Audit Committee Annual Report 2018-2019

Foreword from the External Members of the Committee

It is with great pleasure that we submit the Annual Report from the external members of the Audit Committee (AC) of the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2019. The report reflects a summary of the oversight work carried out by the Committee together with associated insight and advice provided.

While no longer a reporting requirement under the Treasury Board (TB) policy, the Audit Committee’s external members chose to table an annual report on the AC’s activities, which provides useful information on the work of the committee and their independent perspective on the OPC’s risk management, control and governance processes. The views expressed in this report are entirely those of the external AC members.

As it has observed over the past ten years, the AC noted the significant enhancements made by OPC to its management practices over the year as well as the Office’s continued focus on results and performance. Notably, the OPC updated its Results Framework and implemented the results of a major organizational review, which involved a realignment of the Office’s organizational structure. These changes were informed by the OPC’s key priorities in serving the privacy needs of Canadians and by strategic planning and risk management practices that continue to mature and be integrated into various facets of the organization’s work. These are crucial governance elements as the Office navigates the increasing demands of a dynamically evolving privacy landscape and a challenging strategic and operating environment.

The soundness of OPC’s accounting and financial reporting practices is evidenced by the results of the testing of the controls over financial reporting and the fourteenth straight unmodified (i.e. ‘clean’) audit opinion the Office of the Auditor General rendered on the 2018-2019 financial statements.

We sincerely appreciate the Commissioner’s continued strong interest and support for the Audit Committee. We would also like to thank OPC’s Executive team, and in particular, the Corporate Management Sector for their continued hard work and assistance to the Audit Committee.

1.0 Introduction

The external members of the Office of the Privacy Commissioner Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities, observations and advice in the fiscal year 2018-2019, pursuant to the approved AC Terms of Reference.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive advice.

The Audit Committee’s observations of, and advice on, each of the Committee’s oversight areas^{Footnote 1} are detailed in Section 4 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities and accountability reporting.

The AC is composed of the following members:

• Suzanne Morris, CPA, CA, Chair, external member
• Elisabeth Nadeau, external member
• Daniel Therrien, Commissioner, ex-officio member

In addition, the following OPC staff attend AC meetings:

• Chief Audit Executive (CAE), Daniel Nadeau, who is also the Chief Financial Officer (CFO)
• Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning, Performance, Audit and Evaluation.

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. The most recent review of the TOR was completed in 2017 following the implementation of changes to the Treasury Board’s Internal Audit policy suite. The next review is scheduled for 2019-2020.

To deliver on its approved Terms of Reference, the Audit Committee developed a 2018-2019 Work Plan that was reviewed and approved at the Committee’s June 2018 meeting. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments.

As part of the annual discussion of the Audit Committee’s Annual Report, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. Further, an enhanced process for declarations of conflict of interest was implemented during the year. Going forward, members will be asked to complete a written annual declaration form, to be reviewed by the CAE.

3.0 Summary of 2018-2019 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2018-2019, together with advice provided to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four meetings during the year as follows:

• June 15, 2018;
• August 21, 2018;
• December 17, 2018; and
• March 27, 2019.

At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments across the organization since the last meeting as well as possible issues or opportunities that could impact the organization. These discussions provided members with valuable context and insights that promoted a better understanding and appreciation of the swiftly changing environment within which the organization operates. These discussions also allow an opportunity for AC members to provide the Commissioner with strategic advice on new or emerging areas or issues facing the OPC.

Minutes were prepared for each meeting and circulated electronically between meetings for review and recommended approval. Following the Committee’s recommendation, the Chair formally signed them to clearly convey this approval.

As part of the Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. In-camera meetings were also held with external providers of internal audit related services. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence. The external members also meet in camera at each meeting to discuss issues as required.

The external members attended the annual Departmental Audit Committee (DAC) Symposium organized by the Treasury Board (TB) in November 2018, to enhance their understanding of the OPC’s environment and of relevant issues and developments across the public service. The Chair also participated in a related meeting of all DAC Chairs.

3.2 Transparency

Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports and approved internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office. Work also continues to enhance the electronic availability of AC information on the OPC’s intranet site.

In 2019-20, the Audit Committee plans to conduct a self-assessment of its effectiveness, complemented with input from management and external reviewers.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with advice that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Values and Ethics (OPC) continues to be an area of importance for management and the AC. During the year, the Committee reviewed and discussed the annual report on values and ethics, conflict of interest (OPC) and post-employment measures, together which summarize the OPC’s activities related to its Values and Ethics program. This included a discussion of the governance model around V&E, and related promotion and awareness efforts at the OPC, as well as plans to continue enhancing internal communications.

No areas of concern were noted in the annual report. External members made recommendations on the reporting format to help provide greater clarity. Members also recommended that the OPC consider using the results of the Public Service Employee Survey to help inform the V&E activities and consider using the V&E-related questions in the survey to gauge progress on related matters at the OPC.

4.2 Risk Management

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year as part of the strategic planning process. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring. It is a crucial input into the organization’s strategic planning process and the development of the OPC’s Departmental Plan (DP), a key accountability document in the Estimates process.

The Chair of the AC attended the OPC’s January 2019 Strategic Planning session as an observer, where key corporate risks were reviewed and discussed by all levels of OPC management. As in prior years, as management monitors developments throughout the year, the external members looked to be apprised of any changes to key risks as well as the effectiveness of risk mitigation strategies. Further, at its March meeting, the AC received an updated assessment of corporate risks in order to establish the Office’s updated multi-year Internal Audit plan.

4.3 Management Control Framework (MCF)

On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results.

As an Agent of Parliament, OPC is not subject to the Management Accountability Framework (MAF) assessment undertaken by Treasury Board of Canada Secretariat. Notwithstanding this, the OPC utilizes the TBS tool in carrying out a self-assessment of the organization’s management control processes and practices. The external members continued to be pleased with management’s commitment to build on the strengths evidenced through this assessment, and to continually strive to improve in an efficient and effective manner. In 2018-2019, the focus was on three areas of management: People Management, Financial Management and Information Management and Information Technology (IM/IT). At the December AC meeting, management presented draft results of the assessment, focusing in particular on areas with noted gaps. Committee members provided advice on optimizing planned follow-up activities. Specific improvement plans were prepared by management and subsequently provided to AC members, who will follow progress on their implementation in 2019-20.

Members also indicated an interest in updates, in the coming year, on management’s progress related to implementing Open Government and on the OPC’s IM/IT strategy, with a particular focus on initiatives related to data governance.

A summary of other areas of the MCF examined and advice and recommendations provided by the external members follows.

4.3.1 Internal Controls over Financial Reporting (ICFR)

Using an outside consulting firm, OPC tested key internal controls over financial reporting for 2017-2018, namely with regards to the contributions, budgeting and forecasting processes. At its June meeting, the AC received the results of this work, noting that the controls tested were operating effectively. The testing highlighted that OPC has knowledgeable and competent Finance personnel who continue to be proactive and open to strengthening the control environment. Some opportunities for improving records management were identified and will be addressed by management.

For the 2018-2019 financial reporting cycle, it was agreed that given Phoenix related issues, the ICFR work would focus on the documentation and testing of the payroll process. The AC also discussed with management the additional monitoring practices that continue to be in place so that OPC’s Finance and HR functions can stay on top of issues with the payroll system, including weekly oversight meetings with the CFO.

As part of the governance process, the external members of the AC met in-camera with a representative of the external firm who performed the ICFR testing.

The AC was pleased with the overall results of the ICFR testing and management’s commitment to continuous improvement. Looking ahead, the Committee recommended that management review and update its ICFR monitoring plan, as the last review of residual financial reporting risks was conducted approximately four years ago. Consequently, at the December meeting, management presented, and the Committee provided advice on, an updated multi-year plan and revised risk-based monitoring schedule for the testing of controls over financial reporting.

4.3.2 Financial Resource Management

In an environment of growing workloads, financial resource management continues to be critical to supporting the organization in effectively managing its resources. The AC received an update on the OPC financial situation at each meeting, as well as a briefing on the financial results, funding situation and carry forward for 2018-2019. These updates highlighted the due diligence and rigour OPC management undertakes to manage an expanding mandate with limited additional resources.

4.3.3 OPC’s Results Framework and Organizational Structure

With the implementation of the new TB Policy on Results and in line with the difference the OPC is seeking to make in terms of privacy protection, the Office invested significant effort to renew and streamline its strategic results framework. Following finalization of the Departmental Results Framework (DRF) last year, the Office consolidated its programs. It implemented a new organizational structure in 2018-2019, to ensure greater alignment and integration of activities and clarity of roles and responsibilities.

External members were briefed at each of their meetings during the year on the progress of these important initiatives. This included a discussion in December with the newly appointed Deputy Commissioner of the Compliance Sector, on his vision, as well as on the key structural changes, enhancements to information flows and staff engagement activities in his areas of responsibility. A similar discussion on priorities and risks took place with the new Deputy Commissioner of the Policy and Promotion Sector in March. The AC will continue to monitor the change management strategy as operationalization continues throughout the coming year.

As previously noted, the Chair of the AC attended the OPC’s January 2019 Strategic Planning session as an observer, where management at all levels of the Office took stock of work to date in advancing the Office’s strategic privacy priorities, DRF and organizational structure. At this session, managers also provided input into the OPC’s corporate priorities and environmental trends.

4.3.4 Public Service Employee Survey

At its June meeting, the Committee received an overview of the results of the most recent Public Service Employee Survey (PSES), noting that the response rate for this survey had been positive. Management presented and discussed results by theme at the organizational level, along with actions undertaken under each of these themes.

As of the next survey, organizations will be able to analyze results by sector. A new survey was launched in August 2018. The Committee requested that the results of this important process be presented at its June 2019 AC meeting.

4.3.5 Quarterly Financial Reporting

The AC reviewed and provided feedback and advice on the OPC’s 2018-2019 1^st, 2^nd and 3^rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commend management for the clarity and conciseness of these reports.

4.4 Internal Audit Function

The Audit Committee plays an active oversight role of the OPC’s internal audit function. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner.

The Committee concurs with and continued to monitor the mechanisms in place at the OPC to ensure the independence of the internal audit function, a model which has served the Office well over several years and which was confirmed by an external practice inspection conducted in 2014-2015 as being in conformity with the Institute of Internal Auditors’ Professional Practices Framework. There will be an opportunity to validate this model once more in the context of the upcoming external practice inspection, scheduled for 2019-2020.

The OPC’s in-house internal audit capacity consists of a Director, Business Planning, Performance, Audit and Evaluation, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Corporate Management Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of the Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. These arrangements enable OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant, Chartered Accountant (CPA, CA), with significant internal audit expertise, also provides guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.

At the March meeting, an updated RBAP was presented to the AC. The operating context and key risks were discussed, highlighting changes in the environment and key corporate risks since the last RBAP was developed. Important changes to the OPC’s internal environment were noted, in the Office’s redefinition of its desired outcomes and conduct of its organizational review. Against this backdrop, the external service provider developed a new RBAP, informed through consultations with all OPC executives and the AC Chair. AC members concurred with the proposed plan and recommendation that the area of cyber security be the subject of the next internal audit project in 2019-2020, to be followed by human resource management in the subsequent year as implementation progresses on the new organizational structure and updated HR strategic plan.

4.5 External Assurance Providers

As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements. Representatives from the OAG attended the Committee’s March meeting to discuss the plan for the annual audit of OPC’s 2018-2019 financial statements.

The OAG Audit Principal and Audit Project Leader attended the AC’s August 2018 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2018 was also a key document reviewed and discussed at this meeting. For the fourteenth (14th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter.

OPC management and the AC periodically look for opportunities to leverage lessons learned in other areas of government. At the request of the AC, a summary report was prepared and discussed at its March meeting, covering relevant system-wide audit engagements performed by external service providers in 2018-2019. These included the Office of the Comptroller General’s report on the horizontal audit of business continuity planning in large and small organizations; Public Service Commission audits of system-wide staffing; and the Office of the Auditor General’s audits of the Phoenix pay system’s development and implementation, and on the disposal of surplus materiel. This was a useful exercise, which validated the OPCs practices and also provided valuable insights on opportunities to continue enhancing business processes.

4.6 Follow-up on Management Action Plans

The AC monitors management’s progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management’s progress in implementing outstanding actions. There was one outstanding management action from previous year internal audits, which was completed during 2018-2019.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. At the August meeting, AC members reviewed and discussed the OPC’s 2017-2018 audited financial statements, as well as new Public Sector Accounting Board accounting standards, with the Deputy CFO, CFO and representatives from the OAG. Following these discussions, the AC recommended the Commissioner approve these financial statements.

4.8 Accountability Reports

The external members reviewed the OPC’s draft 2017-2018 Departmental Results Report (DRR) and the draft 2019-2020 Departmental Plan (DP). AC members provided advice and recommendations to management prior to these reports being approved by the Commissioner.

5.0 TB Policy Reset Initiative

During the year, the AC continued to be briefed on the Treasury Board Policy Reset Initiative. This included insight into role and collaboration OPC and the Agents of Parliament Working Group (WG) are undertaking to actively engage in this process. Among the areas being discussed and closely followed are expected policies relating to the management of digital information.

6.0 Looking Ahead

Over the coming year, the Committee looks forward to provide oversight as well as advice to the Commissioner with a particular focus on the following activities:

• Continued implementation of the newly implemented OPC Results Framework and organization structure, including integration of changes into key business processes (i.e. planning, monitoring, financial resource allocation/reallocation).
• Funding and its impact on OPC’s work.
• Finalization of the scope and objectives of the next internal audit project, which will focus on cyber security.
• Development of OPC’s IT/IM Strategy.
• Follow-up on management’s action plans under its Management Accountability Framework (MAF) and ICFR initiatives.
• Implementation of new/revised TB policies and OPC’s compliance with associated requirements.
• Further update on the implementation of the Open Government Directive.

The Audit Committee will also be vigilant with regards to how OPC implements risk management approaches and decision-making to address its expanding mandate and the rapid evolution of privacy issues in the digital environment