2023-24 Chief Audit Executive Annual Report

Office of the Information Commissioner

Prepared by France Labine, Chief Audit Executive

Presented at the June 13, 2024 Audit & Evaluation Committee Meeting

Meetings

The Chief Audit Executive (CAE) was the Secretary of the Audit & Evaluation Committee for four quarterly meetings:

  • June 7, 2023
  • September 20, 2023
  • November 23, 2023
  • February 22, 2024

Record of Meetings

Policy on Internal Audit

As per the Treasury Board Secretariat Policy on Internal Audit, the CAE confirms the following:

  • She has not been assigned any management or operational responsibilities that may compromise her independence* and objectivity with respect to her internal audit responsibilities.
  • She has unrestricted access to the AEC.
  • She has unrestricted access to all records, databases, workplaces and employees to carry out the risk-based audit plan.
  • She has unimpaired ability to carry out her responsibilities, including reporting issues to the Commissioner, to the AEC and, as appropriate, to the Comptroller General of Canada.

* Due to the size of the organization, the CAE is also combining other corporate services functions such as IT, HR, Security and Finance. The CAE will use external auditors or evaluators to perform key QA, audits and assessments.

Role of the Chief Audit Executive

Provides assurance of:

  • Proper oversight of public resources.
  • Oversight informed by a professional and objective internal audit function.
  • Guidance that is independent of management.
  • Responsible stewardship to Canadians.

Audits, Reviews, Assessments

2022-23 Financial Statements

  • Office of the Auditor General (OAG)
  • Completed and approved in September 2023

2023-24 Complaints Consultation

  • Performed by a third-party contractor to seek input from complainants on OIC’s investigations program.
  • Findings of the consultation will help OIC develop and refine its communication and accessibility strategies, identify process improvements and further optimize its operations.
  • Final report along with the management action plan will be presented to the Committee in 2024-25.

2023-24 Cyber Maturity Self-Assessment

  • As part of the Departmental Security Plan and Risk-based Audit and Evaluation Plan, OIC is performing a self-evaluation of its cyber security process using the TBS Cyber Maturity Self-Assessment tool.
  • OIC has also hired an external consultant to evaluate OIC’s self-assessment and a technical writer to assist with the development of policies and procedures.
  • Final report along with the management action plan will be presented to the Committee in 2024-25.

Important Items Reviewed by the AEC

  • Risk-based Audit and Evaluation Plan
  • Follow-up on Management Action Plans
    • Phase I – OIC Program Evaluation (Registry)
    • Phase II – OIC Program Evaluation (Investigations)
    • HR PSC Staffing File & Monitoring Exercise
    • Evaluation of Internal Controls over Salaries and Employee Benefits
  • OAG Financial Statement Audit
  • Multi-year Internal Control Testing Plan and Results
  • Regular Budgets and Financial Results
  • Investigation inventory, processes and performance
  • Litigation files
  • Parliamentary Activities and Communications

Risk-based Audit and Evaluation Plan – Updated Items

Year: 2024-25 (Originally Planned)
Audit Project Name: Real-Time Internal Audit of the IT project management Framework (CSEMP)
Primary Entity: IT/IM & Security Management
Audit Scope, Objective and Rationale:

Objective

Assess the immediate risks and impacts associated with the absence of a formal IT project framework within the organization and provide real-time actionable recommendations for its development and implementation. The real-time nature of the engagement will ensure that valuable time and effort is not expended in a sub-optimal manner or direction (i.e., documenting our current IT and cyber security practices, IT standards, and IT project action plan).

Year: 2024-25 (Proposed)
Audit Project Name: Cybersecurity table top exercise
Primary Entity: IT/IM & Security Management
Audit Scope, Objective and Rationale:

Objective

Enhance preparedness by identifying weaknesses and testing incident response plans. The exercise improves internal and external coordination, builds team competency, and evaluates existing processes. It also helps analyze various cyberattack scenarios, ensures regulatory compliance, and fosters a culture of security. Post-exercise, lessons learned are used to refine strategies and improve overall resilience against cyber threats.

Rationale for conducting a cybersecurity table top exercise vs. Real-Time Internal Audit of the IT project management Framework (CSEMP)

The 2023-24 Cyber Maturity Self-Assessment identified a key area for improvement for the OIC: documenting its cybersecurity business processes. To address this, resources will be allocated to create comprehensive documentation, thereby enhancing OIC’s cybersecurity posture. Subsequently, the Security Centre of Excellence (Privy Council Office) will conduct a tabletop exercise to simulate various cyberattack scenarios. This exercise will culminate in an after-action report, detailing observations and providing recommendations for further strengthening our cybersecurity defenses.

Year: 2025-26
Audit Project Name: Internal Audit of Employee Retention
Primary Entity: Human Resources Management
Audit Scope, Objective and Rationale:

Objective

The objective is to assess OIC’s employee retention practices and factors. The internal audit aims to identify strengths, weaknesses, and underlying causes of turnover and factors influencing employee engagement. Recommendations will be provided on improving employee retention rates and enhancing overall workforce satisfaction and commitment.

Scope

The scope of the engagement will include all factors influencing employee retention and will likely take the form of:

  • Reviewing and analyzing historical employee retention data, including turnover rates, reasons for departure, and demographic trends. Identify significant patterns or changes over time.
  • Assessing the OIC's human resources policies and practices related to employee retention.
  • Evaluating employee engagement within the OIC.
  • Assessing the effectiveness of leadership and management practices in promoting employee retention.
  • Reviewing the OIC's compliance with relevant employment laws, regulations, and policies.
  • Comparing the OIC's retention practices and outcomes with Government of Canada benchmarks and leading practices when available.
  • Assessing the effectiveness of previous retention initiatives and programs implemented by the OIC. Review outcomes, impact, sustainability, and employee feedback on these initiatives. 

Rationale

Like most Government of Canada organizations, the OIC's workforce is its most important asset to deliver on its mandate. OIC appears to have some difficulty in retaining high-performing employees and has difficulty knowing if this is due to the size of its organization. Nevertheless, an engagement of this nature will provide senior management with valuable observations and recommendations on which actions can be taken to improve matters.
