2023-26 Risk-Based Audit and Evaluation Plan

Table of Contents

Executive Summary


This document outlines the Risk-Based Audit and Evaluation Plan (RBAEP) for the Office of the Information Commissioner of Canada (OIC), which was updated in Q1 2023/2024. The RBAEP encompasses both the internal audit plan and the evaluation plan, covering the period up to the end of 2025/26. The primary aim of the RBAEP is to allocate assurance and evaluation resources on areas of the OIC that pose the most significant risks and hold the highest priorities, in accordance with Treasury Board (TB) policies on Results and Internal Audit.

The RBAEP builds upon the OIC's previous RBAEP and the Office of Comptroller General's (OCG’s) Three-year Risk-based Internal Audit Plan for 2022-23 to 2023-24, integrating evaluation projects in alignment with the TB Policy on Results and Internal Audit.

As an Agent of Parliament, the OIC reports directly to Parliament and is excluded from the traditional oversight by the Treasury Board of Canada Secretariat (TBS). However, the OIC recognizes the importance of an audit and evaluation committee and views its internal oversight mechanisms and governance structure as essential in ensuring that adequate management practices are in place.

Proposed Audits and Evaluations

Proposed Audits and Evaluations
Year Audit Project Name Primary OIC Entity


Cyber Security Maturity Assessment

IT/IM & Security


Real-Time Internal Audit of the Cyber Security Event Management Action Plan

IT/IM & Security


Internal Audit of Employee Retention

Human Resources

Planning Context


The Information Commissioner is an Agent of Parliament appointed under the Access to Information Act.

The Commissioner reviews complaints about how federal organizations apply to Act, so Canadians can receive the information to which they are entitled. The Commissioner is the first level of independent review of government decisions relating to requests for access to public sector information. The Act requires the Commissioner to investigate all the complaints she receives. The Office of the Information Commissioner (OIC) supports her in her work.

The OIC is to conduct efficient and fair investigations, be open and transparent when dealing with institutions and complainants, and provide expert advice to Parliament and other stakeholders on access to information.

The OIC also supports the Commissioner in her advisory role to Parliament and parliamentary committees on all matters pertaining to access to information. The OIC actively makes the case for greater freedom of information in Canada through targeted initiatives such as Right to Know Week and ongoing dialogue with Canadians, Parliament and institutions.

Caroline Maynard was appointed to the position of Information Commissioner of Canada for a seven-year term beginning on March 1, 2018.

OIC Strategic Priorities

As stated in the Strategic Plan 2020-21 to 2024-25, the OIC will pursue three strategies to achieve its vision, mission and values:

  • Invest in and support resources: OIC’s work is challenging and labour-intensive, and requires dedicated, professional staff to carry out. A team of more than 100 investigators, lawyers, communicators, ATIP specialists, and IM/IT, human resources, finance, security and accommodations experts work together to support the Information Commissioner and deliver her mandate under the Access to Information Act.
  • Innovate and transform operations: The ongoing technological advancements, Canadians' strong desire to keep the government in check, and the constant flow of news require the OIC to remain vigilant and not become complacent in its work. To stay adaptable and responsive to challenges, it is crucial for the organization to embrace innovation and revamp its operations. This can be achieved by utilizing technology creatively, implementing intelligent and efficient processes, and leveraging specialized knowledge. Such efforts will enable the organization to improve its ability to assist complainants, fulfill its corporate duties, and enhance overall agility and responsiveness.
  • Maintain and enhance credibility: The OIC's credibility is contingent on taking tangible actions and serving as a role model for other institutions by consistently delivering work that is both prompt and of high quality. Stakeholders, including ordinary citizens, access to information specialists, and parliamentarians, rely on the OIC to provide well-researched facts and informed viewpoints concerning access and transparency.

The development of the RBAEP incorporated these priorities.

OIC Structure and Resources

The OIC’s financial and human resources are shown in the table below.

OIC Structure and Resources
OIC’s Voted and Statutory Items (thousands of dollars) Planned Spending 2023-2024 Planned Spending 2024-2025 Planned Spending 2025-2026

Government Transparency




Internal Services








Total full-time equivalents (FTE)




The senior management organizational structure is shown in the diagram below.

The senior management organizational structure is shown in the diagram below.

Text version

This hierarchal chart shows the organizational chart at the Office of the Information Commissioner. The Information Commissioner is at the top of the hierarchy as the head of the organization. On the second level, there are three Deputy Commissioners. On the left, is the Deputy Commissioner of Legal Services and Public Affairs. In the middle is the Deputy Commissioner of Investigations and Governance and on the right is the Deputy Commissioner of Corporate Services, Strategic Planning and Transformation Services.

Progress on Implementation of the 2017/18-2021/22 OIC Audit and Evaluation Plan

The progress made on the engagements identified in the previous RBAEP is stated in the table below.

Progress on Implementation of the 2017/18-2021/22 OIC Audit and Evaluation Plan
Planned Year Audit Project Name Primary OIC Entity Status


Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) – narrow scope

Information Technology (IT)

Completed in 2020-21


Audit of Contracting and Procurement

Canadian Human Rights Commission (CHRC) and OIC - Finance

Completed in 2021-22

2018-2019, 2019-2020 & 2020-2021

Threat Risk Assessment (TRA) and Threat Vulnerability Assessment (TVA) – wide scope

Information Technology (IT)

Merged with item in the first line.

2021-22 and 2022-23

Program Evaluation of Investigations

Senior Management and Complaints Resolution

Management Action Plan – In progress

Phase I – Evaluation of Registry 2021-22

Phase II – Evaluation of the Investigation and Governance (rest of the program) 2022-23


Performance and Talent Management Review

Human Resources (HR)

Fully Compliant

Replaced by Public Service Commission Staffing Evaluation which was done by External Quality Assurance Provider in 2021-22


Audit of Information Management and Physical Security

Corporate Services

Removed. Activity was Replaced by Development of Departmental Security Plan (DSP) and Business Continuity Plan (BCP).

OIC Key Organizational Risks (2023-24)

Risk management plays a significant role in enhancing an organization's capacity to respond to threats and opportunities in a complex and dynamic environment. It enables the organization to address change and uncertainty by utilizing risk information for decision-making, fostering trust and confidence internally and externally.

To fulfill the OIC’s mandate, the management regime must possess attributes of flexibility, innovation, and be result focused. The Risk Management Framework (RMF) provided offers practices and processes for consistent implementation of risk management, aiding the organization in meeting its business objectives and fulfilling its mandate and priorities.

The RMF defines governance as a combination of processes, structures and organizational behaviours implemented at the OIC. Oversight is recognized as the monitoring activities associated with risk management that occur at all levels of the organization. This approach is based on a tailored version of the Institute of Internal Auditor’s Three Lines of Defence Model.
Below is an illustration of the RMF.

OIC Key Organizational Risks (2023-24)

Text version

This figure illustrates the risk management governance model. The commissioner is at the top. Below, on the left side, are the Supporting Risk Functions, in the centre right are the decision-making bodies and the External Assurance Providers are on the bottom right side.

The Supporting risk functions are composed of the Chief Security and Risk Officer, who:

  1. Support management boards in their role over organizational risk management
  2. Maintain the Organizational Risk Management Framework, guidance and tools
  3. Connect-the-dots between sources of risk information
  4. Lead organizational risk management awareness and training
  5. Identify, analyze and assess organizational risks.
  6. Challenge, monitor and report on organizational risks and mitigation.
  7. Facilitate the setting of organizational risk appetite and tolerance.

And the Horizontal Risk Areas, which:

  1. Support Executive Management Committees by challenging, monitoring and reporting on horizontal risks and mitigation, and reviewing and escalating horizontal risks (e.g., privacy, fraud, programs/project)
  2. Support management and mitigation owners in identifying, analyzing and assessing horizontal risks, and developing risk mitigation.
  3. Advance horizontal risk management awareness, training and practices.
  4. Facilitate setting of risk appetite and tolerance for horizontal risk areas.

The Decision-making bodies are the Senior Management Committee, which provides leadership and oversight over:

  1. OIC’s mandate, objectives and priorities
  2. Enterprise, horizontal and organizational risks and mitigation
  3. Setting organizational risk culture and appetite

And the ExCom, which provides leadership and oversight over:

  1. Sectoral/divisional activities and deliverables
  2. Sectoral/directorate analysis, assessment, control of the organization’s risk areas
  3. Sectoral/directorate maintenance of information, risks and mitigation
  4. Sectoral/divisional input into preparation and maintenance of risk register (taxonomy) and e-scans.

The External Assurance Providers are the Agency Audit Committee, which provides Advice and Guidance and the Chief Audit Executive, which:

  1. Provides independent assurance on the design, adequacy and effectiveness of governance, risk management and controls over business processes.
  2. Undertakes risk-based audit planning to identify areas of risk where Internal Audit could provide value through assurance and advisory engagements.

There are arrows in this image.

One is pointing from the Chief Security and Risk Officer to Advise and Inform the Commissioner.

One is from the Agency Audit Committee to Advise and Inform the Commissioner.

One is from the Chief Security and Risk Officer to Support with Analysis to the Senior Management Committee.

One is from the Horizontal risk areas to inform the Chief Security and Risk Officer.

One is from the Horizontal Risk areas to Support with Analysis to the Senior Management Committee.

One is from the Chief Security and Risk Officer and the Horizontal risk areas to support, Analyze and Train the ExCom.

One is from the ExCom to Inform the Chief Security and Risk Officer.

One is placed between the decision-making bodies and the External Assurance Providers, pointing upwards and called Risk Escalation.

Given the relatively small size of the OIC compared to other GoC organizations, opportunities for efficiencies must not be wasted. Therefore, senior management took the decision to conduct an integrated-risk assessment exercise that served to address the needs of various risk-dependent documents and initiatives, namely: the Organizational Risk Profile, the Risk-based Audit and Evaluation Plan, and the Departmental Security Plan.

The following list of key organizational risks was developed in 2023 based on an enterprise-wide risk assessment exercise, aligned with the new RMF approach. This builds on the foundational risks included in the previous RBAEP and is streamlined to reflect organizational maturity. Simply put, this was based on leading practices in risk management and included an environmental scan, documentary reviews, interviews with key stakeholders, group risk discussions and assessment of risks using ratings associated with impact and likelihood.

The results of this exercise identified the following risk areas:

1. Regulatory Management

This risk include the ongoing increase in access requests and the fact that the OIC will receive more complaints as a result. In addition, as the Commissioner is issuing more orders, there is a risk that the Commissioner's orders will be challenged in Federal Court or ignored by institutions, thereby increasing the need to resort to litigation. Current resources in legal services are insufficient to adjust to this new reality. The fact that the OIC continues to operate with a funding mechanism that is dependant on the Government priorities, that the current level of permanent funding is inadequate to handle the growing level of complaints and litigations, exacerbate the situation. Some, if not all aspects of this risk are outside the OIC’s control. Ultimately, not having the financial flexibility to adjust its resources to increased demand and to properly fulfill its oversight mandate affects the credibility of the Office of the Information Commissioner. It has significant detrimental effects on democracy, the credibility of federal institutions, and the access right of Canadians.

2. Human Resources Management

As an Agent of Parliament who must operate independently with relatively small complement of employees, the risk of having an insufficient number of employees with the breadth and depth of experience necessary to complete volume driven core activities or able to efficiently tackle competing priorities is omnipresent. Furthermore, the loss of qualified employees to larger organizations with more opportunities for advancement could have an impact on the OIC’s ability to deliver its mandate in a timely manner. This risk also includes the challenge to recruit, develop and maintain ongoing capacity in the human resources directorate as well as IT project management functions in order to fully support the program. Risks related to the appropriate management of employees including values and ethics, recruitment, retention, succession planning and capacity building.

3. IM/IT

Risks related to the development of IT infrastructure and critical program applications, maintenance of these assets throughout their life cycle, development of new assets, and security vulnerabilities related to IT networks. The size of the OIC is also affecting our IM/IT capacity and there is a risk that the OIC cannot hire sufficient employees with the necessary breath of experience to tackle the IT projects and innovate. Having a pool of subcontractors who can assist the OIC and offer the necessary services is key to reduce this risk.

4. Security Management

Risks related to controls and operations designed to prevent, detect, respond to and recover from security breaches and infractions that threaten the security of government operations.

5. Program Design & Delivery

Risks related to the development, design and delivery of the OIC mandate at the program level.

6. Organizational Transformation & Change

Risks related to the implementation of structural and procedural changes to the operation of programs and services.

7. Management of Shared/Common Services

Risks related to the quality and availability of shared services.

8. Financial Management, Contracting, Procurement, Personnel & Physical Security, and Asset Management

Risks related to the sound stewardship of financial resources.

All the above risks are managed in accordance with the risk management practices as described in the OIC Risk Management Framework. The assessment and ranking of these risks are discussed later in this document.

OCG Audit Areas for Small Department Risks

The Treasury Board Secretariat (TBS) is responsible for providing central audit and oversight to a group of small government departments and regional development agencies. These departments and agencies, which have fewer than 500 employees and an annual approved expenditure of $300 million, are overseen by a Small Departments and Agencies (SDA) audit committee consisting of externally appointed members. While the OIC, as an independent Agent of Parliament, is not subject to this oversight, it does, nonetheless, choose to consider the SDA high-risk categories that TB has established in its audit plan priorities. TBS has identified twelve areas for audit consideration:

  • Vaccination of Employees in the Core Public Service
  • Digital Strategy / Open Government
  • Organizational Transformation & Change
  • Human Resources Management
  • Program Design & Delivery
  • Management of Shared / Common Services
  • Information Technology
  • Asset Management
  • Regulatory Management
  • Contracting & Procurement
  • Security Management
  • Financial Management

For the period 2022/23 – 2023/24, the OCG is conducting the following horizontal audit engagements:

For the period 2022/23 – 2023/24, the OCG is conducting the following horizontal audit engagements
Planned Year Audit Project Name Preliminary Objective

2022/23 – 2023/24

Horizontal Internal Audit of Departmental Adoption of Digital Standards.

To identify key enablers and barriers to success of departmental adoption of the Digital Standards in order to provide advice to the Treasury Board Secretariat on how they may better support the departments in their adoption and to provide assurance that the expected government-wide results of the Policy on Service and Digital can be achieved.


Horizontal Internal Audit of Human Resources

To determine whether sufficient governance structures and management practices have been put in place to support the work force; and whether the associated human resources risks have been documented and assessed.

2022/23 – 2023/24

Internal Audit of the Implementation of the Core Control Self-Assessment Tool

To help raise awareness of key financial management core controls in departments; and empower departments to assess, maintain and improve core controls, as needed, in between audit cycles.

2022/23 – 2023/24

Horizontal Internal AuditFootnote 1 on the Implementation of the Policy on COVID-19 Vaccination for the Core Public Administration in Small Departments

To assess the implementation of selected elements of the Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police, in a sample of small departments.


Horizontal Internal Audit of Contracting in Small Departments

To identify root causes of contracting core control weakness that were identified during Cycle I of the Core Control Audits.

To avoid duplication of effort and burden on the organization, the OIC considers the work of the OCG in the planning of its own assurance activities. In addition, observations and recommendations from OCG engagements – even if the OIC is not in scope – will be assessed for applicability and incorporated into the operations of the organization.

Planning Approach

Key Audit and Evaluation Requirements

There are a number of TB policies, directives and guidelines that establish the requirements and best practices for audit and evaluation planning in the federal government. These policies, directives and guidelines were used as best practices in the development of the RBAEP. This section highlights some of the key requirements and obligations and presents the approach used to assess and prioritize projects for inclusion in the RBAEP.

Evaluation Coverage and Plan

Evaluation aims to systematically collect and analyze evidence on Government of Canada program outcomes. These evaluations help assess the value for money of programs and explore alternative approaches to achieve similar results.

According to Treasury Board policy, federal institutions are required to develop a rolling five-year evaluation plan. This plan has two main components:

  • The Financial Administration Act (section 42.1) mandates the evaluation of all ongoing grant and contribution programs on a five-year cycle (not applicable to the OIC).
  • Deputy Heads have the responsibility to annually approve and provide the Treasury Board of Canada Secretariat with an evaluation plan. This plan should clearly outline the planned evaluation coverage, including organizational spending and programs listed in the Program Inventory, for the designated planning period. It's important to note that Agents of Parliament are exempt from providing a five-year audit and evaluation plan as per the Policy on Results.

In addition, there are a number of other potential planning requirements. Notably, evaluation plans must also do the following:

  • align with the Departmental Results Framework (DRF);
  • support the Expenditure Management System;
  • include the administrative aspect of major statutory spending (does not apply to the OIC); and
  • include other programs, specific evaluations or elements of the government’s overall evaluation plan, when applicable.

Due to the OIC’s specific mandate, its direct program spending is focused solely on ensuring compliance with access to information obligations under the Act. The internal services program exists to support this main program area. While the OIC has a limited internal evaluation function and relies on external resources in the execution of planned engagements, it has implemented a formal performance measurement strategy. The annual report includes comprehensive analysis, comparing the OIC's performance in both the program area and internal services. In cases where necessary, more thorough reviews are conducted to examine the underlying causes of emerging trends and performance variations related to the protection of access to information rights as mandated by the Act.

Given that the OIC has recently completed an Evaluation of Investigations (2021-22 and 2022-23), and therefore met the program evaluation coverage requirements, the organization will focus its assurance resources on internal audit engagements for the next three years.

Internal Audit Plan

Internal audits provide independentFootnote2, objective and substantiated conclusions on the effectiveness of risk management, control and governance processes. The focus is on all management systems, processes and practices, including the integrity of financial and non-financial information. Internal audit assurance services provide evidence-based opinions on the extent to which the system of internal controls is adequate and effective to support the following imperatives:

  • achievement of operational objectives;
  • safeguarding of assets;
  • economy and efficiency of operations;
  • reliability and integrity of financial and operational information; and
  • compliance with legislation, policies and procedures

In accordance with TB policy, internal audit plans must ensure coverage of areas of higher risk and significance. The internal audit plan should also have the following characteristics:

  • be risk-based;
  • be reviewed by the audit committee;
  • be focused predominantly on the provision of assurance services;
  • have a multi-year horizon;
  • address risks and internal audits identified by the Comptroller General as part of government-wide coverage; and
  • support annual assurance reporting on the overall state of organizational risk management, control and governance processes

Planning Approach

The approach taken to develop the plan complies with the recommended methodology of the Institute of Internal Auditors’ International Professional Practices Framework. The diagram below shows the main elements of the approach.

Review & Update of Audit & Evaluation Universe

Review and update of potential areas that could be subject to an internal audit engagement or program evaluation.>

Environmental Scan of Audit & Evaluation Univserse

Enterprise-wide risk assessment and consultations with stakeholders.

Prioritization of Audit & Evaluation Univserse

Rated assessment of impact and probabilities used to drive prioritization.

Project Selection & Plan Development

Develop plan for the conduct of engagements based on previsous audits, resource constraints and timing.

Identification of the Audit and Evaluation Universe

The OIC’s audit and evaluation universe is directly based on the identified risk areas. It encompasses a comprehensive list of potential audit and evaluation topics, projects, or areas that align with the identified risks. By basing the audit and evaluation universe solely on the identified risk areas, it ensures a targeted and efficient approach for the OIC. In other words, this is a “right-sized” approach for the size of the organization.

To achieve this alignment, the processes within the audit and evaluation universe directly correspond to the specific risk areas, as previously stated in the OIC Key Organizational Risks section. This approach allows for a direct mapping of audit and evaluation activities to the identified risks, ensuring that the focus remains on addressing the highest priority areas.

Furthermore, this approach eliminates any potential gaps between the risk identification process and the audit and evaluation planning. It ensures that the audit and evaluation universe precisely reflects the risk landscape of the organization and enables a seamless transition from risk identification to audit and evaluation execution.

By making the audit and evaluation universe synonymous with the identified risk areas, the OIC can streamline its efforts, focus on the most significant risks, and deliver impactful results that contribute to the overall success and risk management of the organization.

Prioritization of Audit and Evaluation Entities

During the course of the consultations with senior stakeholders, each potential risk area was ranked using two criteria: risk probability of occurrence and risk impact on the OIC on scales of 1 (low) to 5 (high). These scores were then averaged and plotted on the graph below to provide the organization with a visual representation of risk. This “heat map” is shown below.

Prioritization of Audit and Evaluation Entities

Text version

Potential risks were ranked from low (1) to high (5) for Impact (I) and Probability (P). The following was scored as follows:

For Information Technology/Information Management and Human Resources Management, the score was 3.5 for Impact and 3.5 for Probability.

For Regulatory Management, the score was 4.5 for Impact and 4.2 for Probability.

For Program Design & Delivery, the score was 2.3 for Impact and 2.3 for Probability.

For Security Management, the score was 2.5 for Impact and 2.0 for Probability.

For Organizational Transformation and Change, the score was 1.0 for Impact and 1.9 for Probability.

For Management of Shared/Common Services, the score was 1.0 for Impact and 1.0 for Probability.

For Financial Management, Contracting & Procurement, Personnel and Physical Security and Asset Management, the score was 1.4 for Impact and 1.0 for Probability.

Project Selection and Plan Development

Audit and evaluation projects were selected to be included in the OIC RBAEP with the highest audit priorities identified serving as the starting point and providing the main but not only consideration for project selection. The top priority risks topics were examined against a variety of constraints and opportunities, including the following:

  • recently completed audits
  • availability of audit and evaluation resources over the three-year period;
  • feasibility of conducting an audit or evaluation;
  • other reviews providing oversight (i.e. evaluations, Office of the Auditor General (OAG) audits);
  • mandated audit projects (i.e. follow-ups, OAG, OCG and Public Service Commission obligations for horizontal audits);
  • risk tolerance;
  • management requests; and
  • Audit and Evaluation Committee and senior management direction.

In finalizing the RBAEP, care was taken to ensure the audit and evaluation universe was appropriately covered. The RBAEP reinforces the integration of audit and evaluation projects, when feasible, while ensuring evaluation coverage of all direct program spending.

Audit and Evaluation Plan and Summary

Given the relatively small size of the OIC and the associated resource constraints, it is realistic to target the undertaking of one assurance-type engagement per year. This approach considers the available resources within the OIC and ensures that the necessary time and effort can be dedicated to conducting a thorough and comprehensive audit or evaluation.

The limited size of the organization necessitates a focused and prioritized approach to the allocation of resources for assurance engagements. By conducting one engagement per year, the OIC can concentrate its efforts on addressing key risks and priorities, such as those related to cyber security and human resources management, while still maintaining its day-to-day operational demands. This approach allows for the necessary planning, execution, and reporting phases of the engagements to be carried out effectively, ensuring quality and comprehensive results.

By setting this realistic target, the OIC can optimize the use of its limited resources and achieve meaningful outcomes from each assurance engagement. It allows for a thorough examination of the identified risks and priorities within the organization, while still considering the constraints and capacity of the OIC as a small-sized entity.

Detailed Audit and Evaluation Plan (2023/24-2025/26)

The table below provides the objective, scope and rationale for each of the planned projects proposed for 2023-24 to 2025-26. It should be noted that these may be modified depending on the results of the planning phases of each of the respective projects. In addition to the audit projects below, internal auditors will continue to attend key management and Audit and Evaluation Committee meetings, and conduct follow-ups on previous audits (as appropriate).

Detailed Audit and Evaluation Plan (2023/24-2025/26)
Year Audit Project Name Primary Entity Audit Scope, Objective and Rationale


Cyber Security Maturity Assessment

IT/IM & Security Management


The preliminary objective is to assess the maturity of the OIC’s cyber security program and posture to ensure that the organization's cyber risks are effectively managed, identify areas for improvement, and address the heightened risk associated with the post-Covid-19 hybrid work environment.


The preliminary scope of the engagement will include all aspects of the OIC’s cyber security framework and will take the form of:

  • Assessing the maturity of the OIC's cyber security program and posture, including policies, controls, and risk management practices, to identify areas for improvement and address heightened risks in the post-Covid-19 hybrid work environment.
  • Evaluating the alignment of the OIC's cyber security program with recognized leading practice, such as the GC Cyber Security Management Guidelines, to ensure compliance and effectiveness in protecting sensitive information.
  • Reviewing incident response and recovery capabilities to assess readiness in addressing cyber security incidents and mitigating potential impacts in the post-Covid-19 hybrid work environment.
  • Assessing the readiness and response capabilities in handling cyber security events in real-time.
  • Evaluating employee awareness and training programs to ensure staff members possess the necessary skills to identify and respond to cyber threats, promoting a culture of security within the organization.
  • Reviewing data protection measures, including access controls and backup procedures, to safeguard sensitive information and ensure compliance with relevant privacy regulations.


As one of the key risks identified in the OIC’s Departmental Security Plan, a comprehensive assessment of the maturity level of the cyber security assessment is overdue.

Conducting such an assurance activity, will provide important information on how the organization’s cyber risks are being managed and identify areas for improvement. Without a completed maturity assessment, the OIC may not be able to adequately identify and prioritize cybersecurity risks, establish mitigation strategies, and allocate resources effectively.

The elevated risks resulting from the post Covid-19 pandemic hybrid work environment make this risk even more important to address.

Observations made in this engagement will directly feed into next year’s planned Real-Time Internal Audit of the Cyber Security Event Management Action Plan.


Real-Time Internal Audit of the Cyber Security Event Management Action Plan (CSEMP)

IT/IM & Security Management


The preliminary objective is to assess the immediate risks and impacts associated with the absence of a CSEMP within the organization and provide real-time actionable recommendations for its development and implementation. The real-time nature of the engagement will ensure that valuable time and effort is not expended in a sub-optimal manner or direction.


The preliminary scope of the engagement will include all aspects of the OIC’s IT/IM security framework and will take the form of:

  • Evaluating the current cybersecurity framework and policies to identify gaps and vulnerabilities.
  • Assessing the readiness and response capabilities in handling cyber security events in real-time.
  • Reviewing the effectiveness of incident response procedures and mechanisms.
  • Identifying immediate risks and potential consequences arising from the absence of a CSEMP.
  • Examining compliance with relevant GoC cybersecurity regulations, standards, and leading practices.
  • Assessing the allocation of resources and responsibilities for cyber security incident management in real-time.
  • Reviewing the organization's detection, analysis, and response capabilities to cyber security incidents.
  • Assessing the communication and reporting mechanisms for cyber security events.
  • Providing real-time recommendations for the development and implementation of a CSEMP to enhance the OIC’s cyber security posture.


Conducting this internal audit will enable the OIC to proactively address the risks associated with the absence of a CSEMP (a high risk noted in the most recent Departmental Security Plan), identify and provide immediate actions for improvement, and ensure that efforts are aligned with leading practices, TBS standards and regulatory requirements.


Internal Audit of Employee Retention

Human Resources Management


The objective is to assess OIC’s employee retention practices and factors. The internal audit aims to identify strengths, weaknesses, and underlying causes of turnover and factors influencing employee engagement. Recommendations will be provided on improving employee retention rates and enhance overall workforce satisfaction and commitment.


The scope of the engagement will include all factors influencing employee retention will likely take the form of:

  • Reviewing and analyzing historical employee retention data, including turnover rates, reasons for departure, and demographic trends. Identify significant patterns or changes over time.
  • Assessing the OIC's human resources policies and practices related to employee retention. This includes reviewing recruitment and selection processes, onboarding procedures, performance management systems, career development programs, compensation and benefits structures, and workplace policies affecting retention.
  • Evaluating employee engagement within the OIC. Review employee satisfaction surveys, conduct interviews or focus groups, and assess feedback mechanisms to understand employee perceptions, motivations, and commitment.
  • Assessing the effectiveness of leadership and management practices in promoting employee retention. Evaluate the capabilities of supervisors and managers in creating a positive work environment, providing support, recognition, and growth opportunities, and addressing employee concerns.
  • Reviewing the OIC's compliance with relevant employment laws, regulations, and policies. Ensure adherence to legal requirements regarding employment conditions, fair treatment, and employee rights impacting retention.
  • Comparing the OIC's retention practices and outcomes with Government of Canada benchmarks and leading practices when available.
  • Assessing the effectiveness of previous retention initiatives and programs implemented by the OIC. Review outcomes, impact, sustainability, and employee feedback on these initiatives.


Like most Government of Canada organizations, the OIC workforce is the most important asset to deliver on its mandate. OIC appears to have some difficulty in retaining high performing employees. Nevertheless, an engagement of this nature will provide senior management with valuable observations and recommendations on which actions can be taken to improve matters.

An internal audit with a related objective and scope was previously planned for the 2021-22 fiscal year. However, it was replaced by an external assurance review that was conducted by the Public Service Commission of Canada and external expert advisor.

Date modified:
Submit a complaint