2014-2015 Chief Audit Executive Annual Report

Office of the Information Commissioner of Canada

August, 2015

1. Introduction

This report of the Chief Audit Executive of the Office of the Information Commissioner (OIC) reviews the activities of the OIC’s Internal Audit function from April 1, 2014 to March 31, 2015.

The Chief Audit Executive (CAE) provides an annual overview assurance report on the effectiveness and adequacy of risk management, internal controls and governance.

Section 6.6.1.1 of the Treasury Board of Canada Secretariat (TBS) Directive on Internal Auditing in the Government of Canada stipulates that the CAE prepares an annual report addressing:

1. The Internal Audit's independence, proficiency, performance and results relative to its plan including resource utilization, lessons learned and influences on future years' plans; and
2. The results of the follow-up on the implementation of management action plans.

The Audit and Evaluation Committee (AEC) continues to be an important pillar in supporting the independent and objective appraisal function of OIC’s risk management, control and governance processes. This year, the Committee welcomed a new external member.

2. Overview of OIC’s Internal Audit Function

2.1 General

The Internal Audit function helps the OIC accomplish its objective of bringing a systematic and disciplined approach to assessing and improving the effectiveness of risk management, control and governance processes. The Internal Audit function relies on an organizational structure headed by the Commissioner, and supported by the AEC and the CAE, for the authority to carry out its audit activities.

The work of the Internal Audit function focuses primarily on providing an independent assessment of the soundness of risk management strategies and practices, and the management control frameworks and practices in achieving OIC’s objectives.

2.2 Internal audit function in 2014–2015

The OIC is a small entity with a unique mandate defined by legislation. It has a small workforce and a limited volume of financial transactions. The OIC has an independent Audit and Evaluation Committee and has outsourced its key systems of human resources management to Shared Services Canada (SSC) and its financial data processing to the Office of the Privacy Commissioner (OPC). Effective April 01, 2015 the OIC also entered into an MOU with the Canadian Human Rights Commission (CHRC) for the provision of Financial Management Services, including the processing of all claims and invoices for payment.

Furthermore, the OIC is subject to annual audits by the Office of the Auditor General (OAG). Considering these factors, a full-time position for a Chief Audit Executive was not warranted.

The Internal Audit function has been able to provide the Information Commissioner with information and advice on whether important management systems and processes, and administrative services are appropriately designed and effectively operating to comply with policies and guiding principles.

 2.3 CAE working framework and Independence

In February 2013, the OIC assigned the CAE responsibilities to Bernard Bougie, an external member of the Audit and Evaluation Committee. The CAE is supported by the Director General, Corporate Services, OIC. Effective May 27, 2015, Nathalie Houle, Senior Financial Services Officer at the OIC, assumed the responsibilities of the CAE.

For 2014–2015, the OIC has opted to have one independent member of its Audit and Evaluation Committee to assume the responsibilities of the CAE. This activity was discontinued in May 2015 with the appointment of new member David Rattray, FCPA, CIA who will exert a strong oversight role over the internal audit activities and mentor the newly appointed CAE with her duties.

The Director General, Corporate Services, ensures the CAE has access to all the OIC records, databases, workplaces and employees required to conduct her work. The CAE has a direct line to the Information Commissioner and the external members of the Audit and Evaluation Committee throughout the conduct of audits.

Moreover, it is important to note that the Office of the Auditor General conducts an independent financial audit of the OIC each year, and presents the results to the Audit and Evaluation Committee.

Within this framework, the CAE retains the independance and integrity required by the internal audit function. Furthermore, in order to execute the Risk-Based Internal Audit and Evaluation Plan (RBAEP), mitigation strategies have been put in place, such as contracting audit professionals to conduct its audit engagements and regularly update its Risk-Based Audit Plan. A midpoint review and update of the RBAP is scheduled for January 2016.

Independent members of the Audit and Evaluation Committee will play a greater role in defining the committee’s agenda, reviewing management of risk and implementation of controls.

The CAE is guided and relies on the 2014-2018 Integrated Risk-Based Internal Audit and Evaluation Plan approved by the Information Commissioner.

2.4 Quality assurance

In conducting internal audits for the OIC, audit professionals are required to comply with the Internal Auditing Standards of the Government of Canada. Each internal audit report includes an attestation that the audit was conducted in accordance with these standards.

3. Performance and results

3.1 Results of Follow-Up on the Implementation of Management Action Plans

In 2013–2014, as a result of the outsourcing to Shared Services Canada, the OIC updated all documentation related to these controls and processes.

The objective of this project was to validate the human resources internal controls that the OIC had already documented and to update these controls, as required, based on any new processes. In particular, the review looked at controls related to the input into the Human Resources Information System (used by the OIC only) and to the information the OIC sends to SSC for input into the Regional Pay System. This review was conducted to provide management with reasonable assurance that these controls were in place such that employees were paid according to the terms and conditions of employment, collective agreements, and Treasury Board and OIC policies. In addition, Samson & Associates reviewed controls related to approvals under sections 32, 33 and 34 of the Financial Administration Act throughout the pay administration cycle.

Samson & Associates, a contracted firm, found that even though the OIC had modified its human resources practices and control framework, including redefining roles and responsibilities of stakeholders, key controls related to the management of human resource functions were in place. It noted that only minor improvements were required and made a series of recommendations to further strengthen overall stewardship and accountability, and improve the effectiveness of the OIC’s human resources and pay administration processes. The recommendations took into account the OIC’s small size and the resulting difficulty of having a high level of segregation of duties, along with available resources and the transition to SSC – to strengthen the effectiveness of the controls while ensuring that it is feasible to implement the proposed solutions.

The final results of the Human Resources Controls Review were discussed by the Audit and Evaluation Committee in November 2014.

3.2 Office of the Auditor General audit

The Office of the Auditor General reviewed the OIC’s financial statements and gave the OIC an unqualified opinion from for 2013–2014. The audit report is available on the OIC website.

3.3 Risk-Based Audit and Evaluation Plan

The Risk-Based Audit and Evaluation Plan for the OIC combines both the internal audit and evaluation plans for the next five years (2014 to 2018). The objective of the RBAEP is to allocate resources to the areas of most significant risk and priority to the OIC, as well as to align the organization with the requirements of Treasury Board policies on internal audit and evaluation.

The audit and evaluation coverage proposed by the RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of the budget constraint assumption on which the plan is based. The RBAEP allows for the OIC to carry out one or two projects per year.

Two audits were identified for 2014–2015: The Audit of Information Technology and Physical Infrastructure Security and the Evaluation of Complaints Resolution and Investigations. Considering other priorities and availability of resources, the AEC recommended that the Audit of Information Technology and Physical Infrastructure Security be postponed to 2015–2016.

The OIC retained the services of Raymond Chabot Grant Thornton, an independent audit firm, to assist in the Evaluation of Complaints Resolution and Investigations. The evaluation criteria related to the effectiveness and efficiency of operations, and recommended improvements to the investigation process. These recommendations included a more streamlined approach. These recommendations were adopted and were put in place.

3.4 Capacity and resource utilization

The main resources for the Internal Audit function were acquired under contract for professional auditors to conduct both the audit engagements and the update of the Risk-Based Audit Plan.

The OIC is working with other Agents of Parliament to find better and more efficient solutions for internal audit projects. For example, the OIC and the Office of the Commissioner for Official Languages (OCOL) have begun sharing various documents, such as their respective audit charters, policies and RBAEPs.

4. Conclusion

The CAE believes that the system of management control is satisfactory for the Office’s needs.

5. The year ahead

For 2015–2016, the RBAEP calls for an audit of procurement and contracting. Also, as previously mentioned, the audit of Information Technology and Physical Infrastructure Security was postponed from 2014–2015 to 2015–2016.

The OIC will continue to share information with other Agents of Parliament on the subject of Internal Audit to build expertise and capacity among these offices. Furthermore, the CAE and the Audit and Evaluation Committee will continue to provide expert advice and to deliver assurance that processes and services are effective in the area of audit and in other areas of operation.