Audit Committee Annual Report 2021-2022

Foreword from the External Members of the Audit Committee (AC)

We submit herewith the Audit Committee’s Annual Report of the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2022. The report presents an overview of the activities carried out by the Committee consistent with its practice to be transparent and to provide useful information on its work in support of OPC’s risk management, control, and governance processes. The views expressed in this report are entirely those of the External Members.

This is the fifth report submitted by these External Members before Commissioner Therrien completes his tenure at the end of June. Throughout these years we have endeavored to provide independent competent advice and hope we have made a useful contribution to support the Commissioner in his role as accounting officer.

This year was particularly challenging for the organization. In addition to the planning uncertainty created by the pandemic and its elusive ending which, like mirages, never materialized, the COVID-19 context continued to place demands for new initiatives and advice to protect privacy. At the same time, following the tabling of Bill C-11 to reform Canada’s private sector privacy law (which died on the order paper when the federal election was called), the organization had to give serious consideration and devote time to the organizational changes it would have to make to deliver eventual new responsibilities. As evidenced by our report, we believe the Office of the Privacy Commissioner responded well to these challenges while maintaining an effective regime of risk management, control, and governance processes.

Going forward, the Office will continue to develop its state of readiness in preparation for the eventual introduction and implementation of new legislation. In addition, it will prepare the transition to welcome a new Commissioner as well as a new Deputy Commissioner/CFO/CAE, further to the pending retirement of the incumbent.

We sincerely appreciated the Commissioner’s respect for the work of the Audit Committee and are grateful for having had the opportunity to support him. We would also like to thank OPC’s Executive team, and in particular, the Corporate Management Sector for their continued hard work and assistance to the Audit Committee.

1.0 Introduction

The external members of the Office of the Privacy Commissioner Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities, observations, and advice in the fiscal year 2021-2022, pursuant to the approved AC Terms of Reference.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive input.

The Audit Committee’s review of, and observations on, each of the Committee’s oversight areas^{Footnote 1} are detailed in Section 4 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities, and accountability reporting.

The AC is composed of the following members:

• Suzanne Morris, CPA, CA, Chair, external member
• Elisabeth Nadeau, external member
• Daniel Therrien, Commissioner, ex-officio member

In addition, the following OPC staff attend AC meetings:

• Chief Audit Executive (CAE), Daniel Nadeau, Deputy Commissioner, who is also the Chief Financial Officer (CFO)
• Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning, Performance, Audit and Evaluation.

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. To deliver on its approved Terms of Reference, the Audit Committee developed a 2021-2022 Work Plan that was reviewed and approved at the Committee’s June 2021 meeting. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments. Further, given the pandemic situation, the Office’s evolving operating context continued to be a standing item at each AC meeting.

As part of the annual discussion of the Audit Committee’s workplan, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. Further, a process for declarations of conflict of interest is in place, whereby members complete a written annual declaration form, which is reviewed by the CAE.

3.0 Summary of 2021-2022 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2021-2022 to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held three formal (but virtual) meetings during the fiscal year as follows:

• June 1, 2021
• August 31, 2021; and
• December 20, 2021.

In addition, a fourth formal quarterly meeting, typically held in March, took place on April 8, 2022.

At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments across the organization since the last meeting as well as emerging issues or opportunities that could impact the organization. These included briefings on the evolving operating context due to COVID, a discussion of corresponding measures put in place by management to manage risks, and considerations for a flexible work model. Of highly strategic importance, briefings also included updates concerning significant legislative reform developments and their potential organizational and operational impacts, including their influence on the workforce and workplace of the future.

In addition to the formal AC meetings, the external members of the Audit Committee held periodic check-in calls throughout the year with the Deputy Commissioner, Corporate Management Sector and CFO/CAE, and the Secretary to the Committee/Director, Business Planning, Performance, Audit and Evaluation. Through these calls, external members received further updates regarding legislative developments, as well as the ongoing impact of the pandemic on the Office’s plans, priorities, finances, operations and people.

Further, as part of the process for updating the Corporate Risk Profile, a discussion on key organizational-wide risks and mitigation strategies was held in February 2022 between the external member of the Audit Committee, the three Deputy Commissioners, the Director of Legal Services and the Director of Business Planning.

