Audit Committee Annual Report 2023-2024
Foreword from the External Members of the Audit Committee (AC)
We submit herewith the Audit Committee’s Annual Report to the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2024. The report presents an overview of the activities carried out by the Committee consistent with its practice to be transparent and to provide useful information on its work in support of OPC’s risk management, control, and governance processes. As in previous years, we endeavored to provide independent competent advice and to make a useful contribution to support the Commissioner in his role as accounting officer. The views expressed in this report are entirely those of the External Members of the Committee.
This was a year of challenges for the OPC. Against a backdrop of increasingly complex privacy issues, the Office worked to stay ahead of the increasing pace of technological advancement, prepared for potential privacy law reform, and continued to ready its workforce for an evolving hybrid work model. As evidenced by our report, we believe the Office of the Privacy Commissioner responded well to these challenges while maintaining an effective regime of risk management, control, and governance processes.
We are thankful to benefit from the strong endorsement of our mandate by Commissioner Dufresne and look forward to offering our ongoing support to him as he and his leadership team steer the OPC through an ever-evolving landscape.
We would also like to thank OPC’s Executive team, and in particular, the Corporate Management Sector for their ongoing diligence and assistance to the Audit Committee.
Finally, we wish to note that 2023/2024 was a year of transition for the Audit Committee’s external membership. The OPC and the Audit Committee wish to express their gratitude to Elisabeth Nadeau, who completed her tenure as a member of the Committee in September 2023, as well as to Suzanne Morris, who will be completing her mandate as Committee Chair at the end of June 2024. During their tenure on the Committee, Ms. Nadeau and Ms. Morris have contributed their independent perspective and extensive experience, providing much appreciated insights and constructive advice to the organization.
In September 2023, the OPC was pleased to welcome two new external members to its Audit Committee, Carmen Vierula and Liette Dumas-Sluyter, who bring extensive qualifications and experience in governance, leadership, financial management, audit and public sector practices to the organization. Ms. Vierula will be taking over the duties of Audit Committee Chair in July 2024.
Suzanne Morris, CPA, CA
Carmen Vierula, FCPA, FCA, CIA
Liette Dumas-Sluyter, CPA, CMA, CIA
1.0 Introduction
The external members of the OPC’s Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities in the fiscal year 2023/2024, pursuant to the approved AC Terms of Reference.
In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to oversee control and governance processes and best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive input.
The Audit Committee’s review of, and observations on, each of the Committee’s oversight areas are detailed in Section 4 of this report.
2.0 Role and Membership of the Committee
The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent and objective guidance and advice about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities, and accountability reporting.
The AC is composed of the following members:
- Suzanne Morris, CPA, CA, Outgoing Chair, external member
- Carmen Vierula, FCPA, FCA, CIA, Incoming Chair, external member
- Liette Dumas-Sluyter, CPA, CMA, CIA, external member
- Philippe Dufresne, Commissioner, ex-officio member
In addition, the following OPC staff attend AC meetings:
- Richard Roulx, Deputy Commissioner, Chief Audit Executive (CAE) and Chief Financial Officer (CFO)
- Chantale Roussel, Secretary to the Committee and Director, Business Planning, Performance, Audit and Evaluation.
The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. To deliver on its approved Terms of Reference, the AC developed a 2023/2024 Work Plan. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments. In the Fall of 2023, the Audit Committee also performed a self-assessment exercise and developed an action plan to continue strengthening its performance and impact.
As part of the annual discussion of the Audit Committee’s work plan, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. A process for declarations of conflict of interest is in place, whereby members complete a written annual declaration form, which is reviewed by the CAE.
3.0 Summary of 2023/2024 Audit Committee Activities
The sections that follow summarize key activities and areas of focus in 2023/2024, together with advice provided to further strengthen management and oversight practices across the OPC.
3.1 Meetings
The AC held four formal meetings relating to the fiscal year as follows:
- June 1, 2023
- September 29, 2023
- December 13, 2023; and
- March 26, 2024
At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments since the last meeting as well as emerging matters or opportunities that could impact the OPC. These included briefings on the Office’s strategic and operational plans, and a discussion of corresponding measures put in place to manage risks. Ongoing updates were provided concerning significant legislative reform developments and their potential operational impacts, including their influence on the workforce and workplace of the future. These continue to be areas of focus for the Committee, as the Office develops its state of readiness in preparation for the anticipated implementation of new privacy legislation.
As part of the Audit Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence.
In addition to the formal AC meetings, the external members of the Audit Committee held periodic check-in calls with the Deputy Commissioner, Corporate Management Sector and CFO/CAE, and the Secretary to the Committee/Director, Business Planning, Performance, Audit and Evaluation.
Through these calls, external members received further updates on the evolving operating context, along with a discussion of the impact of these developments on the Office’s plans, priorities, finances, operations and people.
