Internal Audit Committee Annual Report 2017-2018

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Foreword from the External Members of the Committee

It is with great pleasure that we submit the Annual Report from the external members of the Audit Committee (AC) of the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2018. The report reflects a summary of the oversight work carried out by the Committee together with associated insight and advice provided.

As it has done over the past nine years, the OPC has continued over the year to make significant enhancements to its management practices. Notably, these include a renewed focus on results and performance through a significant re-design of the OPC’s Results Framework, the conduct of an organizational review and changes to the Office’s organizational structure. These were informed by the OPC’s key priorities in serving the privacy needs of Canadians and by strategic planning and risk management practices that continue to mature and be integrated into various facets of the organization’s work.

The soundness of OPC’s accounting and financial reporting practices is evidenced by the results of the testing of the controls over financial reporting and the thirteenth straight unmodified (i.e. ‘clean’) audit opinion the Office of the Auditor General rendered on the 2016-2017 financial statements.

We sincerely appreciate the Commissioner’s continued interest and support for the Audit Committee. We would also like to thank OPC’s Executive team, and in particular, the Corporate Services Branch for their continued hard work and support for the Audit Committee.

The Audit Committee would like to take this opportunity to recognize its former Chair, Laurel Murray, for her strong leadership and high level of dedication. Ms. Murray served as inaugural Chair of the OPC’s Audit Committee, providing invaluable expertise during nine years of service up to June 2017.

1.0 Introduction

The external members of the Office of the Privacy Commissioner Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities, observations and advice in the fiscal year 2017-2018, pursuant to the approved AC Terms of Reference.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive advice.

The Audit Committee’s observations of, and advice on, each of the Committee’s oversight areas^{Footnote 1} are detailed in Section 4 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities and accountability reporting.

The AC is composed of the following members:

• Suzanne Morris, CPA, CA, Chair, external member
• Elisabeth Nadeau, external member
• Daniel Therrien, Commissioner, ex-officio member

In addition, the following OPC staff attend AC meetings:

• Chief Audit Executive, Daniel Nadeau, who is also the Chief Financial Officer
• Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning and Management Practices

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. The most recent review of the TOR was completed in 2017 following the implementation of changes to the Treasury Board’s Internal Audit policy suite.

To deliver on its approved Terms of Reference, the Audit Committee developed a 2017-2018 Work Plan that was reviewed and approved at the Committee’s June meeting. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments.

As part of the annual discussion of the Audit Committee’s Annual Report, members review and attest to them being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted.

3.0 Summary of 2017-2018 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2017-2018, together with advice provided to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four meetings during the year as follows:

• June 27, 2017;
• August 22, 2017;
• December 18, 2017; and
• March 22, 2018.

At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key happenings across the organization since the last meeting as well as possible issues or opportunities that may impact the organization. These discussions provided members with valuable context and insights that promoted a better understanding and appreciation of the changing work and environment within which the organization operates. These discussions also provide an opportunity for AC members to provide the Commissioner with strategic advice on new or emerging areas or issues facing the OPC.

There was 100% attendance by AC members at meetings held during 2017-2018. Minutes were prepared for each meeting and circulated electronically between meetings for review and recommended approval. Following the Committee’s recommendation, the Chair formally signed them to clearly convey this approval.

As part of the Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. In-camera meetings were also held with external providers of internal audit related services. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence. The external members also meet in camera at each meeting to discuss issues as required.

The external members attended the annual Departmental Audit Committee (DAC) Symposium organized by the Treasury Board (TB) in November, to enhance their understanding of the OPC’s environment and of relevant issues and developments across the public service. The Chair also participated in a related meeting of all DAC Chairs.

3.2 Transparency

Audit Committee information is publicly available on the OPC website. This includes bios of the AC members, the Committee’s Terms of Reference, annual reports and approved internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office. In response to the AC most recent self-assessment, work is underway to enhance the electronic availability of AC information on the OPC’s intranet site.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with advice that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Values and Ethics continues to be an area of importance for management and the AC. During the year, the Committee reviewed and discussed the annual report on values and ethics, conflict of interest (COI) and post-employment measures, together which summarize the OPC’s activities related to its Values and Ethics program. No areas of concern were noted; however, the external members made two recommendations to help provide greater context, namely in terms of increasing the level of granularity of certain information reported and briefing orally the AC on mitigation measures taken to address any related values and ethics matters.

4.2 Risk Management

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year as part of the strategic planning process. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring and is a key input into the organization’s strategic planning process and the development of the OPC’s Departmental Plan (DP), a key accountability document in the Estimates process.

During the year, the Audit Committee reviewed and discussed the draft CRP, recognizing that further work was being undertaken to identify controls in relation to the key risks and associated mitigation strategies and to align the process with the development of the OPC’s new Results Framework and organizational review. The external members concurred with the strategic risks while offering recommendations to help clarify the associated risk statements. As in prior years, as management monitors its key risks throughout the year, the external members looked to be apprised of any changes to the key risks as well as the effectiveness of risk mitigation strategies.

At its June meeting, the AC received an overview of the most recent Threat Risk Assessment carried out by management, pertaining to its technical, procedural and physical infrastructure risks, measures and practices. The overall results were positive, with no significant issues identified. Management continues to improve its practices in this area in the context of the OPC’s work environment.

4.3 Management Control Framework (MCF)

While not subject to the Management Accountability Framework (MAF) assessment undertaken by Treasury Board of Canada Secretariat, the OPC utilizes the TBS tool in carrying out a self-assessment of the organization’s management control processes and practices. The external members continued to be pleased with management’s commitment to build on the strengths evidenced through this assessment, and to continually strive to improve in an efficient and effective manner. In 2017-2018, the focus was on making progress on the continued implementation of plans with respect to the Directive on Open Government.

In addition to the MAF, the following is a summary of other areas of the MCF examined and advice and recommendations provided by the external members.

4.3.1 Internal Controls over Financial Reporting (ICFR)

Using an outside consulting firm, OPC tested key internal controls over financial reporting for 2016-2017, namely payroll, procure to payment, and financial close and reporting. The AC discussed the results of this testing noting that the majority of controls tested were operating effectively. The testing highlighted that OPC has knowledgeable and competent Finance personnel who continue to be proactive and open to strengthening the control environment. Members reviewed the action plan developed to address recommendations for improvement, notably with respect to payroll administration (MyGCHR and Phoenix), which involves issues that are not unique to the OPC. The Committee was pleased with the overall results of the ICFR testing and management’s commitment to continuous improvement and looks forward to monitoring progress against the action plan as part of the Committee’s review of the 2017-2018 ICFR testing. As part of the governance process, the external members of the AC met in-camera with representatives of the external audit firm who performed the ICFR testing.

With respect to the payroll-related processes and controls, these will be tested again as part of the ICFR plan in 2018-2019. The AC also discussed with management the additional monitoring and correction practices that have been implemented by OPC’s Finance and HR functions to stay on top of issues with the payroll system, including weekly oversight meetings with the CFO.

4.3.2 Financial Resource Management

Financial resource management continues to be critical to supporting the organization in effectively managing its resources. The AC received an update on the OPC financial situation at each meeting, as well as a briefing on the financial results and carry forward for 2017-2018. This review highlights the due diligence and rigour OPC management undertakes to manage an expanding mandate with no additional resources.

4.3.3 Results-based Accountability and Reporting Framework

As an Agent of Parliament, OPC is not subject to monitoring or oversight by TBS but rather the Commissioner is responsible for ensuring compliance with TB policies and directives. Work continued this year in developing a Results-based Accountability and Reporting Framework that supports the organization in understanding and complying with the full suite of required policies and directives. Where there is discretion in how the OPC complies with policy requirements, the external members concur with an approach that is consistent with the work necessary to deliver on the core mandate while providing sufficient safeguards that policy objectives are met. This recognizes that OPC is a very small organization with limited resources to deliver on its mandate while also complying with the multitude of requirements that are required of much larger federal departments and agencies.

4.3.4 OPC’s Results Framework and Organizational Review

With the implementation of the new TB Policy on Results, OPC has invested significant effort to renew its strategic results framework. The new Departmental Results Framework (DRF) was finalized during the year, following consultation with management and review by the external members of the AC. The members found that the DRF is well designed. It is streamlined and reflective of the difference the OPC is seeking to make in terms of privacy protection.

Along with the redefinition of its desired outcomes through the new DRF, in 2017-2018 the Office consolidated its programs and conducted an organizational review to ensure greater alignment and integration of activities and clarity of roles and responsibilities. External members were briefed at each meeting on the progress of these initiatives and will continue to monitor the change management strategy throughout their implementation, which is expected to carry through much of 2018-2019.

The Chair of the AC attended the OPC’s January 2017 Strategic Planning session as an observer, where the new Results Framework and results indicators were rolled out in concert with the draft corporate risk profile, and discussed with all levels of OPC management. At this session, managers also provided input into the plan for implementing OPC’s new organizational structure.

4.3.5 Quarterly Financial Reporting

The AC reviewed and provided feedback and advice on the OPC’s 1^st, 2^nd and 3^rd 2017-2018 Quarterly Financial Reports. While the format of these reports is prescribed by Treasury Board Secretariat, members did not note any concerns but rather once again commend management for the clarity and conciseness of these reports.

4.4 Internal Audit Function

The Audit Committee plays an active oversight role of the OPC’s internal audit function. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is recommended for approval by the Audit Committee and formally approved by the Commissioner. In 2017-2018, the Charter, along with the terms of reference of the AC, were reviewed and revised following the April 1, 2017 implementation of a revised TB Policy on Internal Audit.

While no longer a reporting requirement under the new policy, the Audit Committee agreed that its external members would continue tabling an annual report on the AC’s activities, given that it provides useful information on the work of the committee and their independent perspective on the OPC’s risk management, control and governance processes.

A renewed emphasis on the independence of the Internal Audit function was noted in the TB policy. The Committee concurred with the mechanisms in place at the OPC to ensure the independence of the function, a model which has served the Commission well over several years and which was confirmed by an external practice inspection conducted in 2014-2015 as being in conformity with the Institute of Internal Auditors’ Professional Practices Framework. There will be an opportunity to validate this model once more in the context of the upcoming practice inspection, scheduled for 2019-20.

The OPC’s in-house internal audit capacity consists of a Director, Business Planning and Management Practices, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Director General, Corporate Services and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of the Risk-based Audit Plan (RBAP). In addition, individual internal audit engagements are co-sourced with an outside professional services firm. This arrangement enables OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant, Chartered Accountant (CPA, CA), with significant internal audit expertise, also provides expertise, as well as guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firm. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.

At the August meeting, members were briefed on the results of the review of the Technology and Analysis Directorate (TAD) carried out during the year as part of the Internal Audit Plan. TAD is a key resource in enhancing organizational capacity and agility as the OPC’s mandate continues to expand in an environment of technological change and complexity. The project reviewed TAD’s capacity to meet policy, research and compliance activities and its operational processes to support OPC priorities. The external review noted several strong management and operational practices related to the delivery of TAD’s services and no high-risk issues were identified. Findings and recommendations for improvement were made and the AC reviewed and was satisfied with management’s action plan to address them. In keeping with their oversight role, external members of the AC also met in-camera with the audit firm that carried out the TAD review, and recommended the report for approval by the Commissioner.

An update on the 2017-2018 to 2019-2020 RBAP was presented to the AC at its March meeting. The operating context and key risks were discussed, highlighting no major changes in the external environment or key corporate risks since the RBAP was created. Important changes to the OPC’s internal environment were noted, in the Office’s redefinition of its desired outcomes and conduct of its organizational review. Against this backdrop, the Audit and Evaluation Directorate carried out an assessment of the current RBAP, in consultation with all OPC executives. AC members concurred with the recommendation that the area of human resources will be the subject of the next internal audit project and that the scope and objective of this work will be defined in 2018-2019, to commence following the OPC’s implementation of the results of its organization review.

4.5 External Assurance Providers

As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements. Representatives from the OAG attended the Committee’s March meeting to discuss the plan for the annual audit of OPC’s 2017-2018 financial statements.

The OAG Audit Principal and Audit Project Leader attended the AC’s August 2017 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2017 was also a key document reviewed and discussed at this meeting. For the thirteenth (13^th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter.

4.6 Follow-up on Management Action Plans

The AC monitors management’s progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management’s progress in implementing outstanding actions. There were no outstanding management actions from previous year internal audits, and in 2017-2018 five new management actions came on stream from the TAD review. Four of these were completed by the end of 2017-2018, and progress is underway on the remaining item.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. At the August meeting, AC members reviewed and discussed the OPC’s 2016-2017 audited financial statements with the Deputy CFO, CFO and representatives from the OAG. Following these discussions, the AC recommended the Commissioner approve these financial statements.

4.8 Accountability Reports

The external members reviewed the OPC’s draft 2016-2017 Departmental Performance Report (DPR) and the draft 2018-2019 Departmental Plan (DP). AC members provided advice and recommendations to management prior to these reports being approved by the Commissioner.

5.0 TB Policy Reset Initiative

During the year, the AC continued to be briefed on the Treasury Board Policy Reset Initiative. This included insight into role and collaboration OPC and the Agents of Parliament Working Group (WG) are undertaking to actively engage in this process. At its June 2017 meeting, the AC reviewed the changes to the new Policy on Internal Audit and accompanying Directive as well as management’s approach to comply with the new requirements.

6.0 Looking Ahead

Over the coming year, the Committee looks forward to provide oversight as well as advice to the Commissioner with a particular focus on the following activities:

• Implementation of the new OPC Results Framework and organization structure, including integration of changes into key business processes (i.e. planning, monitoring, financial resource allocation/reallocation).
• Finalization of the scope and objectives of the next internal audit project, which will focus on Human Resources.
• Completion of outstanding action from the Technology and Analysis Directorate (TAD) Review.
• Implementation of new/revised TB policies and OPC’s compliance with associated requirements.
• Results of monitoring activities in relation to the implementation of the new Public Service Commission staffing model.
• Further update on the implementation of the Open Government Directive.

The Audit Committee will also be vigilant with regards to how OPC implements risk management approaches and decision-making to address its expanding mandate and the rapid evolution of privacy issues in the digital environment, albeit without additional resources.