Audit Committee Annual Report 2022-2023

Foreword from the External Members of the Audit Committee (AC)

We submit herewith the Audit Committee’s Annual Report to the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2023. The report presents an overview of the activities carried out by the Committee consistent with its practice to be transparent and to provide useful information on its work in support of OPC’s risk management, control, and governance processes. The views expressed in this report are entirely those of the External Members of the Committee.

This is the first report submitted by these External Members since the beginning of Commissioner Dufresne’s tenure. As in previous years, we endeavored to provide independent competent advice and to make a useful contribution to support the Commissioner in his role as accounting officer.

This was a challenging year for the organization. Against a backdrop of increasingly complex privacy issues, the Office navigated through the planning uncertainty created by the pandemic’s evolving impact on the workplace. It also devoted time to the organizational changes it would need to make to deliver on eventual new responsibilities under proposed reforms to Canada’s private sector privacy law, following the tabling of Bill C-27 during the year. As evidenced by our report, we believe the Office of the Privacy Commissioner responded well to these challenges while maintaining an effective regime of risk management, control, and governance processes.

We are thankful to benefit from the strong endorsement of our mandate by Commissioner Dufresne and look forward to offering our ongoing support to him as he and his leadership team steer the OPC through an ever-evolving landscape.

We would also like to thank OPC’s Executive team, and in particular, the Corporate Management Sector for their ongoing diligence and assistance to the Audit Committee.

Finally, the OPC and the Audit Committee Chair wish to express their gratitude to Elisabeth Nadeau, who will be completing her tenure as a member of the Committee later in 2023. For the past eight years, Ms. Nadeau has contributed her independent perspective and extensive experience, providing much appreciated insights and constructive advice to the organization.

Suzanne Morris, CPA, CA

Elisabeth Nadeau

1.0 Introduction

The external members of the OPC’s Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities in the fiscal year 2022-2023, pursuant to the approved AC Terms of Reference.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive input.

The Audit Committee’s review of, and observations on, each of the Committee’s oversight areas are detailed in Section 4 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities, and accountability reporting.

The AC is composed of the following members:

  • Suzanne Morris, CPA, CA, Chair, external member
  • Elisabeth Nadeau, external member
  • Philippe Dufresne, Commissioner, ex-officio member

In addition, the following OPC staff attend AC meetings:

  • Chief Audit Executive (CAE), Richard Roulx, Deputy Commissioner, who is also the Chief Financial Officer (CFO)
  • Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning, Performance, Audit and Evaluation.

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. To deliver on its approved Terms of Reference, the Audit Committee developed a 2022-2023 Work Plan. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments.

As part of the annual discussion of the Audit Committee’s workplan, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. Further, a process for declarations of conflict of interest is in place, whereby members complete a written annual declaration form, which is reviewed by the CAE.

3.0 Summary of 2022-2023 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2022-2023 to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held four formal meetings relating to the fiscal year as follows:

  • May 27, 2022
  • October 12, 2022
  • December 21, 2022; and
  • March 30, 2023

At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments since the last meeting as well as emerging issues or opportunities that could impact the OPC. These included briefings on the evolving operating context and a discussion of corresponding measures put in place by management to manage risks, including key considerations as staff transitioned to an evolving and flexible work model. Of highly strategic importance, briefings also included updates concerning significant legislative reform developments and their potential operational impacts, including their influence on the workforce and workplace of the future. This will continue to be an area of focus for the Committee, as the Office continues to develop its state of readiness in preparation for the eventual implementation of new legislation.

In addition to the formal AC meetings, the external members of the Audit Committee held periodic check-in calls with the Deputy Commissioner, Corporate Management Sector and CFO/CAE, and the Secretary to the Committee/Director, Business Planning, Performance, Audit and Evaluation. Through these calls, external members received further updates on the evolving operating context, along with a discussion of the impact of these developments on the Office’s plans, priorities, finances, operations and people.

All these discussions provided members with valuable perspective and insights that allowed them to stay current on the OPC’s key areas of business and to gain a better understanding and appreciation of the changing operational context within which the organization operates, as the acceleration of digital transformation increases the complexity and number of privacy risks facing Canadians. These discussions also allow an opportunity for AC members to provide the Commissioner and senior management with strategic but independent advice on new or emerging areas or issues facing the OPC.

As part of the Audit Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. In-camera meetings were also held with external providers of internal audit-related services. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence. The external members also met in camera to discuss issues as required.

Again this year, the external members attended the annual Departmental Audit Committee (DAC) Symposium, organized remotely by the Treasury Board Secretariat (TBS) in November 2022. This valuable event enhanced members’ understanding of relevant issues and developments across the public service and fostered the sharing of best practices. The Chair also participated in a related meeting of all DAC Chairs.

3.2 Transparency

Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports, and internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with input that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Values and Ethics (V&E) continues to be an area of importance for management and the AC. During the year, the Committee discussed with management the annual report on values and ethics, conflict of interest (COI) and post-employment measures, which summarize the OPC’s activities related to its V&E program. This report is shared with all OPC employees. No areas of concern were noted.

In 2022-2023 the OPC participated in the Public Service Employee Survey, which includes questions on values and ethics. The Committee looks forward to reviewing the survey results in the coming year.

4.2 Risk Management

In keeping with its practice in prior years, and as management monitored organizational risks throughout the year, the external AC members looked to be apprised of changes to key risks and the effectiveness of risk mitigation strategies. As part of its 2022-2023 Audit Committee meetings, the AC received verbal updates on corporate risks. As previously described, recurring check-in meetings were held during the year to monitor the impact of continuing developments on OPC’s plans, processes, and operations.

These briefings included updates on change management initiatives and consultations with employees during the year. In 2022-2023, the Office held a management retreat geared towards equipping managers with the tools to effectively lead through change. The organization also conducted surveys, and held all-staff meetings during which employees’ perspectives were obtained regarding what the workplace of the future could look like as the Office experimented with a hybrid work model and prepared for new requirements.

The Committee was also briefed on the implications of the Government’s Budget 2023 decisions on the OPC, including the allocation of transitional funding to address the operational impacts the organization faces as it prepares for a new private sector privacy law and deals with high operational workloads.

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP). In 2022-2023, corporate risks were reviewed as part of the Risk-based Audit Plan (RBAP) process. This involved discussions about the ranking of key organizational risks and measures that are planned and underway to manage them. The OPC faces a confluence of factors, including the impact of digital acceleration and the growing complexity of privacy issues, legislative reform, and a changing workplace. Against this backdrop, the updated CRP and resulting mitigation and action items will serve as an important touchstone as the Office navigates through change. The CRP also informs the internal audit priorities for the coming year, and both an update on the CRP and the proposed RBAP for 2023-2024 were tabled at the AC’s March 2023 meeting.

4.3 Management Control Framework (MCF)

On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results.

As an Agent of Parliament, OPC is not subject to the Management Accountability Framework (MAF) assessment undertaken by Treasury Board of Canada Secretariat. Notwithstanding this, the OPC periodically utilizes the TBS tool to carry out a self-assessment of the organization’s management control processes and practices. The external members continued to be pleased with management’s commitment to build on the strengths evidenced through previous assessments, and to continually strive to improve in an efficient and effective manner.

Informed by a prior year’s MAF self-assessment in the area of Information Management and Information Technology (IM/IT), the Office continued to implement its IM/IT Strategy and action plans. Key areas of focus include business process automation, business intelligence, mobility, cloud opportunities, collaboration tools, as well as security and privacy. Given the scope and importance of this area, and the ongoing implementation of the IM/IT strategy, the organization also carried out an internal audit of Information Management during 2022-2023, as described under section 4.4 of this report.

A summary of other areas of the MCF examined and input provided by the external members follows.

4.3.1 Internal Controls over Financial Reporting (ICFR)

As part of its cyclical ICFR testing plan, work was carried out by external professional services firms in the previous year on the OPC’s payroll process, as well as on its entity level controls including the Office’s governance and risk management processes. The next ICFR areas to be tested under the plan will be the controls over the procure to pay process and the payroll process, with testing expected to be completed in 2023-2024. Future plans also include a review of the Office’s overall Internal Controls over Financial Management (ICFM) framework, with a view to integrating ICFR and ICFM, in accordance with current Treasury Board policies and guidelines.

4.3.2 Financial Resource Management

In the face of the exponential growth of the digital economy and of expected privacy legislation reform, financial resource management continues to be critical to supporting the organization in effectively managing its resources in an environment of significantly growing workloads. The AC received an update on the OPC financial situation at each of its meetings. Briefings were also provided regarding the approach to assessing the financial and operational implications of potential legislative reform for the Office. These updates highlighted the due diligence with which OPC management strives to manage an expanding and evolving mandate.

4.3.3 Quarterly Financial Reporting

The AC reviewed and provided feedback on the OPC’s 2022-2023 1st, 2nd, and 3rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commended management for the clarity and conciseness of the reporting.

4.4 Internal Audit Function

The Audit Committee plays an active oversight role of the OPC’s internal audit function. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner.

The Committee concurs with and continues to monitor the mechanisms in place at the OPC to ensure the independence of the internal audit function. The Office’s model has served it well over several years and was reaffirmed by an External Practice Inspection conducted in 2019-2020, with the OPC Internal Audit function receiving the highest rating of ‘Generally conforms’ in all areas of inspection.

The OPC’s in-house internal audit capacity consists of a Director, Business Planning, Performance, Audit and Evaluation, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Corporate Management Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of its Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. This approach enables OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant, Chartered Accountant (CPA, CA), with significant internal audit experience, also provides guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.

The Office’s 2022-2023 updated Risk Based Internal Audit Plan (RBAP) was presented to the Committee for approval at the beginning of the year. The plan was developed taking into consideration key organizational risks, the operational context and the level of change and transition taking place in the coming year. Given the strategic importance of information management (IM) practices in this evolving context, this was the area of focus in 2022-2023. The Internal Audit of Information Management (the audit) was conducted by an external professional services firm and completed during the year. The objectives of the audit were to provide assurance on the soundness of the Office’s IM framework, including governance, processes, tools, controls, and resource planning, and to provide recommendations to advance the OPC’s IM and business intelligence (BI) objectives.

The Committee received the results of the audit at its December meeting. Overall results were positive, with the scope having focused on both the design of the IM framework as well as its implementation. Recommendations for improvement focused on the quality control of information and the clarification of related roles and responsibilities. The audit also added value as a foundational step in the development of Business Intelligence (BI) at the OPC.

At its March meeting, the Audit Committee received and approved management’s proposed action plan to address the recommendations of the IM audit. The Committee noted that the planned actions will contribute to advancing the Office’s objectives relating to the sound management of its business information. Progress on implementing the action plan will be monitored over the coming year.

4.5 External Assurance Providers

As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements.

The OAG Audit Principal attended the AC’s October meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2022 was a key document reviewed and discussed at this meeting. For the eighteenth (18th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG.

The Audit Principal from the OAG also attended the Committee’s March 2023 meeting to present the plan for the annual audit of OPC’s 2022-2023 financial statements.

4.6 Follow-up on Management Action Plans

The AC monitors management’s progress in implementing management action plans stemming from internal audit and internal control reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a periodic basis, the Committee receives and reviews a report on management’s progress in implementing outstanding action items. At its March meeting, the Committee received and reviewed a status update on the action plans resulting from the 2020 cybersecurity audit and maturity assessment. The Committee noted the progress made since its last update and will continue to monitor progress on implementing action plans in this important area.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. As noted in section 4.5 of this report, at their October meeting AC members reviewed the OPC’s 2021-2022 audited financial statements and discussed them with the Director of Finance, the CFO, and the OAG Audit Principal. Following the discussions, the AC recommended that the Commissioner approve the financial statements.

4.8 Accountability Reports

The external members reviewed the OPC’s draft 2021-2022 Departmental Results Report (DRR) and the draft 2023-2024 Departmental Plan (DP). AC members provided recommendations to management prior to these reports being approved by the Commissioner.

5.0 Looking Ahead

The Committee looks forward to continuing to provide advice to the Commissioner regarding the oversight of the Office’s risk management, governance, and control processes.

As referenced throughout this report, the years ahead are expected to be a pivotal time for privacy developments. Going forward, as the Office contributes to the development and adoption of new Canadian privacy laws, a key area of focus will be the optimization of its organizational capacity to deliver value to Canadians. Concurrently, the effects of the COVID years continue to define a new reality where it remains imperative for the organization to respond nimbly and effectively as it adapts to the workplace of the future.

The uncertainties of the “next normal” will test the organization’s governance, its operational agility and control framework. The Committee will continue to pay attention to how the OPC responds to these challenges through its risk management, decision-making, people management, financial management, program delivery, business continuity, change management and communications processes.

An important area of focus for the Committee will be to help ensure that potential control gaps are addressed in an effective and timely manner. In that context, the Committee looks forward to monitoring, through its regular meetings and periodic check-ins, the Office’s progress on action plans related to its Corporate Risk Profile (CRP) and projects under its Risk Based Audit Plan (RBAP).

Considering the challenging and uncertain environment, the Committee will continue encouraging the organization to maintain a strategic approach to implementing its HR and IT/IM plans.

Privacy legislation reform is expected to bring increased focus on strengthening capabilities, as well as on attracting and retaining talent within a strong and flexible governance model. In this regard, the Office’s HR Strategy will be particularly important to effectively support people management. It is expected to be a continued focus area for the AC. Also, as previously mentioned, the OPC participated in the Public Service Employee Survey and the Committee looks forward to reviewing the results of the survey in 2023-2024.

Similarly, the organization needs to be able to keep pace with the evolution and challenges associated with new and evolving technologies. Progress in implementing action plans associated with both the cyber security audit and maturity assessment, as well as the IM audit, will continue to be important areas of focus.

As the Commissioner lays out the Office’s longer term strategic priorities, Committee members will follow with interest how these priorities will be integrated into the OPC’s decision-making processes.

The Committee will also follow with interest the implementation of any new/revised Treasury Board policies and the OPC’s compliance with associated requirements, along with plans to address the Open Government Directive, while recognizing that the timelines of some of these activities may continue to evolve and need to be adjusted.

Finally, the Committee looks forward to welcoming a new Audit Committee member to replace Elisabeth Nadeau who, as previously noted in this report, will be completing her tenure in 2023.