All of these discussions provided members with valuable perspective and insights that allowed them to stay current on the OPC’s key areas of business and to provide the Commissioner and senior management with independent advice on new or emerging areas or issues facing the OPC.
Following their appointment in 2023/2024, new external Audit Committee members benefited from orientation meetings with the Deputy Commissioners and the Director of Legal Services. This onboarding program included an overview of the responsibilities, priorities and operational plans of each sector, and the meetings were also attended by the Audit Committee Chair.
The AC Chair attended the annual Departmental Audit Committee (DAC) Symposium, organized remotely by the Treasury Board Secretariat (TBS) in November 2023. This informative event enhances DAC members’ understanding of relevant issues and developments across the federal public service and fosters the sharing of governance best practices. The Chair also participated in a related meeting of all DAC Chairs. Key messages and highlights of these meetings were shared with the other members of the Audit Committee.
3.2 Transparency
Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports, and internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.
4.0 Core Areas of Responsibility
The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with input that helps strengthen governance, risk management and control processes and practices across the OPC.
4.1 Values and Ethics
Values and Ethics (V&E) continues to be an area of importance for management and the AC. At its June meeting, the Committee discussed with management the 2022/2023 annual report on values and ethics, conflict of interest (COI) and post-employment measures. This report is shared with all OPC employees and is presented to the AC to inform members of the mechanisms in place to promote and ensure compliance with V&E at the OPC. No areas of concern were noted. An overview of the V&E activities planned for the coming year was also provided.
The Committee was subsequently briefed on an all-staff meeting held in January 2024, the purpose of which was to discuss values and ethics matters in conjunction with the review of the Public Service Code of Values and Ethics.
4.2 Risk Management
A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year as part of the strategic planning process. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring and is a key input into the organization’s strategic planning processes and the development of its operational plans. The OPC faces a confluence of factors, including the impact of digital acceleration and the growing complexity of privacy issues, legislative reform, and a changing workplace. Against this backdrop, the CRP and resulting mitigation and action items serve as an important touchstone as the Office navigates through change.
At its March meeting, the AC reviewed and discussed the draft CRP, which also serves as a key input into developing the Office’s annual Risk-based Internal Audit Program. As in prior years, as management monitors its key risks throughout the year, the external members looked to be apprised of any changes to the key risks as well as the effectiveness of risk mitigation strategies.
As part of its 2023/2024 Audit Committee meetings, the AC received verbal updates on corporate risks. As previously described, recurring check-in meetings were also held during the year to monitor the impact of continuing developments on OPC’s plans, processes, and operations.
These briefings included updates on strategic initiatives and consultations with employees during the year. The AC was briefed on an all-staff meeting held in September. During this session, employees’ perspectives were obtained on how the OPC can best operationalize its strategic priorities. Results of the most recent Public Service employee survey were also discussed with a view to developing actions to continually improve the workplace. The Clerk of the Privy Council also joined the Commissioner for a fireside chat on issues of leadership, values and ethics, and the important role of the public service. Employees were invited to ask questions and engage with the Clerk on these important topics. This session was followed by an environmental scan exercise and a senior management planning session geared to articulating the OPC’s strategic direction and plans to meet its strategic goals.
4.3 Management Control Framework (MCF)
On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results. A summary of the areas of the MCF examined and input provided by the external members follows.
4.3.1 Internal Controls over Financial Reporting (ICFR)
As part of its cyclical ICFR testing plan, work was carried out by external professional services firms in 2023/2024 on the OPC’s controls over the procure to pay process and the payroll process, with testing expected to be completed and reported to the Audit Committee in the first half of 2024/2025.
4.3.2 Financial Resource Management
In light of the increasing complexity and volume of privacy protection issues, the growing digital economy and expected privacy legislation reform, financial resource management continues to be critical to supporting the organization in effectively managing its resources in an environment of significantly growing workloads. The AC received an update on the OPC financial situation at each of its meetings. Briefings were also provided regarding the approach to assessing the financial and operational implications of potential legislative reform for the Office. These updates highlighted the due diligence with which OPC management strives to manage an expanding and evolving mandate.
4.3.3 Quarterly Financial Reporting
The AC reviewed and provided feedback on the OPC’s 2023/2024 1st, 2nd, and 3rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commended management for the clarity and conciseness of the reporting.
4.4 Internal Audit Function
The Audit Committee plays an active oversight role with respect to the OPC’s internal audit function. The mandate, roles and responsibilities, and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter which is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner. Following the introduction of an updated Treasury Board Policy on Internal Audit which came into effect in 2023, the Committee reviewed and updated both its Terms of Reference and the Internal Audit Charter at its December meeting. While the policy changes were relatively minor in nature, they provide flexibility as organizations adopt a broader set of assurance services to meet their evolving needs.
The Committee concurs with and continues to monitor the mechanisms in place at the OPC to ensure the independence of the internal audit function. The Office’s model has served it well over several years and was reaffirmed by an External Practice Inspection conducted in 2019-2020, with the OPC Internal Audit function receiving the highest rating of “Generally conforms” in all areas of inspection.
The OPC’s in-house internal audit capacity consists of a Senior Analyst, Results, Audit and Evaluation, a Director, Business Planning, Performance, Audit and Evaluation, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Corporate Management Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of its Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. This approach enables OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant with significant internal audit experience, also provides guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.
The Office’s 2023/2024 updated Risk Based Internal Audit Plan (RBAP) was presented to the Committee for approval at its March 2023 meeting. The plan was developed taking into consideration key organizational risks, the operational context and the level of change and transition taking place in the coming year. Given the strategic importance of strengthening organizational capabilities in a rapidly evolving privacy landscape, employee training and development was the chosen area of focus for 2023/2024. Work is underway on the Review of the Management Framework for Employee Training and Development, which is being conducted by an external professional services firm and is expected to be completed in 2024/2025.
4.5 External Assurance Providers
As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements.
The OAG Audit Principal attended the AC’s September meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2023 was a key document reviewed and discussed at this meeting. For the nineteenth (19th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG.
The Audit Principal from the OAG also attended the Committee’s March 2024 meeting to present the plan for the annual audit of OPC’s 2023/2024 financial statements.
4.6 Follow-up on Management Action Plans
The AC monitors management’s progress in implementing management action plans stemming from internal audit and internal control reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a periodic basis, the Committee receives and reviews a report on management’s progress in implementing outstanding action items. At its December meeting, the Committee received and reviewed a status update on the action plans resulting from two previous internal audit reports, the 2020 cybersecurity audit and maturity assessment, and the 2022 internal audit of information management (IM). The Committee noted the progress made since its last update and will continue to monitor progress on implementing action plans in these important and evolving areas.
4.7 Financial Statements
As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. As noted in section 4.5 of this report, at their September meeting AC members reviewed the OPC’s 2022/2023 audited financial statements and discussed them with the Director of Finance, the CFO, and the OAG Audit Principal. Following the discussions, the AC recommended that the Commissioner approve the financial statements.
4.8 Accountability Reports
The external members reviewed the OPC’s draft 2022/2023 Departmental Results Report (DRR) and the draft 2024/2025 Departmental Plan (DP). AC members provided comments to management prior to these reports being approved by the Commissioner.
5.0 Looking Ahead
The Committee looks forward to continuing to provide advice to the Commissioner regarding the oversight of the Office’s risk management, governance, and control processes.
As referenced throughout this report, the years ahead will continue to be a pivotal time for privacy developments. Going forward, as the Office contributes to the development and adoption of new Canadian privacy laws, a key area of focus will be the optimization of its organizational capacity to deliver value to Canadians. Concurrently, the continued development and implementation of a hybrid work model forms part of a new reality where it remains imperative for the organization to respond nimbly and effectively as it adapts to the workplace of the future.
In 2023/2024, the Commissioner laid out three key strategic priorities for the OPC which form the pillars of the Office’s strategic plan: protecting and promoting privacy with maximum impact, addressing and advocating for privacy in this time of technological change, and championing children’s privacy rights. Committee members will follow with interest how the decision-making processes may evolve to support these priorities.
An important area of focus for the Committee will be to help ensure that potential control gaps are addressed in an effective and timely manner. In this context, the Committee looks forward to monitoring, through its regular meetings and periodic check-ins, the Office’s progress on managing risks identified in its Corporate Risk Profile (CRP) and action plans related to projects under its Risk Based Audit Plan (RBAP).
Considering the challenging and uncertain environment, the Committee will continue encouraging the organization to maintain a strategic approach to implementing its HR and IM/IT plans.
Privacy legislation reform is expected to bring increased focus on strengthening capabilities, as well as on attracting and retaining talent within a strong and flexible governance model. In this regard, the Office’s HR Strategy will be particularly important to effectively support people management. It is expected to be a continued focus area for the AC.
Similarly, the organization needs to be able to keep pace with the evolution and challenges associated with new and evolving technologies. Ongoing progress in implementing action plans associated with both the cyber security audit and maturity assessment, as well as the IM audit will continue to be important areas of focus, as will the Office’s continuing development of its business intelligence strategy.
The Committee will receive with interest the results of the Office’s annual ICFR testing, including the results of testing of the procure to pay process expected in June 2024. Further, significant new guidance and requirements in this area have recently been issued by the Government of Canada to strengthen the management and oversight of government procurement. Updates to the Directive on the Management of Procurement include new Mandatory Procedures for Business Owners When Procuring Professional Services. The Committee looks forward to being briefed on these updates and new measures, and on the Office’s plans to address them. The Committee will also monitor the implementation of any other new/revised applicable Treasury Board policies.
The Committee will continue to pay attention to how the OPC responds to all of the above challenges through its risk management, decision-making, people management, financial management, program delivery, business continuity, change management and communications processes.