2019–2020 Audit and Evaluation Committee Annual Report
Office of the Information Commissioner
- Foreword from the Chair
- Committee role and membership
- Overall assessment of risk management, control and governance
- Committee effectiveness
- Forward planning
Foreword from the Chair
The year 2019-2020 has been a period of transition for the Audit and Evaluation Committee and for the Office of the Information Commissioner. After more than ten years, Dyane Adam stepped down as chair, passing the role to me. This is, in fact, the second time I have taken her place; I succeeded her as Commissioner of Official Languages in 2006 and, once again, she has left me an institution in healthy condition. Once again, I am grateful for her rigour, her determination and her commitment to public service.
This was also the first full year that Caroline Maynard spent as Commissioner, and she stepped into the role of an Agent of Parliament with vigour and grace. Agents of Parliament are guardians of value, and as a protector and promoter of the values of the Access to Information Act — openness and transparency — she has been an exemplary leader.
The Office of the Information Commissioner is a small organization, and I have been impressed by the scrupulous and responsible management of its budget and the competence of the management team. As the organization adapts to the changes in the legislation that were debated during the 2019-20 fiscal year and adopted at the end of the Parliamentary session, there will be new pressures and new challenges. I am confident in the ability of the Commissioner and her team to respond to the pressures and meet the challenges.
Graham Fraser O.C.
Chair, Audit and Evaluation Committee
The external members of the Audit and Evaluation Committee (AEC) of the Office of the Information Commissioner (OIC) have prepared this report as a summary for the Information Commissioner of the Committee’s work from April 1, 2019, to March 31, 2020.
The report is also a vehicle for the external members to present their thoughts on areas for improvement at the OIC, based on the Committee’s assessments and deliberations over the year. The previous Audit and Evaluation Committee Report for 2018-2019 was approved by the Commissioner at the AEC meeting on August 15, 2019.
Committee Role and Membership
The Committee’s role is to provide the Commissioner with independent and objective advice, guidance and recommendations on the adequacy of the OIC’s control and accountability processes, as well as the use of evaluation within the OIC, in order to support management practices, decision-making and program performance.
To offer this support, the Committee exercises active oversight of core areas of the OIC’s management control and accountability framework. In so doing, Committee members address high-level strategic issues, as well as ongoing operational ones, to support the independence of internal audit activities within the OIC and the neutrality of the evaluation function. The Committee’s input also helps ensure that internal audit and evaluation results are incorporated into the OIC’s priority setting, and business and planning processes.
Committee members, as strategic resources for the Commissioner, also provide such advice and recommendations as she may request on specific emerging priorities, concerns, risks, opportunities and/or accountability reporting. This activity was largely carried out not only during the four Committee meetings held during the past year, but also during meetings with the Commissioner outside of the formal meetings.
The Committee has three members, two of whom are external to the federal government. The external members during 2019–2020 were David Rattray and Dyane Adam, who served as chair. Ms. Adam was first appointed in October 2008 and completed her term as Chair of the Committee in August 2019. She was replaced as Chair by former Commissioner of Official Languages Mr. Graham Fraser. Mr. Rattray joined the Committee in April 2015 and was appointed for a second term to August 30, 2020. Together, the external members have broad knowledge and experience in the areas of audit, management controls and risk management in both the public and private sectors, as well as in the operations and responsibilities of Agents of Parliament. Information Commissioner Caroline Maynard is the third member of the Committee.
The OIC’s Chief Financial Officer, Chief Audit and Evaluation Executive and Deputy Commissioner of Corporate Services, Strategic Planning and Transformations Services, France Labine, Deputy Commissioner of Investigations and Governance Layla Michaud, Deputy Commissioner of Legal Services and Public Affairs Gino Grondin, Director, Financial Management, Procurement and Audit, Stephen Campbell and a senior representative of the Office of the Auditor General attended all meetings during the reporting period. Various other OIC staff members were also in attendance to present reports and other deliverables, or to give Committee members updates on the OIC’s business and other activities.
The Audit and Evaluation Committee met four times in person between April 1, 2019, and March 31, 2020: May 16, 2019; August 15, 2019; November 7, 2019 and January 30, 2020. In camera sessions involving only the Commissioner and the external members took place at the conclusion of each meeting.
The Committee’s activities fall under nine categories, as set out below. These areas of responsibility are linked in many ways—particularly with regard to risk and strategic priorities—and Committee members take this into account when carrying out their assessments and providing advice.
Values and Ethics
The Committee reviews any measures OIC management puts in place to exemplify and promote public service values and to ensure compliance with laws, regulations and policies, and standards of ethical conduct. The Committee also received feedback on OIC employee surveys and action plans during the year. The AEC was satisfied with the degree to which ethics and values are embedded and assessed within OIC operations.
Risk assessment and mitigation are ongoing focuses of the Committee’s work, including reviewing the OIC’s corporate risk profile and risk management strategies and activities.
Committee members, with the assistance of the OIC’s Chief Audit Executive, reviewed and adjusted the schedule of upcoming audits and evaluations, as well as some aspects of the OIC’s 2017–2022 Risk-based Audit and Evaluation Plan (RBAEP) based upon risk updates.
Among the changes to the schedule was the addition of an information technology (IT) Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) conducted in 2019. The TRA and TVA were discussed with the AEC at its January 30, 2020 meeting. They presented the current security status of the OIC regarding the assessment of the threats and risks that had been identified in the RBAEP. The presentation also included all the work that had been done by the organization over the past 18 months as well as next steps. The AEC was satisfied with the risk work carried out during 2019–2020.
Committee members considered risk-related input from external agencies such as the OAG, the Office of the Comptroller General (OCG) as well as Treasury Board Secretariat (TBS) and how that might apply to the OIC. This included the list of high risks for small departments prepared by the OCG. The Committee also reviewed the recommendations of the Office of the Auditor General arising from the conduct of its annual Public Accounts Financial Audit. These discussions included an ongoing dialogue regarding the problems with the Phoenix pay system.
Finally, the Commissioner briefed Committee members at its November 7, 2019 meeting on the progress made on the OIC comprehensive strategic planning exercise in developing medium and long-term objectives and priorities for her mandate. The results were reflected in the RBAEP approved by the Committee at its meeting on January 30, 2020.
Management Control Framework
The Committee reviews the OIC’s internal control mechanisms, including adequacy of management-led audits.
Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, are ongoing.
Through an agreement with the OIC, the Canadian Human Rights Commission (CHRC) provides financial management and specialized procurement services to the OIC. The OIC relies on CHRC's internal management controls over financial reporting and the financial management system to process the financial data that the OIC has approved, authorized and transmitted to the CHRC for processing.
Each year, the CHRC provides a general outline to the OIC of the oversight it exercises with regard to its system of internal control over financial reporting, reasonable assurance that these controls are being properly managed, and an attestation about the assessment of the CHRC’s system of controls.
As part of the internal control over financial management and reporting, the CHRC performed the following functions:
- Reviewed and updated documentation of business processes and controls to ensure they represent the current processes and controls in place;
- Reviewed the OIC’s transactions for the contracting process and the CHRC’s transactions for the other business processes, which revealed that the key internal controls over these business processes were all strong and operating effectively, with the exception of the payroll-related transactions using the Government of Canada’s Phoenix system; and
- Assessed, for the OIC’s transactions, the operating effectiveness of IT management and security.
The CHRC Assessment demonstrated to OIC that the IT general controls related to systems remain appropriate and can be relied upon. For IT management, the GX financial system was tested with regard to internal controls over financial controls and was assessed as strong.
With regard to the federal government’s central pay system Phoenix, the Office of the Auditor General (OAG) stated in its annual financial audit of 2019-2020 that this system was not always able to accurately process payments, but that the OIC had sufficient compensating controls and processes in place to minimize the impact and ensure that the OIC financial statements were fairly presented. The OAG did not find any exceptions in their controls testing or in their statistical sample. As reported earlier in this report, a senior representative (Principal) participated in all four AEC meetings during the year.
The Committee’s responsibilities with regard to internal audit include reviewing plans for and reports on internal audits, and their resulting management action plans.
Committee members discussed the scope and progress of an internal audit on procurement and contracts that was completed during the reporting period. The results and recommendations were tabled at the May 2019 meeting.
The Audit and Evaluation Committee Charter was reviewed and approved by the Committee at its January 30, 2020 meeting.
France Labine was nominated in February 2019 as Chief Financial Officer, Chief Audit and Evaluation Executive and Deputy Commissioner of Corporate Services, Strategic Planning and Transformations Services, and replaced Layla Michaud as Chief Audit Executive (CAE) during the reporting period.
The Committee’s responsibilities with regard to evaluations include reviewing and approving the OIC’s RBAEP, reports on individual evaluations and management action plans, and receiving status updates on how the OIC is implementing the recommendations. The AEC also monitors the Treasury Board Policy on Evaluation for any changes to that policy direction. As with the Policy on Internal Audit, the OIC, as an independent Agent of Parliament, is not mandated to adhere to either policy, but chooses to follow the spirit of the policies.
An evaluation of the OIC’s Investigations Program is planned for 2020–2021 and 2021-2022.
Follow-up on Management Action Plans
The Committee received regular updates from management on action plans on the status and effectiveness of management follow-up actions. Follow-up briefings were provided at each of the four meetings held during the year and included such management areas as: Corporate Services; Investigations; Legal Services; and Public Affairs.
As of March 31, 2020, follow-up actions highlighted during senior staff briefings on the management areas noted above were either nearing completion or had been completed. The AEC was impressed with management actions taken.
At each AEC meeting, members were provided with the minutes and an update of action items arising from those meetings and were satisfied that all actions had been satisfactorily addressed.
The Committee also reviewed the recommendations and action plan resulting from the IT risk assessment carried out in late 2017–2018 and was satisfied with the results.
Financial Statements and Public Accounts Reporting
The OAG presented its annual Financial Audit Report for 2018–2019 with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant financial statement adjustments. The OIC has always received an annual Financial Statement Audit Report with an unmodified audit opinion from the OAG, since audits of the OIC began in 2003–2004. The 2018-2019 OAG Audit Report was reviewed and approved by the committee at its meeting on August 15, 2019.
