Review of the framework governing the management of CSC's responses to internal and external reports

The Review of the Framework Governing the Management of Correctional Service Canada's Responses to Internal and External Reports was conducted as part of the 2014-2017 Risk-Based Audit Plan (RBAP).

The objective of this review was to:

• provide assurance that a framework is in place to effectively receive, respond to, manage and monitor recommendations made to CSC by internal and external stakeholders.

This review links to Correctional Service Canada (CSC) priorities' "efficient and effective management practices that reflect values-based leadership in a changing environment" and "productive relationships with increasingly diverse partners, stakeholders, victims' groups, and others involved in public safety"^{Footnote 1}. It also links to the corporate risk that states: There is a risk that CSC will not be able to manage significant change related to transformation, legislative changes, and fiscal constraints^{Footnote 2}.

CSC's mission is to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens while exercising reasonable, safe, secure and humane control. To meet this obligation, CSC's employees operate within a framework of policy, legislation and public service values, and in so doing, are subject to scrutiny by other entities. There are many other stakeholders, victims' group and partners who have a role to play in corrections. As a result of these responsibilities, CSC finds itself the frequent recipient of a large number of recommendations including those that either make direct reference to CSC or impact CSC's mandate within the public safety portfolio. CSC must organize itself in such a manner as to respond in an efficient, effective, timely and consistent way.

Overall, the review found that there are many existing frameworks across CSC governing the management of CSC's responses to internal and external reports. Most of them are effective on their own. However, there is no systematic mechanism currently in place that ensures the consistency and congruence of all CSC's responses across those various frameworks. CSC does not have an integrated central repository or single body responsible for ensuring consistency, timeliness, and quality of all responses to recommendations from all reviews or any other reports. As well, CSC does not have standardized processes to manage CSC's responses to internal and external reports.

The Review of the Framework Governing the Management of Correctional Service Canada's Responses to Internal and External Reports was conducted as part of the 2014-2017 Risk-Based Audit Plan (RBAP). This review links to Correctional Service Canada (CSC) priorities' "efficient and effective management practices that reflect values-based leadership in a changing environment" and "productive relationships with increasingly diverse partners, stakeholders, victims' groups, and others involved in public safety"^{Footnote 3}. It also links to the corporate risk that states: "There is a risk that CSC will not be able to manage significant change related to transformation, legislative changes, and fiscal constraints"^{Footnote 4}.

CSC's mission is to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens while exercising reasonable, safe, secure and humane control. To meet this obligation, CSC's employees operate within a framework of policy, legislation and public service values, and in so doing, are subject to scrutiny by other entities. There are many other stakeholders, victims' group and partners who have a role to play in corrections, some of whom include: the Office of the Correctional Investigator, National Joint Boards of Investigation, Coroner's Inquests/Medical Examiner's Investigations, Parole Board of Canada, the Office of the Procurement Ombudsman, the Office of the Auditor General, and the Office of the Commissioner of Official Languages. These entities have responsibilities of their own that may impact corrections such as: contributing to safe, lawful and humane corrections, promoting Canadian linguistic duality, overseeing government activities, and ensuring a fair process with federal procurement, to name a few.

As a result of these responsibilities, CSC finds itself the frequent recipient of a large number of recommendations including those that either make direct reference to CSC or impact CSC's mandate within the public safety portfolio to address the risks associated with the issues raised. CSC must organize itself in such a manner as to respond in an efficient, effective, timely and consistent way. On those grounds, the Review of the Framework Governing the Management of CSC's Responses to Internal and External Reports is material as it informs CSC's Corporate Risk profile and CSC's priorities and highlights areas where risks could be better managed.

All deputy heads of government of Canada organizations are accorded direct legislative responsibilities. Included among these duties are those emanating from Canada's legislation and also from policies approved by the Treasury Board of Canada (TB).

In particular, the Federal Accountability Act designates deputy heads as accounting officers who are accountable to answer questions related to specific areas of management within the framework of ministerial responsibility. This includes responding to the Auditor General and strengthened auditing and accountability functions within departments.

Further, Section 7 of the Financial Administration Act sets out the general administrative policy responsibilities and powers of Treasury Board and section 11 provides directions to deputy heads with regard to the exercise of their powers and responsibilities.

As a further example of TB direction, section 6.1 of the TB Policy on Internal Audit sets out the deputy heads' responsibilities regarding their role in "ensuring that management action plans that adequately address the recommendations and findings arising from internal audit engagements are prepared and implemented."^{Footnote 5} Also, the deputy heads must ensure that, on a timely basis the Office of the Comptroller General and its agents, are provided copies of any management letters resulting from audits conducted by external assurance providers for the purpose of carrying out assigned responsibilities. Accordingly, deputy heads are required to establish means and manners to respond to these requirements.

CSC also has requirements to respond to legislative and policy-generated recommendations. As an agency within the Public Safety portfolio, CSC may be included in responses written by other government departments, agencies or institutions and thereby has the obligation to respond to recommendations related to areas falling within its mandate. For example:

• According to sections 192 and 193 of the Correctional and Conditional Release Act (CCRA), the Correctional Investigator (CI) shall submit to the Minister at the end of each fiscal year an annual report. The Public Safety Minister presents the report before the Parliament. Also, the CI may produce a special report to the Public Safety Minister on matters of urgency or importance at any time during the year. Since 2009, there have been 158 recommendations addressed to CSC by the CI via these reporting mechanisms. The CCRA requires CSC to acknowledge these recommendations (s. 179(3) CCRA).
• section 23 of the Public Service Employment Act, states that the President of the Public Service Commission (PSC President) must prepare and transmit an annual report to the Ministers of each Department with respect to matters under his or her jurisdiction. The purpose of the Public Service Commission is to safeguard the integrity of staffing and the non-partisan nature of the public service and this report demonstrates how this role is met. The report is tabled in the Parliament. As well, at any time, the PSC President may prepare a special report to Parliament on matters deemed urgent and which in his or her opinion cannot wait until the next annual report. In turn, Parliament may oblige CSC or any other department or agency to act on the recommendations of the reports. The PSC President may also consider periodic audits at his or her discretion.
• sections 38 and 39 of the Privacy Act list obligations whereby the Privacy Commissioner of the Office of Privacy Commissioner of Canada (OPC), who is the advocate to protect and promote the privacy rights of individuals, submits an annual report to Parliament on the activities of the Office. The Privacy Commissioner may also present a special report to Parliament at any time on matters within the scope of his or her powers, duties and functions. This annual report may contain recommendations addressed to CSC.
• sections 124 and 125(1)z)(z.10) of the Canada Labour Code states that every federally registered employer, including CSC, shall ensure that the health and safety of every employee is protected. As well, the employer must respond to recommendations made by the policy and work place committees or health and safety representatives after an event involving health and safety of employees to indicate if and when an action will be taken to address the risk to staff.
• section 7 of the Auditor General Act requires the Auditor General to report annually on the activities and finances of government departments to the House of Commons. The Office of the Auditor General (OAG) provides Parliament with its objective, fact-based information and expert advice, on government programs and activities. Parliamentarians use OAG reports to oversee government activities and hold the federal government to account for its handling of public funds. CSC may be the object of any of these audits or could be named in audits of other government entities.
• The TB Policy on Evaluation sets out requirements for CSC's departmental evaluation division to guide the preparation of reports and their ensuing recommendations. The objectives of CSC's Evaluation Division is to ensure management has timely, strategically-focused, objective and evidence-based information on the performance of CSC's policies, programs and initiatives. (See Annex B). The evaluation reports include recommendations specific to CSC. As per the policy, management must prepare action plans in response to recommendations.
• Also, the TB Policy on Internal Audit outlines requirements of CSC's internal audit sector in order to provide a clear and integrated assignment of responsibilities for internal auditing. Furthermore, the Policy provides guidance with respect to internal reports and related management action plans. CSC internal audit sector is responsible to provide independent, timely and objective assurance to management designed to advance CSC objectives achievement efficiently, economically and in compliance with legislation. CSC's internal audit sector regularly produces reports that include recommendations addressed exclusively to CSC (See Annex B).

• Reports from the Office of the Comptroller General (OCG), including horizontal internal audits, provide oversight and direction on government-wide efforts to improve the stewardship of taxpayers' dollars and government assets. These audits may include CSC and consequently, have recommendations directed to CSC.
• Reports by the Office of Procurement Ombudsman (OPO). For example, the Review of Procurement Practices–Follow up on 2008-2009 Procurement Practice included recommendations directly aimed at CSC. The role of the OPO is to address issues regarding contracts awarded and administered by the federal government. The OPO receives and investigates procurement-related complaints and resolves disputes between federal departments and suppliers.
• Various reports by the Office of the Commissioner of Official Languages (OCOL) such as the Annual Report of the Commissioner of Official Languages. Follow-up of audits and report cards issued by this office sometimes include CSC. The OCOL is mandated to promote Canadian linguistic duality and oversee the full implementation of the Official Languages Act.
• Recommendations from an Outside Review Board^{Footnote 6} presented in response to a grievance process for offender is the recourse often taken in response to an offender's grievance that was not resolved internally and that CSC must take into consideration. The purpose of the offender complaints and grievances process is to support fair and expeditious resolution of offender complaints and grievances that is consistent with the law and to ensure that the legal obligation to provide timely and impartial resolution of offender complaints and grievances is met (CD 081 and GL081-1). CSC will take the corrective actions that best resolves the grievance and ensures that similar problems do not occur in the future. When a complaint or grievance from an offender is upheld or upheld in part, and corrective action is required, the corrective action will be completed within a set timeframe. The corrective action will be implemented, and the decision maker will be informed in writing. Some examples of corrective action would be taking the necessary action to ensure future compliance with relevant legislation and policy, redress mechanisms, financial compensation.
• Reports from various House and Senate committees such as the Public Safety and National Security Committee or the Public Accounts Committee. The Parliamentary Committees are composed of a group of parliamentarians, from the Senate, the House of Commons or both, selected to consider matters, including bills, referred to it by the Senate or the House of Commons. Some of the more recent reports produced by their committees have included recommendations to CSC, for example;
  • A Study of Electronic Monitoring on the Correctional and Immigration Settings, tabled 2012-09-25; (Report of the Standing Committee on Public Safety and National Security)
  • Mental Health and Drug and Alcohol Addiction in the Federal Correctional System, tabled 2010-12-14; (Report of the Standing Committee on Public Safety and National Security)
  • Chapter 7, Economy and Efficiency of Services –Correctional Service Canada of the December 2008 Report of the Auditor General of Canada; tabled 2009-06-16 (Report of the Standing Committee on Public Accounts).

Beyond the legislative and policy requirements to respond to recommendations and reports, and given its mandate within the Public Safety portfolio, CSC must also respond to internal and external assurance providers and stakeholders who comment on issues that may impact CSC's delivery of its services to the public, to offenders, the victims' group and to other partners and stakeholders. These various parties may provide CSC with recommendations in many of the reports that they produce. For example:

• Documents produced by the National Joint Boards of Investigation (NJBI). The NJBI is a review service that may be used by the Parole Board of Canada (PBC) and the Correctional Service of Canada (CSC) when an offender who is on conditional release is charged with a serious violent offence in the community.
• Reports from Coroners' Inquests/Medical Examiners' Investigations, which are quasi-judicial (court-like) proceeding whereby the facts and circumstances of a particular death are publically examined. Recommendations can stem from these proceedings.
• Reports from The Status of Women Canada such as Women in Canada - A Gender-based Statistical Report. This organization is a federal government organization that promotes equality for women and women's full participation in the economic, social and democratic life of Canada. CSC has a large number of employees working with women offenders and therefore some recommendations from their reports may touch either the employees or the offenders.
• Publications from various provincial legislative bodies that consist of the province's legislative assembly along with the province's Lieutenant Governor. Although there has been no recent report addressed directly to CSC, this may occur. The provincial legislative bodies will participate in various investigations because provinces have a role in the penal system both at intake and in administering sentences for offenders who have a sentence of less than two years. In fact, CSC has a Federal-Provincial/Territorial Relations Division (FPT Relations Division) that enhances collaboration between Federal-Provincial/Territorial governments through the use of Exchange of Services Agreements (ESA), Memoranda of Understanding (MOU) and Information Sharing Agreements (ISA).

• Under section 20 of the CCRA, the Commissioner may convene an investigation and report on any matter relating to the operations of the Service. This is also the case for the death or serious bodily injury of inmates, under section 19 of the CCRA. CSC's Incident Investigations Branch regularly conducts investigations and prepares reports. In so doing, there may be recommendations generated by these reports to which CSC will respond. Since 2013, CSC has been producing Discussion Guides by incident type which include some on deaths in custody (i.e. Suicide, Accidental Deaths including Death by Overdose, Death by Unknown Cause, and some Death by Natural Cause that were not investigated through the Mortality Review process). These Guides are shared with RDCs and ACs.
• In 2007, as part of the Government's commitment to protecting Canadian families and communities, the Minister of Public Safety, announced the appointment of an independent panel to review the operations of CSC. The Report of the CSC Review Panel: A Roadmap to Strengthening Public Safety was then delivered. This initiative resulted in the creation of a Transformation and Renewal Team. This team for a number of years led and oversaw the implementation of CSC's renewal efforts, including physical, human and technical elements.
• The Corporate Staffing, Employment Equity and Official Languages Branch at CSC provides input to the Annual Report on Employment Equity in the Public Service of Canada which is tabled in Parliament by TB. The Employment Equity Office of the Human Resource Management Sector is dedicated to advancing employment equity and diversity at CSC. There may be reports generated by this office with recommendations directed specifically at certain areas within CSC.

The above-mentioned list of legislative responsibilities is not exhaustive, but provides a broad overview of the breadth and type of oversight activities to which CSC is subjected.

For reports that fall under its direct responsibility, CSC responds to the recommendations by using a variety of means. Some external assurance providers such as the Correctional Investigator, the Auditor General of Canada, the Commissioner of Official Languages table their reports in the Parliament. Other organisations produce reports and present them regularly, on a yearly basis or using a risk based assessment to a variety of stakeholders both within CSC and outside (i.e. BC Coroners Service Annual Report from the Ministry of Justice).

This work represents a significant undertaking, given the number of stakeholders, reports and recommendations as listed previously. For illustrative purposes, Annex B shows a sample of reports containing recommendations that CSC received from external and internal stakeholders between 2009 and 2014. For those reports addressed to CSC during that period, a total of 673 recommendations were made.

Not included in the above totals are the recommendations of the Coroner's Inquest Touching the Death of Ashley Smith.

CSC must align its reporting and responding requirements to a multitude of parties within its complex, stratified and geographically disparate organization. CSC is a national organization operating 43 correctional institutions, 92 community parole offices, and 15^{Footnote 7} community correctional centres across Canada.^{Footnote 8} As an organization, CSC is divided into six geographic regions. Regional Deputy Commissioners, who head the regions, and Assistant Commissioners, who are responsible for sectors, all report to the Commissioner of the CSC. The most senior decision-making body of CSC is the Executive Committee (EXCOM) which is comprised of the Commissioner, Senior Deputy Commissioner, Regional Deputy Commissioners, the Assistant Commissioners and other sector heads. EXCOM supports the Commissioner by reviewing and recommending all strategic and operational policy decisions that are to be implemented across the Service^{Footnote 9}. This may include recommendations from reviews conducted by various internal and external stakeholders for specific cases for which a strategic high risk has been identified. This type of review of recommendations from the EXCOM depends in great part on the significance of the issue under consideration and the source of the recommendation.

All executives at CSC have a commitment within their individual performance agreements to implement approved management plans in response to audit, evaluation, Auditor General, Official Languages, Employment Equity, Office of the Correctional Investigator and other external reports or obligations. Compliance to this agreement is part of the TB Directive on Performance Management, and the Directive on the Performance Management Program for Executives. They provide a framework within which a consistent approach to performance management can be applied.

CSC does not have an integrated central repository or single body responsible for the management of all recommendations from reviews or reports. Given the diverse potential sources of recommendations addressed to CSC and the wide range of topics, the recommendations are forwarded to a variety of CSC staff that has the responsibility for responding to recommendations. Some have clear responsibilities linked to specific oversight bodies, others do not. Those with clear responsibilities include:

• Correctional Investigator Liaison (CIL) Office from the Policy Sector
• Corporate Staffing, Employment Equity and Official Languages Branch, from the Human Resource Management Sector
• Parliamentary Relations Directorate, from the Communication and Engagement Sector
• Incident Investigations Branch from the Senior Deputy Commissioner Sector
• Internal Audit Sector
• Evaluation Division
• Board of Investigation and Mortality Reviews
• All regions and sectors with regard to geographically or topic-specific issues such as provincial inquests.

The Review of the Framework Governing the Management of CSC's Responses to the Internal and External Reports was identified as a high priority and an area of risk to CSC in the Risk-Based Audit Plan, 2014-2017. This assessment was confirmed by preliminary interviews with senior management. They identified the following areas of possible risk related to this topic:

• No response by CSC to recommendations made by various assurance providers thereby leaving potentially important issues or risks unaddressed;
• Issues underlying the recommendations may not be addressed despite CSC's response to them (so inappropriate or insufficient responses);
• Lack of consistency in the responses both in terms of actions and delivery dates;
• Duplication of work by various areas of CSC for the same recommendations;
• High media attention;
• CSC's employees responsible for entering the information concerning recommendations may not have access to a national databank correspondence with regard to any report's recommendations (inefficiencies).
• Lack of understanding of what constitutes an appropriate and well developed action/response.
• No systemic monitoring or follow-up of the level of implementation of the recommendations.

The overall objective of this review was to provide assurance that there is a framework in place to effectively manage the responses made by CSC to internal and external stakeholders. The objective and criteria for this review are detailed in Annex A. The criteria were developed based on the Office of the Comptroller General's Core Management Controls, a risk assessment, and information gathered in anticipation of this review.

The review was national in scope and included reports and recommendations from a variety of internal and external stakeholders, including but not limited to:

• Office of the Correctional Investigator
• Office of the Comptroller General
• Office of the Auditor General of Canada
• Public Service Commission
• Office of Procurement Ombudsman
• Office of Privacy Commissioner of Canada
• Office of the Commissioner of Official languages
• Other Parliamentary Organizations
• Parliamentary Committees
• Boards of Investigation
• Coroner's Inquest/Medical Examiner's Investigations and others
• Status of Women Canada
• Various provincial legislative bodies
• CSC Internal Audit Sector
• CSC Evaluation Sector
• CSC Incident Investigations Sector
• CSC Transformation Agenda
• Board of Investigation and Mortality Reviews
• Employment Equity Office

The objective was to determine whether there was a framework in place to effectively receive, respond to, manage and monitor recommendations made to CSC by internal and external stakeholders.

We expected to find that there were mechanisms in place to identify relevant legislation, policies, directives, standards, guidelines, and procedures with respect to any requirement to respond to and manage CSC's responses to internal and external reports with recommendations.

While some individual sectors have processes in place to respond to recommendations, there is no specific guidance in place stating how sectors should manage this function. As a result, the formalities and strength of mechanisms in place differ.

Overall, the review team found that all regions and sectors in responding to our questionnaire have stated that they all have a process in place to receive and respond to the recommendations from internal and external reports. However, most of these processes are not officially documented or consistent. Some are more organized and formal than others.

When responding to recommendations of internal and external reports, the review team found that each region and sectors had its own system in place or contact person to assist in the responses to reports. However, the review team found that generally, the regions and sectors have not officially documented their processes. Certain entities, such as the OCI, internal audit, OCOL and evaluation have regular recommendations for CSC and in turn, formal systems exist to respond and to track progress against these specific recommendations. For instance, the following sectors have a system in place to manage the recommendations that fall under their purview:

The policy sector has created a CIL office to coordinate responses to recommendations from OCI and other external stakeholders. The CIL is tasked with the coordination of the response prepared by the sector, including the tracking, amalgamation and timely delivery. It also has the responsibility to track, coordinate, amalgamate and finalize the response. Once a draft reply to the recommendation has been prepared, it is then returned to the CIL who finalizes the response for the Commissioner's consideration and approval.

A process is in place with respect to the reports received from the Office of the Commissioner of Official Languages (OCOL), albeit their process appears to be less formal than the process created for the OCI. When the OCOL sends its report to the Corporate Staffing, Employment Equity and Official Languages Branch, the OCOL often forwards accompanying templates to be completed in response to its report. The report and templates are received by the Official Languages Branch at NHQ who in turn, sends it to its counterparts in each region for a response, should this be required. Once the information is returned to the Corporate Staffing, EE and Official Languages Branch, it is integrated and finalized and submitted for the signature of the Assistant Commissioner, Human Resource Management. It is subsequently submitted to the OCOL.

In addition to managing responses to its own recommendations, the Internal Audit Sector (IAS) has the responsibility of coordinating responses to recommendations from external audit functions such as the OAG and the OCG, and other Central Agencies and Agents of Parliament. This work is required by both the TB Directive on Internal Auditing in the Government of Canada and CSC's own Internal Audit Charter.

In accordance with the TB Directive, the CAE periodically (3 times a year) reports to the Departmental Audit Committee on the implementation of management action plans in response to recommendations from CSC's own internal audits as well as external assurance providers. Any deviation by management from the originally agreed upon implementation dates must receive the Commissioner's approval.

The Evaluation Division works with the assigned Office of Primary Interest (OPI) who has the responsibility to develop an appropriate management action plan for each recommendation made through the course of an evaluation. The evaluation report containing recommendations and the management action plan are presented for approval at the same time to the Evaluation Committee. Once approved, the Evaluation Division monitors the progress toward management action plan completion by tracking updates and asking the OPI to present updates to the Evaluation Committee. The follow-up occurs approximately once every 9-12 months and continues until the Evaluation Committee is satisfied that all recommendations have been addressed and the management action plan is subsequently closed.

We expected to find that the organizational structure has an information-sharing process to support an efficient, effective and targeted dissemination of relevant and reliable information to those that need it, including the assignment to those responsible for action, the reception and acknowledgement of the recommendations, a list of the actions taken and the follow-ups on progress.

Communication occurs between management and staff responsible for responding to the recommendation within their area of responsibilities; however there is not always a dissemination of relevant and reliable information to those that need it throughout CSC.

The review team sent questionnaires to the heads of all sectors and the RDCs to obtain information on processes in place for the purposes of managing recommendations. Thirteen out of 16 indicated that their staff has an efficient and effective information-sharing process to support the targeted dissemination of relevant and reliable information to those that need it within their sector.

The review team was informed that the info-sharing process is done formally and informally. In some cases, information will be conveyed either during specific committee meetings, debriefs, regional meetings, managers meetings, conference calls or through standard administrative channels. As well, the Investigations Branch specifically has a system where they use e-mails, memos and national investigations meeting's documentation (Case studies and discussion guides) to share information gathered through investigations.

Moreover, in some cases, it is the role of specific sectors or of a centralized unit within a sector to ensure that any supporting documentation or previous responses are included in CcmMercury^{Footnote 10} upon assigning it to a sector or region. As CcmMercury users only have access to the records they create themselves, or that have been created by their group, and any records that have been assigned to them, they cannot ascertain consistency of their input with previous responses or that of other sectors/regions.^{Footnote 11}

The absence of a systematic, clear and well documented mechanism to share the information to the staff responsible to respond to the recommendations could, among other things, lead to a lack of consistency in the responses as well as a duplication of work by various areas of CSC.

We expected to find that the roles and responsibilities of those employees, who are accountable for the management of recommendations and their responses, are clearly defined and communicated.

CSC employee's roles and responsibilities are clear and well communicated.

The review team were informed through the questionnaires that 12 out of 16 of the regions and sectors have a person assigned for the management of the recommendations and responses thereto. Of the 16 questionnaires sent, 1 region and 2 sectors responded that they do not have a person solely responsible for the process but they do have a key contact staff to assist. Also, the review team found that there are generic job descriptions that underline the roles and responsibilities for specific positions at CSC regarding the management of recommendations and their responses which make the roles and responsibilities regarding the management of recommendations and responses clear and well communicated for those specific positions. However, the means by which those responsibilities are to be met are generally not formally defined, as noted in 3.4 below.

We expected to find that CSC's employees have access to tools, such as software, equipment, work methodologies and procedures in order to effectively meet their responsibilities in regard to the administration and management of responses to internal and external recommendations

CSC's employees have the necessary tools such as software and equipment to execute their work and to meet their responsibilities; however, there are generally not documented formal work methodologies and procedures to manage the responses to internal and external recommendations.

The review team was informed that a variety of tools are used by various CSC staff in different sectors or regions to accomplish effectively their responsibilities in regard to the administration and management of responses. Some of these include:

• CcmMercury (CSC's records documents and information management system)
• Excel spreadsheets
• Infopoint or sharepoint
• Outlook options such as tasks or planning calendar (bring forward system).

All of these tools are working but each process does not speak to each other and there is no generic access to them. Also, the work methodologies and procedures are not documented and they are done mostly on an ad hoc basis. This creates a "tower vision" problem. Management might tend to look within their own silos which reduce their efficiency and can contribute to added risks to CSC such as contradiction in the responses, inconsistency for commitments on the same topic, recommendations not addressed, duplication of work and efforts, etc.

We expected to find that CSC has a system in place to follow-up on recommendations and any responses thereto so as to capture, respond, monitor and report on the completion of actions in response to recommendations.

CSC has numerous systems in place to follow-up on recommendations; however there is no standardized process nor is there a centralized place that can monitor or report on CSC's responses to internal and external reports.

The information gathered by the review team indicated that the sectors and regions do have follow-up processes in place. The systems in place vary from one sector to another and the regions. Here are some brief descriptions of these follow-up processes:

• In some regions it is the person responsible for the specific issue (OPI) who has the responsibility to monitor and respond to NHQ queries on specific recommendations. Regions follow-up on accepted recommendations as instructed through the OPIs. Once bring forward dates are set, regional management follows up with the OPIs to obtain progress updates and to confirm the completion of action plan items;
• In some sectors, a Director monitors the recommendations. Individual managers are assigned as OPIs within the sector;
• Follow-ups are done through CcmMercury; and
• For the management action plans submitted in response to recommendations from CSC internal audits, IAS follows up on its own audit recommendations as well as on external audits. This is the case as well for the evaluation division.

As demonstrated above, there are a variety of methods used, to follow-up on recommendations and any responses thereto.

To test whether this plethora of systems still allowed for consistent responses, the review team selected an overarching topic for a large population of recommendations addressed to CSC since 2009. The topic was risks assessed to select six themes within the topic which were deemed to be of highest risk to the organization. From the selected themes, two to four recommendations were selected from various reports. The review team assessed how the recommendations for each theme were addressed to ensure the consistency, timeliness and congruence of the responses.

The review team looked at 32 recommendations and concluded that all recommendations and associated responses thereto from various stakeholders under the selected topic have been addressed in a consistent, timely and coherent manner with the same type of answers.

To conclude, with respect to the systems to follow-up on recommendations and any responses thereto, the review team was informed that some sectors are presently working on a more systematic approach with respect to information management and tracking or exploring the possibility of using SharePoint to follow-up on recommendations and their associated responses. Once again, all of these systems are functioning independently but each process does not communicate and there is no generic access to them. They all work in silos, which reduce efficiency and can contribute to added risks to CSC.

The review results demonstrated that CSC has numerous management frameworks in place to respond to internal and external reports.

The roles and responsibilities of some staff are defined and clear although the manner in which to deliver on those responsibilities is not always documented, or explicit. There are various ad hoc and formal means to monitor and report on the recommendations made to CSC. The dissemination of relevant and reliable information to those that need it is not readily accessible to all. CSC staff has the necessary tools to execute their work, however there is no consistency throughout CSC.

With respect to follow-ups on recommendations, there is no standardized or integrated process in place that can monitor or report on all CSC's responses to internal and external reports.

Overall, the review found that there are many existing frameworks across CSC governing the management of CSC's responses to internal and external reports. Most of them are effective on their own. However, there is no systematic mechanism currently in place that ensures the consistency and congruence of all CSC's responses across those various frameworks. CSC does not have an integrated central repository or single body responsible for ensuring consistency, timeliness, and quality of all responses to recommendations from all reviews or any other reports. As well, CSC does not have standardized processes to manage CSC's responses to internal and external reports.

In order to assess whether or not a framework was in place to effectively receive, respond to, manage and monitor recommendations addressed to CSC by internal and external stakeholders, the review team gathered the evidence through a number of methods, such as: review of documentation; detailed testing of files; and interviews via a questionnaire.

Interviews/questionnaire: The review team interviewed via a questionnaire, the heads of all sectors and the RDCs. The heads of sectors and the RDCs were invited to forward the questionnaire to various staff members from each sector involved in the management of responses to internal and external reports to explore and define the existing framework and processes at CSC that respond to recommendations from various internal and external reports. As well, the review team asked for sources of recommendations.

Review of documentation: The review team reviewed documented processes to the existing mechanisms to respond to recommendations.

File Review/Testing: In order to further support our assurances the file review testing was accomplished in the following manner. The review team selected an overarching topic for a large population of recommendations made to CSC since 2009 was chosen. The topic was risks assess to select six themes within the topic which are deemed to be of highest risk to the organization. From the selected themes, two to four recommendations were selected from various stakeholders. It was then determined how the recommendations for each themes were addressed and responded to ensure the similarities of the responses.

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established review criteria that were agreed on with management. The opinion is applicable only to the area examined.

The review conforms to the Internal Auditing Standards for Government of Canada, as supported by the results of the quality assurance and improvement program. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

The following table outlines the review criteria developed to meet the stated review objective and review scope:

The following table shows a sample of reports containing recommendations that CSC received from external stakeholders between 2009 and 2014:

The following table is a sample of recommendations CSC received from internal stakeholders: