2019-2020 Chief Audit Executive Annual Report
Prepared by France Labine
Chief Financial Officer
November 26, 2020 Meeting
Chief Audit Executive – France Labine
Secretary of Audit and Evaluation Committee (AEC) for four quarterly meetings
- May 16, 2019
- August 15, 2019
- November 7, 2019
- January 30, 2020
New Policy on Internal Audit
As per the Policy on Internal Audit, the CAE confirms the following:
- She has not been assigned any management or operational responsibilities that may compromise her independence and objectivity with respect to her internal audit responsibilities.
- She has unrestricted access to the AEC.
- She has unrestricted access to all records, databases, workplaces and employees to carry out the risk-based audit plan.
- She has an unimpaired ability to carry out her responsibilities, including reporting issues to the Commissioner, to the AEC and, as appropriate, to the Comptroller General of Canada.
Chief Audit Executive Report
Provides assurance of:
- Proper oversight of public resources.
- Oversight informed by a professional and objective internal audit function.
- Guidance that is independent of management.
- Responsible stewardship to Canadians.
Audits, Reviews, Assessments
- Office of the Auditor General (OAG)
- Completed and approved in August 2019
Audit 2018-19 procurement and contracts
- Performed by Samson
- Report completed in May 2019
- Implemented audit report recommendations
Information Technology (IT) and Information Management (IM)
- Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA)
- On-going and to be completed in 20-21
Important items Reviewed by the AEC
- Risk-based Audit and Evaluation Plan
- OAG Financial Audit (Key controls)
- Audit of Procurement and Contracts
- Regular Budgets and Financial Results
- IM/IT Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA)
- Strategic Plan and OIC Direction
- Governance Structure (i.e., terms of reference, committees)
- Roles and Responsibilities of key stakeholders for decision making processes: Senior Management, BCP, Innovation, Departmental Security, Occupational Health, Safety and Mental Health Committees
- Departmental Plan (DP) and Departmental Results Report (DPR)
- Departmental Security and Business Continuity Plans
- Integrated Planning Process (HR plan, quarterly financial reviews and multi-year investment plans)
- Enhanced Corporate Services Capacity
- Investigation inventory, processes and performance
- Litigation files
- Parliamentary Activities and Communications
Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) – Wide Scope
Information Technology (IT)
Scope: OIC network analysis and information gathering
Objective: To assess the level of vulnerability of the OIC network in relation to external threats: i) conduct interviews of stakeholders and system owners at the OIC; ii) conduct penetration testing; and iii) provide a report and conduct an on-site debriefing.
Rationale: High audit requirement, 4.1 Impact and 2.6 Probability. This audit is seen as essential as the OIC launches the document upload functionality for the online complaint form.
Evaluation of Investigations
Complaints Resolution and Compliance
Scope: The Investigations program.
Objective: Address, as per the TB Policy on Results, the relevance and performance of the investigations program. The evaluation should consider the evolving nature of investigations through an analysis of the portfolio of complaints (e.g. source, targeted institution, complaint type), as well as the new context in which the program is operating (e.g. C-58 legislative changes).
Rationale: High evaluation requirement, 4.2 Impact and 3.6 Probability. Given the unprecedented circumstances of COVID-19, the OIC has experienced procurement delays; however, there may be an opportunity to develop/improve plans to ensure both a smooth transition and the adoption of more efficient processes. Therefore, an evaluation extended into 2021-22 would be more beneficial and valuable, as it will produce better results.
Considering that the Investigations program is the key program at the OIC, an evaluation of this activity is recommended every 5 years.
Performance and Talent Management Review
Human Resources (HR)
Scope: A review of OIC HR practices
Objective: Not an in-depth audit, but a review of the following OIC HR practices: i) effectiveness of employee performance evaluation; ii) effectiveness of the Talent Management program; iii) employee turnover; and iv) exit interviews.
Rationale: High audit requirement, 3.3 Impact and 3.4 Probability. During the interviews of Management and the Strategic Planning meeting, the need to recruit high-performing employees in several key positions was identified as a high priority. Given the unprecedented circumstances of COVID-19, there may be an opportunity to develop/improve plans to ensure both a smooth transition and the adoption of more efficient processes. A review postponed to 2021-22 would be more beneficial and valuable, as it will produce better results.
Audit of Information Management and Physical Security
Scope: Management practices and assessment of controls related to information management.
Objective: Assess the operational effectiveness of information management practices and compliance with recommendations made in the RHEA audit, notably as they relate to the retention and disposition of sensitive and restricted documents.
Rationale: High audit requirement, 3.2 Impact and 2.3 Probability. Considering the sensitivity of the information retained by the OIC, and the reputational risk to the OIC in the case of improper management of private or restricted information, an audit of this activity is highly recommended.