Evergreen Risk-based Audit and Evaluation Plan 2025 to 2030

On this page

• Introduction
• Summary of Planning Approach
• Internal Audit and Evaluation Plans
• Annex A: RBAEP Methodology
• Annex B: Core Responsibilities and Corporate Risks
• Annex C: Coverage of Organizational Spending and the Programs for Fiscal Year 2025 to 2030

© His Majesty the King in Right of Canada,
as represented by the Minister of Public Safety, 2025

Catalogue No. PS81-33E-PDF
ISSN 2819-6880

Introduction

Purpose

The purpose of the evergreen RBAEP is to identify internal audit and evaluation engagements for fiscal years (FY) 2025 to 2026 and 2029 to 2030 that consider departmental and program risks, priorities and the information needs of major stakeholder and is in-line with central agency requirements. In turn, implementation of the plan will ensure that the Internal Audit and Evaluation Sector (IAES) supports the Correctional Service of Canada (CSC) in the achievement of its objectives.

Since 2022, the IAES has been developing a joint evergreen RBAEP. It covers a 2-year period for internal audit engagements and a 5-year period for evaluation engagements, consistent with the requirement of the Treasury Board (TB) Policy on Internal Audit and Policy on Results.

As part IAES’s continued efforts to further integrate the audit, evaluation and performance measurement functions, and to gain efficiencies in committee operations, as of April 1, 2025, CSC is piloting the amalgamation of its Departmental Audit Committee (DAC) and Performance Measurement and Evaluation Committee (PMEC) under a joint DAEPMC. As a result, and in compliance with the Policy on Internal Audit and the Policy on Results, the RBAEP is being submitted to the DAEPMC for recommendation for approval to the Commissioner.

Overview of CSC

As part of the criminal justice system and respecting the rule of law, CSC’s mission is to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens, while exercising reasonable, safe, secure and humane control.

CSC is responsible for administering sentences of a term of 2 years or more, as imposed by the court. It contributes to public safety through its core responsibilities that include the care and custody of inmates, correctional interventions, and the community supervision of offenders. CSC focuses on making its correctional facilities safe environments that support offenders in addressing their needs and risk factors, through rehabilitation and successful reintegration into the community as law-abiding citizens.

CSC focusses on 6 strategic priorities that are equally important:

• Safe management of eligible offenders during their transition from the institution to the community, and while on supervision
• Safety and security of the public, victims, staff and offenders in institutions and in the community
• Effective, culturally appropriate interventions and reintegration support for First Nations, Métis and Inuit offenders
• Effective and timely interventions in addressing mental health needs of offenders
• Efficient and effective management practices that reflect values-based leadership in a changing environment
• Productive relationships with diverse partners, stakeholders, victims’ organizations, and others involved in support of public safety

Internal Audit and Evaluation Sector

The IAES is a key provider of assurance and advice on departmental practices and activities. Reporting directly to the Commissioner, we make recommendations to improve governance, controls, risk management, performance, efficiency, and effectiveness of CSC’s operations.The Chief Audit and Evaluation Executive (CAEE) leads the 3 divisions of the IAES: Internal Audit, Evaluation, and Practice Management.

Internal audit is a professional, independent, and objective assurance and consulting activity designed to add value and improve CSC’s operations. It supports CSC by bringing a systematic, disciplined approach to assessing and improving the effectiveness of risk management, control, and governance processes. The Internal Audit division is comprised of 15 full time employees (FTEs).

Evaluation seeks to systematically and neutrally gather and analyze evidence to assess whether, why and how a program, initiative or policy works, with the aim of informing decision-making, improvement, innovation, and accountability. It determines the extent to which a program or initiative has achieved its expected results. The Evaluation division is comprised of 17 FTEs.

The Internal Audit and Evaluation divisions are supported by a Practice Management division, which operates independently. Practice Management is responsible for providing assurance to the CAEE that the IAES operates in compliance with professional standards and applicable TB policy frameworks. As such, Practice Management designs and implements a Quality Assurance and Improvement Program, leads the evergreen RBAEP process, monitors and reports on the implementation of CSC Management Action Plans (MAPs), manages the secretariat activities of the DAEPMC, and is responsible for liaison with external assurance providers. The Practice Management division is comprised of 6 FTEs .

The IAES initial budget allocation for fiscal year 2025 to 2026 is $4,568,820 in salary and $269,962 for operations and maintenance.

IAES accomplishments

Internal Audit Division

In FY 2024 to 2025, the following internal audit engagements were completed or substantially completed (in this case, were recommended for approval by the Departmental Audit Committee):

• Audit of Offender Management System Modernization – Phase 3 (approved)
• Joint Audit and Evaluation of Structured Intervention Units (recommended for approval)
• Review of the Complaint and Grievance Resolution Review Committee (recommended for approval)
• Audit of Fire Safety (recommended for approval)
• Audit of the Mother-Child Program (recommended for approval)

The Internal Audit division launched or continued work on 4 engagements:

• Audit of the Procurement and Contracting Process
• Audit of Conditions of Confinement
• Audit of Injury on Duty Leave
• Review of Evacuation of the Port-Cartier Institution

Of the planned projects scheduled to launch in FY 2024 to 2025 as per the 2024 to 2029 RBAEP, the Audit of the Management of Offenders with Special Needs (now the Audit of the Management of the Aging Population) was delayed, and the preliminary objective was modified.

Evaluation Division

In FY 2024 to 2025, the following evaluation engagements were completed or substantially completed (in this case, were recommended for approval by the Performance Measurement and Evaluation Committee):

• Evaluation of Correctional Officer Recruitment Allowance (approved)
• Joint Audit and Evaluation of Structured Intervention Units (recommended for approval)
• Review of the Complaint and Grievance Resolution Review Committee (recommended for approval)

The Evaluation division launched or continued work on 6 engagements, as planned:

• Evaluation of Case Management – Readiness for Parole
• Evaluation of Case Management – Community Transitions
• Advisory Evaluation Engagement – Logic Model and Theory of Change Development - Maximum Security (formerly titled Evaluation of Maximum Security Part I)
• Advisory Evaluation Engagement – Logic Model and Theory of Change Development – Black Offender Strategy (formerly titled Evaluation of the Black Offender Strategy Part I)
• Evaluation of CORCAN Employment and Employability.
• Review of Evacuation of the Port-Cartier Institution.

Practice Management Division

The Practice Management team plays a central role in ensuring the integrity, effectiveness and continual improvement of the audit and evaluation functions. In addition to leading the development of the RBAEP, the team was also responsible for leading on various key files throughout the year. In 2024 to 2025, the Practice Management team:

• Strengthened oversight and quality assurance functions through the continued integration of the evaluation function into QA processes, including the development of the draft evaluation manual
• Played a central role in the coordination of the neutral assessment of the evaluation function and led the development of a comprehensive MAP in response to its recommendations
• Updated, socialized and implemented a revised QA process and manual for internal audit, ensuring enhanced procedural rigor across engagements
• Conducted a detailed gap analysis to prepare for implementation of the new Institute of Internal Auditors (IIA) Standards
• Reviewed the MAP monitoring and validation process, and ensured results of these were reported to the DAC/PMEC members in October 2024 and February 2025.
• Oversaw the nomination of a new DAC member, the renewal of the DAC Chair, and the renewal of contracts for the 2 external PMEC members
• Planned and executed meetings for both the DAC (7 meetings) and PMEC (4 meetings)
• Coordinated a week-long site visit to the Pacific Region for external DAC and PMEC members to enhance contextual understanding of departmental operations
• Proposed and oversaw the creation of a pilot initiative to amalgamate the DAC and PMEC committees in the next fiscal year. This initiative was developed through careful consideration of existing policies and thorough consultations with key stakeholders, ensuring that the new proposed structure would align with strategic priorities while enhancing operational efficiency
• Continued to support CSC through its liaison function with external assurance providers, namely with the Office of the Auditor General during the conduct of its Strategic Plan, and its Update on a Past Audit – Community Supervision, as well as with the Public Service Commission during its System Wide Staffing Audit, and its Audit on the Application of the Order of Preference for Veterans. For each of these engagements, the team provided the necessary interface with external auditors to ensure the engagements were performed in a professional manner and that results were reviewed and challenged from a departmental perspective and for working with program and/or operational managers to ensure findings were understood and that appropriate responses to those findings were developed, approved and implemented
• Provided advice and recommendations on several TB submissions, performance measurement and monitoring strategies and HR Plans

