2019-2020 Chief Audit Executive Annual Report

Prepared by France Labine
Chief Financial Officer

November 26, 2020 Meeting

Chief Audit Executive – France Labine

Secretary of Audit and Evaluation Committee (AEC) for four quarterly meetings

May 16, 2019
August 15, 2019
November 7, 2019
January 30, 2020

Record of Meetings

New Policy on Internal Audit

As per the Policy on Internal Audit, the CAE confirms the following:

She has not been assigned any management or operational responsibilities that may compromise her independence and objectivity with respect to her internal audit responsibilities.
She has unrestricted access to the AEC.
She has unrestricted access to all records, databases, workplaces and employees to carry out the risk-based audit plan.
She has unimpaired ability to carry out his responsibilities, including reporting issues to the Commissioner, to the AEC and, as appropriate, to the Comptroller General of Canada.

Chief Audit Executive Report

Provides assurance of:

Proper oversight of public resources.
Oversight informed by a professional and objective internal audit function.
Guidance that is independent of management.
Responsible stewardship to Canadians.

Audits, Reviews, Assessments

Financial Statements

Office of the Auditor General (OAG)
Completed and approved in August 2019

Audit 2018-19 procurement and contracts

Performed by Samson
Report completed in May 2019
Implemented audit report recommendations

Information Technology (IT) and Information Management (IM)

Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA)
On-going and to be completed in 20-21

Important items Reviewed by the AEC

Risk-based Audit and Evaluation Plan
OAG Financial Audit (Key controls)
Audit of Procurement and Contracts
Regular Budgets and Financial Results
IM/IT Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA)
Strategic Plan and OIC Direction
Governance Structure (ie terms of reference, committees)
Roles and Responsibilities of key stakeholders for decision making processes: Senior Management, BCP, Innovation, Departmental Security, Occupational Health, Safety and Mental Health Committees
Departmental Plan (DP) and Departmental Results Report (DPR)
Departmental Security and Business Continuity Plans
Integrated Planning Process (HR plan, quarterly financial reviews and multi-year investment plans)
Enhanced Corporate Services Capacity
Investigation inventory, processes and performance
Litigation files
Parliamentary Activities and Communications

Change to the calendar for the RBAEP
2018-19, 2019-20 and 2020-21	Treat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) – Wide Scope	Information Technology (IT)	Scope: OIC network analysis and gather information Objective: To assess the level of vulnerability of the OIC network with relation to external threats i) conduct interviews of stakeholders and system owners at the OIC; ii) conduct penetration testing; and iii) provide a report and conduct an on-site debriefing. Rationale: High audit requirement, 4.1 Impact and 2.6 Probability. This audit is seen as essential as the OIC launches the document upload functionality for the online complaint form.
2020-21 and 2021-22	Evaluation of Investigations	Complaints Resolution and Compliance	Scope: The Investigations program. Objective: Address, as per the TB Policy on Results, the relevance and performance of the investigations program. The evaluation should consider the evolving nature of investigations through an analysis of the portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program is operating (e.g. C-58 legislative changes). Rationale: High evaluation requirement, 4.2 Impact and 3.6 Probability. Given unprecedented circumstances of COVID-19, the OIC has experienced procurement delays however there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. Therefore, an evaluation extended into 2021-22 would be more beneficial and valuable, as it will produce better results. Considering that the Investigations program is the key program at the OIC, an evaluation of this activity is recommended every 5 years.
2021-22	Performance and Talent Management Review	Human Resources (HR)	Scope: A review of OIC HR practices Objective: Not an in-depth audit, but a review of the following OIC HR practices i) effectiveness of employee performance evaluation; ii) effectiveness of Talent Management program, iii) employee turnover, and iv) exit interviews. Rationale: High audit requirement, 3.3 Impact and 3.4 Probability. During the interviews of Management and the Strategic Planning meeting, the need to recruit high performing employees in several key positions was identified as a high priority. Given unprecedented circumstances of COVID-19, there may be an opportunity to develop/improve plans to ensure both a smooth transition and an adoption of more efficient processes. A review postponed to 2021-22 would be more beneficial and valuable, as it will produce better results.
2021-22	Audit of Information Management and Physical Security	Corporate Services	Scope: Management practices and assessment of controls related to information management. Objective: Assess the operational effectiveness of information management practices and compliance with recommendations made in the RHEA audit, notably as they relate to the retention and disposition of sensitive and restricted documents. Rationale: High audit requirement, 3.2 Impact and 2.3 Probability. Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended.