Internal Audit Committee Annual Report 2014-15

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

September 2, 2015

Foreword from the External Members of the Committee

It is with great pleasure that we submit the Annual Report from the external members of the Audit Committee (AC) of the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2015.

We wish to say how pleased we are with the enhancements OPC continues to make to its management practices. The 2014-2015 year was one of challenges and change: challenges in delivering on results and priorities during a period of continued fiscal constraint and changes that included the implementation of Canada's Anti-Spam Legislation (CASL) and the appointment of the new Commissioner. Diligent attention and the financial forecasting process throughout the year supported management in prudently managing resources to deliver on priorities and expected results. The soundness of OPC's accounting and financial reporting practices is evidenced by the tenth straight clean/unmodified audit opinion the Office of the Auditor General rendered on the 2013-2014 financial statements. The completion of the internal audit on Information Management/ Information Technology (IT) Governance and the commencement of the Privacy Act Investigations program review illustrate how the organization leverages its internal audit function effectively to provide the Commissioner and management with assurance on governance, risk management and control practices and offer practical and helpful recommendations to address areas for improvement.

Over the past year we engaged members of the Executive team at each meeting. These conversations provided us with a valuable opportunity to learn more about OPC's business, challenges and accomplishments and to further management's understanding of the Audit Committee and its work. We look forward to continuing these discussions in the coming year.

Commissioner, we sincerely appreciate your continued interest in and support for the Audit Committee. We would also like to thank your Executive team and, in particular, the Corporate Services Branch for their continued hard work and support for the AC. In the coming year, the Committee will continue to review management practices, offering advice and practical recommendations that support improvement while also providing strategic advice to support the finalization and implementation of the new privacy priorities.

Laurel Murray, CPA, CA

Jocelyne Coté-O'Hara, C.M.

1.0 Introduction

This Annual Report to the Commissioner is prepared by the Office of the Privacy Commissioner Audit Committee (AC), pursuant to the requirements as set out in the Treasury Board's 2012 Policy on Internal Audit and the approved AC Terms of Reference.

This Report describes the activities carried out by the AC and provides the external members'^{Footnote 1} perspectives and observations based on the work undertaken during the 2014-2015 fiscal year.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Finally our aim has been to provide the Commissioner with objective, clear and constructive advice.

As specified in the Treasury Board Directive on Internal Auditing in the Government of Canada, the Audit Committee provides oversight in the following key areas:

Values and Ethics
Risk Management
Management Control Framework
Internal Audit Function
External Assurance Providers
Follow-up on Management Action Plans
Financial Statements and Public Accounts Reporting
Accountability Reporting

The Audit Committee's observations of, and advice on, each of the oversight areas are detailed in Section 3 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC) is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC's risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities and accountability reporting.

The AC is composed of the following members:

Laurel Murray, CA, Chair, external member
Jocelyne Coté-O'Hara C.M., external member
Daniel Therrien, Commissioner, ex-officio member

In addition, the following OPC staff were required to attend all 2014-2015 AC meetings:

Chief Audit Executive, Daniel Nadeau, who is also the Chief Financial Officer
Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning and Management Practices^{Footnote 2}

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference. Since its creation in 20-0-8, the Terms of Reference have been frequently reviewed and updated by the Committee to ensure continued consistency with the Treasury Board of Canada (TB) Directive on Internal Auditing in the Government of Canada and then reaffirmed by the Commissioner. A copy of the Audit Committee Terms of Reference, as approved in November 2014, is presented in Annex A.

To deliver on its approved Terms of Reference, the Audit Committee developed a 2014-2015 Work Plan that was approved at the June meeting. A copy of the plan included in Annex B. Progress against the plan is monitored throughout the year to ensure the Committee delivered on its commitments.

3.0 Summary of 2014-2015 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2014-2015, together with advice provided to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four meetings during the year as follows:

June 20, 2014;
August 22, 2014;
November 18, 2014; and
March 24, 2015.

In addition, the external members also attended the OPC's November Strategic Planning session focused on establishing the organisational priorities going forward, along with the key commitments to start implementing the priorities in the coming year.

At the start of each AC meeting, members undertook an open discussion of emerging issues facing the organization as well as the evolution of the new privacy priorities being developed under the leadership of the Commissioner. During these discussions, the Commissioner briefed members on key happenings across the organization since the last meeting as well as possible issues or opportunities that may impact the organization. These discussions provided members with valuable context and insights that promoted a better understanding and appreciation of the changing work and social environment. They also provide an opportunity for AC members to provide the Commissioner with strategic advice in new or emerging areas or issues facing the OPC. For example, following a discussion of the impact of the passage of Bill C-51 on the Office's business, members suggested that the Commissioner consider conducting reviews of information controls of the seventeen (17) departments and agencies that will be impacted by this legislation as a proactive approach to helping monitor compliance and share good practices.

The Committee also received briefings from members of the Executive teams throughout the year. These sessions provided an opportunity for the members to continue to strengthen their understanding of the OPC's programs, including emerging issues and challenges. While members had previously received ad hoc briefings or updates on elements of the OPC's business, the Committee implemented a more regularized briefing process in 2014-2015. For example, at the June meeting, the Committee received an overview of the OPC's responsibilities under Canada's Anti-Spam Legislation (CASL). Members discussed key challenges, risks and mitigation strategies with the CASL team, including required changes to the organization's enforcement approach with respect to PIPEDA as a result of this new legislation. At the November meeting members were briefed on PIPEDA investigations including the 'Boost' initiative undertaken to streamline the related investigation process and reduce processing times and progress and early learnings from the implementation of CASL.

There was 100% attendance by all AC members and required attendees at meetings held during 2014-2015. In recognition of the elapsed time between meetings, a new minutes of meeting approval process was implemented during the year. This entails Audit Committee members electronically reviewing and approving the minutes within weeks following the AC meeting, while retaining the ability to defer such approval if necessary to the following meeting. This has resulted in efficiencies to the process as well as the ability to inform management of the AC's work and advice on a timely basis. Following the Committee's' approval of the minutes, the Chair formally signed them to clearly convey this approval.

As part of each Committee meeting, the external Committee members held in-camera discussions with the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. This provides an opportunity for these officials to raise and discuss sensitive issues in confidence. The external members also meet in camera at each meeting to discuss issues as required.

3.2 Professional Development

In November 2014, one of the external members of the Committee attended the Office of the Comptroller General's Department Audit Committee (Contribute DAC) symposium on innovation and excellence.

3.3 Transparency

DAC information is publicly available on the OPC website. This includes bios of the AC members, the Committee's Terms of Reference, annual reports and approved internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC's activities during the year to discharge its responsibilities in providing the Commissioner with advice that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Throughout the year, the Committee reviewed various elements of the OPC's values and ethics practices. This included a review of the OPC's Values and Ethics (V&E) program, the new Directive on Conflict of Interest and the results of the Public Service Employee Survey (PSES).

The committee was pleased to learn about work undertaken to strengthen the organization's V&E program. This program, comprised of training and communication, program and policy alignment, and management consolidates both existing and newly developed V&E practices and processes. For example, the new program consolidates the existing requirement for new employees to undertake V&E training as part of their orientation to the OPC. It also includes the current requirement for all employees to confirm their adherence to the Values and Ethics Code as part of the annual performance agreement process.

The new Directive on Conflict of Interest that the organization launched in 2014 is an example of a new V&E element that is included in the overarching program. This Directive is designed to provide employees with clarity and consistency on how to identify and address situations where there is, or may be, a real or perceived conflict of interest. The members recommended that management seek to tease out key messages reflected in the directive and leverage them in internal communications as an ongoing and practical reminder to staff in this area. The Committee looks forward to reviewing the results of the implementation of this new directive in 2016-2017.

By integrated the various V&E practices and processes into a consociated program, the OPC is well positioned to support, encourage and monitor a strong public service culture amongst the employees. The results of the recent PSES results highlight the positive culture in place at the OPC. In the vast majority of areas surveyed, the OPC consistently scored above the Public Service. The only area where there was a notable deviation is with respect to the lack of advancement opportunities at the OPC, an issue that is common in small organizations.

The Audit Committee members are pleased with management's continued leadership and work in developing, implementing and sustaining a sound values and ethics regime that is for the organization.

4.2 Risk Management

A key element of OPC's formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year. The CRP provides a summary of the organization's strategic risks requiring ongoing management and monitoring and is a key input into the organization's strategic planning process and the development of the OPC's Report on Plans and Priorities (RPP), a key accountability document in the Estimates process.

During the year, the AC reviewed with management the organization's key risk statements and their integration into the Corporate Risk Profile. Members provided comments and suggestions to clarify certain text and to ensure that the right risk indicators are monitored for each risk.

Over the coming year, the Committee looks forward to providing advice in leveraging and utilizing a risk lens for the development and implementation of action plans to deliver on the Commissioner's new privacy priorities.

4.3 Management Control Framework

The Audit Committee's review of the OPC's management control framework (MCF) during the year focused on internal controls, financial management, results of the Threat Risk Assessment, Management Accountability Framework (MAF), financial resource management and quarterly financial reporting.

Internal Controls

Members monitor elements of OPC's internal controls throughout the year, including Internal Controls over Financial Reporting (ICFR). While the results of current year ICFR testing are expected early in the next fiscal year, members discussed the testing approach. Members encouraged the utilization of previous testing results and current risks in determining the scope and timing of planned testing going forward. Members also recommended that testing results presented to the AC in the coming year focus on any gaps identified and management's proposed actions to address these gaps in a timely manner.

Financial Management Control Framework (FCMF)

Recognizing the criticality of sound financial management, the OPC developed a Financial Management Control Framework (FCMF). This Framework outlines financial management standards and expectations for the organization, consistent with the legislative, policy and related requirements. Members commended management for the development of this document and recommended it be effectively communicated and embedded into the organization via an existing process like the annual planning process.

Threat Risk Assessment

During the year, members were briefed on the events that helped frame the conduct of the Threat and Risk Assessment (TRA), including the internal and external reviews following the incident of a loss hard drive and the enhancements to the OPC's network to address security issues. As a result of the TRA, management identified and addressed noted network security issues with a cost effective solution that meets not only the OPC's needs, but is being reviewed by other departments and agencies as a model for the Government of Canada - a wonderful testament to the ingenuity of the OPC's IM/IT Branch. Management developed an action plan to address other noted areas for improvement on a timely basis and in a manner that strikes the right balance between minimizing risk while still facilitating delivery of operations.

MAF Self-Assessment

As an Agent of Parliament, the OPC is not subject to the Treasury Board Secretariat's (TBS') Management Accountability Framework (MAF) assessment. However, recognizing the value in continuing to improve its management processes and practices, management utilizes the TBS framework to undertake a MAF self-assessment exercise biennially.

In 2014-2015, TBS overhauled the MAF assessment framework, introducing a smaller suite of areas of management that it planned to assess. Using this new framework, OPC's management assessed its current management practices. The members were briefed on this new methodology as well as the results of the self-assessment and were pleased to note that no significant issues or gaps were noted.

Financial Resource Management

Financial resource management is critical to supporting the organization in effectively managing its resources. Over the years, Corporate Services Branch (CSB) has put in a number of enhancements in this area and during the year, the Branch continued to strengthen organizational practices in this area. This included introducing a performance indicator related to financial forecasting in executive's Performance Management Agreements (PMAs). As a result of these efforts the OPC was able to manage its resources for 2014-2015 as planned. A lapse in funding related to the headquarter move was subsequently applied to the related loan so as to reduce the OPC's loan repayment costs going forward.

While resources were managed according to plan, the Audit Committee noted some aspects of the organization's core business (i.e. Privacy Act investigations) appear to be funded through the carryforward and in-year lapsed funds. The members recommended that this be looked at to help OPC avoid creating a structural deficit by using in year lapsed money to fund long-term pressures.

Quarterly Financial Reporting

The AC reviewed and provided feedback and advice on the OPC's 1st, 2nd and 3rd 2014-2015 Quarterly Financial Reports. While the format of these reports is prescribed by Treasury Board Secretariat, members found this year's reports to once again be succinct and complete, with no substantive concerns noted.

4.4 Internal Audit Function

4.4.1 Governance

The OPC's Internal Audit function supports the OPC's program activities and the CAE , who is also the Chief Financial Officer, reports directly to the Commissioner. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC's Internal Audit Charter that is recommended for approval by the Audit Committee and formally approved by the Commissioner. The Charter was reviewed by the Audit Committee in June 2014 and following some minor changes, was recommended for the Commissioner's approval at the November meeting.

The OPC's in-house internal audit capacity consists of a Director, Business Planning and Management Practices, with oversight by the Chief Audit Executive (CAE ). The CAE , who is also the Director General, Corporate Services and Chief Financial Officer, reports directly to the Commissioner.

To augment the in-house capacity and support the independence of the audit function, OPC continues to co-source both the development of the RBAP and the individual internal audit engagements with an outside professional services firm. This arrangement enables OPC to retain control and oversight of the internal audit function while leveraging the expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Accountant with significant internal audit expertise, also provides expertise, guidance and advice to support the enhancement of this function and its independence and oversight throughout the year.

As required under the Policy, the Chief Audit Executive (CAE ) is required to provide an annual report to the Audit Committee and the Commissioner. Recognizing that the internal audit function at the OPC is very small and that there is the risk of duplication between the AC Annual Report and the CAE 's Annual Report, the Committee supported the CAE 's approach to tabling a streamlined annual report. The Committee discussed the CAE 's 2013-2014 Annual Report. While no issues or concerns were noted, the Committee recommended that going forward, the CAE include a brief segment highlighting his perspective on the strengths and opportunities for improvement in OPC's management processes and practices.

At the March meeting, during an in-camera meeting with the Commissioner, the external members provided input into the performance appraisal of the CAE .

4.4.2 Internal Audit Engagements and Risk-based Planning

During the year, the AC reviewed and discussed the 2013-2014 to 2015-2016 Risk-based Audit Plan (RBAP) with a view to determining any required modifications to the plan for 2014-2015. Following a review and discussion of the plan, including management's recommendation to split the audit of PA and PIPEDA into two audits with priority focus on Privacy Act Investigations, members approved the changes to the multi-year plan. During the subsequent planning for this audit, including more fulsome discussions with the Commissioner, it was decided to reframe this project as a higher level diagnostic or review of Privacy Investigation process. The AC was briefed on the rational for this modification and concurred with the approach being taken.

In addition to commencing the above-noted project, the Office completed the audit of Information Management/Information Technology (IM/IT) Governance during the year. Following the planning process, whereby managers from across the organization were engaged to identify and assess the risks with respect to information management and information technology, IT Governance was determined to be the aspect of IM/IT that would be the focus of this internal audit. As this area falls within the Corporate Services Branch, the Audit Committee Chair played a more active role on this engagement. This included participating in the risk workshop as well as reviewing and providing feedback and advice on the Audit Planning Memo and the draft Audit Report. At the March AC meeting, following a discussion on the draft report and accompanying management response and action plan, members recommended that the Commissioner approve the report.

4.4.3 Practice Inspection

An external practice inspection was undertaken in 2014-2015 as required by the Internal Auditing Standards for the Government of Canada (the Standards). The Committee reviewed the results of this inspection undertaken by an external firm with extensive experience in this area. Members were pleased to note that despite the OPC being a small organization, it essentially met the required standards in all areas with just three noted opportunities for improvement. Management tabled and addressed all actions flowing from this inspection by the end of the year. This included a Performance Measurement Framework (PMF) designed to help monitor the performance of the function and address any noted issues on a timely basis.

The AC was, and continues to be, particularly pleased with the work of the Director, Business Planning and Management Practices for her work in effectively managing a cost-effective internal audit function that meets the OPC's needs.

4.5 External Assurance Providers

Each year, the Office of the Auditor General (OAG) carries out an audit of the OPC's financial statements with the objective of rendering an audit opinion on these statements. Representatives from the OAG attended the Committee's March meeting to discuss the plan for the annual audit of OPC's 2014-2015 financial statements.

The OAG Audit Principal and Audit Project Leader attended the AC's August 2014 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG's report to the AC highlighting the annual audit results for the year ended March 31, 2014 was also a key document reviewed and discussed at this meeting. For the tenth straight year, the OAG rendered an unmodified^{Footnote 3} audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter. Following a fulsome discussion, the members recommended reference to the loss of the back-up drive in the Annex together with the key activities undertaken to mitigate the associated risks of this loss. The members then formally recommended the Commissioner approve the 2013-2014 financial statements.

4.6 Follow-up on Management Action Plans

The AC monitors management's progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management's progress in implementing outstanding actions.

As outlined in the table that follows, there were 4 outstanding audit recommendations as at April 1, 2014. Three of these recommendations were implemented by mid-March with the final recommendation expected to be completed shortly thereafter. The AC reviewed the rationale for the implementation delays as well as management's plans to complete the final outstanding recommendation. In the reporting provided throughout the year and discussion of the status of the outstanding recommendations, the CAE provided assurance that there is no notable risk to the organization as a result of the implementation delay.

**Table 1 - 2014-2015 MRAP Implementation Status**
Project Title	Year	# Recs Issued	# Outstanding at April 1, 2014	2014-15 Status
Project Title	Year	# Recs Issued	# Outstanding at April 1, 2014	Fully Implemented	On-Track	Delayed	# Outstanding at Mar 24, 2015
Audit Responding to Inquiries	2010-2011	4	1	0		1	1
Management Practice Review of Information Sharing Practices	2012-2013	6	3	3			0
Total		10	4	3		1	1

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the OAG each year. The AC met with the OAG in August to review and discuss the OPC's 2013-2014 audited financial statements. The AC recommended the Commissioner approve these financial statements.

4.8 Accountability Reports

AC members reviewed the OPC's draft 2013-2014 Departmental Performance Report (DPR) and the draft 2015-2016 Report on Plans and Priorities (RPP). AC members provided advice and recommendations to management prior to their approval by the Commissioner.

5.0 Looking Ahead

Over the coming year the Committee will continue to exercise oversight across all eight areas of responsibility with particular emphasis on the following:

Risks and performance measurement with respect to the implementation of the new privacy priorities
Provide advice on strategic performance measurement to support executive decision-making
Review of results of ICFR testing and any related management action plans to address any issues of note
Continued review and advice on financial resource management

ANNEX A - Audit Committee Terms of Reference

Revised in November 2014

1. INTRODUCTION

This document outlines the purpose, responsibilities, membership and operating procedures of the Audit Committee (the Committee) in the Office of the Privacy Commissioner of Canada (OPC).

The Committee is an essential component of the internal audit regime established within OPC and reflective of both the Treasury Board Policy on Internal Audit which came into effect on April 1, 2006^{Footnote 4} and the Joint Agreement of the Working Group of Officers of Parliament.^{Footnote 5} The latter reinforces OPC's status as an Officer of Parliament.

The Working Group of Officers of Parliament have agreed that the intent of the government's Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament, but taking account of their status of independence, their relatively small size and the oversight role played by the Parliamentary Advisory Panel on the funding of Officers of Parliament.

2. MANDATE

The Committee provides objective advice and recommendations to the Commissioner regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the OPC's risk management, control and governance frameworks and processes (including accountability and auditing systems). This work supports the Commissioner's role as OPC's accounting officer before Parliament.

To give the Commissioner this support, the Committee reviews, with a risk guided focus, all core areas of OPC management, control and accountability processes in an integrated way, such that the results of internal audits may be incorporated into the OPC priority-setting and strategic planning processes. Hence, the work of the Committee reinforces the quality and reliability of the financial and other performance information used by OPC managers for decision-making and reporting and, in so doing, contributes to enhanced managerial accountability. The Committee also serves to reinforce the independence, effectiveness and accountability of the Chief Audit Executive.

The Committee also provides advice and recommendations as may be requested by the Commissioner.

3. COMMITTEE REPORTING AND COMPOSITION

3.1 Membership

The Commissioner is responsible for establishing an independent audit committee for the Office consisting of three members. There are two external members who are not currently members of the Federal Public Service and the Commissioner is an ex-officio member. The Chief Audit Executive (CAE)/Chief Financial Officer (CFO) attends all meetings.

The Commissioner is responsible for selecting the Committee's Chair, the members and the Secretary. All members of the Committee shall be, or become within the first year of appointment, financially literate and familiar with private- or public-sector financial reporting. At least one member is a financial expert who possesses a professional accounting designation.

Members shall be independent as demonstrated by their absence of real and perceived, direct and indirect, personal and financial interest or that of their family and business associates and competitors AND by their personal capacity and behaviour to engage the management, CAE and external auditors in demanding explorations of practices and areas of concern. It extends to seeing this principle through to standing by one's challenge to reports and practices held to be incompatible with the facts or to acceptable practices - even when colleagues on the Committee may be inclined to defer. The consequence of this is the duty to inform the Commissioner directly in such a case. Protection of independence may result in a mutual agreement to terminate the appointment.

The external members of the Committee shall declare their independence and absence of conflict of interest annually.

3.2 Reporting

The Chair represents the Committee in periodic meetings with the Commissioner.

3.3 Length of Term

Members shall be appointed for a term of four years. A member shall serve no more than two terms. To ensure continuity, mandates can be staggered, and some terms may be for less than four years.

4. COMMITTEE MEETINGS

4.1 Frequency

The Committee shall meet two or three times a year either in person or by teleconference, with more meetings as deemed necessary by the Chair. The Committee's meeting schedule will normally be set out six months in advance so that OPC management and internal auditors can prepare the information and reports required to support the Committee's work. Rescheduling of Committee meetings will be by exception only.

4.2 Quorum

Quorum shall be a majority of the members. No alternates shall be permitted.

4.3 Preparation and Attendance of Members

To enhance the effectiveness of the Committee meetings, each member shall:

Devote the time necessary to prepare for, and participate in, each meeting: this involves reading the reports and reference documents provided for the meeting;
Maintain an excellent record of attendance at meetings.

4.4 Attendance of Non-Members

The Chief Audit Executive shall attend all meetings of the Committee. The Chair may request the attendance of other senior officials. When required, the Chair shall ask a senior representative of the external assurance providers to attend the Committee meetings to discuss the plans, findings and other matters of mutual concern.

4.5 Minutes of meetings

Minutes of each meeting are kept and contain the list of attendees, a summary of the decisions made and an overview of the points discussed. The minutes are approved by the Committee and signed by the Chair on behalf of the Committee.

4.6 In camera meetings

As part of each Committee meeting, the Committee shall meet in camera with the CAE/CFO, representatives of external assurance providers when in attendance and any other officials the Committee decides to call.

4.7 Committee's Annual Plan

The Chair, in consultation with the other members of the Committee, shall prepare a plan for recommendation to the Commissioner, to ensure that the responsibilities of the Committee are scheduled and fully addressed.

4.8 Examination of the Committee's Terms of Reference

The Committee shall periodically review its terms of reference and if revised, submit them to the Commissioner for approval.

5. RESPONSIBILITIES

The particular emphasis and priorities from among the Committee's key areas of responsibility are to be set by the Commissioner in consultation with the Committee. In doing so, consideration is given to the OPC's mandate, objectives and priorities, as well as the corresponding risks affecting the organization.

Below are the key areas of responsibility that fall within the scope of concern of the Committee, and that will be reviewed with an appropriate risk-guided focus and cycle.

5.1 Values and Ethics

The Committee shall review and provide advice on the OPC's systems and practices established by the Commissioner to monitor compliance with laws, regulations, policies and standards of ethical conduct and identify and deal with any legal or ethical violations. This may also include the arrangements established by management to exemplify and promote public service values and to ensure compliance with laws, regulations, policies, and standards of ethical conduct.

5.2 Risk Management

The Committee shall review and provide advice on the risk management arrangements established and maintained by the OPC.

5.3 Management Control Framework

The Committee shall review and provide advice on the OPC's internal control arrangements, and be informed on all matters of significance arising from the work performed by others who provide assurances to senior management and the Commissioner.

5.4 Internal Audit Function

The Committee shall:

Recommend, and periodically review, the OPC Internal Audit Charter for approval by the Commissioner;
Provide advice to the Commissioner on the sufficiency of resources of the internal audit function;
Review and recommend for approval by the Commissioner the Risk-Based Audit Plan;
Monitor and assess the performance of the Internal Audit function;
Advise the Commissioner on the recruitment and appointment, as well as the performance of the Chief Audit Executive;
Review and recommend for the Commissioner's approval internal audit reports and corresponding management action plans to address recommendations;
Be advised of audit engagements or tasks that do not result in a report to the Committee and be informed, by the appropriate level of management, of all matters of significance arising from such work;
Review regular reports on progress against the risk-based audit plan.

5.5 External Assurance Providers

The Committee shall be informed of and shall advise the Commissioner on:

All audit work relating to the OPC to be undertaken by external assurance providers, including management's response; and,
Audit-related issues and priorities raised by external assurance providers.

5.6 Financial Statements and Public Accounts Reporting

The Committee shall review and provide advice to the Commissioner on the key financial management reports and disclosures of the OPC, including quarterly financial reports, annual financial statements and Public Accounts.

The Committee shall also review the annual Statement of Management Responsibility Including Internal Control over Financial Reporting and provide advice to the Commissioner on the risk-based assessment plans and associated results related to the effectiveness of the OPC's system of Internal Control over Financial Reporting.

Since the OPC financial statements are audited by the OAG, the Committee shall review:

The financial statements with the external auditor and senior management, discuss any significant accounting estimates and adjustments therein, any adjustments required to the statements as a result of the audit, as well as any difficulties or disputes encountered with management during the course of the audit;
Management letters arising from the external audit;
The auditor's findings and recommendations relating to the internal controls in place for financial reporting and consider their impact on controls, risk management and governance processes.

5.7 Follow up on Management Action Plans

The Committee shall review regular reports on the progress of the implementation of approved management action plans resulting from prior internal audit recommendations as well as management action plans resulting from the work of external assurance providers.

5.8 Accountability Reporting

The Committee shall receive copies of the Report on Plans and Priorities, the Departmental Performance Report and other significant accountability reports. These reports provide context for the deliberations of the Committee and advice to the Commissioner. Over time, and in the course of successively reviewing these documents, the Committee will be attentive to, and provide advice on, any material misstatements or omissions.

6. OPERATIONS

6.1 Access

The Committee has full access to the Chief Audit Executive and the other OPC employees and documents required to fulfill its responsibilities, subject to applicable legislation. The CAE has full access to the Committee and to the Committee Chair.

6.2 Orientation, Training, and Continuing Education of Committee Members

Members shall receive formal orientation and training on the Committee's responsibilities and objectives and on the business of the OPC.

6.3 Support

The Internal Audit function provides the Committee with the necessary support to carry out its responsibilities and fulfill its duties. The Committee also has the power to obtain independent help and advice. The support to the Committee includes among other things:

Administrative duties (i.e., preparation and distribution of meeting agendas, minutes and materials);
Supporting the Committee in executing its work;
Supporting the Committee in assessing its performance;
Supporting the Committee in its accountability reporting;
Supporting the orientation for new members.

6.4 Duty to Inform and Duty to Resign - Disagreement

In the event that a member of the Committee has a difference of opinion with another member that cannot be resolved by the Chair or if the member has an unresolved difference of opinion with the Chair and provided that the difference of opinion, from the perspective of the member, has, or could have, a material, negative impact on the fairness of reported information or on the integrity of operations of the OPC or involves the questionable behaviour of an individual then the member shall bring the issue forward for resolution, as follows:

Bring the issue to the attention of the Commissioner within a reasonable timeframe.
If the Commissioner is unable to resolve the issue and if the member is of the opinion that the issue still remains, the member has a duty to resign.

7. EVALUATION OF THE COMMITTEE'S PERFORMANCE

The Committee shall periodically evaluate its own performance to continually improve how it carries out its responsibilities. The Committee's performance shall also be part of an external evaluation of the internal audit function that is to be carried out at least every five years, by an independent auditor.

8. ANNUAL REPORT

The independent members of the Committee shall submit an annual report to the Commissioner that shall:

Summarize the results of the Committee's reviews of areas of responsibility;
Provide the independent members' assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and,
Express views in the annual report that shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by OPC officials in the preparation of the annual report.

9.APPROVAL OF COMMITTEE TERMS OF REFERENCE

Reviewed by the Audit Committee

Date

Approved by the Commissioner