Internal Audit Committee Annual Report 2012-13

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Foreword from the External AC Members

It is our pleasure to provide you with the fourth AC Annual Report for the year ending March 31, 2013.

We wish to say again this year how pleased we are with the manner in which the AC has operated. The continuing engagement of the Commissioner, the leadership of the Chief Audit Executive and support from the OPC’s staff have all contributed to the success of the Committee's work. We feel this function works well for a small organization and we are pleased to be a part of it.

Over the past four years, the OPC has continued to strengthen management processes and practices across the organization. Over the past year alone, this has included establishing risk management practices that are integrated into strategic planning, a new Code of Conduct that clearly articulates the organization’s values and ethics aligned with its mandate and consistent with those of the federal government. Various improvements to the OPC’s management control framework have been made over the past four years. The results of the recent MAF self-assessment illustrate management’s commitment to continuous improvement of its key controls. In 2012-2013, 100% of OPC’s assessed management practices ‘met expectation’ whereas in 2008-2009, just 60% of the assessed practices achieved this rating. The OPC continues to have strong financial controls as evidenced by the clean audit opinion it received once again on its financial statements with no associated concerns noted by the OAG.

The internal audit function continues to support management in ensuring the effectiveness of risk management, governance and control processes, including financial control. Through the 8 internal audit engagements carried out over the past four years, the function has provided a high level of assurance to management in those areas of greatest risk and significance for the organization. The process has also provided to the OPC constructive recommendations that have been well received and implemented.

Laurel Murray, CA Jocelyne Coté-O’Hara

1.0 Context

This Annual Report to the Commissioner is prepared by the Office of the Privacy Commissioner Audit Committee (AC), pursuant to the requirements as set out in the Treasury Board’s 2012 Policy on Internal Audit and the approved AC Terms of Reference. This is the Committee’s fourth Annual Report.

This Report describes the activities carried out by the AC and provides the Committee members’ perspectives and observations based on the work undertaken during the 2012-2013 fiscal year.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Finally our aim has been to provide the Commissioner with objective, clear and constructive advice.

2.0 Committee Mandate, Membership and Infrastructure

2.1 Mandate

The AC provides the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities and accountability reporting.

2.2 Membership

The AC is composed of the following members:

Laurel Murray, CA, Chair, external member
Jennifer Stoddart, Commissioner (ex-officio member)
Jocelyne Coté-O’Hara C.M., external member

The Required attendees for all 2012-2013 AC meetings included the:

Chief Audit Executive, Daniel Nadeau, who is also the Chief Financial Officer
Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning and Management Practices

2.3 Terms of Reference and Annual Plan

The oversight responsibilities of the AC encompass the following eight areas, as identified in the Audit Committee’s Terms of Reference:

Values and ethics;
Risk management;
Management control framework;
Internal audit;
Office of the Auditor General and other central agencies;
Follow-up on management’s actions;
Financial Statements; and
Accountability reporting.

The Terms of Reference were revised during the year to ensure consistency with the amended Treasury Board Policy on Internal Audit. They were subsequently approved by the Commissioner in May 2012. A copy of the approved Terms of Reference is included in Annex A.

To ensure that the responsibilities as outlined in the Terms of Reference were effectively discharged during the year, the Committee developed its 2012-2013 Audit Committee Annual Plan. A copy of the Plan is included in Annex B.

2.4 AC Self-Assessment

During the year, the Audit Committee undertook self-assessment of its performance so as to identify areas of strength and opportunities for continued improvement. This assessment focused on the mandate and composition of the Committee, roles and responsibilities and management support. A five point scale was used with a score of ‘5’ indicating ‘very strong’ and a score of ‘1’ indicating an area where significant improvements are needed. We found this exercise to be a useful opportunity to reflect on our various roles and the value added by the Committee through its work.

The results of the self-assessment were very positive as denoted by the overall score of 4.3 out of a maximum of 5. The assessment highlighted a few areas where improvements could be made (i.e. formalize members’ input into the CAE’s performance appraisal, build some flexibility into meeting agendas to support more fulsome discussions by members as required; reflect on succession planning for the AC and provide advice to the Commissioner; support members in keeping abreast of new and emerging challenges facing OPC (policies, changing legislative framework, technology impacts on privacy) and the Committee is making adjustments to address the noted areas improvements.

3.0 Summary of 2012-2013 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2012-2013, together with advice provided to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four regular meetings during the year as follows:

May 24, 2012
July 26, 2012
December 14, 2012
March 4, 2013

At the start of each meeting, the Committee undertakes an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefs members on key happenings across the organization since the last meeting as well as possible issues or opportunities that may impact the organization. These discussions provide members with valuable context and insights that promote a better understanding and appreciation of the changing work and social environment.

There was 100% attendance by all AC members and required attendees at these meetings. Minutes were prepared for each meeting and approved by members at the subsequent meeting. The Chair formally signed the minutes to clearly convey their approval by the Committee.

As part of each Committee meeting, the external Committee members held in-camera discussions with the Chief Financial Officer, who is also the Chief Audit Executive, and officials from the OAG when in attendance. This provides an opportunity for these officials to raise and discuss sensitive issues in confidence. The external members also meet in camera at each meeting to discuss issues as required.

3.2 Annual Report

At its May meeting, the Audit Committee reviewed and approved its 2011-2012 Annual Report.

3.3 Professional Development

In November 2012, one of the members attended the Office of the Comptroller General Department Audit Committee (DAC) symposium focused on leveraging members’ collective expertise in a cost containment environment. The other member attended an OPC symposium dealing with privacy matters.

3.4 Transparency

DAC information is publicly available on the OPC website. This includes bios of the AC members, the Committee’s Terms of Reference and approved internal audit reports. The proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with advice that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

The Audit Committee was pleased to note the many areas in which the OPC further to strengthened its values and ethics arrangements throughout the year and this critical area continued to be a priority for the Committee in 2012-2013. This included reviewing the new Values and Ethics Code for the Office of the Privacy Commissioner of Canada that management implemented in May 2012. The OPC Code is consistent with the Values and Ethics Code for the Federal Public Service and defines the values and expected behaviours that guide OPC employees in all areas related to their professional duties. The Code articulates its ethical ideals, aligned to its mandate, giving priority attention to the management of personal information entrusted to the Office, ensuring protection and confidentiality in an effective manner.

The Audit Committee also reviewed the detailed workplan developed to support the implementation of the TB Policy on Conflict of Interest and Post Employment Measures. This policy is closely aligned with the new Values and Ethics Code in that it provides direction and measures to assist the OPC and its employees in effectively dealing with real, potential or apparent conflict of interest situations that may arise during and after their employment in the public service. Members found the workplan very comprehensive and clear, noting the inclusion of a risk assessment exercise to identify business functions at risk, the establishment of procedures and a governance structure for managing conflict of interest. It also included post-employment measures as well as consultations and communications with staff and stakeholders and a post-implementation evaluation to identify lessons learned.

Through the review of the organization’s Management Accountability Framework (MAF) self-assessment exercise, Committee members noted that with the implementation of the new Policy on Harassment Prevention and Resolution that came into force on October 1, 2012, management held mandatory workshops for staff during the year to establish and maintain a harassment-free and respectful workplace.

In addition to developing and implementing policies and a Code, the Committee noted that management agreements (PMAs) now include performance expectations to support executives’ compliance and promotion with values and ethics principles. Through this process, executives are also assessed against leadership competencies that include values and ethics.

The Audit Committee members were pleased to see the leadership and commitment management has made to define and embed sound values and ethics throughout the organization.

4.2 Risk Management

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring and is a key input into the organization’s strategic planning process. The Committee is pleased to note that this review and refinement is not a standalone, isolated undertaking, but is integrated into the strategic planning process carried out in the late Fall. This ensures that the key risks identified can be factored into the establishment of organizational priorities for the coming year.

At its December meeting the Audit Committee reviewed, discussed and provided advice on the December 2012 CRP, including the risk mitigation strategies. Members agreed with the key risks identified and the associated ratings assigned to each risk and recommended that benchmarks be established for the risk indicators to ensure clarity of meaning and support effective risk monitoring. The Committee concurred with management’s plan to monitor both its key risks and mitigation strategies, and requested that members be informed of any issues that arise from the monitoring activities or if there are any changes in the key risks identified.

4.3 Management Control Framework

The Audit Committee reviewed the OPC’s management control framework (MCF) in a variety of ways throughout the year. As internal audit engagements often examine one or more elements of the MCF, the associated reports tabled at the DAC meetings provide the primary means through which the members assess key aspects of the control framework. The Committee also examined and provided feedback and advice to the Commissioner on the MCF through its review and discussion of financial resource management updates provided throughout the year as well as through members’ review of the results of the Management Accountability Framework (MAF) self-assessment and the Quarterly Financial Reports.

As noted in the sections that follow, the Committee is impressed and pleased with the many strengths in OPC’s management processes and practices as well as management’s demonstrated leadership and commitment to implement enhancements wherever warranted.

Internal Audits

During the year, the Audit Committee had the opportunity to review, provide advice on and recommend for approval four (4) internal audit reports and one control self-assessment. Each of these reports, including the associated Management Action Plan, provides an independent assessment of the effectiveness of various elements of the OPC’s MCF. As noted in the more fulsome discussion of these reports in section 4.4 that follows, these internal audit engagements noted various strengths in OPC’s MCF. While opportunities to continue to strengthen the MCF were noted in some areas, no material weaknesses were noted.

MAF Self-Assessment

As an Agent of Parliament, the OPC is not subject to the Treasury Board Management Accountability Framework (MAF) assessment. However, recognizing the value in continuing to improve its management processes and practice, management undertakes a MAF self-assessment exercise bi-annually. At its March meeting, AC members reviewed the results of the 2012-2013 MAF self-assessment and the associated action plan to further improve management processes and practices in key areas. The Committee was very pleased to note that the organization ‘meets expectation^{Footnote 1} ’ in all six areas assessed; a 100% rating. This is a marked improvement from the 2010-2011 assessment whereby 77% of the practices assessed were found to ‘meet expectation’ and the 60% that received this rating in 2008-2009 when OPC commenced this exercise. The continued upward trend in these results exemplifies management’s continued focus and commitment to continuous improvement.

Financial Resource Management

Over the past year, the Corporate Service Branch (CSB) put tremendous effort and attention to improve budgetary management across the organization. Part of the motivation has been in response to the results of the recent Internal Audit of Financial Resource Management that highlighted some opportunities for improvement in this area. However, senior management also clearly and proactively recognized the need to more closely monitor and manage resources as it implements the funding reductions flowing from Budget 2012, particularly as it prepares to embark on a very costly move of its headquarters to Gatineau, Quebec in 2013-2014. A key element of the strengthened budgetary management processes is the hands-on support and challenge function provided by Finance staff to managers across the organization. This is helping facilitate a closer review of Branch-level financial results and commitments thereby, identifying opportunities for the timely reallocation of resources to meet strategic and operational/program pressures and priorities.

Quarterly Financial Reporting

The AC reviewed and provided feedback and advice on the OPC’s 1^st, 2^nd and 3^rd 2012-2013 Quarterly Financial Reports. Members found this year’s reports to be succinct and complete, noting that management strengthened the variance analysis and explanations reflected in the reports, as previously recommended by the Committee.

4.4 Internal Audit Function

4.4.1 Governance

One of the biggest challenges for OPC’s internal audit function is that it carries out an Internal Audit function without an internal dedicated capacity. OPC’s in-house internal audit capacity consists of a Director, Business Planning and Management Practices, with oversight by the Chief Audit Executive who is also the Director General, Corporate Services and Chief Financial Officer. To augment the in-house capacity, OPC co-sources both the development of the RBAP and the individual internal audit engagements with an outside professional services firm. This arrangement enables OPC to retain control and oversight of the internal audit function while leveraging the expertise and experience of internal audit professionals. On the advice of the Audit Committee, management strengthened its audit process to ensure that professional service firms provide an attestation that their audit work complies with the Internal Auditing Standards for the Government of Canada.

The AC Chair, who is a Chartered Accountant with significant internal audit expertise, also provides expertise, guidance and advice to support the enhancement of this function and its independence and oversight throughout the year.

Effective April 2012, the Treasury Board implemented a revised Policy on Internal Audit. At its May meeting, the Audit Committee reviewed the OPC’s updated Internal Audit Charter and recommended its approval by the Commissioner. As required under the Policy, the Chief Audit Executive is required to provide an annual report to the Audit Committee and the Commissioner. The Committee reviewed the CAE’s 2011-2012 Annual Report noting no areas of concern and during an in-camera meeting with the Commissioner, provided input into the performance appraisal of the CAE.

4.4.2 Internal Audit Engagements

During the year, the Audit Committee reviewed and recommended the approval of five internal audit engagement reports. Committee members provided advice and in some instances recommended revised wording to ensure the context and findings were clearly articulated. Subsequent to the Committee’s recommended approval, the Commissioner approved each of these five reports as follows:

Assurance Engagements:

Privacy Impact Assessment (PIA) Review Process
Financial Resource Management
Procurement and Contract Management

Control Self-Assessment:

Privacy Control Self-Assessment

Review Engagement:

Management Practice Review of Information Sharing Practices

The combination of internal audit engagements with varying levels of assurance has enabled OPC to effectively utilize its scarce internal audit resources to address its areas of highest and moderate risk in an effective and efficient manner.

Various strengths in OPC’s management practices were identified in each of the areas assessed through these engagements. This includes:

a PIA review process that ensures federal government institutions are provided with advice and recommendations that are understandable and actionable;
financial management practices that include templates and instructions to support managers in preparing and reviewing their monthly financial reports, reconciliations and forecasts and a framework for communicating financial results to SMC in support of active monitoring and decision making
Procurement processes and practices that comply with contracting policies and authorizations as well as support and advice provided by the Procurement Group that is clearly valued and appreciated by OPC staff.
Leadership, policies and procedures for the safeguarding of personal information in accordance with the Privacy Act;
Instructions, guidelines and systems that support the effective and efficient sharing and tracking of information across the organization.

While no significant control weaknesses were identified in any of the reports that were reviewed by the DAC during the year and indeed, key areas noted for improvement included improved documentation of processes; clarity of roles and responsibilities; consideration of funding pressures for priority unfunded activities during the planning and budgetary approval process; and strengthened contract monitoring.

As noted in section 4.6 that follows, management is making significant positive strides in implementing actions to address the issues and opportunities noted in these reports.

4.4.3 Risk-Based Internal Audit Plan

In the winter of 2013, Chief Audit Executive (CAE) engaged outside expertise to develop the OPC’s 2013-2014 to 2015-2016 Risk-Based Internal Audit Plan (RBAP). The AC Chair was engaged in this process, including identifying or confirming areas of risk and significance for consideration in the development of the plan.

At its March meeting, the Committee reviewed the draft Plan and recommended its approval by the Commissioner. While internal audit engagements are schedule for years two and three of the plan, the Audit Committee supports management’s plan to not carry out any assurance engagements in 2013-2014. Over the past four years, the eight internal audit engagements carried out have provided extensive coverage across each of the organization’s four program areas outlined in the OPC’s audit universe. And during this this time period, management has implemented a wide range of improved management processes and practices in the areas audited as well as other areas of the organization. Contributing to the decision is the fact that 2013-2014 will be a year of significant change for the organization (i.e. investigations Modernization, move of OPC’s headquarters, leadership transition). Over the coming year, the Audit Committee will review and discuss the change initiatives underway and management’s processes to address the associated risks, and if necessary, provide recommendations with respect to planned projects for the following year.

4.5 External Assurance Providers

Each year, the Office of the Auditor General (OAG) carries out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements. Representatives from the OAG attended the Committee’s May 2012 meeting to discuss the plan for the annual audit of OPC’s 2011-2012 financial statements.

The OAG Audit Principal attended the AC’s July 2012 meeting to review and discuss the audited financial statements, the Management Representation Letter to the OAG and the OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2012. The OAG rendered a clean audit opinion on the financial statements. It did not note any significant internal control weaknesses and did not issue a Management Letter.

4.6 Follow-up on Management Action Plans

The AC monitors management’s progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, DAC receives and reviews a report on management’s progress in implementing outstanding actions. During the year, management implemented 4 of the 8 actions outstanding from the 2010-2011 audits on Utilization of Inquiries and Investigations Branch Information for Management Decision Making. The AC noted that while four actions remain outstanding, significant progress is being made. In some instances, delays are due to enhancements in associated processes and systems and as noted by the CAE, the organization is not exposed to any significant risks as a result of the delays in the full implementation of these four outstanding recommendations.

In addition to the four actions implemented this year as noted above, management has fully implemented the 10 recommendations flowing from this year’s approved internal audit reports on the Privacy Impact Assessment (PIA) Review Process and Financial Resource Management.

The Audit Committee continues to be very pleased with management’s diligence in developing fulsome action plans to address noted areas for improvement and implementing the associated actions in a timely manner.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the OAG each year. As noted in section 4.5, the AC met with the OAG in July to review and discuss the OPC’s 2011-2012 audited financial statements. The AC recommended the Commissioner approve these financial statements.

4.8 Accountability Reports

AC members reviewed the OPC’s draft 2011-2012 Departmental Performance Report (DPR) and the draft 2013-2014 Report on Plans and Priorities (RPP). AC members provided advice and recommendations to management prior to their approval by the Commissioner.

5.0 Looking Ahead

The following segment if for discussion at the June 4, 2013 AC meeting

Over the coming year the Committee will continue to exercise oversight across all eight areas of responsibility with particularly emphasis on the following:

Possible areas for consideration:

Continued review and advice on financial resource management – recognizes the criticality of the management of the OPC’s scarce financial resources in these economic times and in light of the significant costs associated with the move and increase in complaints.
Move of OPC’s Headquarters to Gatineau, Quebec – recognizes the value in independent advice on key aspects for consideration as OPC works through the move.
Shared Services – as OPC works with other Agents to explore shared services, AC members can provide independent advice that may assist in identifying risks and opportunities for consideration.

ANNEX A – Audit Committee Terms of Reference

Revised in May 2012

1. INTRODUCTION

This document outlines the purpose, responsibilities, membership and operating procedures of the Audit Committee (the Committee) in the Office of the Privacy Commissioner of Canada (OPC).

The Committee is an essential component of the internal audit regime established within OPC and reflective of both the Treasury Board Policy on Internal Audit which came into effect on April 1, 2006^{Footnote 2} and the Joint Agreement of the Working Group of Officers of Parliament.^{Footnote 3} The latter reinforces OPC’s status as an Officer of Parliament.

The Working Group of Officers of Parliament have agreed that the intent of the government’s Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament, but taking account of their status of independence, their relatively small size and the oversight role played by the Parliamentary Advisory Panel on the funding of Officers of Parliament.

2. MANDATE

The Committee provides objective advice and recommendations to the Commissioner regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the department's risk management, control and governance frameworks and processes (including accountability and auditing systems). This work supports the Commissioner in her role as OPC’s accounting officer before Parliament.

To give the Commissioner this support, the Committee reviews, with a risk guided focus, all core areas of OPC management, control and accountability processes in an integrated way, such that the results of internal audits may be incorporated into the OPC priority-setting and strategic planning processes. Hence, the work of the Committee reinforces the quality and reliability of the financial and other performance information used by OPC managers for decision-making and reporting and, in so doing, contributes to enhanced managerial accountability. The Committee also serves to reinforce the independence, effectiveness and accountability of the Chief Audit Executive.

The Committee also provides advice and recommendations as may be requested by the Commissioner.

3. COMMITTEE REPORTING AND COMPOSITION

3.1 Membership

The Commissioner is responsible for establishing an independent audit committee for the Office consisting of three members. There are two external members who are not currently members of the Federal Public Service and the Commissioner is an ex-officio member. The Chief Audit Executive (CAE)/Chief Financial Officer (CFO) attends all meetings.

The Commissioner is responsible to select the Committee’s Chair, the members and the Secretary. All members of the Committee shall be, or become within the first year of appointment, financially literate and familiar with private- or public-sector financial reporting. At least one member is a financial expert who possesses a professional accounting designation.

Members shall be independent as demonstrated by their absence of real and perceived, direct and indirect, personal and financial interest or that of their family and business associates and competitors AND by their personal capacity and behaviour to engage the management, CAE and external auditors in demanding explorations of practices and areas of concern. It extends to seeing this principle through to standing by one’s challenge to reports and practices held to be incompatible with the facts or to acceptable practices – even when colleagues on the Committee may be inclined to defer. The consequence of this is the duty to inform the Commissioner directly in such a case. Protection of independence may result in a mutual agreement to terminate the appointment.

3.2 Reporting

The Chair represents the Committee in periodic meetings with the Commissioner.

3.3 Length of Term

Members shall be appointed for a term of four years. A member shall serve no more than two terms. To ensure continuity, mandates can be staggered, and some initial terms may be for less than four years.

4. COMMITTEE MEETINGS

4.1 Frequency

The Committee shall meet two or three times a year either in person or by teleconference, with more meetings as deemed necessary by the Chair. The Committee’s meeting schedule will normally be set out six months in advance so that OPC management and internal auditors can prepare the information and reports required to support the Committee’s work. Rescheduling of Committee meetings will be by exception only.

4.2 Quorum

Quorum shall be a majority of the members. No alternates shall be permitted.

4.3 Preparation and Attendance of Members

To enhance the effectiveness of the Committee meetings, each member shall:

Devote the time necessary to prepare for, and participate in, each meeting: this involves reading the reports and reference documents provided for the meeting;
Maintain an excellent record of attendance at meetings.

4.4 Attendance of Non-Members

The Chief Audit Executive shall attend all meetings of the Committee. The Chair may request the attendance of other senior officials. When required, the Chair shall ask a senior representative of the external assurance providers to attend the Committee meetings to discuss the plans, findings and other matters of mutual concern.

4.5 Minutes of meetings

Minutes of each meeting are kept and contain the list of attendees, a summary of the decisions made and an overview of the points discussed. The minutes are approved by the Committee and signed by the Chair on behalf of the Committee.

4.6 In camera meetings

As part of each Committee meeting, the Committee shall meet in camera with the CAE/CFO, representatives of external assurance providers when in attendance and any other officials the Committee decides to call.

4.7 Committee’s Annual Plan

The Chair, in consultation with the other members of the Committee, shall prepare a plan for recommendation to the Commissioner, to ensure that the responsibilities of the Committee are scheduled and fully addressed.

4.8 Examination of the Committee’s Terms of Reference

The Committee shall periodically review its terms of reference and if revised, submit them to the Commissioner for approval.

5. RESPONSIBILITIES

The particular emphasis and priorities from among the Committee’s key areas of responsibility are to be set by the Commissioner in consultation with the Committee. In doing so, consideration is given to the OPC’s mandate, objectives and priorities, as well as the corresponding risks affecting the organization.

Below are the key areas of responsibility that fall within the scope of concern of the Committee, and that will be reviewed with an appropriate risk-guided focus and cycle.

5.1 Values and Ethics

The Committee shall review and provide advice on the OPC’s systems and practices established by the Commissioner to monitor compliance with laws, regulations, policies and standards of ethical conduct and identify and deal with any legal or ethical violations. This may also include the arrangements established by management to exemplify and promote public service values and to ensure compliance with laws, regulations, policies, and standards of ethical conduct.

5.2 Risk Management

The Committee shall review and provide advice on the risk management arrangements established and maintained by the OPC.

5.3 Management Control Framework

The Committee shall review and provide advice on the departmental internal control arrangements, and be informed on all matters of significance arising from the work performed by others who provide assurances to senior management and the Commissioner.

5.4 Internal Audit Function

The Committee shall:

Recommend, and periodically review, the OPC Internal Audit Charter for approval by the Commissioner;
Provide advice to the Commissioner on the sufficiency of resources of the internal audit function;
Review and recommend for approval by the Commissioner the Risk-Based Audit Plan;
Monitor and assess the performance of the Internal Audit function;
Advise the Commissioner on the recruitment and appointment, as well as the performance of the Chief Audit Executive;
Review and recommend for the Commissioner’s approval internal audit reports and corresponding management action plans to address recommendations;
Be advised of audit engagements or tasks that do not result in a report to the Committee and be informed, by the appropriate level of management, of all matters of significance arising from such work;
Review regular reports on progress against the risk-based audit plan.

5.5 External Assurance Providers

The Committee shall be informed of and shall advise the Commissioner on:

All audit work relating to the OPC to be undertaken by external assurance providers, including management’s response; and,
Audit-related issues and priorities raised by external assurance providers.

5.6 Financial Statements and Public Accounts Reporting

The Committee shall review and provide advice to the Commissioner on the key financial management reports and disclosures of the department, including quarterly financial reports, annual financial statements and Public Accounts.

The Committee shall also review the annual Statement of Management Responsibility Including Internal Control over Financial Reporting and provide advice to the Commissioner on the risk-based assessment plans and associated results related to the effectiveness of the departmental system of Internal Control over Financial Reporting.

Since the OPC financial statements are audited by the OAG, the Committee shall review:

The financial statements with the external auditor and senior management, discuss any significant accounting estimates and adjustments therein, any adjustments required to the statements as a result of the audit, as well as any difficulties or disputes encountered with management during the course of the audit;
Management letters arising from the external audit;
The auditor's findings and recommendations relating to the internal controls in place for financial reporting and consider their impact on controls, risk management and governance processes.

5.7 Follow up on Management Action Plans

The Committee shall review regular reports on the progress of the implementation of approved management action plans resulting from prior internal audit recommendations as well as management action plans resulting from the work of external assurance providers.

5.8 Accountability Reporting

The Committee shall receive copies of the Report on Plans and Priorities, the Departmental Performance Report and other significant accountability reports. These reports provide context for the deliberations of the Committee and advice to the Commissioner. Over time, and in the course of successively reviewing these documents, the Committee will be attentive to, and provide advice on, any material misstatements or omissions.

Once the Office has an evaluation function, the evaluation plan and evaluation reports should be tabled with the Committee for information, after they have been approved by the required authority (i.e., another committee or senior management).

6. OPERATIONS

6.1 Access

The Committee has full access to the Chief Audit Executive and the other OPC employees and documents required to fulfill its responsibilities, subject to applicable legislation. The CAE has full access to the Committee and to the Committee Chair.

6.2 Orientation, Training, and Continuing Education of Committee Members

Members shall receive formal orientation and training on the Committee's responsibilities and objectives and on the business of the OPC.

6.3 Support

The Internal Audit function provides the Committee with the necessary support to carry out its responsibilities and fulfill its duties. The Committee also has the power to obtain independent help and advice. The support to the Committee includes among other things:

Administrative duties (i.e., preparation and distribution of meeting agendas, minutes and materials);
Supporting the Committee in executing its work;
Supporting the Committee in assessing its performance;
Supporting the Committee in its accountability reporting;
Supporting the orientation for new members.

6.4 Duty to Inform and Duty to Resign – Disagreement

In the event that a member of the Committee has a difference of opinion with another member that cannot be resolved by the Chair or if the member has an unresolved difference of opinion with the Chair and provided that the difference of opinion, from the perspective of the member, has, or could have, a material, negative impact on the fairness of reported information or on the integrity of operations of the OPC or involves the questionable behaviour of an individual then the member shall bring the issue forward for resolution, as follows:

Bring the issue to the attention of the Commissioner within a reasonable timeframe.
If the Commissioner is unable to resolve the issue and if the member is of the opinion that the issue still remains, the member has a duty to resign.

7. EVALUATION OF THE COMMITTEE’S PERFORMANCE

The Committee shall periodically evaluate its own performance to continually improve how it carries out its responsibilities. The Committee’s performance shall also be part of an external evaluation of the internal audit function that is to be carried out at least every five years, by an independent auditor.

8. ANNUAL REPORT

The independent members of the Committee shall submit an annual report to the Commissioner that shall:

Summarize the results of the Committee's reviews of areas of responsibility;
Provide the independent members’ assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and,
Express views in the annual report and shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by departmental officials in the preparation of the annual report.

9. APPROVAL OF COMMITTEE TERMS OF REFERENCE

Reviewed by the Audit Committee

Date

Approved by the Commissioner