2015-2016 Audit and Evaluation Committee Annual Report
Office of the Information Commissioner
The external members of the Office of the Information Commissioner’s (OIC) Audit and Evaluation Committee (Committee) prepared this report for the Information Commissioner as a summary of the Committee’s work from April 2015 to March 2016.
The report is also a vehicle for the external Committee members to present their thoughts on areas for improvement, based on the Committee’s assessments and deliberations over the year.
2. Committee role and membership
Independent from OIC management, the Audit and Evaluation Committee plays an advisory role to the Information Commissioner. Committee members provide objective advice and recommendations regarding the sufficiency, quality and results of assurance activities related to the OIC’s risk management, control and governance frameworks and processes.
The Committee has three members, two of whom are external to the federal government. The external members are David Rattray and Dyane Adam, who serves as chair. Mrs. Adam was first appointed in October 2008 and Mr. Rattray joined the Committee in April 2015. Together, they have a breadth of knowledge and experience in the areas of audit, internal controls and risk management in both the public and private sectors. Information Commissioner Suzanne Legault is the third member of the Committee.
The OIC’s Chief Financial Officer and Acting Assistant Commissioner, Layla Michaud, and a senior representative of the Office of the Auditor General attended all meetings during the year.
The Committee is also mindful that the Office of the Comptroller General (OCG) continues to develop and update internal audit practices in the federal government: to the extent feasible, while respecting the need to guard the independence of OIC, the Committee conforms to OCG preference. See the Audit and Evaluation Committee Charter, which sets out the Committee’s responsibilities and operations, and the Directive on Internal Auditing in the Government of Canada.
The Audit and Evaluation Committee met three times in person and one time by teleconference between April 1, 2015 and March 31, 2016. In camera sessions involving only the Commissioner and the external committee members were held at every Committee meeting.
Approved minutes of each meeting can be found on the OIC’s website – Record of minutes.
4. Summary of activities
The Committee’s activities fall under eight categories, and are summarized below. Note, however, that these areas of responsibility are linked in many ways, which Committee members take into account when carrying out their assessments and providing advice.
4.1 Values and ethics
The Committee reviews any measures OIC management takes to exemplify and promote public service values and to ensure compliance with laws, regulations, policies and standards of ethical conduct.
During the November 2015 meeting, the OIC Champion for the Code of Values and Ethics discussed the changes that were made in the OIC’s Code of Values and Ethics.
4.2 Risk management
Risk assessments and mitigation strategies constitute an ongoing focus of the Committee’s work.
The Committee met with representatives from the Office of the Auditor General (OAG) to discuss the OIC’s risk of fraud and error, in anticipation of the audit of the OIC’s annual financial statements. This is done in compliance with standard practice of the OAG.
The Acting Assistant Commissioner regularly presents an update on the inventory of files in investigations since OIC has identified a risk in consistently ensuring efficient investigations and quality resolution of complaints.
During fiscal year 2015–2016, the members were constantly concerned about the limited budget and the fact that OIC had little financial flexibility, and no contingency funds. Members considered this as a major risk for the organization, which has also been reported in clear terms in the OIC’s performance reports. The Director Financial Services, Security and Administration kept the members informed by presenting frequent budget updates at the meetings. For their part, the members kept this as a recurring discussion item.
The Chief Audit Executive discussed the Integrated Risk-Based Internal Audit and Evaluation Plan, and in January 2016 it was identified as needing to be reviewed and updated. This will be done in 2016–2017.
The members were kept informed of the progress in the migration of the financial system to GX in April 2015 as this was identified as a significant risk by the OAG.
4.3 Management control framework
Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, were numerous and are ongoing.
4.4 Internal audit function
Nathalie Houle presented her 2014–2015 annual report as the Chief Audit Executive and it was approved by the Audit Committee members at the January 2016 meeting.
The Committee was consulted concerning the procurement process and the scope of the IT Audit which started in March 2016.
The Committee is monitoring the work of the internal audit function as part of its responsibilities.
4.5 Supports to audits conducted by OAG or other organizations
AEC members were presented with the results from the 2014–2015 OAG Annual Financial Audit. The Committee recognized the OAG Principal and her team for their professionalism.
4.6 Follow-up on management action plans
At each meeting, members were provided with the minutes and an update of the action items from previous meetings. As at March 2016, all follow-up items were completed.
The Committee welcomed Shared Services in May 2015 to discuss their oversight of staffing and Human Resources activities at the OIC; results were excellent.
4.7 Financial statements and public accounts reporting
The OAG 2014–2015 financial audit results were communicated at the August 2015 meeting. Members were satisfied with the FSSA team’s hard work related to the audit and preparation of the financial statements, and their support to the OAG.
Committee members reviewed and recommended for approval the OIC’s Financial Statements for the year ended March 31, 2015. The Office of the Auditor General (OAG) presented an audit report with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant adjustments. The OIC has always received an annual financial statement audit report with an unmodified opinion from the OAG, since they started auditing the OIC in fiscal 2003–2004.
The OAG Financial Statement Audit Plan for 2015–2016 was presented at the January 2016 meeting.
4.8 Risk and accountability reporting
At various meetings, the Committee reviewed and discussed several reports and accountability instruments, including the following:
- 2014–2015 Departmental Performance Report
- 2016–2017 Report on Plans and Priorities
- 2014–2018 Risk-Based Audit and Evaluation Plan
5. Overall assessment of risk management, control and governance
Based on its reviews and discussions throughout 2015–2016, the Committee is reasonably assured that the OIC’s risk management, control and governance processes are generally functioning well.
The Committee appreciates the due diligence the OIC has exercised in the development of sound processes and practices, and is encouraged that management strives for constant improvement.
6. Committee effectiveness
The Committee’s external members are pleased with the Committee’s ongoing development and maturity in its advisory role. Members were provided with relevant and transparent information to enable the Committee to discharge its mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and willingness to implement suggestions.
The Committee has established itself as an integral part of the OIC’s governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional analysts have been invaluable in helping the Committee fulfill its mandate. Based on observations over the past year the Committee concludes that OIC appears to have a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.
7. Forward planning
The Committee is scheduled to meet four times during 2016–2017. Its goals are to continue to provide advice that reflects core public sector principles, take into account the independence of Agents of Parliament, and encompass innovative and creative perspectives.
The members have a few focuses for the next year:
- Closely monitor the special purpose allotment approved in June 2016, and the progress on the backlog in the inventory of complaint files;
- Keep close tabs on the possible legislative modifications to the Access to Information Act in 2016–2017;
- Closely monitor the problems related to the transition of the pay system to Phoenix in April 2016;
- Review and discuss the need for future evaluation and audits; and
- Prepare a transition plan for a new Chair of the Audit and Evaluation Committee and the end of the Commissioner’s mandate in June 2017.
Appendix A: Audit Committee calendar of activities, 2015–2016
|May 27, 2015
|August 18, 2015
|November 5, 2015
|January 21, 2016 (Teleconference)
|1. Organizational Matters
|Audit and Evaluation Committee Charter
|Annual Forward Calendar
|Audit Committee Annual Report
|2. Key Responsibilities
|Values and Ethics
|Risk Management, Control Framework, Follow-up
|Report on inventory of complaints
|Report of Wrong-Doing
|OAG Financial Statement Audit Plan
|OAG Financial Statement Audit Report & Management Action Plan
|Other OAG/Central Agency Audit Reports (incl. OCG Horizontal Audits), OIC Self-Assessments/Action Plans
|As Audits are Planned (I) and Action Plans Developed (R)
|Risk-Based Audit/Evaluation Plan
|Internal Audit Report, Management Action Plan, Follow-ups
|Report on Plans and Priorities
|Departmental Performance Report
|CAE’s quarterly and annual reports
|3. Business Context, Planning and Implementation
|Integrated Operational Plan
|4. Other Issues
|Parliamentary Activities – Annual Calendar
A – Approval / Action required
R – Review / Recommend for approval
I – Information / Discussion