The 2019-2020 Audit Plan of the OAG was presented by the OAG Principal at the Committee meeting on January 30, 2020 and the approach was approved. The AEC confirmed to the OAG that there were no changes in management’s fraud prevention and detection responsibilities and that there was no knowledge of any frauds.
Throughout the year, the DCFO briefed Committee members on the status of the current year budget (2019-2020), and the preparation of the 2020–2021 budget, as well as the efforts being undertaken to secure a permanent funding increase for OIC. At its meeting of November 7, 2019, the Committee held a comprehensive discussion of the results of the mid-year budget review and was satisfied with the review results.
The Committee reviewed various corporate accountability reports and provided advice to the Commissioner during the year.
The Committee reviewed and discussed the following in 2019–2020:
- 2018–2019 Departmental Results Report (meeting of August 15, 2019); and
- overall direction and observations on Commissioner’s Annual Report to Parliament and OIC Strategic Plan.
External Assurance Provider
The Committee carried out objective assessments of evidence and data to provide an independent opinion or conclusions regarding the OIC’s operations, results, risks, stewardship and governance.
The Committee satisfactorily carried out its role during the year of providing advice and recommendations on matters for which the Commissioner, as the Deputy Head, serves as the Accounting Officer for the organization.
The Committee received all the information it deemed necessary to fulfil all its mandate obligations.
Overall Assessment of Risk Management, Control and Governance
Based on reviews conducted and discussions held throughout 2019–2020, the Committee is reasonably assured that the OIC’s risk management, control and governance processes are functioning well.
The Committee appreciates the due diligence the OIC has exercised in the development of sound management and internal control processes and practices, and is encouraged that management strives for constant improvement.
Audit and Evaluation Committee Effectiveness
The Committee’s external members are pleased with the Committee’s ongoing development and maturity in its advisory role. Members were provided with complete, timely and accurate information to enable them to discharge their mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and their willingness to implement suggestions.
The Committee has established itself as an integral part of the OIC’s governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional specialists have been invaluable in helping the Committee fulfill its role. Based on our observations over the past year, the two external members of the Committee conclude that the OIC has a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.
The Committee is scheduled to meet four times during 2020–2021. Its goals are to continue to provide advice that reflects core public sector principles and values, take into account the independence of Agents of Parliament, and encompass innovative and creative perspectives.
The Audit and Evaluation Committee conducted its annual review of next fiscal year obligations (2020–2021) and approved the Calendar of Activities on November 7, 2019.
The table below provides the scope, objective and rationale for each of the audit and evaluation projects proposed for 2020–2021, 2021–2022 and 2022-2023. A change in the proposed audits was approved at the Committee meeting on January 30, 2020 and is reflected in the table below.
A change to the calendar for the RBAEP was proposed, namely, to extend the duration of the Evaluation of Investigations planned for fiscal 2019-20 to fiscal years 2020-21 and 2021-22.
The change was discussed and accepted by the members.
Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) – Wide Scope
Information Technology (IT)
Scope: OIC network analysis and information gathering
Objective: To assess the level of vulnerability of the OIC network with relation to external threats: i) conduct interviews of stakeholders and system owners at the OIC; ii) conduct penetration testing; and iii) provide a report and conduct an on-site debriefing.
Rationale: High audit requirement, 4.1 Impact and 2.6 Probability. This audit is seen as essential as the OIC launches the document upload functionality for the online complaint form.
Evaluation of Investigations
Complaints Resolution and Compliance
Scope: The Investigations program.
Objective: Address, as per the TB Policy on Results, the relevance and performance of the investigations program. The evaluation should consider the evolving nature of investigations through an analysis of the portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program is operating (e.g. C-58 legislative changes).
Rationale: High evaluation requirement, 4.2 Impact and 3.6 Probability. Given the unprecedented circumstances of COVID-19, the OIC has experienced procurement delays; however, there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. Therefore, an evaluation extended into 2021-22 would be more beneficial and valuable, as it will produce better results.
Considering that the Investigations program is the key program at the OIC, an evaluation of this activity is recommended every 5 years.
Performance and Talent Management Review
Human Resources (HR)
Scope: A review of OIC HR practices
Objective: Not an in-depth audit, but a review of the following OIC HR practices: i) effectiveness of employee performance evaluation; ii) effectiveness of Talent Management program; iii) employee turnover; and iv) exit interviews.
Rationale: High audit requirement, 3.3 Impact and 3.4 Probability. During the interviews of Management and the Strategic Planning meeting, the need to recruit high performing employees in several key positions was identified as a high priority. Given the unprecedented circumstances of COVID-19, there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. A review postponed to 2021-22 would be more beneficial and valuable, as it will produce better results.
Audit of Information Management and Physical Security
Scope: Management practices and assessment of controls related to information management.
Objective: Assess the operational effectiveness of information management practices and compliance with recommendations made in the RHEA audit, notably as they relate to the retention and disposition of sensitive and restricted documents.
Rationale: High audit requirement, 3.2 Impact and 2.3 Probability. Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended.