2023-24 Audit and Evaluation Committee Annual Report

Table of Contents

• Foreword from the Chair
• Introduction
• Committee Role and Membership
• Meetings
• Activities
  • Values and Ethics
  • Risk Management
  • Management Control Framework
  • Internal Audit
  • Evaluation
  • Follow-up on Management Action Plans
  • Financial Statements and Public Accounts Reporting
  • Accountability Reporting
  • External Assurance Provider
• Overall Assessment of Risk Management, Control and Governance
• Audit and Evaluation Committee Effectiveness
• Forward Planning

Foreword from the Chair

2023-24

This report marks the first of my tenure as Chair of the Audit and Evaluation Committee for the Office of the Information Commissioner.  Graham Fraser stepped down as chair and passed the role to me.  OIC and the Committee are grateful for his enormous contributions during his time as Chair.

In my first year as Chair I have been impressed by the leadership provided by the Commissioner, and the dedication and hard work of the executives and staff of the organization. This has enabled the Office to deal with a large volume of complaints received on an annual basis and to make significant progress in tackling the backlog of cases  

The Audit and Evaluation Committee has been in a privileged position to see how the executive has responded effectively to the unique problems faced by the organization. The Office of the Information Commissioner is a small organization, and I have been impressed by the scrupulous and responsible management of its budget and the competence of the management team

I wish to acknowledge the continued contribution of fellow Committee member, André Grondines, who brings rigour and expertise to the Committee. 

Janine Sherman
Chair, Audit and Evaluation Committee, 

Introduction

The external members of the Audit ad Evaluation Committee (AEC) of the Office of the Information Commissioner (OIC) have prepared this report as a summary for the Information Commissioner of the Committee’s work from April 1, 2023 to March 31, 2024.

The report is also a vehicle for the external members to present their thoughts on areas for improvement at the OIC, based on the Committee’s assessments and deliberations over the last years. The previous Audit and Evaluation Committee Report for FY 2021 – 22 was approved at the AEC meeting on February 8, 2023.

Committee Role and Membership

The Committee’s role is to provide the Commissioner with objective advice, guidance and recommendations on the adequacy of the OIC’s control and accountability processes, as well as the use of evaluation within the OIC, in order to support management practices, decision-making and program performance.

To offer this support, the Committee exercises active oversight of core areas of the OIC’s management control and accountability framework. In so doing, Committee members address high-level strategic issues, as well as ongoing operational ones, to support the independence of internal audit activities within the OIC and the impartiality of the evaluation function. The Committee’s input also helps ensure that internal audit and evaluation results are incorporated into the OIC’s priority setting, and business and planning processes.

Committee members, as strategic resources for the Commissioner, also provide such advice and recommendations as she may request on specific emerging priorities, concerns, risks, opportunities and/or accountability reporting. This activity was largely carried out not only during the four Committee meetings held during the past years, but also during meetings with the Commissioner outside of the formal meetings.

The Committee has three members, two of whom are external to the federal government. The external members during 2023-2024 were Janine Sherman (chair) and André Grondines. Together, the external members have broad knowledge and experience in the areas of audit, management controls and risk management in both the public and private sectors, as well as in the operations and responsibilities of Agents of Parliament. Information Commissioner Caroline Maynard is the third member of the Committee.

Permanent Committee members attended meetings during the reporting period:

• France Labine, Chief Financial Officer, Chief Audit and Evaluation Executive and Deputy Commissioner of Corporate Services, Strategic Planning and Transformations Services
• Layla Michaud, Deputy Commissioner of Investigations and Governance
• Gino Grondin, Deputy Commissioner of Legal Services and Public Affairs or Natacha Bernier, Acting Deputy Commissioner of Legal Services and Public Affairs
• Sébastien Lafond, Deputy Chief Financial Officer (DCFO) and Senior Director, Finance, Procurement, Administration and Security
• Bojana Terzic, Team lead - Strategic Planning, Policy and Program Evaluation and Audit who served as the AEC secretary, or Michael Walsh, Financial Management Advisor and
• Catherine Lapalme, a senior representative of the Office of the Auditor General (OAG)

Various OIC other staff members were also in attendance to present reports and other deliverables, or to give Committee members updates on the OIC’s business and other activities.

Meetings

The Audit and Evaluation Committee met four times between April 1, 2023 and March 31, 2024:

• June 7, 2023
• September 20, 2023
• November 23, 2023
• February 22, 2024

The Commissioner met with the external members in camera at the conclusion of each meeting. The OIC posted the approved Committee meeting minutes on its website.

Activities

The Committee’s activities fall under nine categories, as set out below. These areas of responsibility are linked in many ways—particularly with regard to risk and strategic priorities —and Committee members take this into account when carrying out their assessments and providing advice.

Values and Ethics

In 2021, the Committee approved a new Code of Values and Ethics for the Office of the Information Commissioner. The Code expanded on the five values set out in the Strategic Plan 2020-21 to 2024-25: Respect, Collaboration, Transparency, Accountability and Conflict of Interest, and advised employees on the use of caution and good judgment in their personal use of social media. 

 The Committee reviews any measures OIC management puts in place to exemplify and promote public service values and to ensure compliance with laws, regulations and policies, and standards of ethical conduct. The AEC was satisfied with the degree of which ethics and values are embedded and assessed within OIC operations. There was no report or cases of wrong doing and the value and ethics code is being respected. This included violence in the workplace and conflict of interest. 

Risk Management

Risk assessment and mitigation are ongoing focuses of the Committee’s work, including reviewing the OIC’s corporate risk profile and risk management strategies and activities.

Committee members, with the assistance of the OIC’s Chief Audit Executive, reviewed and adjusted the schedule of upcoming audits and evaluations.

Management Control Framework

Activities and discussions pertaining to the management control framework, which is linked to all other areas of responsibility, are ongoing including presentations on the OIC’s internal control mechanisms.

At the June 7, 2023 meeting, the key controls implemented to ensure the proper calculation of pay as a result of the strike by members of the Public Service Alliance of Canada union were presented.  A post payment verification exercise showed a 98% accuracy rate related to the calculation of the pay for employees impacted by the strike. 

At the September 30, 2023 meeting OIC’s first multi-year internal control testing plan was presented.  The testing performed in the first year focused on payroll & benefits and the procure to pay process.  There were no significant issues identified during the testing. 

At the November 23, 2023 meeting the steps that OIC has taken to resolve over and under payments caused by the Phoenix pay system was presented.  It highlighted the work under taken by the HR and Finance teams at OIC, and that an MOU was signed with PSPC to provide services to help resolve issues with pay files. 

Internal Audit

The Committee’s responsibilities with regard to internal audit include reviewing plans for and reports on internal audits, and their resulting management action plans.  The updated RBAEP and Risk Management Framework were presented at the September 30, 2023 meeting. 

Evaluation

The Committee’s responsibilities with regard to evaluations include reviewing and approving the OIC’s RBAEP, reports on individual evaluations and management action plans, and receiving status updates on how the OIC implementing the recommendations. The AEC also monitors the Treasury Board Policy on Evaluation for any changes to that policy direction. Like the Policy on Internal Audit, the OIC is not mandated to adhere to either policy as an independent Agent of Parliament, but chooses to follow the spirit of the policies.

Follow-up on Management Action Plans

The Committee received regular updates from management on action plans on the status and effectiveness of management follow-up actions. Follow up briefings were provided at each of the four meetings held during the year and included such management areas as: Corporate Services; Investigations; Legal Services; and Public Affairs.

At the September 30, 2023 meeting the final updates to Management Action Plan were presented on the Phase I – OIC Program Evaluation (Registry) and Phase II – OIC Program Evaluation (Investigations)

As of March 31, 2024, follow-up actions highlighted during senior staff briefings on the above management areas noted above were either nearing completion or had been completed for the Human Resources – PSC Staffing File & Monitoring Exercise and the Evaluation of Internal Controls over Salaries and Employee Benefits. The AEC was in approval management actions taken to address the identified risks or functions.

At each AEC meeting, members were provided with the minutes and an update of action items arising from those meetings and were satisfied that all actions had been satisfactorily addressed.

Financial Statements and Public Accounts Reporting

The OAG presented its annual Financial Audit Report for 2022–2023 with an unmodified opinion, finding no significant deficiencies in internal controls and requiring no significant financial statement adjustments. The major risk for this audit (and not limited only to the OIC) is related to the Phoenix system. The risk remains high but controls in place ensure that the risk is very limited. Based on the test samples, the OAG was comfortable. The 2023-24 Audit Plan of the OAG was presented by the OAG Principal at the Committee meeting on February 22, 2024 and the approach was approved. The AEC confirmed to the OAG that there were no changes in management’s fraud prevention and detection responsibilities and that there was no knowledge of any fraud.

Throughout the year, the CFO and the DCFO briefed Committee members on the status of the current years budget (2023-24 and 2024-25), and the preparation of the budget allocation exercise.

Accountability Reporting

The Committee reviewed various corporate accountability reports and provided advice to the Commissioner during the year.

External Assurance Provider

The Committee carried out objective assessments regarding the OIC’s operations, results, risks, stewardship and governance.

The Committee carried out its role during the year of satisfactorily providing advice and recommendations on matters for which the Commissioner, as the Deputy Head, serves as the Accounting Officer for the organization.

The Committee received all the information it deemed necessary to fulfil all its mandate obligations.

Two external service provider exercises were started during the reporting period. Regular updates were provided at each of the meetings on the OIC management response and progress so far.  

1. Complaints Consultation

OIC hired an external consultant to seek input from complainants on its investigations program.  The findings of the consultation will help OIC develop and refine is communication and accessibility strategies, identify process improvements and further optimize its operations.   The final report along with the management action plan will be presented to the Committee in 2024-25. 

2. Cyber Maturity Self Assessment 

As part of the Departmental Security Plan and Risk Based Audit and Evaluation Plan, OIC is performing a self-evaluation of its cyber security process using the TBS Cyber Maturity Self-Assessment tool.  OIC has also hired an external consultant to evaluate OIC’s self assessment and a technical writer to assist with the development of policies and procedures.  The evaluation is expected to be completed by March 31, 2024 and Information Technology team will start working on 3-year action plan to address the findings.  The final report along with the management action plan will be presented to the Committee in 2024-25. 

Overall Assessment of Risk Management, Control and Governance

Based on reviews conducted and discussions held throughout 2023-24, the Committee is reasonably satisfied that the OIC’s risk management, control and governance processes are functioning well.

The Committee appreciates the due diligence the OIC has exercised in the development of sound management and internal control processes and practices, and is encouraged that management strives for constant improvement.

Audit and Evaluation Committee Effectiveness

The Committee’s external members are pleased with the Committee’s ongoing development and maturity in its advisory role. Members were provided with complete, timely and accurate information to enable them to discharge their mandate. Members were pleased with the professionalism of staff, their candour concerning the challenges they face and their willingness to implement suggestions.

The Committee has established itself as an integral part of the OIC’s governance system. Despite the pressures of competing priorities and the multitasking typical of small organizations, the commitment and engagement of senior officials and functional specialists have been invaluable in helping the Committee fulfill its role. Based on our observations over the past year, the two external members of the Committee conclude that the OIC has a systematic and rational approach to addressing its mandate, to monitoring results and to reporting publicly.

The Committee also performed a self assessment which indicated that members believe they have the information, tools and knowledge required for their roles.

Forward Planning

The Committee is scheduled to meet four times during the 2024-25. Its goals are to continue to provide advice that reflects core public sector principles and values, take into account the independence of Agents of Parliament, and encompass innovative and creative perspectives.

The Audit and Evaluation Committee conducted its annual review of next fiscal year (2024-25) and approved the Calendar of Activities on February 22, 2024.

As noted above, the final reports and management action plan for the two external consultations started in 2023-24 will be presented in 2024-25. 

OIC looks forward to working with the members of the Committee, to support Caroline Maynard, OIC Commissioner for the remainder of her mandate.