Program | Investigations | Completed – will reassess certain findings once OIC transfers to a cloud environment |
| 2024-25 | Real-Time Internal Audit of the Cyber Security Event Management Action Plan (CSEMP) | IT/IM & Security Management | Recommendations of the Management Action Plan in progress |

OIC Key Organizational Risks (2025-26)

The OIC’s key risks are documented in the Corporate Risk Register included in the OIC Corporate Risk Profile, which was developed with input from Senior Management and the Audit & Evaluation Committee. The OIC’s key risks are summarized in the following Risk Assessment Matrix:

This Risk Assessment Matrix ranks key organization risks based on their likelihood and magnitude. The risks were ranked on a scale of 1 (low) to 10 (high) for their potential likelihood and magnitude. The risks were scored as follows:

For volume of complaints, the score was magnitude 7.5 and likelihood 5.

For volume of litigations, the score was magnitude 6 and likelihood 6.

For cybersecurity, the score was magnitude 8 and likelihood 4.

For human resources and resource planning, the score was magnitude 5 and likelihood 4.

For aging information technology systems, the score was magnitude 5.5 and likelihood 3.5.

For public trust, the score was magnitude 5 and likelihood 3.

For independent funding mechanism, the score was magnitude 3.25 and likelihood 3.

OCG Audit Areas for Small Department Risks

The OCG is responsible for providing central audit and oversight to a group of small government departments and regional development agencies. These departments and agencies, which have fewer than 500 employees and a maximum annual approved expenditure of $300 million, are overseen by a Small Departments and Agencies (SDA) audit committee consisting of externally appointed members. While the OIC, as an independent Agent of Parliament, is not subject to this oversight, it nonetheless chooses to consider the SDA high-risk categories that the OCG has established in its audit plan as priorities. The OCG has identified eight key risk areas:

This graphic shows the eight government-wide risk areas identified by the Office of the Comptroller General. The eight areas are procurement, human resources (diversity, inclusion, accessibility), human resources (general), cyber security, climate action, digital, change management, and real property.

For the period 2024-25 to 2025-26, the OCG is conducting the following horizontal audit engagements:

| Planned Year | Audit Project Name | Preliminary Objective |
|---|---|---|
| 2024-25 | Horizontal Audit of Procurement Governance | To determine whether Procurement Management Frameworks (PMF) within selected departments: are established, aligned with applicable TB policies, directives, and guides, and are implemented; support the understanding and fulfillment of departmental and shared procurement-related roles, responsibilities, and accountabilities between departments; are established to enable information and data collection, with tools to inform decision making. |
| 2024-25 | Human Resources – Duty to Accommodate | To determine whether: selected lead departments provide clear direction, guidance, support, tools, and training for the identification and removal of individual workplace barriers across the government; selected line departments have designed and implemented management control frameworks that support equipping employees with the tools and support needed to remove individual workplace barriers and contribute to their full potential. |
| 2025-26 | Going Digital | To determine whether TBS has developed and shared standards and guidance on going digital that are aligned with best practices, and that departments have taken action to adopt and implement the applicable standards and requirements. |
| 2025-26 | Core Control Self-Assessment Tools Consolidated Results Report | To help raise awareness of key financial management core controls in SDAs; empower departments to assess, maintain and improve core controls, as needed, in between audit cycles; and help individual SDAs (covered under the OCG mandate) gain further perspective on how their results stand relative to the SDA community. |

To avoid duplication of effort and burden on the organization, the OIC considers the work of the OCG in the planning of its own assurance activities. In addition, observations and recommendations from OCG engagements – even if the OIC is not in scope – will be assessed for applicability and incorporated into the operations of the organization.

Planning Approach

Internal Audit Plan

Internal audits provide independent, objective and substantiated conclusions on the effectiveness of risk management, control and governance processes. The focus is on all management systems, processes and practices, including the integrity of financial and non-financial information. Internal audit assurance services provide evidence-based opinions on the extent to which the system of internal controls is adequate and effective to support the following imperatives:

  • achievement of operational objectives
  • safeguarding of assets
  • economy and efficiency of operations
  • reliability and integrity of financial and operational information
  • compliance with legislation, policies and procedures

In accordance with TBS policy, internal audit plans must ensure coverage of areas of higher risk and significance. The internal audit plan should also have the following characteristics:

  • be risk-based
  • be reviewed by the audit committee
  • be focused predominantly on the provision of assurance services
  • have a multi-year horizon
  • address risks and internal audits identified by the Comptroller General as part of government-wide coverage
  • support annual assurance reporting on the overall state of organizational risk management, control and governance processes

Planning Approach

The approach taken to develop the plan complies with the recommended methodology of the Institute of Internal Auditors’ International Professional Practices Framework. The diagram below shows the main elements of the approach.

Review & Update of Audit & Evaluation Universe

  • Review and update of potential areas that could be subject to an internal audit engagement or program evaluation.

Environmental Scan of Audit & Evaluation Universe

  • Enterprise-wide risk assessment and consultations with stakeholders.

Prioritization of Audit & Evaluation Universe

  • Rated assessment of impact and probabilities used to drive prioritization

Project Selection & Plan Development

  • Develop plan for the conduct of engagements based on previous audits, resource constraints and timing.

Prioritization of Audit and Evaluation Projects

When determining the areas to be covered by internal audits or evaluations, the OIC looked at:

  • Key risks identified in OIC’s Corporate Risk Profile
  • Key risks identified by the OCG in their Risk Based Audit Plan
  • OIC’s strategic priorities, resources, and structure
  • Input from Senior Management and the Audit and Evaluation Committee

The OCG’s key risk areas and OIC’s key risks from the Corporate Risk Profile are shown above.