All these discussions provided members with valuable context and insights that allowed them to stay current on the organization’s key areas of business and to gain a better understanding and appreciation of the swiftly changing operational context within which the organization operates as the acceleration of digital transformation increases the complexity and number of privacy risks facing Canadians. These discussions also allow an opportunity for AC members to provide the Commissioner and senior management with strategic but independent advice on new or emerging areas or issues facing the OPC.

As part of the Audit Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. In-camera meetings were also held with external providers of internal audit related services. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence. The external members also met in camera to discuss issues as required.

Again this year, the external members attended the annual Departmental Audit Committee (DAC) Symposium, organized remotely by the Treasury Board Secretariat (TBS) in December 2021. This important event enhanced members’ understanding of relevant issues and developments across the public service and fostered the sharing of best practices. The Chair also participated in a related meeting of all DAC Chairs.

3.2 Transparency

Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports, and internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with input that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Values and Ethics (V&E) continues to be an area of importance for management and the AC. In advance of its June 2021 meeting, the Committee received and reviewed the annual report on values and ethics, conflict of interest (COI) and post-employment measures, which summarize the OPC’s activities related to its V&E program. No areas of concern were noted in the annual report. The Committee was also provided with information concerning the Government’s new policy regarding harassment as well as a new directive on conflict of interest including the Office’s workplan for implementation.

4.2 Risk Management

In keeping with its practice in prior years and as management monitored organizational risks throughout the year, the external AC members looked to be apprised of changes to key risks and the effectiveness of risk mitigation strategies. As part of its 2021-2022 Audit Committee meetings, the AC received verbal updates on corporate risks, and as previously described, recurring check-in meetings were held during the year to monitor the impact of continuing developments on OPC’s plans, processes, and operations.

These briefings included updates on communication with employees during the year. Through several all-staff meetings, management consulted employees on important matters including law reform, Official Languages, and employee wellness. Employees’ perspectives were also obtained regarding near-term and longer-term scenarios for what the workplace of the future could look like.

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP). In 2021-2022, corporate risks were reviewed as part of the Risk-based Audit Plan (RBAP) process. As previously mentioned, a discussion on key organizational-wide risks and mitigation responses was held in February 2022 between members of the senior management team and the external AC members. These discussions involved the ranking of key organizational risks. The OPC faces a confluence of factors, including the likelihood of significant legislative change, pending executive management departures, continued uncertainty relating to the pandemic recovery, and the ongoing impact of digital acceleration. Against this backdrop, the updated CRP and resulting mitigation and action items will serve the organization well as a touchstone over the coming year. The CRP also informs the internal audit priorities for the coming year, and both the CRP and the RBAP for 2022-2023 were subsequently tabled at the AC’s early April 2022 meeting.

4.3 Management Control Framework (MCF)

On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results.

As an Agent of Parliament, OPC is not subject to the Management Accountability Framework (MAF) assessment undertaken by Treasury Board of Canada Secretariat. Notwithstanding this, the OPC periodically utilizes the TBS tool to carry out a self-assessment of the organization’s management control processes and practices. The external members continued to be pleased with management’s commitment to build on the strengths evidenced through previous assessments, and to continually strive to improve in an efficient and effective manner.

During the year, the Committee received updates on management’s implementation of action items resulting from prior years’ MAF self-assessments in the areas of People Management and Information Management and Information Technology (IM/IT).

The OPC’s operations have continued to evolve and legislative reform is expected to bring increased focus on strengthening capabilities, and attracting and retaining talent within a strong and flexible governance model. In this regard, the implementation of the Office’s 2020-2023 HR Strategy will be particularly important to effectively support people management and is a continued focus area for the AC. In 2021-2022, with a view to evaluating its hiring practices, the Office participated in a pilot project with the Public Service Commission (PSC). PSC provided professional support to complete the mandatory cyclical evaluation of the OPC’s staffing framework and of its compliance with related laws, regulations, and delegations. At the AC’s June 2021 meeting, PSC representatives presented the results of their evaluation, describing these as very positive. The AC members were pleased to note that the OPC’s staffing framework met the requirements of the instrument of delegation, and that a testing of files indicated a high level of compliance. Recommendations were made in certain areas including ongoing surveillance activities by senior management and an action plan has been developed to address these. As the OPC was the first organization to participate in this pilot project, the PSC representatives expressed their appreciation for the support of the OPC HR team and for the feedback received, which they indicated will allow them to review and enhance their evaluation approach.

Progress also continues towards the implementation of OPC’s 2020-2022 IM/IT Strategy and action plans. Key areas of focus include business process automation, business intelligence, mobility, cloud opportunities, collaboration tools, as well as security and privacy. The Director of Information Technology joined an external AC members’ check-in meeting in April 2021 and provided a status update on progress in implementing the Office’s Information Management/IT strategy. This included an overview of priorities, projects completed over the last year, and the workplan for 2021-2022. Further, at its December meeting the AC received a status update on the implementation of recommendations resulting from the 2020 internal audit of Cybersecurity.

The AC will follow the progress as well as the development of future initiatives in these critical areas.

A summary of other areas of the MCF examined and input provided by the external members follows.

4.3.1 Internal Controls over Financial Reporting (ICFR)

Using the services of an outside consulting firm, OPC tested key internal controls over financial reporting with respect to payroll processes for the 2020-2021 reporting cycle. At its August meeting, the AC received the positive results of this work, noting that there were no recommendations for improvement flowing from the testing. The AC noted that payroll monitoring practices continue to be in place, including regular oversight meetings with the CFO.

Work was also carried out by an external firm in 2021 involving the cyclical testing of entity level controls, which include the Office’s governance and risk management processes. The results of this work were presented at the AC’s December meeting. Overall results were very positive, with a high level of controls in these areas considered to be effective. A few recommendations to further strengthen these processes were presented and the AC members reviewed management’s related action plans.

As part of the governance process, the external members of the AC met in-camera with the representatives of the external firms who performed the ICFR testing. The AC was pleased with the overall results of the ICFR testing and management’s commitment to continuous improvement.

The controls over the procure to pay cycle will be the next area to be tested, with work expected to be completed in 2022-2023. Future plans also include a review of the Office’s overall Internal Controls over Financial Management (ICFM) framework, with a view to integrating ICFR and ICFM, focusing on a strategic risk management perspective.

4.3.2 Financial Resource Management

In the face of the exponential growth of the digital economy, anticipated privacy legislation reform and a recent decree extending public sector privacy laws to foreign citizens, financial resource management continues to be critical to supporting the organization in effectively managing its resources in an environment of significantly growing workloads. The AC received an update on the OPC financial situation at each of its meetings. Briefings were also provided regarding the approach to assessing the financial and operational implications of potential legislative reform for the Office. These updates highlighted the due diligence and rigour with which OPC management strives to manage an expanding and evolving mandate.

4.3.3 Quarterly Financial Reporting

The AC reviewed and provided feedback on the OPC’s 2021-2022 1^st, 2^nd, and 3^rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commended management for the clarity and conciseness of the reporting.

4.4 Internal Audit Function

The Audit Committee plays an active oversight role of the OPC’s internal audit function. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner.

The Committee concurs with and continues to monitor the mechanisms in place at the OPC to ensure the independence of the internal audit function. The Office’s model has served it well over several years and was reaffirmed by an External Practice Inspection conducted in 2019-2020, with the OPC Internal Audit function receiving the highest rating of ‘Generally conforms’ in all areas of inspection.

The OPC’s in-house internal audit capacity consists of a Director, Business Planning, Performance, Audit and Evaluation, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Corporate Management Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of its Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. This approach enables OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant, Chartered Accountant (CPA, CA), with significant internal audit expertise, also provides guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.

The 2021-2022 internal audit plan was presented to the Committee for final approval at its June meeting. The plan was the results of an update to the RBAP methodology, guiding principles and process for the selection of projects. This update was completed in the previous year with the assistance and expertise of an external professional services firm and through consultations with OPC executives and the AC members. The plan reflects a new more integrated approach, with projects scoped, where relevant, to include both internal audit and internal control considerations.

In 2021-2022, a major RBAP project was initiated, consisting of an audit of information management (IM) practices. The project was scoped and is being conducted by an external professional services firm. It is being overseen by the Chair of the Audit Committee, supported by internal resources, as it focused on an area that falls within the scope of responsibilities of the CAE in his role as Deputy Commissioner of the Corporate Management Sector. The objectives of the audit are to provide assurance on the soundness of the Office’s IM framework, including governance, processes, tools, controls and resource planning, and to provide recommendations to advance the OPC’s IM and business intelligence (BI) objectives. The audit is expected to add value as a foundational step in the development of BI at the OPC.

4.5 External Assurance Providers

As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements.

The OAG Audit Principal and Audit Project Leader attended the AC’s August 2021 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2021 was also a key document reviewed and discussed at this meeting. For the seventeenth (17^th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG, nor did they issue a Management Letter.

Representatives from the OAG attended the Committee’s April 2022 meeting to discuss the status of plans for the annual audit of OPC’s 2021-2022 financial statements. In light of the continuing COVID-19 situation, the OAG representatives will continue to work with OPC management to determine the expected timing of their planned audit procedures.

As part of its 2016 New Direction in Staffing, the Public Service Commission (PSC) introduced a requirement that a cyclical staffing assessment be conducted at least every five years, to provide the Deputy Head and the PSC with a robust review of its staffing system. As a small organization, the OPC established an arrangement with PSC for the conduct of this assessment and, as described in section 4.3 above, the Committee engaged with management and the PSC, receiving the positive results of the assessment at its June 2021 meeting.

OPC management and the AC periodically look for opportunities to leverage lessons learned from external assurance providers in other areas of government. At the request of the AC, a summary report was prepared and circulated to members, covering relevant system-wide audit engagements performed by external service providers across the federal government in 2020-2021. This is a useful exercise, which provides valuable insights on opportunities to continue enhancing business processes.

4.6 Follow-up on Management Action Plans

The AC monitors management’s progress in implementing management action plans stemming from internal audit and internal control reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a periodic basis, the Committee receives and reviews a report on management’s progress in implementing outstanding action items. As previously mentioned, the Committee received and reviewed a status update on the action plans resulting from the 2020 cybersecurity audit and maturity assessment. It also received a report on the cyclical testing of entity level controls, which includes the Office’s governance and risk management processes. The Committee will monitor progress on implementing action plans in these areas.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. As noted in section 4.5 of this report, at their August meeting AC members reviewed the OPC’s 2020-2021 audited financial statements and discussed them with the Director of Finance, the CFO, and representatives from the OAG. Following the discussions, the AC recommended that the Commissioner approve the financial statements.

4.8 Accountability Reports

The external members reviewed the OPC’s draft 2020-2021 Departmental Results Report (DRR) and the draft 2022-2023 Departmental Plan (DP). AC members provided recommendations to management prior to these reports being approved by the Commissioner.

5.0 Looking Ahead

Over a coming year of transitions, the Committee looks forward to providing advice to the current Commissioner and subsequently to his successor, regarding oversight of the Office’s risk management, control and governance frameworks and processes. As Commissioner Therrien’s mandate draws to a close, the external Committee members wish to underscore his strong support of and contribution to the Audit Committee, and our appreciation for the strategic focus he fostered in our discussions.

The Committee also notes the pending retirement of the Office’s Deputy Commissioner/CAE/CFO. We wish to recognize Mr. Nadeau’s robust leadership and foresight throughout his many years at the OPC. The external Committee members will offer their support as Mr. Nadeau transitions responsibilities to his successor.

As referenced throughout this report, the years ahead are expected to bring important developments in public and private sector federal privacy law reform, in an environment of accelerating global digitization. Going forward, as the Office contributes to the development and adoption of new Canadian privacy laws, a key area of focus will be the optimization of its organizational capacity to deliver value to Canadians. Concurrently, the ongoing COVID situation continues to define a new reality where it remains imperative for the organization to respond nimbly and effectively as it adapts to the workplace of the future.

The uncertainties of the “next normal” will test the organization’s governance, its operational agility and control framework. The Committee will continue to pay attention to how the organization responds to these challenges as well as to impacted key areas such as business critical risk management, decision-making, people management, financial management, program delivery, business continuity, change management and communications.

An important area of focus for the Committee will be to help ensure that potential control gaps are addressed in an effective and timely manner. In that context, the Committee looks forward to monitoring, through its regular meetings and periodic check-ins, the Office’s progress on action plans related to its Corporate Risk Profile (CRP) and projects under its Risk Based Audit Plan (RBAP).

Considering the challenging and uncertain environment, the Committee will continue encouraging the organization to maintain a strategic approach to implementing its HR and IM/IT strategies, as well as plans and initiatives to support the OPC’s evolving mandate, and the rapid evolution of privacy issues in the digital environment. Similarly, the progress in implementing action plans associated with the cyber security audit and maturity assessment will continue to be important areas of focus.

Finally, the Committee will follow with interest the implementation of any new/revised Treasury Board policies and OPC’s compliance with associated requirements; implementation of MAF action plans; and plans to address the Open Government Directive, while recognizing that the timelines of some of these activities may continue to evolve and need to be adjusted.