Summary of planning approach

Given the numerous ongoing engagements at the end of 2024 to 2025 and the limited number of available resources to initiate new engagements in the short-term, the 2025 to 2030 iteration of the RBAEP is a “refresh” of the previous Plan. A detailed description of the methodology is available in Annex A.

While assessing risks is key in the identification of possible engagements to conduct, other factors also play an important role in shortlisting projects, such as government-wide and departmental priorities, environmental context, and historic coverage. To help in the identification of engagements, IAES conducted an environmental scan, and surveyed Directors General, Institutional Heads, Assistant Deputy Commissioners - Correctional Operations, and Assistant Deputy Commissioners - Integrated Services conducted. IAES also consulted Executive Committee (EXCOM) members, and DAC and PMEC external members. Using this information, IAES reviewed last year’s risk assessment to ensure the continued relevance of previously identified engagements and adapt it to emerging risks and priorities.

As part of the RBAEP development process, IAES also considers plans and/or ongoing work performed by external assurance providers to avoid duplication of effort and ensure that IAES resources are focused on under-serviced high-risk areas. External services providers include, but are not limited to:

• Office of the Auditor General
• Office of the Comptroller General
• Public Service Commission
• Office of the Correctional Investigator

The suitability of evaluation or internal audit as a means to reduce risk versus other tools available to CSC was also considered. Selection of evaluation engagements also took into consideration materiality, value to management, program risk, and the year in which the program was last evaluated.

Internal audit and evaluation plans

Internal audit and evaluation engagements that were selected based on risk, coverage, and priority have been included below in the respective 2 year and 5 year schedules. The variety of engagements ensures comprehensive coverage of the CSC core responsibilities, departmental priorities, and corporate risks.

2025 to 2027 Audit plan at a glance

• Review of Evacuation of the Port-Cartier Institution (Underway)
• Audit of the Procurement and Contracting Process – Phase I (Underway)
• Audit of Conditions of Confinement (Underway)
• Audit of Injury on Duty Leave (Underway)
• Audit of the Procurement and Contracting Process – Phase II
• Institutional Reviews – Development of Methodology and Tools
• Advisory Audit Engagement – OMS-M Risk Assessment
• Audit Engagement – Health Centre of Excellence
• Audit of the Management of the Aging Offender Population
• Institutional Reviews – Pilot

2025 to 2030 Evaluation plan at a glance

• Advisory Evaluation Engagement – Logic Model and Theory of Change Development – Black Offender Strategy
• Advisory Evaluation Engagement – Logic Model and Theory of Change Development – Maximum-Security
• Evaluation of Offender Case Management - Readiness for Parole
• Review of Evacuation of the Port-Cartier Institution (Underway)
• Evaluation of Offender Case Management - Community Transition
• Evaluation of CORCAN Employment and Employability
• Evaluation of Victims Services
• Evaluation of Maximum-Security
• Evaluation of Pilot Initiatives within the Black Offender Strategy
• Evaluation of Food Services
• Advisory Evaluation Engagement – Logic Model and Theory of Change Development – Drug Strategy
• Evaluation of Mental Health Services
• Institutional Reviews – Pilot
• Evaluation of Facilities Management Accommodation Services
• Evaluation of Community-based Residential Facilities
• Evaluation of Community Correctional Centres
• Evaluation of the Exchange of Service Agreement with Ontario
• Evaluation of the Black Offender Strategy
• Evaluation of Offender Education
• Evaluation of Social Programs
• Evaluation of the Drug Strategy
• Community Management and Security
• Evaluation of Community Health Services

Table C – 2025 to 2026 External assurance at a glance

• Office of the Auditor General – Audit of the Government’s Consolidated Financial Statements
• Office of the Auditor General – Public Service Pension Plan Triennial Valuation for FY 2023 to 2024

Annex A: RBAEP methodology

The RBAEP is led by the Practice Management division with support from the Internal Audit and Evaluation divisions. A common risk-based planning pathway was developed following the steps below.

Step 1 – Audit and evaluation universe

The audit and evaluation universe, which acts as an organizational blueprint to identify areas of risk within a program or activity, is based on CSC’s Core Responsibilities, and then mapped to each sub-responsibility. This universe formed the basis upon for a coordinated document review process that includes a comprehensive review of corporate information and reports prepared by various internal and external assurance providers.

Step 2 – Understanding the current and future risk environment

Several activities are undertaken to gather organizational, program, and process risk information including document reviews, surveys, and consultations.

Document reviews

Documentation that are generally reviewed include key corporate documents, including the Departmental Plans, Departmental Results, and CSC financial information. The division also reviews previous oversight work to ascertain CSC program activity coverage. This includes a review of corporate reporting, reports from external assurance providers, plans from external assurance providers, previous audits and evaluations, management reviews, planned Compliance and Operational Risk Report activity, program information, identified program needs and recommendations from TBS and the DAEPMC.

Surveys

Surveys typically focus on identifying organizational changes and solicit management views of the relevance and timeliness of the previous year’s planned internal audit and evaluation engagements. The results are used to inform and/or validate planned engagements, and to identify new areas for consideration.

Consultations

Using the results of the survey, follow-up interviews are typically conducted to gain a more nuanced view of survey responses and inquire about upcoming changes and existing issues across various program areas and CSC at-large. DAEPMC and Executive Committee members are also consulted to gain their perspective on risk and areas where the IAES work could bring the most value for CSC.

Step 3 – Risk assessment

The results of the document reviews, survey, and interviews are mapped to the audit and evaluation universe elements. The synthesized risk information is shared with the CAEE, the Director of Audit Operations, and the Director of Evaluation. Practice Management conducts a risk assessment of each element of the audit and evaluation universe using a common risk assessment. The risk factors typically included for the are CSC’s corporate risks (see Annex B), and other risk factors (for example, implementation, materiality, and importance), as well as values and ethics and official languages risk. Additionally, value to management, program risk, and the year in which the program was last evaluated are also taken into consideration. The results are consolidated and the average risk score for each audit and evaluation universe element is used as the final risk ranking for each program and internal services area.

Step 4– Project selection and confirmation

An initial list of projects is developed based on high-risk audit and evaluation universe elements with low historic coverage and those areas that are required by TBS. These projects are assessed for suitability and alignment with the CSC core responsibilities. A more focused list of audits and evaluations was developed for which the team developed project profiles.

Step 5 – Approval

A draft of the RBAEP is presented to DAEPMC to obtain a recommendation for approval by the Commissioner. The RBAEP is then approved by the Commissioner, as required by the TB Policy on Internal Audit and Policy on Results.

Annex B: Core responsibilities and corporate risks

Core responsibility 1: Care and custody

CSC provides for the safety, security and humane care of inmates, including day-to-day needs of inmates such as food, clothing, accommodation, mental health services, and physical health care. It also includes security measures within institutions such as drug interdiction, and appropriate control practices to prevent incidents.

Core responsibility 2: Correctional interventions

CSC conducts assessment activities and program interventions to support federal offenders’ rehabilitation and facilitate their reintegration into the community as law-abiding citizens. CSC also engages Canadian citizens as partners in its correctional mandate, and provides services to victims of crime.

Core responsibility 3: Community supervision

CSC supervises offenders in the community and provides structure and services to support their safe and successful reintegration into the community. Services include accommodation options, community health services, and the establishment of community partnerships. CSC manages offenders on parole, statutory release, and long-term supervision orders.

^{Note: at the time of the development of the 2025 to 2030 RBAEP, CSC was still in the process of updating its Corporate Risk Profile (CRP). The corporate risks identified above are from the 2023 to 2024 CRP.}