2018–2019 Audit and Evaluation Committee Annual Report
Office of the Information Commissioner
- Committee role and membership
- Overall assessment of risk management, control and governance
- Committee effectiveness
- Forward planning
The external members of the Audit and Evaluation Committee of the Office of the Information Commissioner (OIC) have prepared this report as a summary for the Information Commissioner of the Committee’s work from April 1, 2018, to March 31, 2019.
The report is also a vehicle for the external members to present their thoughts on areas for improvement at the OIC, based on the Committee’s assessments and deliberations over the year.
Committee role and membership
The Committee’s role is to provide the Commissioner with independent and objective advice, guidance and recommendations on the adequacy of the OIC’s control and accountability processes, as well as the use of evaluation within the OIC, in order to support management practices, decision-making and program performance.
To offer this support, the Committee exercises active oversight of core areas of the OIC’s control and accountability framework. In so doing, Committee members address high-level strategic issues, as well as ongoing operational ones, to support the independence of internal audit activities within the OIC and the neutrality of the evaluation function. The Committee’s input also helps ensure that internal audit and evaluation results are incorporated into the OIC’s priority setting, and business and planning processes.
Committee members, as strategic resources for the Commissioner, also provide such advice and recommendations as she may request on specific emerging priorities, concerns, risks, opportunities and/or accountability reporting.
The Committee has three members, two of whom are external to the federal government. The external members during 2018–2019 were David Rattray and Dyane Adam, who served as chair. Ms. Adam was first appointed in October 2008 and will step down from the Committee in August 2019, to be replaced by former Commissioner of Official Languages Mr. Graham Fraser. Mr. Rattray joined the Committee in April 2015 and was appointed for a second term to August 30, 2020. Together, the external members have broad knowledge and experience in the areas of audit, internal controls and risk management in both the public and private sectors, as well as in the operations and responsibilities of agents of Parliament. Information Commissioner Caroline Maynard is the third member of the Committee.
The OIC’s Chief Financial Officer and Deputy Commissioner, Investigations and Governance, Layla Michaud, and a senior representative of the Office of the Auditor General attended all meetings during the reporting period. Various OIC staff members were also in attendance to present reports and other deliverables, or to give Committee members updates on the OIC’s business and other activities.
Effective February 18, 2019, France Labine, the OIC’s new Assistant Commissioner, Corporate Services, Strategic Planning and Transformation Services, and Chief Financial Officer now leads the OIC’s internal audit and evaluation function.
The Audit and Evaluation Committee met three times in person and once via teleconference between April 1, 2018, and March 31, 2019. In camera sessions involving only the Commissioner and the external members took place at the conclusion of every meeting.
The OIC posts the approved Committee meeting minutes (record of meeting) on its website.
The Committee’s activities fall under nine categories, as set out below. These areas of responsibility are linked in many ways—particularly with regard to risk—and Committee members take this into account when carrying out their assessments and providing advice.
Values and ethics
The Committee reviews any measures OIC management puts in place to exemplify and promote public service values and to ensure compliance with laws, regulations and policies, and standards of ethical conduct.
Risk assessment and mitigation are ongoing focuses of the Committee’s work, including reviewing the OIC’s corporate risk profile and risk management strategies and activities.
Committee members, with the assistance of the OIC’s Chief Audit Executive, reviewed and adjusted the schedule of upcoming audits and evaluations, as well as some aspects of the OIC’s 2017–2021 Risk-based Audit and Evaluation Plan.
Among the changes to the schedule was the addition of an information technology (IT) Threat Risk Assessment and Threat Vulnerability Assessment, which was to begin in March 2019 and be completed during 2019–2020.
The OIC’s IT Director also presented his vision for increasing security awareness based on the Communications Security Establishment Canada’s 10 recommended security measures.
Committee members considered risk-related input from external agencies and how it might apply to the OIC. This included the list of high risks for small departments prepared by the Office of the Comptroller General. The Committee also reviewed the recommendations of the Office of the Auditor General regarding the ongoing problems with the Phoenix pay system. The OIC’s Chief Audit Executive presented and later updated an action plan to address the recommendations.
Finally, the Commissioner briefed Committee members on her intention to begin a comprehensive strategic planning exercise in the coming year to develop the medium and long-term objectives and priorities for her mandate. The results will be reflected in the new risk-based audit plan to be developed in 2020, as well as in the OIC’s overall management of risk.
Management control frameworks
The Committee reviews the OIC’s internal control mechanisms, including adequacy of management-led audits.
Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, were numerous and are ongoing.
Through an agreement with the OIC, the Canadian Human Rights Commission (CHRC) provides financial management and specialized procurement services to the OIC. The OIC relies on CHRC's internal controls over financial reporting and the financial management system to process the financial data that the OIC has approved, authorized and transmitted to the CHRC.
Each year, the CHRC provides a general outline to the OIC of the oversight it exercises with regards to its system of internal control over financial reporting, reasonable assurance that these controls are being properly managed, and an attestation about the assessment of the CHRC’s system of controls.
As part of the assessment, the CHRC did the following:
- reviewed and updated documentation of business processes and controls to ensure they represent the current processes and controls in place;
- reviewed the OIC’s transactions for the contracting process and the CHRC’s transactions for the other business processes, which revealed that the key internal controls over these business processes were all strong and operating effectively, with the exception of the payroll-related transactions using the Government of Canada’s Phoenix system; and
- assessed, for the OIC’s transactions, the operating effectiveness of IT management and security.
The assessment found that the IT general controls related to systems remain appropriate and can be relied upon by the OIC. For IT management, the GX financial system was tested with regard to internal controls over financial controls and was assessed as strong.
With regard to Phoenix, the Office of the Auditor General (OAG) stated in its annual audit that this system was not always able to accurately process payments, but that the OIC had sufficient controls and processes in place to minimize the impact and ensure that the financial statements were fairly presented. The OAG did not find any exceptions in their controls testing or in their statistical sample.
The Committee’s responsibilities with regard to internal audit include reviewing plans for and reports on internal audits, and their resulting management action plans.
Committee members discussed the scope of an internal audit on procurement that was completed during the reporting period. The results and recommendations were tabled at the May 2019 meeting. The Committee also reviewed the results of an internal review of retro payments. This review found that the detailed log and key controls were helping reduce the risks related to compliance and data accuracy.
An external Committee member presented a summary of the 2017 updates to the Institute of Internal Auditors’ standards.
Layla Michaud stepped down as Chief Audit Executive during the reporting period and was replaced by Stephen Campbell, Director, Finance, Contract and Audit.
The Committee’s responsibilities with regard to evaluations include reviewing and approving the OIC’s Evaluation Plan, reports on individual evaluations and management action plans, and receiving status updates on how the OIC implementing the recommendations.
An evaluation of the OIC’s investigations program is planned for 2019–2020.
Follow-up on management action plans
The Committee receives regular updates from management on action plans and from the Chief Audit Executive on the status and effectiveness of management follow-up actions.
At each meeting, members were provided with the minutes and an update of the action items from previous meetings. As of March 31, 2019, all follow-up items had been completed.
The Committee also reviewed the recommendations and action plan resulting from the IT risk assessment carried out in late 2017–2018.
Financial statements and Public Accounts reporting
Committee members review the report of the OAG on its annual audit of the OIC's financial statements and recommend the statements’ acceptance to the Commissioner.
The OAG presented its audit report for 2017–2018 with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant adjustments. The OIC has always received an annual financial statement audit report with an unmodified opinion from the OAG, since audits of the OIC began in 2003–2004.
Throughout the year, the Head of Finance briefed Committee members on the status of the current year budget, and the preparation of the 2019–2020 budget, as well as the efforts being undertaken to secure permanent funding.
The Committee reviews corporate accountability reports to provide advice to the Commissioner and identify any material misstatement or omissions.
The Committee reviewed and discussed the following in 2018–2019:
- 2017–2018 Departmental Results Report; and
- 2019-2020 Departmental Plan, including information about financial risks related to temporary funding the OIC has received from Treasury Board, and IT infrastructure, network and cybersecurity risks.
The Committee was briefed on the new approach and format for the Commissioner’s annual report to Parliament.
External assurance provider
The Committee carries out objective assessments of evidence and data to provide an independent opinion or conclusions regarding the OIC’s operations, results, risks, stewardship and governance.
Overall assessment of risk management, control and governance
Based on its reviews and discussions throughout 2018–2019, the Committee is reasonably assured that the OIC’s risk management, control and governance processes are functioning well.
The Committee appreciates the due diligence the OIC has exercised in the development of sound processes and practices, and is encouraged that management strives for constant improvement.
The Committee, with the support of the Chief Audit Executive, developed, reviewed and approved a new charter for the Committee that sets out its mandate, membership and areas of responsibility.
The Committee’s external members are pleased with the Committee’s ongoing development and maturity in its advisory role. Members were provided with relevant and transparent information to enable the Committee to discharge its mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and their willingness to implement suggestions.
The Committee has established itself as an integral part of the OIC’s governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional analysts have been invaluable in helping the Committee fulfill its mandate. Based on observations over the past year, the Committee concludes that the OIC appears to have a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.
The Committee is scheduled to meet four times during 2019–2020. Its goals are to continue to provide advice that reflects core public sector principles, take into account the independence of agents of Parliament, and encompass innovative and creative perspectives.
The table below provides the scope, objective and rationale for each of the audit and evaluation projects proposed for 2019–2020, 2020–2021 and 2021-2022.
|Year||Audit Project Name||Primary Entity||Estimated Budget||Audit scope, Objective and Rational|
2018-19, 2019-20 and 2020-21
Treat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) – Wide Scope
Information Technology (IT)
Scope: OIC network analysis and gather information
Objective: To assess the level of vulnerability of the OIC network with relation to external threats i) conduct interviews of stakeholders and system owners at the OIC; ii) conduct penetration testing; and iii) provide a report and conduct an on-site debriefing.
Rationale: High audit requirement, 4.1 Impact and 2.6 Probability. This audit is seen as essential as the OIC launches the document upload functionality for the online complaint form.
Evaluation of Investigations
Senior Management and Complaints Resolution
Scope: The Investigations program.
Objective: Address, as per the TB Policy on Results, the relevance and performance of the investigations program. The evaluation should consider the evolving nature of investigations through an analysis of the portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program is operating (e.g. legislative changes).
Rationale: High evaluation requirement, 4.2 Impact and 3.6Probability. Considering that the Investigations program is the key program at the OIC, an evaluation of this activity is recommended every few years.
Performance and Talent Management Review
Scope: A review of the OIC’s human resources practices
Objective: Not an in-depth audit, but a review of the following OIC human resources practices: i) employee performance evaluation (effectiveness); ii) Talent Management program (effectiveness); iii) employee turnover; and iv) exit interviews.
Rationale: High audit requirement, 3.3 Impact and 3.4 Probability. During management interviews and the strategic planning meeting, the need to recruit high-performing employees in several key positions was identified as a high priority.
Audit of Information Management and Physical Security
Scope: Management practices and assessment of controls related to information management
Objective: Assess the operational effectiveness of information management practices and compliance with recommendations made in the 2017 RHEA audit of information management, notably as they relate to the retention and disposition of sensitive and restricted documents.
Rationale: High audit requirement, 3.2 Impact and 2.3 Probability. Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended.