Internal Audit Committee Annual Report 2013-14

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Foreword from the External AC Members

It is our pleasure to provide you with the fifth Audit Committee (AC) Annual Report for the year ending March 31, 2014.

We wish to convey that we continue to be pleased with the manner in which the AC has operated, particularly during this period of significant change for the organization - changes that include a change in leadership and a move of the OPC's headquarters to Gatineau. The leadership of the Chief Audit Executive and support from the OPC's staff has contributed to the success of the Committee's work. The active engagement of the former Commissioner, Jennifer Stoddart, and the interim Commissioner, Chatal Bernier, was also a key to the success of the Committee and its work over the year. We feel this function works well for a small organization and we are pleased to be a part of it.

Over the past year, the OPC continued to strengthen management processes and practices in a number of areas, including values and ethics, internal controls and performance management. The OPC continues to have strong financial controls as evidenced by the clean audit opinion it received once again on its financial statements with no associated concerns noted by the Office of the Auditor General (OAG). One issue came to the Audit Committee's attention regarding the loss of a small hard drive during the move of OPC's head office to Gatineau, Quebec in March 2014. We appreciate being advised of this incident expeditiously and support management's multi-pronged approach to manage the incident, including notifying the Privacy Commissioner Ad Hoc and carrying out an internal assessment and an independent, external assessment. These assessments should provide an improved understanding of what transpired and offer recommendations, if required, to help prevent a repeat of such a loss in the future.

While no internal audit engagements were undertaken during the year, the results of the internal self-assessment and practice inspection, combined with the approval of the risk-based audit plan for 2014-2015, positions the internal audit function to continue to add value by assessing risk, control and governance practice in those areas of greatest risk and significance to the organization.

Laurel Murray, CA Jocelyne Coté-O'Hara, C.M.

1.0 Introduction

This Annual Report to the Commissioner is prepared by the Office of the Privacy Commissioner Audit Committee, pursuant to the requirements as set out in the Treasury Board's 2012 Policy on Internal Audit and the approved AC Terms of Reference. This is the Committee's fifth Annual Report.

This Report describes the activities carried out by the AC and provides the external members' perspectives and observations based on the work undertaken during the 2013-14 fiscal year.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the OAG. Our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Finally our aim has been to provide the Commissioner with objective, clear and constructive advice.

As specified in the Treasury Board Directive on Internal Auditing in the Government of Canada, the AC provides oversight in the following key areas:

Values and Ethics
Risk Management
Management Control Framework
Internal Audit Function
External Assurance Providers
Follow-up on Management Action Plans
Financial Statements and Public Accounts Reporting
Accountability Reporting

The Audit Committee's observations of, and advice on, each of the oversight areas are detailed in Section 3 of this report.

2.0 Role and Membership of the Committee

The role of the AC is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC's risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities and accountability reporting.

The AC is composed of the following members:

Laurel Murray, CA, Chair, external member
Jocelyne Coté-O'Hara C.M., external member
Chantale Bernier, Interim Commissioner (ex-officio member)^{Footnote 1}

In addition, the following OPC staff were required to attend all 2013-14 AC meetings:

Chief Audit Executive, Daniel Nadeau, who is also the Chief Financial Officer
Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning and Management Practices

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference. Since its creation in 2008, the Terms of Reference have been frequently reviewed and updated by the Committee to ensure continued consistency with the Treasury Board of Canada (TB) Directive on Internal Auditing in the Government of Canada and then reaffirmed by the Commissioner. A copy of the current Charter is presented in Annex A.

To deliver on its approved Terms of Reference, the AC developed a 2013-14 Work Plan. A copy of the plan included in Annex B. Progress against the plan is monitored throughout the year to ensure the Committee delivered on its commitments.

3.0 Summary of 2013-14 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2013-14, together with advice provided to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four meetings during the year as follows:

June 4, 2013;
August 22, 2013;
November 14, 2013; and
March 11, 2014.

In addition, the external members attended the OPC's Strategic Planning session on November 13, 2013.

At the start of each AC meeting, members undertook an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key happenings across the organization since the last meeting as well as possible issues or opportunities that may impact the organization. These discussions provided members with valuable context and insights that promoted a better understanding and appreciation of the changing work and social environment.

There was 100% attendance by all AC members and required attendees at these meetings. Minutes were prepared for each meeting and approved by members at the subsequent meeting. The Chair formally signed the minutes to clearly convey their approval by the Committee.

As part of each Committee meeting, the external Committee members held in-camera discussions with the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. This provides an opportunity for these officials to raise and discuss sensitive issues in confidence. The external members also meet in camera at each meeting to discuss issues as required.

3.2 Professional Development

In November 2013, the external members of the Committee attended the Office of the Comptroller General's Department Audit Committee (DAC) symposium on Providing Value; Embracing Renewal: How DACs can Contribute to the Transformation Agenda.

3.3 Transparency

DAC information is publicly available on the OPC website. This includes bios of the AC members, the Committee's Terms of Reference and approved internal audit reports. The proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC's activities during the year to discharge its responsibilities in providing the Commissioner with advice that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

At the June meeting, members reviewed the OPC's results of the 2011 Public Service Employee Survey. Members noted that the participation rate of 72% was consistent with that of the Public Service average, as were the results in many areas. The survey highlighted that things are working reasonably well, while also identifying areas for improvement. The Committee reviewed the Action Plan developed to address noted areas for improvement as well as the process management undertook to extensively consult with staff from across the organization in developing the plan. Over the coming year, the AC will review management's progress in implementing the action plan

As outlined in the MAF assessment and 2013-14 status update, a key element of the workplan management developed to support the implementation of the TB Policy on Conflict of Interest and Post Employment Measures, includes a Values and Ethics Framework as well as Conflict of Interest and Post-employment measures. The AC was briefed that this work was underway in 2013-14 and members look forward to reviewing both elements at the upcoming June 2014 meeting.

The AC members are pleased with management's continued leadership and commitment to define and embed sound values and ethics throughout the organization.

4.2 Risk Management

A key element of OPC's formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year. The CRP provides a summary of the organization's strategic risks requiring ongoing management and monitoring and is a key input into the organization's strategic planning process and the development of the OPC's Report on Plans and Priorities (RPP), a key accountability document in the Estimates process.

For 2013-14, while elements of the CRP, including the environmental scan, were provided to the AC members as part of the November Strategic Planning session, the external members reviewed the document and provided advice electronically. The external members agreed with the identification and assessment of the key risks and mitigation strategies developed. Subsequent to this review, on the advice of the Committee, members were briefed at the March 2014 meeting on the OPC's risk monitoring process, including tracking against key risk indicators included in the CRP and the integration of risk reporting into quarterly reporting and monitoring by SMC.

The Committee is pleased with the risk management arrangements currently in place within OPC. With the shift to new leadership, over the coming year the AC will continue to closely monitor risk management practices and actions being taken or required to effectively manage during this period of transition.

4.3 Management Control Framework

The AC's review of the OPC's management control framework (MCF) during the year focused on internal controls, performance management, results of the Threat Risk Assessment, Management Accountability Framework (MAF), financial resource management and quarterly financial reporting.

Internal Controls

Members reviewed elements of OPC's internal controls throughout the year. At the June meeting, members were briefed on the work underway to document, assess and test OPC's system of internal controls, including controls over financial reporting. AC members were pleased with the results of the initial assessment of entity level controls, IT general controls and business process controls as well as with the corresponding action plan developed to address identified gaps and areas for improvement.

Following the initial assessment, at the November meeting, members were briefed on the work the Corporate Services Branch (CSB) is doing to formalize a risk-based plan to test the effectiveness of OPC's controls over financial reporting as well as test key controls with respect to the following key areas:

Payroll;
Management of the OPC's contribution program;
Shift to a paperless environment; and
Collaborative or shared service arrangements OPC enters into.

The Committee is pleased with the work undertaken to date and will continue to actively monitor it going forward, including the results of control testing undertaken.

One issue came to the AC's attention in relation to the safeguarding of a peripheral information technology device during the move of OPC's head office in March 2014. During the move, a hard drive containing a backup of the OPC's Performance Budgeting for Human Capital (PBHC) was lost. This drive reflected some personal information for approximately 800 current and former OPC and Office of the Information Commissioner (OIC) staff. The hard drive did not have any label indicating its contents and a specialized program is required to read the data. In addition, a review of the data fields by staff indicates that none of the data, either individually or in aggregate, facilitates theft of the affected employee's identity. Immediately upon realizing the disappearance of this drive, management and staff deployed a multi-pronged strategy to manage the incident and its impact on current and former staff. This included exploring all possible scenarios as to the locale of the drive, notifying all current and former staff of the incident, and initiating an internal investigation. Management has also initiated an external investigation into the matter, engaging the services of a leading security expert. The AC was briefed on this matter and management's response on a timely basis and will review the results of the investigations currently underway.

Performance Management

At the strategic level, OPC utilizes its strategic Performance Measurement Framework (PMF) aligned with the Program Alignment Architecture (PAA) to plan and report on its mandate and Parliamentary appropriation each year. At the operational level, management has developed a monthly scorecard to actively monitor the delivery of its programs and services. This scorecard is aligned with strategic PMF in terms of the performance indicators. While this enables Senior Management Committee (SMC) to review actual activity and results, the AC encourages management to enhance the reports to include an explicit articulation of the related performance targets reflected in the Report on Plans and Priorities (RPP). This will enable management to readily zero in on those areas of performance that are on track to meeting performance expectations articulated to Parliament and where corrective action may be required.

Augmenting the monthly scorecard are quarterly reports for Corporate Services and Human Resource Management. These reports are presented at SMC on a quarterly basis. While the Human Resources report includes service standards, Corporate Services Branch is working to develop service standards to support more effective monitoring and management of the services rendered.

The AC supports management in the development of operational performance reporting. In the coming year, the Committee will assess the extent to which management further matures its performance management to support the effectively delivery of results consistent with expectations.

Threat Risk Assessment

At the June meeting, Committee members were briefed on the results of the recent Threat Risk Assessment (TRA) undertaken under the leadership of OPC's Information Management and Information Technology (IT) Branch. The assessment, undertaken by independent consultants, found that while there are some opportunities for improvement, overall OPC's platform and security protection is well managed.

AC members were briefed on OPC's response to the assessment as well as the action plan to address areas for improvement felt to be of medium to high risk, noting that those issues with respect to physical security will largely be addressed through the move to the new premises.

MAF Self-Assessment

As an Agent of Parliament, the OPC is not subject to the Treasury Board Management Accountability Framework (MAF) assessment. However, recognizing the value in continuing to improve its management processes and practice, management undertakes a MAF self-assessment exercise biennially. At the November meeting, AC members reviewed management's progress in addressing four areas noted for improvement in the prior year assessment. With respect to Evaluation, the Committee recommended that management examine a model appropriate for a very small organization, including leveraging existing governance structures to the extent possible and practical. The Committee also recommended that the evaluation of the Contribution Program be undertaken on a timely basis to facilitate the renewal of the program prior to its expiry.

Financial Resource Management

Financial resource management is critical to supporting the organization in effectively managing its resources, particularly in response to increasing demands and changing priorities. Over the past couple of years, the CMB has put in place modified tools and processes to support improved financial resource management across the organization and provided associated mandatory formal training to employees and managers. This has been particularly crucial during this time of fiscal restraint and a costly move of the OPC's headquarters. In addition to the implementation of modified budgeting and forecasting tools and hands-on support and challenge function provided by Finance staff, financial management performance indicators and targets have been integrated into executives' Performance Management Agreements (PMA's).

Briefings provided by the CFO throughout the year, indicate that the organization is reaping the fruits of this work in that OPC managed its 2012-2013 and 2013-14 resources within the target established to support a carryover of any unspent funds into the following year. This was particularly notable for these two years given the uncertainty regarding the final cost of the move of the headquarters, increased demands flowing from a rise in complaints requiring investigations, increased costs with respect to recent collective agreements and a $430,000 reduction in OPC's annualized funding commencing in 2014-2015 in response to Budget 2012.

Quarterly Financial Reporting

The AC reviewed and provided feedback and advice on the OPC's 1^st, 2^nd and 3^rd 2013-14 Quarterly Financial Reports. Members found the year's reports to be succinct and complete, with no substantive concerns noted.

4.4 Internal Audit Function

4.4.1 Governance

OPC's in-house internal audit capacity consists of a Director, Business Planning and Management Practices, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Director General, Corporate Services and Chief Financial Officer, reports directly to the Commissioner.

To augment the in-house capacity, OPC co-sources both the development of the RBAP and the individual internal audit engagements with an outside professional services firm. This arrangement enables OPC to retain control and oversight of the internal audit function while leveraging the expertise and experience of internal audit professionals. On the advice of the AC, management strengthened its audit process to ensure that professional service firms provide an attestation that their audit work complies with the Internal Auditing Standards for the Government of Canada. The AC Chair, who is a Chartered Accountant with significant internal audit expertise, also provides expertise, guidance and advice to support the enhancement of this function and its independence and oversight throughout the year.

As required under the Policy, the Chief Audit Executive is required to provide an annual report to the AC and the Commissioner. The Committee reviewed the CAE's 2012-2013 Annual Report. While no areas of concern were noted, the issue of redundancy or duplication between the AC Annual Report and the CAE Report was highlighted and discussed. On the recommendation of the CAE, going forward, the CAE report will primarily focus on the performance of the function whereas the AC Annual Report will, based on the work of the Committee, provide an objective assessment or perspective on the quality and functioning of the OPC's risk management, control and governance frameworks and processes.

At the June meeting, during an in-camera meeting with the Commissioner, the external members provided input into the performance appraisal of the CAE.

4.4.2 Internal Audit Engagements and Risk-based Planning

As outlined in the approved 2013-14 to 2015-2016 Risk-based Audit Plan (RBAP), no assurance engagements are scheduled for 2013-14. Over the past four years, the eight internal audit engagements carried out have provided extensive coverage across each of the organization's four program areas outlined in the OPC's audit universe. And during this this time period, management has implemented a wide range of improved management processes and practices in the areas audited as well as other areas of the organization. In addition, 2013-14 was a year of significant change for the organization; changes that included investigations modernization, a move of OPC's headquarters, and a change in leadership.

At the November 2013 meeting, the AC reviewed the Plan, including the proposed projects reflected for 2013-14. Committee members continued to support the decision to forego any audit projects for 2013-14 and rather than proceeding with the previously planned follow-up audit to the Internal Audit of Responding to Inquiries and the Internal Audit of Utilization of Inquiries and Investigations Branch Information for Management Decision-Making, and the audit of service standards, members recommended that the risks associated with these areas be reviewed and assessed through the development of the 2014-2015 RBAP.

AC members were engaged in the development of the 2014-2015 RBAP, including providing direct input to the preparers of the plan in early December. The draft 2014-2015 RBAP was tabled and discussed at the March 2014 meeting. The Plan outlines an audit of Information Management and Information Technology for 2014-15 instead of the proposed audit of service standards. AC supports this change, given that IM/IT is subject to a high degree of change and has a high strategic importance to the OPC. However, as service standards are integral to delivering on results, the Plan has included this element in the 2015-2016 audit of investigations (PA and PIPEDA). The follow-up audit for 2014-2015 noted above was removed from the 2014-2015 RBAP is it no longer was felt to be an area of high risk or priority and given that all previous audit recommendations were closely monitored by the AC and have now been fully implemented. Following the discussion and subject to some editorial changes, the external members recommended the Commissioner approve the 2014-2015 RBAP.

4.4.3 Internal Audit Self-Assessment

In advance of an external practice inspection as required by the Internal Auditing Standards for the Government of Canada (the Standards), the CAE and his team undertook a self-assessment of the OPC's internal audit function. The assessment found the function generally complies with the Definition of Internal Audit, the Code of Ethics, and the Standards. These results, together with actions being undertaken to address some opportunities for improvement with respect to governance, the Risk-based Audit Plan (RBAP), follow-up activities and, accountability reporting, positions the internal audit function for the practice inspection.

The AC looks forward to reviewing the results of the practice inspection early in the new fiscal year.

4.5 External Assurance Providers

Each year, the Office of the Auditor General (OAG) carries out an audit of the OPC's financial statements with the objective of rendering an audit opinion on these statements. Representatives from the OAG attended the Committee's March meeting to discuss the plan for the annual audit of OPC's 2013-14 financial statements.

The OAG Audit Principal attended the AC's August 2013 meeting to review and discuss the audited financial statements, the Management Representation Letter and the OAG's report to the AC highlighting the annual audit results for the year ended March 31, 2013. For the ninth straight year, the OAG rendered an unmodified^{Footnote 2} audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter.

4.6 Follow-up on Management Action Plans

The AC monitors management's progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management's progress in implementing outstanding actions.

As outlined in the table that follows, there were 4 outstanding audit recommendations as at April 1, 2013. During the year, a further 16 audit recommendations came on stream from the three audit and review engagements that were approved in 2012-13 and had recommendations outstanding at the end of the last fiscal year. Of these 20 audit recommendations, 16 were fully implemented during the year with the remaining 4 experiencing some delays from the target implementation date. This translates into an implementation rate of 80%.

The AC reviewed the rationale for delays in the remaining four management actions as well as the CAE's attestation that there are no significant risks to the organization as a result of the implementation lag. The Committee paid particular attention to the delay in implementing the remaining management actions stemming from the 2010-2011 Audit Responding to Inquiries, relating to the development of an electronic mechanism and process for the public to request information from the OPC. Management initially planned to implement an email mechanism; however, as this was found to be less than ideal in the long term, management is carrying out a privacy impact assessment (PIA) for the implementation of an on-line tool and process, both of which are expected to be easier for the public to utilize and for the OPC to manage. This is targeted for implementation in the coming year.

**Table 1 - 2013-14 MRAP Implementation Status**
Project Title	Year	# Recs Issued	# Outstanding at Mar 31, 2013	2013-14 Status
Project Title	Year	# Recs Issued	# Outstanding at Mar 31, 2013	Fully Implemented	On-Track	Delayed	# Outstanding at Mar 31, 2014
Audit of the Utilization of Inquiries and Investigations Branch Information for Management Decision Making.	2010-2011	10	3	3			0
Audit Responding to Inquiries	2010-2011	4	1	0		1	1
Audit of Procurement and Contract Management	2012-2013	4	0	4			0
Privacy Control Self-Assessment Report	2012-2013	6	0	6			0
Management Practice Review of Information Sharing Practices	2012-2013	6	0	3		3	3
Total		30	4	16		4	4

The external members are pleased with management's diligence in developing fulsome action plans to address audit recommendations and implementing the vast majority of actions in a timely manner.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the OAG each year. As noted in section 4.5, the AC met with the OAG in August to review and discuss the OPC's 2012-2013 audited financial statements. The AC recommended the Commissioner approve these financial statements.

4.8 Accountability Reports

AC members reviewed the OPC's draft 2012-2013 Departmental Performance Report (DPR) and the draft 2014-2015 Report on Plans and Priorities (RPP). AC members provided advice and recommendations to management prior to their approval by the Commissioner.

5.0 Additional areas of oversight

In addition to providing oversight of the core areas of responsibility, the AC provided the Commissioner with strategic advice in the following two key areas during 2013-14

5.1 Agents of Parliament

The AC continued to be apprised of discussions between the Agents of Parliament, including the pursuit of possible areas of enhanced collaboration between the Agents. With the move of the headquarters to Gatineau, management worked, and continues to work, closely with the other Agents located in the same building to identify and seize opportunities to share space and services. AC members commend management for implementing shared library space, mailroom and training rooms immediately upon occupying the new locale. Members advised the Commissioner to continue to seize such opportunities where the benefits of shared or collaborative services outweigh the costs of such arrangements.

5.1 Move to Gatineau

The AEC was kept apprised of the plans underway to move the Headquarters to Gatineau in March 2014. Members supported the engagement of a dedicated team to manage the project and the active collaboration with staff throughout the process.

6.0 Looking Ahead

Over the coming year the Committee will continue to exercise oversight across all eight areas of responsibility with particularly emphasis on the following:

Focus on program challenges and opportunities - provide advice on management practices that can help address program challenges and support management in seizing opportunities.
Continued review and advice on financial resource management - recognizes the criticality of the continued diligent management of the OPC's scarce financial resources given the increased costs associated with the new collective agreement, the increasing demands placed on the OPC and the reduction of funding ($430K) in 2014-2015 - may link in with the item above.
Be briefed on internal and external investigations underway to examine the loss of the disc drive during the March move to the new HQs.

ANNEX A – Audit Committee Terms of Reference

Revised in May 2012

1. INTRODUCTION

This document outlines the purpose, responsibilities, membership and operating procedures of the Audit Committee (the Committee) in the Office of the Privacy Commissioner of Canada (OPC).

The Committee is an essential component of the internal audit regime established within OPC and reflective of both the Treasury Board Policy on Internal Audit which came into effect on April 1, 2006^{Footnote 3} and the Joint Agreement of the Working Group of Officers of Parliament.^{Footnote 4} The latter reinforces OPC’s status as an Officer of Parliament.

The Working Group of Officers of Parliament have agreed that the intent of the government’s Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament, but taking account of their status of independence, their relatively small size and the oversight role played by the Parliamentary Advisory Panel on the funding of Officers of Parliament.

2. MANDATE

The Committee provides objective advice and recommendations to the Commissioner regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the department's risk management, control and governance frameworks and processes (including accountability and auditing systems). This work supports the Commissioner in her role as OPC’s accounting officer before Parliament.

To give the Commissioner this support, the Committee reviews, with a risk guided focus, all core areas of OPC management, control and accountability processes in an integrated way, such that the results of internal audits may be incorporated into the OPC priority-setting and strategic planning processes. Hence, the work of the Committee reinforces the quality and reliability of the financial and other performance information used by OPC managers for decision-making and reporting and, in so doing, contributes to enhanced managerial accountability. The Committee also serves to reinforce the independence, effectiveness and accountability of the Chief Audit Executive.

The Committee also provides advice and recommendations as may be requested by the Commissioner.

3. COMMITTEE REPORTING AND COMPOSITION

3.1 Membership

The Commissioner is responsible for establishing an independent audit committee for the Office consisting of three members. There are two external members who are not currently members of the Federal Public Service and the Commissioner is an ex-officio member. The Chief Audit Executive (CAE)/Chief Financial Officer (CFO) attends all meetings.

The Commissioner is responsible to select the Committee’s Chair, the members and the Secretary. All members of the Committee shall be, or become within the first year of appointment, financially literate and familiar with private- or public-sector financial reporting. At least one member is a financial expert who possesses a professional accounting designation.

Members shall be independent as demonstrated by their absence of real and perceived, direct and indirect, personal and financial interest or that of their family and business associates and competitors AND by their personal capacity and behaviour to engage the management, CAE and external auditors in demanding explorations of practices and areas of concern. It extends to seeing this principle through to standing by one’s challenge to reports and practices held to be incompatible with the facts or to acceptable practices – even when colleagues on the Committee may be inclined to defer. The consequence of this is the duty to inform the Commissioner directly in such a case. Protection of independence may result in a mutual agreement to terminate the appointment.

3.2 Reporting

The Chair represents the Committee in periodic meetings with the Commissioner.

3.3 Length of Term

Members shall be appointed for a term of four years. A member shall serve no more than two terms. To ensure continuity, mandates can be staggered, and some initial terms may be for less than four years.

4. COMMITTEE MEETINGS

4.1 Frequency

The Committee shall meet two or three times a year either in person or by teleconference, with more meetings as deemed necessary by the Chair. The Committee’s meeting schedule will normally be set out six months in advance so that OPC management and internal auditors can prepare the information and reports required to support the Committee’s work. Rescheduling of Committee meetings will be by exception only.

4.2 Quorum

Quorum shall be a majority of the members. No alternates shall be permitted.

4.3 Preparation and Attendance of Members

To enhance the effectiveness of the Committee meetings, each member shall:

Devote the time necessary to prepare for, and participate in, each meeting: this involves reading the reports and reference documents provided for the meeting;
Maintain an excellent record of attendance at meetings.

4.4 Attendance of Non-Members

The Chief Audit Executive shall attend all meetings of the Committee. The Chair may request the attendance of other senior officials. When required, the Chair shall ask a senior representative of the external assurance providers to attend the Committee meetings to discuss the plans, findings and other matters of mutual concern.

4.5 Minutes of meetings

Minutes of each meeting are kept and contain the list of attendees, a summary of the decisions made and an overview of the points discussed. The minutes are approved by the Committee and signed by the Chair on behalf of the Committee.

4.6 In camera meetings

As part of each Committee meeting, the Committee shall meet in camera with the CAE/CFO, representatives of external assurance providers when in attendance and any other officials the Committee decides to call.

4.7 Committee’s Annual Plan

The Chair, in consultation with the other members of the Committee, shall prepare a plan for recommendation to the Commissioner, to ensure that the responsibilities of the Committee are scheduled and fully addressed.

4.8 Examination of the Committee’s Terms of Reference

The Committee shall periodically review its terms of reference and if revised, submit them to the Commissioner for approval.

5. RESPONSIBILITIES

The particular emphasis and priorities from among the Committee’s key areas of responsibility are to be set by the Commissioner in consultation with the Committee. In doing so, consideration is given to the OPC’s mandate, objectives and priorities, as well as the corresponding risks affecting the organization.

Below are the key areas of responsibility that fall within the scope of concern of the Committee, and that will be reviewed with an appropriate risk-guided focus and cycle.

5.1 Values and Ethics

The Committee shall review and provide advice on the OPC’s systems and practices established by the Commissioner to monitor compliance with laws, regulations, policies and standards of ethical conduct and identify and deal with any legal or ethical violations. This may also include the arrangements established by management to exemplify and promote public service values and to ensure compliance with laws, regulations, policies, and standards of ethical conduct.

5.2 Risk Management

The Committee shall review and provide advice on the risk management arrangements established and maintained by the OPC.

5.3 Management Control Framework

The Committee shall review and provide advice on the departmental internal control arrangements, and be informed on all matters of significance arising from the work performed by others who provide assurances to senior management and the Commissioner.

5.4 Internal Audit Function

The Committee shall:

Recommend, and periodically review, the OPC Internal Audit Charter for approval by the Commissioner;
Provide advice to the Commissioner on the sufficiency of resources of the internal audit function;
Review and recommend for approval by the Commissioner the Risk-Based Audit Plan;
Monitor and assess the performance of the Internal Audit function;
Advise the Commissioner on the recruitment and appointment, as well as the performance of the Chief Audit Executive;
Review and recommend for the Commissioner’s approval internal audit reports and corresponding management action plans to address recommendations;
Be advised of audit engagements or tasks that do not result in a report to the Committee and be informed, by the appropriate level of management, of all matters of significance arising from such work;
Review regular reports on progress against the risk-based audit plan.

5.5 External Assurance Providers

The Committee shall be informed of and shall advise the Commissioner on:

All audit work relating to the OPC to be undertaken by external assurance providers, including management’s response; and,
Audit-related issues and priorities raised by external assurance providers.

5.6 Financial Statements and Public Accounts Reporting

The Committee shall review and provide advice to the Commissioner on the key financial management reports and disclosures of the department, including quarterly financial reports, annual financial statements and Public Accounts.

The Committee shall also review the annual Statement of Management Responsibility Including Internal Control over Financial Reporting and provide advice to the Commissioner on the risk-based assessment plans and associated results related to the effectiveness of the departmental system of Internal Control over Financial Reporting.

Since the OPC financial statements are audited by the OAG, the Committee shall review:

The financial statements with the external auditor and senior management, discuss any significant accounting estimates and adjustments therein, any adjustments required to the statements as a result of the audit, as well as any difficulties or disputes encountered with management during the course of the audit;
Management letters arising from the external audit;
The auditor's findings and recommendations relating to the internal controls in place for financial reporting and consider their impact on controls, risk management and governance processes.

5.7 Follow up on Management Action Plans

The Committee shall review regular reports on the progress of the implementation of approved management action plans resulting from prior internal audit recommendations as well as management action plans resulting from the work of external assurance providers.

5.8 Accountability Reporting

The Committee shall receive copies of the Report on Plans and Priorities, the Departmental Performance Report and other significant accountability reports. These reports provide context for the deliberations of the Committee and advice to the Commissioner. Over time, and in the course of successively reviewing these documents, the Committee will be attentive to, and provide advice on, any material misstatements or omissions.

Once the Office has an evaluation function, the evaluation plan and evaluation reports should be tabled with the Committee for information, after they have been approved by the required authority (i.e., another committee or senior management).

6. OPERATIONS

6.1 Access

The Committee has full access to the Chief Audit Executive and the other OPC employees and documents required to fulfill its responsibilities, subject to applicable legislation. The CAE has full access to the Committee and to the Committee Chair.

6.2 Orientation, Training, and Continuing Education of Committee Members

Members shall receive formal orientation and training on the Committee's responsibilities and objectives and on the business of the OPC.

6.3 Support

The Internal Audit function provides the Committee with the necessary support to carry out its responsibilities and fulfill its duties. The Committee also has the power to obtain independent help and advice. The support to the Committee includes among other things:

Administrative duties (i.e., preparation and distribution of meeting agendas, minutes and materials);
Supporting the Committee in executing its work;
Supporting the Committee in assessing its performance;
Supporting the Committee in its accountability reporting;
Supporting the orientation for new members.

6.4 Duty to Inform and Duty to Resign – Disagreement

In the event that a member of the Committee has a difference of opinion with another member that cannot be resolved by the Chair or if the member has an unresolved difference of opinion with the Chair and provided that the difference of opinion, from the perspective of the member, has, or could have, a material, negative impact on the fairness of reported information or on the integrity of operations of the OPC or involves the questionable behaviour of an individual then the member shall bring the issue forward for resolution, as follows:

Bring the issue to the attention of the Commissioner within a reasonable timeframe.
If the Commissioner is unable to resolve the issue and if the member is of the opinion that the issue still remains, the member has a duty to resign.

7. EVALUATION OF THE COMMITTEE’S PERFORMANCE

The Committee shall periodically evaluate its own performance to continually improve how it carries out its responsibilities. The Committee’s performance shall also be part of an external evaluation of the internal audit function that is to be carried out at least every five years, by an independent auditor.

8. ANNUAL REPORT

The independent members of the Committee shall submit an annual report to the Commissioner that shall:

Summarize the results of the Committee's reviews of areas of responsibility;
Provide the independent members’ assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and,
Express views in the annual report and shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by departmental officials in the preparation of the annual report.

9. APPROVAL OF COMMITTEE TERMS OF REFERENCE

Reviewed by the Audit Committee

Date

Approved by the Commissioner