Project Selection and Plan Development

Audit and evaluation projects were selected for inclusion in the OIC RBAEP with the highest audit priorities identified serving as the starting point and providing the main, but not the only, consideration for project selection. The top-priority risk topics were examined against a variety of constraints and opportunities, including the following:

  • recently completed audits (for example cybersecurity is a key risk for both OIC and OCG, but significant work was carried out in this area under the last RBAEP)
  • feasibility of conducting an audit or evaluation (for example the volume of complaints and funding mechanism are key risks for the OIC but difficult to audit)
  • availability of audit and evaluation resources over the three-year period
  • other reviews providing oversight (i.e. OCG evaluations, Office of the Auditor General (OAG) audits)
  • areas already covered by internal control testing
  • mandated audit projects (i.e. follow-ups, OAG, OCG and Public Service Commission obligations for horizontal audits)
  • risk tolerance
  • management requests
  • Audit & Evaluation Committee and senior management direction

In finalizing the RBAEP, care was taken to ensure the audit and evaluation universe was appropriately covered. The RBAEP reinforces the integration of audit and evaluation projects, when feasible, while ensuring evaluation coverage of all direct program spending.

Audit and Evaluation Plan and Summary

Given the relatively small size of the OIC and the associated resource constraints, it is realistic to target the undertaking of one assurance-type engagement per year. This approach considers the available financial and human resources within the OIC. It also ensures that the necessary time and effort can be dedicated to conducting a thorough and comprehensive audit or evaluation.

The limited size of the organization necessitates a focused and prioritized approach to the allocation of resources for assurance engagements. By conducting one engagement per year, the OIC can concentrate its efforts on addressing key risks and priorities, while still maintaining its day-to-day operational demands. This approach allows for the necessary planning, execution, and reporting phases of the engagements to be carried out effectively, ensuring quality and comprehensive results.

By setting this realistic target, the OIC can optimize the use of its limited resources and achieve meaningful outcomes from each assurance engagement. It allows for a thorough examination of the identified risks and priorities within the organization, while still considering the constraints and capacity of the OIC as a small-sized entity.

The OIC also performs annual testing of internal controls, which supplements the internal audits and evaluations.

Detailed Audit and Evaluation Plan (2025/26-2028/29)

The table below provides the objective, scope and rationale for each of the planned projects proposed for 2025-26 to 2028-29. It should be noted that these may be modified depending on the results of the planning phases of each of the respective projects. In addition to the audit projects below, internal auditors will continue to attend key management and Audit and Evaluation Committee meetings, and conduct follow-ups on previous audits (as appropriate).

2026-27 (originally planned in 2025-26): Internal Audit of Human Resources practices (Employee Retention)
Primary Entity: Human Resources Management

Objective

The objective is to assess OIC’s employee retention practices and factors. The internal audit aims to identify strengths, weaknesses, and underlying causes of turnover and factors influencing employee engagement. Recommendations will be provided on improving employee retention rates and enhancing overall workforce satisfaction and commitment.

Scope

  • Reviewing and analyzing historical employee retention data, including turnover rates, reasons for departure, and demographic trends. Identify significant patterns or changes over time.
  • Assessing the OIC's human resources policies and practices related to employee retention. This includes reviewing onboarding procedures, performance management practices, career development programs, and workplace policies affecting retention.
  • Evaluating employee engagement within the OIC. Review employee satisfaction surveys, conduct interviews or focus groups, and assess feedback mechanisms to understand employee perceptions, motivations, and commitment.
  • Assessing the effectiveness of leadership and management practices in promoting employee retention. Evaluate the capabilities of supervisors and managers in creating a positive work environment, providing support, recognition, and growth opportunities, and addressing employee concerns.
  • Reviewing the OIC's adherence to the Values and Ethics Code, both of the public sector and the OIC, by promoting a healthy workplace culture impacting retention.
  • Comparing the OIC's retention practices and outcomes with Government of Canada benchmarks and leading practices when available.

Rationale

Like most Government of Canada organizations, the OIC’s workforce is its most important asset in delivering on its mandate. An engagement of this nature will provide senior management with valuable observations and recommendations to help identify opportunities for improvement and strengthen employee retention and engagement.

An internal audit with a related objective and scope was previously planned for the 2021-22 fiscal year. However, it was replaced by an external assurance review that was conducted by the Public Service Commission of Canada and an external expert advisor.

2027-28

There is a one-year planned hiatus for formal internal audits and evaluations in 2027-28. The justification for this decision is:

  • The significant number of internal audits and evaluations completed over the last several years
  • The OIC will continue with planned internal control testing for the year
  • The decision will be reassessed if any significant risks are identified

2028-29: Internal Audit of Procurement
Primary Entity: Finance & Procurement at CHRC

Objective

The objective is to assess OIC’s procurement policies & procedures and ensure compliance with government-wide procurement policies & best practices. The internal audit aims to identify strengths, weaknesses, and any issues that impact procurement at the OIC. Recommendations will be provided on improving procurement practices at the OIC.

Scope

The scope of the engagement will include all factors impacting procurement and will likely take the form of:

  • Compliance with government-wide policies
  • Management of special procurement authorities granted to Agents of Parliament
  • Roles, Responsibilities and Accountabilities
  • Oversight Governance Bodies
  • Procurement Management Frameworks
  • Procurement Data for Monitoring, Reporting and improvements
  • Integrity-Focused Procurement
  • Training and tools
  • Direction and Guidance

Rationale

This is a high-risk area across government as identified by the OCG. Issues with procurement have been highlighted in recent OAG audit reports and in media coverage, which cause reputational problems for the organizations impacted. In addition, as an Agent of Parliament, the OIC is granted additional procurement independence from Public Services & Procurement Canada, and it is important that the OIC exercise these additional procurement powers responsibly.
