2023-24 Chief Audit Executive Annual Report
Office of the Information Commissioner
Prepared by France Labine, Chief Audit Executive
Presented at the June 13, 2024 Audit & Evaluation Committee Meeting
Meetings
The Chief Audit Executive (CAE) was the Secretary of the Audit & Evaluation Committee for four quarterly meetings:
- June 7, 2023
- September 20, 2023
- November 23, 2023
- February 22, 2024
Policy on Internal Audit
As per the Treasury Board Secretariat Policy on Internal Audit, the CAE confirms the following:
- She has not been assigned any management or operational responsibilities that may compromise her independence* and objectivity with respect to her internal audit responsibilities.
- She has unrestricted access to the AEC.
- She has unrestricted access to all records, databases, workplaces and employees to carry out the risk-based audit plan.
- She has unimpaired ability to carry out his responsibilities, including reporting issues to the Commissioner, to the AEC and, as appropriate, to the Comptroller General of Canada.
* Due to the size of the organization the CAE is also combining other corporate services functions such as IT, HR, Security and Finance. CAE will use external auditor’s or evaluator’s to perform key QA, audits and assessments.
Role of the Chief Audit Executive
Provides assurance of:
- Proper oversight of public resources.
- Oversight informed by a professional and objective internal audit function.
- Guidance that is independent of management.
- Responsible stewardship to Canadians.
Audits, Reviews, Assessments
2022-23 Financial Statements
- Office of the Auditor General (OAG)
- Completed and approved in September 2023
2023-24 Complaints Consultation
- Performed by third party contractor to seek input from complainants on OIC’s investigations program.
- Findings of the consultation will help OIC develop and refine is communication and accessibility strategies, identify process improvements and further optimize its operations.
- Final report along with the management action plan will be presented to the Committee in 2024-25.
2023-24 Cyber Maturity Self Assessment
- As part of the Departmental Security Plan and Risk Based Audit and Evaluation Plan, OIC is performing a self-evaluation of its cyber security process using the TBS Cyber Maturity Self-Assessment tool
- OIC has also hired an external consultant to evaluate OIC’s self assessment and a technical writer to assist with the development of policies and procedures.
- Final report along with the management action plan will be presented to the Committee in 2024-25.
Important items Reviewed by the AEC
- Risk-based Audit and Evaluation Plan
- Follow-up on Management Action Plans
- Phase I – OIC Program Evaluation (Registry)
- Phase II – OIC Program Evaluation (Investigations)
- HR PSC Staffing File & Monitoring Exercise
- Evaluation of Internal Controls over Salaries and Employee Benefits
- OAG Financial Statement Audit
- Mutli-year Internal Control Testing Plan and Results
- Regular Budgets and Financial Results
- Investigation inventory, processes and performance
- Litigation files
- Parliamentary Activities and Communications
Risk-based Audit and Evaluation Plan – Updated Items
| Year | Audit Project Name | Primary Entity | Audit Scope, Objective and Rationale |
|---|---|---|---|
| 2024-25 (Originally Planned) | Real-Time Internal Audit of the IT project management Framework (CSEMP) | IT/IM & Security Management | Objective Assess the immediate risks and impacts associated with the absence of a formal IT project framework within the organization and provide real-time actionable recommendations for its development and implementation. The real-time nature of the engagement will ensure that valuable time and effort is not expended in a sub-optimal manner or direction (i.e. documenting our current IT and Cyber security practices, IT standards, and IT project action plan. |
| 2024-25 (Proposed) | Cybersecurity table top exercise | IT/IM & Security Management | Objective Enhance preparedness by identifying weaknesses and testing incident response plans. Improves internal and external coordination, builds team competency, and evaluates existing processes. The exercise also helps analyze various cyberattack scenarios, ensures regulatory compliance, and fosters a culture of security. Post-exercise, lessons learned are used to refine strategies and improve overall resilience against cyber threats. Rational for conducting a cybersecurity table top exercise VS Real-Time Internal Audit of the IT project management Framework (CSEMP) The 2023-24 Cyber Maturity Self-Assessment identified a key area for improvement for the OIC: documenting its cybersecurity business processes. To address this, resources will be allocated to create comprehensive documentation, thereby enhancing OIC’s cybersecurity posture. Subsequently, the Security Centre of Excellence (Privy Council Office) will conduct a tabletop exercise to simulate various cyberattack scenarios. This exercise will culminate in an after-action report, detailing observations and providing recommendations for further strengthening our cybersecurity defenses. |
| 2025-26 | Internal Audit of Employee Retention | Human Resources Management | Objective The objective is to assess OIC’s employee retention practices and factors. The internal audit aims to identify strengths, weaknesses, and underlying causes of turnover and factors influencing employee engagement. Recommendations will be provided on improving employee retention rates and enhance overall workforce satisfaction and commitment. Scope The scope of the engagement will include all factors influencing employee retention will likely take the form of:
Rationale Like most Government of Canada organizations, the OIC workforce is the most important asset to delivers on its mandate. OIC appears to have some difficulty in retaining high performing employees and has difficulty on knowing is this is due the size of its organization. Nevertheless, an engagement of this nature will provide senior management with valuable observations and recommendations on which actions can be taken to improve matters. |