2010-2011 Audit and Evaluation Committee Annual Report
Purpose
This annual report to the Information Commissioner was prepared by the external members of the Audit Committee for the Office of the Information Commissioner of Canada (OIC). Its purpose is to present a summary of the work undertaken by the Committee from April 2010 to March 2011.
According to the Committee’s Charter and the Treasury Board Directive on Departmental Audit Committees, the Committee must prepare an annual report that:
- summarizes the Committee’s activities and the results of its reviews;
- provides an assessment of the OIC’s system of internal control;
- documents any significant concerns the Committee may have in relation to the OIC’s risk management, control and governance arrangements;
- provides an assessment of the capacity and performance of the internal audit function;
- provides, as needed, recommendations for the improvement of risk management, control and accountability processes, including recommendations for the improvement of the OIC’s internal audit function; and
This report is also a vehicle for the Committee to present its thoughts regarding areas for improvement based on its assessment of the OIC’s management control, which encompasses all policies, operations and the management of the OIC.
Committee Membership
The Committee is independent from OIC line management and is composed of three members. In accordance with the Treasury Board Policy on Internal Audit, it includes two members who are external to the federal government, including the Chairperson, and the Information Commissioner, Suzanne Legault.
The external members are John McCrea and Dyane Adam, Committee Chair. They were appointed in October 2008, when the Committee was established. Together, they bring a breadth of knowledge and experience, particularly in managing small offices of Agents of Parliament, that provide value-added advice to the Information Commissioner.
Roles and Responsibilities of the Committee
The Committee has an advisory role to the Commissioner. It provides objective advice and recommendations regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the OIC’s risk management, control and governance frameworks and processes.
Among other things, the Committee reviews the assessment of key risks facing the organization, its audit plans and reports of audit engagements, its financial statements and public accounts reporting as well as key management action plans and progress reports. It also advances the organization’s management practices by bringing new perspectives and by challenging existing practices. Senior management can use this information to reduce risks and improve performance.
More specifically, in line with the Directive on Departmental Audit Committees, the Committee’s key areas of responsibility include:
- Values and ethics
- Risk management
- Management control framework
- Internal audit function
- Audits conducted by the Auditor General and other agencies
- Financial statements and Public Accounts reporting
- Follow-up on management action plans
- Reports to Parliament
In the winter of 2010, the Committee reviewed and updated the document describing its role, responsibilities and operations (or terms of reference) to reflect revisions made to the Treasury Board Policy on Internal Audit as of July 2009. The revised committee Charter was adopted and reaffirmed by the Commissioner at the May 2011 meeting. The Charter can be found in Appendix A.
The new document reflects a shift of audit committees’ mandate from an “oversight” to an “advisory” role on a wider range of management practices and issues.It incorporates the policy’s specific provisions for Agents of Parliament. It acknowledges the role of the Comptroller General with respect to horizontal audits involving small organizations and the Committee’s responsibility to ensure that the OIC conduct and report on self-assessments against the findings and recommendations of horizontal audits pertaining to small organizations. It also sets out the competency profile for Committee members.
As Agents of Parliament stated in February 2011 in a joint letter to chairs of parliamentary committees,their respective audit committees play an important role in enhancing accountability to Parliament. The OIC’s Audit Committee does so notably by reporting on its work, including assessments of the organization’s internal audit function, to the House of Commons Standing Committee on Access to Information, Privacy and Ethics in addition to informing the Office of the Comptroller General.
Meetings
During the reporting period, the Committee met three times, with all members participating in all meetings in person or by teleconference. Chairperson Dyane Adam presided over two meetings; the third one was chaired by external member John McCrea.
The second meeting, initially planned for the first week of June 2010, had to be postponed until August 2010 because of Interim Commissioner Legault’s appearances before Parliament as part of the nomination process for the position of Information Commissioner.
Minutes of regular meetings were prepared and approved by committee members at the subsequent meeting.All meetings also included in-camera sessions with auditors and between committee members to allow them to communicate privately and candidly about issues of concern or confidential matters.
Outside meetings, Committee members provided input and comments on various initiatives or documents, as needed. In particular, they took part in a conference call on September 29, 2010 with the Chief Financial Officer and the Audit Team Leader to discuss the scope and timing of the planned audit of the Complaints Resolution and Compliance (CRC) Branch.
In addition to members, meetings were attended by the OIC’s Chief Audit Executive,the interim Chief Financial Officer and Assistant Commissioner responsible for internal services, Audit Team Leader(s) and the Director of Strategic Planning, Finance and Administration, who offers secretariat support to the Committee. Senior representatives of the Office of the Auditor General (OAG) attended all meetings as invitees to discuss audit plans, findings and other matters of mutual concern. Other senior OIC managers or functional specialists were also invited to provide input on specific issues.
Orientation and Development
To be highly effective, committee members must gain a good understanding of their roles and responsibilities and develop a comprehensive knowledge of the organization’s business, challenges and priorities.
Since taking on their responsibilities, external members have attended numerous presentations about the OIC, the investigative procedure, the workload management model, the complaints inventory, case management strategies and caseload statistics. They have examined important planning documents, such as the IM and IT Strategic Plan 2009−2014, the Integrated HR Plan for 2009-2014 and more recently the Strategic Plan 2011–2014.
They review all reporting instruments, a key area of responsibility (See 6.8 Reports to Parliament). They are regularly debriefed on relevant parliamentary activities and appearances. They are informed and consulted about important decisions and strategies, such as the 2010 Treasury Board submission to obtain contingency funding for litigation and complex cases. They have access to all OIC financial documents upon request and without restrictions.
Members also attended presentations from the Office of the Auditor General (OAG), including discussion on key developments in accounting and auditing standards, and their implications for the OIC. They also participated in learning events and activities offered by the Office of the Comptroller General, including the September 2010 Management Control Frameworks Workshop and November 2010 Annual DAAC Symposium. Among other topics, the symposium examined the evolution of departmental audit committees over the past four years and preliminary results of an independent study on their effectiveness.
Summary of Activities and Assessments
This section provides a summary of the Committee’s activities and assessments per key area of responsibility. These areas of responsibility are not independent, but are often linked in one way or another. The Committee constantly takes these linkages into consideration, providing integrated assessments, which enhance the value of its advisory role.
Values and ethics
The Committee has the responsibility to review the arrangements established by management to exemplify and promote public service values and to ensure compliance with laws, regulations, policies and standards of ethical conduct.
During the February 2011 meeting, the Committee heard about the work of a representative group of employees that led to the selection and definition of corporate values for the OIC. The Committee was pleased with the process and the selection of values. It recognized that the challenge for the organization was to keep the momentum and effectively operationalize these values. Suggestions were offered, such as the creation of a permanent committee on values reporting regularly at all-staff meetings, or an award for individuals or initiatives that best embody or reflect the core values.
Risk management
Risk assessments and mitigation strategies constitute an ongoing focus of discussions between committee members and OIC officials. The Committee plays a key role in providing ongoing strategic advice to minimize risks and implement appropriate and effective strategies to reduce the impact of the most detrimental and least avoidable risks.
During 2010–2011, the Committee was kept continuously informed of any new risks and financial pressures on the OIC. In particular, the cost containment measures ushered in with Budget 2010 compounded the inherent risks associated with the unpredictability of the workload. To help alleviate the risks and pressures, members closely monitored the OIC’s budgetary situation and periodic reviews, and provided advice as needed. They also followed the development or proposals of cost-saving solutions for back office services that might benefit the OIC and other Agents of Parliament.
At the August 2010 meeting, the Committee was presented with a draft risk-based audit plan for 2010−2013, including an assessment of the most significant risks facing the OIC.The Committee discussed and generally agreed with the risk assessment. The five most significant risks facing the OIC were defined as the following:
- Efficiency and timeliness of complaints resolution
- Ability to retain corporate memory and organizational momentum in the event of management turnover
- Compliance with the Policy on Government Security
- Effectiveness of information management practices and information technology
- Compliance with the Treasury Board Secretariat’s financial management policy instruments
Given those risks and following further discussions and final feedback from senior managers, the Committee recommended the audit plan for approval as of August 20, 2010. The plan proposes three audit engagements over a three-year period, based on a determination of auditability, management priority and inherent risk level. In addition to a follow-up to the previous audit on the Intake and Early Resolution Unit, the three audits considered for 2010−2013 are:
- An “umbrella” audit of the CRC branch
- An audit of the OIC’s compliance with the 2009 Policy on Government Security
- A post-implementation audit of the new case management system for investigations (InTrac)
Management control framework
Management control is linked to all other areas of responsibility and, therefore, it is difficult to assess as a separate item. The activities and discussions pertaining to the management control framework are numerous and ongoing.
For example, a key requirement for audits of financial statements which stem from the Canadian Auditing Standards consists in obtaining a comprehensive knowledge of the controls in place surrounding the risks of fraud and error, related party transactions, and the evaluation of estimates. At the February 2011 meeting, committee members had an opportunity to discuss the risks of fraud and error within the OIC. They were of the view that those risks were small. The risk of material fraud and error, in particular, was considered even smaller or close to nil, given the following considerations:
- The OIC is a small organization, with a relatively small budget and no revenue-generating activities.
- Statements and transactions are audited every year by the OAG.
- Individuals overseeing financial management at the OIC are competent, reliable and trustworthy.
- Management has demonstrated its commitment to a strong internal audit function.
- Proactive disclosure of financial and audit reports mitigates the risk of fraud or error.
- AC members consider that they have the means and information to fully exercise their role with respect to risk management, controls and financial reports.
- The planned restructuring of corporate services will facilitate even greater scrutiny and enhanced accountability.
Moreover, as detailed in the Committee’s March 2010 Annual Report, the OIC has introduced a number of measures to enhance internal financial reporting and tracking. In 2010–2011, to ensure compliance with the Policy on Internal Control, it undertook to document, assess and improve, as required, key financial processes and controls, starting with salary and operating expenditures, material management and end of period accounting processes. Only minor improvements were recommended, and they have been implemented.
The results and recommendations from this review, which was conducted by an independent firm, were discussed at the February 2011 meeting. The Committee congratulated management for the endeavour and outcome. With respect to the inventory of assets, they cautioned against the potential burden of cataloguing and tracking lesser-value items, which over time might not be sustainable.
At the February 2011 meeting, the Committee was also provided with a progress report on the work undertaken to assess the OIC’s compliance with the Treasury Board policy suite and provide assurance on the adequacy of controls. The Committee welcomed the initiative and looks forward to future updates.
Internal audit function
An internal audit function aims to provide independent, objective assurance and consulting services designed to add value and improve the effectiveness of risk management, control and governance arrangements. At their first meeting in October 2008, members reviewed, discussed and recommended for approval the organization’s Internal Audit Charter.
The OIC has since made substantial progress in terms of its internal audit capacity and performance. (See 7. Capacity and Performance Assessment) This is partly due to the strong leadership and culture of compliance and continuous improvement that characterize the organization. Committee members encourage the OIC to maintain the momentum.
The Committee agreed to postpone the update of the Internal Audit Charter to align it with the revised Policy on Internal Audit until the restructuring of corporate services is completed.
Audits conducted by the Auditor General and other agencies
As an Agent of Parliament, the OIC must have its transactions and financial statements audited by the Office of the Auditor General (OAG) each year. The Committee met with OAG representatives to review and discuss the OIC’s audited financial statements for the year ended March 31, 2010. Members were also briefed extensively on the new requirements stemming from the introduction of the Canadian Auditing Standards, starting in 2010−2011.
The OAG audit provided opportunities to make recommendations to further strengthen the OIC’s internal controls. However, no significant adjustments to the statements were required as a result. For the fourth consecutive year since the OIC has been subject to OAG audits, the Auditor’s Report to Parliament confirmed that its financial position was presented fairly, the results of its operations and cash flows were in full accordance with accepted accounting principles, and all financial transactions “have, in all significant respects, been in accordance with the Financial Administration Act and regulations and the Access to Information Act.” Based on the OAG’s attestation and the Committee’s recommendation, the Commissioner approved the OIC financial statements for the year ended March 31, 2010.
The Committee also discussed recent horizontal audits conducted by the Office of the Comptroller General on small departments and agencies. The Chair recommended that OIC self-assessments against the findings and recommendations of such audits be included as a standard item in the Committee’s schedule of activities.
Financial Statements and Public Accounts reporting
The Committee examined and provided advice on the OIC’s financial statements. They reviewed the first installment of the unaudited, future-oriented financial statements, which were introduced with the 2011–2012 Report on Plans and Priorities. They also periodically advised on the development and production of quarterly financial reports, to be launched in August 2011. The Committee is satisfied that the OIC is meeting its responsibilities in providing accurate and complete financial statements and reports.
Follow-up to management action plans
At the August 2010 meeting, the Committee received a detailed status report on the progress achieved as a result of a previous audit of complaints intake and early resolution processes. Members were satisfied that most action plans had been completed with encouraging outcomes.
Reports to Parliament
During the reporting period, the Committee reviewed and discussed various reports and accountability instruments, including:
- 2009−2010 Departmental Performance Report
- 2011−2012 Report on Plans and Priorities
- Risk-Based Audit Plan 2010−2013
- Strategic Plan 2011−2014
Committee members provided suggestions to strengthen the content and improve the format of the reports to Parliament. They also commented on the performance measurement framework as a process was under way to review and update the organization’s expected results and performance indicators in line with the Strategic Plan. The review of these reports contributed to furthering external members’ knowledge of the OIC’s goals and priorities and to opportunities for improvement.
Evaluation of the Policy on Internal Audit
As key stakeholders, committee members were consulted as part of the mandated five-year evaluation of the Policy on Internal Audit. This evaluation was launched in September 2010 by Treasury Board to assess the relevance and performance of the Policy.
Among other things, committee members provided their opinions on the appropriate appointment process for external members of audit committees. They also agreed that Agents of Parliament should be included within the “Large Departments and Agencies” category, subject to modifications to the general policy, to reflect their particular status and independence from government.
A report was submitted to the Office of the Comptroller General in January 2011. With respect to the OIC’s experience, the Committee agrees with the following findings:
- The Policy increased the independence of the internal audit function significantly by requiring audit committees with external membership, and chief audit executives reporting to deputy heads.
- The Policy has made a significant contribution to improved risk management, governance, control and stewardship.
- Deputy heads have confidence in audit committee advice.
- The Policy has significantly increased the effectiveness and capacity of the internal audit function.
- The implementation of the Policy has significantly increased management action on internal audit report recommendations.
- The Policy has had a significant impact on strengthening professionalism of the internal audit function.
Capacity and Performance Assessment of Internal Audit
Capacity assessment
As part of its responsibilities, the Committee is required to assess and report on the capacity and performance of the internal audit function in its annual report. The challenge for the OIC in this area is its limited internal capacity given the organization’s size and resources.
The in-house internal audit capacity consists of the Director, Strategic Planning, Finance and Administration, who shares the Chief Audit Executive responsibilities with an external firm. The OIC Director assumes administrative responsibility for the internal audit function and in this capacity reports directly to the Information Commissioner. The external firm assumes responsibility for preparing and updating the OIC’s Risk-Based Audit Plan and conducting the subsequent audits dictated by the plan. With this arrangement, the OIC retains control of the function while leveraging the expertise of a wider range of audit professionals as required.
Since November 2009, Secretariat responsibilities for the Committee have been assigned to a Senior Analyst, who also fulfills strategic planning and reporting functionswithin the Strategic Planning, Finance and Administration Division. This assignment helps to maintain the separation between Secretariat function and the OIC’s management of the internal audit function. On the other hand, the dual responsibility of the Senior Analyst facilitates the alignment between internal audit and strategic planning. It ensures that committee findings and recommendations serve to inform strategic planning considerations.
The secretary to the Committee schedules and organizes committee meetings and related activities, prepares agendas and minutes, and coordinates the preparation and distribution of required or relevant documentation. He or she also prepares various reports and performs other duties, as needed.
Vulnerability due to workload and financial pressures
In September 2010, committee members were informed that management was considering postponing the audit of the Complaints Resolution and Compliance (CRC) Branch from 2010–2011 to the next fiscal year. This measure was contemplated to address unforeseen financial pressures arising from important court proceedings as well as complex and priority investigations. The Audit Team Leader was also of the opinion that the fourth quarter was not a good time to conduct the audit as managers and investigators would be busy completing as many cases as possible before year end.
Committee members expressed their concerns that delaying the CRC audit could jeopardize the momentum achieved since the OIC established its internal audit function. They invited management to re-examine all other options to preserve the integrity of the latest Risk-Based Audit Plan.
Following further discussions and given the approval by Treasury Board Ministers of emergency funding for litigation and complex cases, the CRC audit was launched in March 2011. It was conducted in tandem with the planned IERU follow-up to maximize savings and efficiencies. Committee members discussed a high-level workplan at their February 2011 meeting.
Performance assessment
Delivery against the Risk-Based Audit Plan 2008–2010
The Risk-Based Audit Plan 2008–2010 had identified the need for an internal audit of the complaints intake and early resolution processes as an essential component of the new business model introduced in 2008. Effective processes in this area are crucial to ensuring timely case management, application of appropriate due diligence, and mitigating the risk of new inventories building up over time. The objective was to assess the management risk and control framework in place, while identifying potential areas for process improvement.
Deloitte & Touche LLP carried out the Intake and Early Resolution Unit (IERU) audit during the winter of 2009. Following a presentation of the audit reportand discussion of its findings and recommendations, the Committee recommended for approval the corresponding management action planat its September 2009 meeting.
During the August 2010 meeting, committee members were updated on the progress achieved within the IERU. They were satisfied that most action plan items had been completed with encouraging outcomes, notably with respect to the time needed to complete administrative complaints. The new case management system for investigations, which was designed to fulfill several important requirements, was set to be introduced by April 2011.
Updated risk assessment and audit plan for 2010–2013
The OIC’s Risk-Based Audit Plan was updated in the winter of 2010. The Committee examined and discussed the risk assessment and proposed audit engagements at the August 2010 meeting. (See 6.2 Risk Management). It recommended the audit plan for approval as of August 20, 2010.
Progress in implementing the Policy on Internal Audit
OIC has made significant progress on implementing the Treasury Board Policy on Internal Audit while taking into account its independence from government as established by the Working Group of Officers of Parliament. Specifically, the Office:
- Established a stable and maturing internal audit function.
- Established an independent Audit Committee that has now gained an intimate and comprehensive knowledge and understanding of the OIC’s business requirements and challenges.
- Delivered on its first risk-based audit plan with a “just-in-time” audit of a new investigative unit and management action plan fully implemented.
- Developed a second risk-based audit plan with a critical, umbrella audit of the investigative branch now completed.
- Developed and implemented an effective process to quickly identify and contract with qualified specialists when required.
Overall Assessment of Risk Management, Control and Accountability
The Committee’s main responsibility is to provide independent, objective advice, guidance and assurance on risk management, control and governance processes. Based on its reviews and discussions throughout 2010-2011, the Committee is reasonably assured that significant weaknesses were not evident in the OIC’s risk management, control and governance processes. More specifically, committee members did not observe any breakdowns in the organization’s system of internal control. The Committee appreciates the due diligence the OIC has exercised in the development of sound processes and practices, and is encouraged that management strives for constant improvement.
Committee’s Work
The Committee has established itself as an integral part of the OIC’s governance regime. Despite the pressures from competing priorities and multitasking of personnel typically experienced by small organizations, the commitment and engagement from senior officials and functional analysts have been invaluable in helping the Committee achieve its mandate.
As an Agent of Parliament, OIC needs a strong, credible internal audit function, which is fundamental to the implementation of the Treasury Board Policy on Internal Audit. The Committee has been instrumental in helping the OIC build up the internal audit function, independent from line management and with the capacity to fulfill the organization’s risk-based audit plans as well as other policy requirements. The Committee will continue monitoring the work of the internal audit function as part of its responsibilities.
Forward planning
The Committee is scheduled to meet four times during 2011−2012. Its goal is to continue to provide advice that reflects core public sector principles, takes into account the independence of Agents of Parliament and contributes innovative and creative perspectives.
Among other responsibilities, members will examine the results of the CRC audit, advise on the need for improvements and oversee the implementation of recommendations. They will also closely monitor the impact of fiscal restraint policies and provide advice, as needed, regarding the OIC’s strategic and operation review and any shared services initiatives. The Committee will also examine how the organization promotes, implements and integrates public service values and ethics within each area of activity.
In addition, specific topics were earmarked for discussion in 2011–2012. These include the Strategic Plan, the new security program and a comprehensive human resources overview—including the Departmental Staffing Accountability Report and Public Service Commission’s feedback, OIC demographics, work relations, performance program, workplace initiatives, and talent management framework. Members also added a fourth section to their Forward Calendar of activities to include regular briefings and discussion on the OIC’s “Business Context, Planning and Implementation.”
| June 20101 | August 2010 | January 2010 | February 2010 | |
|---|---|---|---|---|
| 1. Organizational Matters | ||||
| Audit Committee Charter | R | |||
| Annual Forward Calendar | R | |||
| Audit Committee Annual Report2 | ||||
| 2. Key Responsibilities | ||||
| Values and Ethics | ||||
| Risk Management, Control Framework, Follow-up | R | R | R | |
| Reports of Wrong-Doing | As reported | |||
| Financial Statements & Public Accounts Reporting | R | R | ||
| OAG Financial Statements Audit Plan | I | |||
| OAG Financial Statements Audit Report & Management Action Plan | R | |||
| Other OAG or Central Agency Audit Reports and Management Action Plans | As audits planned (I) and action plans developed (A) | |||
| Internal Audit Charter | ||||
| Risk-Based Audit Plan3 | R | |||
| Internal Audit Reports, Management Action Plans, Follow-ups | I | I | ||
| Report on Plans and Priorities | R | |||
| Departmental Performance Report | R | |||
| In-camera Meetings | I | I | I | I |
| 3. Other Responsibilities | ||||
| Parliamentary Activities – Annual Calendar | I | I | I | I |
Legend
A – Approval / Action Required
R – Review
I – Information / Discussion
Notes
1 Meeting postponed — Interim Commissioner’s appearances before Parliament
2 First Audit Committee Annual Report approved at August 2010 meeting
3 Risk-Based Audit Plan 2008−2010 reviewed during first Audit Committee meeting Updated Risk-Based Audit Plan for 2010−2013 approved at August 2010 meeting
4 Conference call held on September 29, 2010 regarding the scheduling of the CRC audit
Peter Larson and David Zussman, “Departmental Audit Committees: An Evaluation,” Optimum Online, vol. 41, no. 4, December 2011.
Accountability of Agents of Parliament, Letter to Chairs of parliamentary committees, February 16, 2011 http://fairwhistleblower.ca/files/fair/docs/opsic/2011-02-16_Accountability-of-Agents-of-Parliament.pdf
Meetings were held on: August 5, 2010, January 19, 2011, and February 17, 2011. A conference call also regarding the CRC audit took place on September 29, 2010.
After referral to the Standing Committee on Access to Information, Privacy and Ethics, the nomination of Suzanne Legault as Information Commissioner was agreed to in the House by unanimous consent on June 10, 2010.
Starting with fiscal year 2011−2012, minutes of committee meetings will be posted on the OIC’s website, under Corporate Information/Audit Committee.
OIC’s Risk-Based Audit Plan, 2010-2013, http://www.oic-ci.gc.ca/eng/risk-based-audit-plan-plan-verification-fonction-du-risque-2010-2013.aspx
Prior to April 2011, given the size and resources of the organization, the Chief Audit Executive responsibilities were shared between the Director, Strategic Planning, Finance and Administration—who reported directly to the Information Commissioner with respect to the audit function—and an Internal Audit Team belonging to an external firm (Centre for Public Management Inc. in 2010–2011). With the restructuring of internal services scheduled for April 2011, it is expected that the Director General of Corporate Services/Chief Financial Officer will also assume the responsibilities of Chief Audit Executive jointly with an internal audit firm.
Peter Larson and David Zussman, “Departmental Audit Committees: An Evaluation,” Optimum Online, vol. 41, no. 4, December 2011.
In the spring of 2010, as a result of a competitive process, Centre for Public Management Inc. (CPM) was selected in replacement of Deloitte & Touche LLP to update the OIC’s risk-based audit plan and perform subsequent audit engagements.
http://www.oic-ci.gc.ca/eng/abu-ans_cor-inf-inf-cor_int-aud-ver-int_del-rep-rap-del.aspxIERU Audit Report
Action Plan related to the IERU Audit Report