Audit Committee Annual Report 2020-2021

Foreword from the External Members of the Audit Committee (AC)

We are pleased to submit the Annual Report of the external members of the Audit Committee to the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2021. The report reflects a summary of the oversight work carried out by the Committee.

It is the practice of the Audit Committee’s external members to table an annual report on the AC’s activities, as it provides useful information on the work of the committee and their independent perspective on the OPC’s risk management, control and governance processes. The views expressed in this report are entirely those of the external AC members.

As it has observed over the past several years, the AC noted the Office’s continued focus on results, performance and sound organizational practices. Notably, the importance of the Office’s focus on strong and responsive governance and risk management practices became even more evident as the COVID-19 outbreak unfolded during the year. In response, the AC adapted the format and frequency of its meetings, as the organization put enhanced risk, control, and governance processes in place to navigate through this unprecedented time.

Further, the pandemic underscored the importance of compliance with privacy laws in remote work environments, in a landscape where an increase in digitization has created new privacy risks. The 2020-2021 year also saw proposals for public and private sector federal privacy law reform. Going forward, as the Office contributes to the modernization of Canadian privacy laws, it will consider corresponding changes to its operations and structure, to optimize its organizational capacity and agility to focus on results. The OPC’s approach is informed by its results framework in serving the needs of Canadians, as well as by strategic planning and risk management practices that continue to be integrated into various facets of the organization’s work. These remain crucial governance elements as the Office navigates the increasing demands of a dynamic and challenging environment.

The Office’s management and financial control frameworks form part of the core areas of oversight by the AC. The soundness of OPC’s accounting and financial reporting practices continued to be evidenced by the results of the testing of the controls over financial reporting and the sixteenth straight unmodified (i.e. ‘clean’) audit opinion the Office of the Auditor General rendered on the 2019-2020 financial statements.

We sincerely appreciate the Commissioner’s continued strong interest and support for the Audit Committee. We would also like to thank OPC’s Executive team, and in particular, the Corporate Management Sector for their continued hard work and assistance to the Audit Committee.

Suzanne Morris, CPA, CA

Elisabeth Nadeau

1.0 Introduction

The external members of the Office of the Privacy Commissioner Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities, observations and advice in the fiscal year 2020-2021, pursuant to the approved AC Terms of Reference.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive input.

The Audit Committee’s review of, and observations on, each of the Committee’s oversight areas are detailed in Section 4 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities, and accountability reporting.

The AC is composed of the following members:

  • Suzanne Morris, CPA, CA, Chair, external member
  • Elisabeth Nadeau, external member
  • Daniel Therrien, Commissioner, ex-officio member

In addition, the following OPC staff attend AC meetings:

  • Chief Audit Executive (CAE), Daniel Nadeau, Deputy Commissioner, who is also the Chief Financial Officer (CFO)
  • Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning, Performance, Audit and Evaluation.

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. To deliver on its approved Terms of Reference, the Audit Committee developed a 2020-2021 Work Plan that was reviewed and approved at the Committee’s June 2020 meeting. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments. Further, given the pandemic situation, the Office’s evolving operating context became a standing item at each AC meeting.

As part of the annual discussion of the Audit Committee’s Annual Report, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. Further, a process for declarations of conflict of interest is in place, whereby members complete a written annual declaration form, which is reviewed by the CAE.

3.0 Summary of 2020-2021 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2020-2021 to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four formal meetings during the fiscal year as follows:

  • April 8, 2020;
  • June 18, 2020;
  • October 28, 2020; and
  • March 30, 2021.

At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments across the organization since the last meeting as well as emerging issues or opportunities that could impact the organization. This included briefings on the evolving operating context due to COVID and a discussion of corresponding measures put in place by management to manage risks. Important briefings also included legislative reform developments and their potential organizational and operational significance. In addition to the formal AC meetings, the external members of the Audit Committee held periodic check-in calls throughout the year with the Deputy Commissioner, Corporate Management Sector and CFO/CAE, and the Secretary to the Committee/Director, Business Planning, Performance, Audit and Evaluation. Through these calls, external members received updates regarding the impact of the pandemic on the Office’s plans, priorities and operations; remote working capabilities and cybersecurity; and monitoring of employee wellness. The Deputy Commissioner, Compliance Sector, joined one of these meetings in order to provide additional leadership perspective on key risks and areas of focus as compliance operations pivoted to meet COVID-19 related challenges.

All of these discussions provided members with valuable context and insights that allowed them to stay current on the organization’s key areas of business and to gain a better understanding and appreciation of the swiftly changing operational context within which the organization operates. These discussions also allow an opportunity for AC members to provide the Commissioner and senior management with strategic advice on new or emerging areas or issues facing the OPC.

As part of the Audit Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. In-camera meetings were also held with external providers of internal audit related services. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence. The external members also meet in camera to discuss issues as required.

Again this year, the external members attended the annual Departmental Audit Committee (DAC) Symposium, which in response to the pandemic situation, was organized remotely by the Treasury Board Secretariat (TBS) and included sessions in October and December 2020. These enhanced members’ understanding of relevant issues and developments across the public service and fostered the sharing of best practices. The Chair also participated in related meetings of all DAC Chairs.

3.2 Transparency

Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports and internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with input that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Values and Ethics (V&E) continues to be an area of importance for management and the AC. In June, the Committee received and reviewed the annual report on values and ethics, conflict of interest (COI) and post-employment measures, which summarize the OPC’s activities related to its V&E program. No areas of concern were noted in the annual report.

4.2 Risk Management

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP). In 2020-2021, corporate risks were reviewed as part of the Risk Based Audit Plan (RBAP) process. An external professional services firm was retained to update internal audit priorities, and through this exercise completed an update of guiding principles, methodologies, key risks and major sources of risk. These were discussed with the AC at its March 2021 meeting.

As in prior years, as management monitors developments throughout the year, the external members looked to be apprised of any changes to key risks as well as the effectiveness of risk mitigation strategies. As part of its 2020-2021 Audit Committee meetings, the AC received verbal updates on corporate risks, with a particular focus on the evolving COVID-19 situation and legislative reform developments. As previously described, recurring check-in meetings were added during the year to monitor continuing developments with respect to the pandemic, and its impact on OPC’s plans, processes, and operations.

These briefings included updates on consultations with employees during the year. Through all staff meetings, pulse checks and discussions, management surveyed employee wellness and determined the approaches and tools needed for employees to work from home. Employees’ perspectives were also obtained regarding near term and longer term scenarios for what the office of the future could look like.

4.3 Management Control Framework (MCF)

On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results.

As an Agent of Parliament, OPC is not subject to the Management Accountability Framework (MAF) assessment undertaken by Treasury Board of Canada Secretariat. Notwithstanding this, the OPC utilizes the TBS tool to carry out a self-assessment of the organization’s management control processes and practices. The external members continued to be pleased with management’s commitment to build on the strengths evidenced through this assessment, and to continually strive to improve in an efficient and effective manner.

During the year, the Committee received updates on management’s implementation of action items resulting from prior years’ MAF self-assessments in the areas of People Management and Information Management & Information Technology (IM/IT).

As the OPC’s operations continue to evolve and as workloads increase, the Office’s 2020-2023 HR Strategy will be particularly important to effectively support people management. AC members were pleased to note that progress continues in the implementation of the Office’s plans in this area. In March, management provided an update on completed and ongoing initiatives designed to strengthen talent management and development, leadership skills, language training, inclusive services and a number of other important areas.

Progress also continues towards the implementation of OPC’s 2020-2022 IM/IT Strategy. Key areas of focus include business process automation, business intelligence, mobility, cloud opportunities, collaboration tools, as well as security and privacy. Updated plans and results to date will be presented to the Audit Committee in 2021-2022.

The AC will follow the progress as well as the development of future initiatives in these critical areas.

A summary of other areas of the MCF examined and input provided by the external members follows.

4.3.1 Internal Controls over Financial Reporting (ICFR)

Using the services of an outside consulting firm, OPC tested key internal controls over financial reporting with respect to payroll processes for the 2019-2020 reporting cycle. At its October meeting, the AC received the results of this work, noting that there were no significant recommendations flowing from the testing and that recommendations focused on process refinements. The AC also noted that payroll monitoring practices continue to be in place, including regular oversight meetings with the CFO.

The Committee noted that for the 2021 reporting period, work will focus on the cyclical testing of entity level controls, which include governance and risk management processes. In addition, there are plans to continue working with the external consultant on the implementation of payroll process refinements coming out of the most recent testing work.

As part of the governance process, the external members of the AC met in-camera with the representative of the external firm who performed the ICFR testing. The AC was pleased with the overall results of the ICFR testing and management’s commitment to continuous improvement.

4.3.2 Financial Resource Management

In the face of the exponential growth of the digital economy, and with growing workloads and anticipated privacy legislative reform, financial resource management continues to be critical to supporting the organization in effectively managing its resources. The AC received an update on the OPC financial situation at each meeting, as well as a briefing on financial results and the management of funding carry forward/reprofiling requests for 2020-2021. Briefings were also provided regarding the approach to assessing the financial and operational implications of potential legislative reform for the Office. These updates highlighted the due diligence and rigour OPC management undertakes to manage an expanding and evolving mandate.

4.3.3 Quarterly Financial Reporting

The AC reviewed and provided feedback on the OPC’s 2020-2021 1st, 2nd, and 3rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commended management for the clarity and conciseness of the reporting.

4.4 Internal Audit Function

The Audit Committee plays an active oversight role of the OPC’s internal audit function. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner.

The Committee concurs with and continued to monitor the mechanisms in place at the OPC to ensure the independence of the internal audit function. The Office’s model has served the Office well over several years and was reaffirmed by an External Practice Inspection conducted in 2019-2020 as being in conformity with the Institute of Internal Auditors’ International Professional Practices Framework. At its April 2020 meeting, the AC received the results of the External Practice Inspection and action plan, with the OPC Internal Audit function receiving the highest rating of ‘Generally conforms’ in all areas of inspection. The practice reviewers commented on the nimbleness of the function, its effectiveness in carrying out its mandate with limited resources, and on how it is well respected within the organization.

The OPC’s in-house internal audit capacity consists of a Director, Business Planning, Performance, Audit and Evaluation, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Corporate Management Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of the Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. This approach enables OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant, Chartered Accountant (CPA, CA), with significant internal audit expertise, also provides guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.

In 2020-2021, a major RBAP project was completed, consisting of a cybersecurity audit and maturity assessment. The project was scoped and conducted by an expert external professional services firm. The audit was overseen by the Chair of the Audit Committee, supported by internal resources, as it focused on an area that falls within the scope of responsibilities of the CAE in his role as Deputy Commissioner of the Corporate Management Sector. The objectives of the project were to assess the current state of cybersecurity maturity, provide assurance over the effectiveness of existing controls, and provide recommendations to help the OPC reach its desired future state for cyber security maturity. The project also included a workshop with key OPC stakeholders. Results and action plans were presented and discussed at the June 2020 AC meeting.

In 2020-2021 the RBAP methodology and the guiding principles for the selection of projects were updated with the assistance and expertise of an external professional services provider, informed through an in-depth review of the current process, operational context, key organizational risks and consultations with OPC executives and the AC members. The major orientations of the RBAP and potential assurance and advisory projects were identified and discussed at the AC’s March 2021 meeting. A finalized plan will be presented to the Committee for approval early in 2021-2022.

4.5 External Assurance Providers

As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements.

The OAG Audit Principal and Audit Project Leader attended the AC’s October 2020 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2020 was also a key document reviewed and discussed at this meeting. For the sixteenth (16th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter.

Representatives from the OAG attended the Committee’s March 2021 meeting to discuss the status of plans for the annual audit of OPC’s 2020-2021 financial statements. In light of the continuing COVID-19 situation, the OAG representatives will continue to work with OPC management to determine the expected timing of their planned audit procedures.

As part of its 2016 New Direction in Staffing, the Public Service Commission (PSC) introduced a requirement that a cyclical staffing assessment be conducted at least every five years, in order to provide the Deputy Head and the PSC with a robust review of its staffing system. As a small organization, the OPC established an arrangement with PSC for the conduct of this assessment and the work was carried out during the year. Committee members look forward to engaging with management and the PSC on the results of the assessment in early 2021-2022.

OPC management and the AC periodically look for opportunities to leverage lessons learned from external assurance providers in other areas of government. At the request of the AC, a summary report was prepared and circulated to members, covering relevant system-wide audit engagements performed by external service providers across the federal government in 2020-2021. This is a useful exercise, which provides valuable insights on opportunities to continue enhancing business processes.

4.6 Follow-up on Management Action Plans

The AC monitors management’s progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management’s progress in implementing outstanding actions. In June 2020, the Committee received and reviewed the results of the cybersecurity audit and maturity assessment, including the management response and action plans. At its March 2021 meeting, the AC received and discussed a progress report and was pleased to note that management was on track in the implementation of action plans resulting from this audit project.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. As noted in section 4.5 of this report, at their October meeting AC members reviewed the OPC’s 2019-2020 audited financial statements, and discussed them with the Deputy CFO, CFO, and representatives from the OAG. Following the discussions, the AC recommended that the Commissioner approve the financial statements.

4.8 Accountability Reports

The external members reviewed the OPC’s draft 2019-2020 Departmental Results Report (DRR) and the draft 2021-2022 Departmental Plan (DP). AC members provided recommendations to management prior to these reports being approved by the Commissioner.

5.0 Looking Ahead

Over the coming year, the Committee looks forward to providing oversight as well as advice to the Commissioner. Ongoing developments in the COVID-19 situation are defining a new reality in the face of which it continues to be imperative for the organization to respond quickly and effectively and to determine what a post-pandemic workplace of the future will look like. In addition, the years ahead are expected to bring important developments in public and private sector federal privacy law reform. Going forward, as the Office contributes to the development and adoption of new Canadian privacy laws, a key area of focus will be the optimization of its organizational capacity to deliver value to Canadians.

The “new normal” will test the organization’s governance, its operational agility and control framework. The Committee will continue to pay attention to how the organization responds to these challenges as well as to impacted key areas such as business critical risk management, decision-making, people management, financial management, program delivery, business continuity, change management and communications.

An important area of focus for the Committee will be to ensure that potential control gaps are quickly and effectively addressed. In that context, the Committee looks forward to discussing how the organization plans to recalibrate both its Corporate Risk Profile (CRP) and Risk Based Audit Plan (RBAP).

In light of the challenging environment, the Committee will encourage the organization to adopt a strategic approach to implementing its HR and IM/IT strategies, as well as plans and initiatives to support the OPC’s evolving mandate, and the rapid evolution of privacy issues in the digital environment. Similarly, the progress in implementing action plans associated with the cyber security audit and maturity assessment will continue to be important priorities.

Finally, the Committee will follow with interest the implementation of new/revised Treasury Board policies and OPC’s compliance with associated requirements; implementation of MAF action plans; and plans to address the Open Government Directive, while recognizing that the timelines of some of these activities may continue to evolve and need to be adjusted.
