Evergreen Risk-based Audit and Evaluation Plan
Deputy Head Confirmation
I approve the evergreen Risk-based Audit and Evaluation Plan (RBAEP) for Correctional Service Canada (CSC) for fiscal years 2024 to 2025 through to 2028 to 2029 with recommendations for approval received from the Departmental Audit Committee (DAC) and the Performance Measurement and Evaluation Committee (PMEC) as required by the Treasury Board (TB) Policy on Results and Policy on Internal Audit.
I confirm that the five-year evergreen RBAEP:
- Plans for the evaluation of all ongoing programs of grants and contributions with five-year average actual expenditures of $5 million or greater per year at least once every five years, in fulfillment of the requirements of subsection 42.1 of the Financial Administration Act
- Meets the requirements of the Mandatory Procedures for Evaluation
- Supports the requirements of the expenditure management system including, as applicable, Memoranda to Cabinet, TB Submissions, and resource alignment reviews, and
- Meets the requirements of the TB Internal Audit Policy Suite and conforms to the International Standards for the Professional Practice of Internal Auditing.
I will ensure that this plan is updated annually, and I will provide information about its implementation to the Treasury Board of Canada Secretariat (TBS), as required.
Anne Kelly
Commissioner
Correctional Service Canada
List of acronyms
- FY: Fiscal year
- CSC: Correctional Service Canada
- IAES: Internal Audit and Evaluation Sector
- RBAEP: Risk-based Audit and Evaluation Plan
- FTEs: Full-time equivalents
- CAEE: Chief Audit and Evaluation Executive
- TB: Treasury Board
- QAIP: Quality Assurance and Improvement Program
- MAPs: Management Action Plans
- DAC: Departmental Audit Committee
- PMEC: Performance Measurement and Evaluation Committee
- EXCOM: Executive committee
- TBS: Treasury Board of Canada Secretariat
Introduction
The Evergreen Risk-based Audit and Evaluation Plan
In fiscal year (FY) 2021 to 2022, Correctional Service Canada (CSC) merged the Evaluation Division with the Internal Audit Sector, creating the now established Internal Audit and Evaluation Sector (IAES). While it is generally recognized that the audit and evaluation divisions provide a continuum of complementary services, the merger leveraged existing resources and best practices, and has created synergistic opportunities.
IAES planning is the responsibility of the Practice Management Division, which is independent from the Audit Operations and Evaluation Divisions. Prior to the merger, the Internal Audit Sector produced a two-year Risk-based Audit Plan, while the Evaluation Division produced a five-year Departmental Evaluation Plan; the period for each aligned with its respective professional standards and policy frameworks. In 2022, the IAES released its first joint evergreen Risk-based Audit and Evaluation Plan (RBAEP). It covered a two-year period for internal audit engagements and a five-year period for evaluation engagements and identified innovative internal audit and evaluation engagements, including a first joint engagement. While the 2024 to 2029 RBAEP proposes a similar format with regard to coverage for audits and evaluations, IAES has allowed for a bit of flexibility in the latter years for each division in consideration of shifting priorities and evolving risks.
Purpose
The purpose of the evergreen RBAEP is to identify internal audit and evaluation work for FY 2024 to 2025 through to 2028 to 2029 that is risk-based and in line with central agency requirements. In turn, implementation of the plan will ensure that IAES supports CSC in the achievement of its objectives.
Overview of CSC
As part of the criminal justice system and respecting the rule of law, CSC contributes to public safety by actively encouraging and assisting offenders to become law-abiding citizens, while exercising reasonable, safe, secure and humane control.
CSC is responsible for administering sentences of a term of two years or more, as imposed by the court. It contributes to public safety through its core responsibilities that include the care and custody of inmates, correctional interventions, and the community supervision of offenders. CSC focuses on making its correctional facilities safe environments that support offenders in addressing their needs and risk factors, through rehabilitation and successful reintegration into the community as law-abiding citizens. It has taken, and will continue to take, concrete steps to improve the correctional and reintegration outcomes for Indigenous, Black, and other racialized offenders in its care.
On a typical day in FY 2022 to 2023, CSC managed 21,384 offenders (13,054 incarcerated and 8,330 supervised in the community). For FY 2024 to 2025, CSC’s Main Estimates are $3.171 billion with 18,826 planned full-time equivalents (FTEs). CSC’s infrastructure includes 43 institutions of various security levels (including four healing lodges and five accredited regional treatment centres), 14 community correctional centres, and 92 parole and sub-parole offices.
CSC IAES
In December 2023, a new Chief Audit and Evaluation Executive (CAEE) was appointed. The CAEE leads the three divisions of the IAES. The IAES initial budget allocation for fiscal year 2024 to 2025 is $4,533,486 in salary and $306,384 for operations and maintenance.
Internal audit at CSC is a professional, independent, and objective assurance and consulting activity designed to add value and improve CSC’s operations. It helps CSC accomplish its objectives by bringing a systematic, disciplined approach to assessing and improving the effectiveness of risk management, control, and governance processes. CSC has an Internal Audit division comprised of 16 FTEs.
Evaluation at CSC is a professional, systematic, and neutral function that collects and analyzes evidence to judge merit, worth, or value of CSC programming and activities. It determines the extent to which a program or initiative has achieved its expected results. Evaluations support evidence-based decision-making, program and policy improvements, innovation, and accountability. Evaluation advice and expertise support program officials in the design and implementation of programming to achieve expected results. CSC has an Evaluation division comprised of 17 FTEs.
The Internal Audit and Evaluation divisions are supported by a Practice Management division. Practice Management is responsible for providing assurance to the CAEE that the IAES operates in compliance with professional standards and applicable Treasury Board (TB) policy frameworks. As such, Practice Management designs and implements a Quality Assurance and Improvement Program (QAIP), leads the evergreen RBAEP process, reports on the implementation of CSC Management Action Plans (MAPs), manages the secretariat activities of the Departmental Audit Committee (DAC) and the Performance Measurement and Evaluation Committee (PMEC), and performs the role of CSC liaison with external assurance providers. CSC has a Practice Management division comprised of seven FTEs.
IAES Accomplishments
Internal Audit Division
In FY 2023 to 2024, the following internal audit engagements were completed and approved:
- Review of EXCOM-Related Governance Committees
- Audit of Indigenous Intervention Centres
- Audit of Offender Management System Modernization – System Under Development – Phase II, and
- Audit of Organizational Culture (recommended for approval by DAC in March 2024, and approved by the Commissioner in April 2024).
The Internal Audit division launched or continued work on three planned engagements:
- Joint Audit and Evaluation of Structured Intervention Units
- Audit of Fire Safety, and
- Audit of the Mother-Child Program.
Of the planned projects for FY 2023 to 2024, the Audit of the Management of Offenders with Special Needs and the Audit of Conditions of Confinement were delayed.
Evaluation Division
In FY 2023 to 2024, the following evaluation engagements were approved:
- Evaluation of Offender Case Management: Offender Intake Assessment and Institutional Supervision
- Rapid Impact Assessment of Joyceville Assessment Unit Intake Model
- Supplementary Report: Reanalysis of the Evaluation of Correctional Reintegration Programs, and
- Evaluability Assessment: Elder Services Within Indigenous Corrections.
The Evaluation division launched or continued work on five planned engagements:
- Evaluation of Correctional Officer Recruitment Allowance
- Joint Audit and Evaluation of Structured Intervention Units
- Evaluation of Case Management – Readiness for Parole
- Evaluation of Case Management – Community Transitions, and
- Evaluation of Maximum Security.
In addition, as part of its advisory responsibilities, the division provided advice on several TB submissions and performance measurement and monitoring strategies.
Practice Management Division
In FY 2023 to 2024, the Practice Management division introduced a series of improvements to its QAIP and MAP follow-up process and continued to provide secretariat support to the DAC and PMEC.
It also supported CSC through its liaison function with external assurance providers. Key highlights include liaising between the Office of the Auditor General and CSC senior management during the conduct of its Audit of Inclusion in the Workplace for Racialized Employees, its Strategic Audit Planning exercise, and its Update on a Past Audit: the Auditor General’s 2018 Audit of Community Supervision; as well as liaising between the Public Service Commission and CSC senior management during the conduct of its Audit of System-Wide Staffing and its Audit on the Application of the Order of Preference for Veterans.
Summary of Planning Approach
The IAES integrated the internal audit and evaluation risk-based planning processes from previous years. A detailed description of the risk-based methodology is available in Annex A.
While assessing risks is key in the identification of possible engagements to conduct, other factors also play an important role in shortlisting projects, such as government-wide and departmental priorities, environmental context, and historic coverage. To help in the identification of engagements to include in the 2024 to 2029 RBAEP, IAES conducted a risk assessment, an environmental scan, as well as surveys and consultations with all executive committee (EXCOM) members, and with DAC and PMEC external members.
As part of its process, IAES also considers plans and/or ongoing work performed by external assurance providers to avoid duplication of effort and ensure that IAES resources are focused on under-serviced high-risk areas. External assurance providers include, but are not limited to:
- Office of the Auditor General
- Office of the Comptroller General
- Public Service Commission
- Office of the Correctional Investigator, and
- Independent Advisory Panel (Structured Intervention Units).
The suitability of evaluation or internal audit as a means to reduce risk versus other tools available to CSC was also considered, and significant consultations took place with stakeholders to validate project selection. Selection of evaluation engagements also took into consideration materiality, value to management, program risk, and the year in which the program was last evaluated.
Internal Audit and Evaluation Plans
Internal audit and evaluation engagements that were selected based on risk, coverage, and priority have been included below in the respective two-year and five-year schedules. The variety of engagements ensures comprehensive coverage of the CSC core responsibilities, departmental priorities, and corporate risks.
2024 to 2026 Audit Plan at a Glance:
- Audit of Fire Safety (Underway)
- Audit of the Mother-Child Program (Underway)
- Joint Audit and Evaluation of Structured Intervention Units (Underway)
- Audit of the Procurement and Contracting Process (Underway)
- Audit of the OMS-M – Systems Under Development (Underway) – Phases 3 and 4
- Audit of Conditions of Confinement (Underway)
- Internal Audit Engagement of the Management of Offenders with Special Needs
- Internal Audit Engagement of Leave and Overtime
2024 to 2029 Evaluation Plan at a Glance:
- Evaluation of Correctional Officer Recruitment Allowance (Underway)
- Joint Audit and Evaluation of Structured Intervention Units (Underway)
- Evaluation of Offender Case Management – Readiness for Parole (Underway)
- Evaluation of Maximum Security (Underway) – Parts 1 and 2
- Evaluation of Offender Case Management – Community Transitions (Underway)
- Evaluation of the Black Offender Strategy – Parts 1, 2, and 3
- Evaluation of CORCAN Employment and Employability
- Evaluation of Victim Services
- Evaluation of the Drug Strategy – Parts 1 and 2
- Evaluation of Community-based Residential Facilities
- Evaluation of Mental Health Services
- Evaluation of Facilities Management and Accommodation Services
- Evaluation of Preventative Security and Intelligence
- Evaluation of Offender Education
- Evaluation of Social Programs
- Evaluation of Community Correctional Centres
See Annex C for coverage of organizational spending and the programs for FY 2024 to 2029.
2024 to 2025 External Assurance at a Glance:
- Public Service Commission – System-Wide Staffing Audit
- Public Service Commission – Audit on the Application of the Order of Preference for Veterans
- Environment and Climate Change Canada – Horizontal Evaluation of Federal Contaminated Sites Action Plan
- Office of the Auditor General – Update on a Past Audit: The Auditor General’s 2018 Audit of Community Supervision
Annex A: Methodology
The RBAEP was led by the Practice Management division with support from the Internal Audit and Evaluation divisions. It began with a review of the audit and evaluation universes and a thorough review of corporate reporting tools, previous evaluations and audits, management reviews, planned Compliance and Operational Risk Reports, program information, and identified program needs and recommendations from relevant stakeholders and central agencies.
Upon reviewing the pre-existing internal audit and evaluation planning methodologies, a common risk-based planning pathway was developed following the steps below:
Step One – Audit and Evaluation Universe
The audit and evaluation universe, which acts as an organizational blueprint to identify areas of risk within a program or activity, was based on CSC’s Core Responsibilities, and then mapped to each sub-responsibility. This universe formed the basis upon which a coordinated document review process unfolded; that process included a comprehensive review of corporate information and reports prepared by various internal and external assurance providers.
Step Two – Understanding the Current and Future Risk Environment
Several activities were undertaken to gather organizational, program, and process risk information including document reviews, surveys, and consultations.
Document Reviews
Documentation that was reviewed included key corporate documents, including the Departmental Plans, Departmental Results, and CSC financial information. Furthermore, the division reviewed previous oversight work to ascertain CSC program activity coverage. This included a review of corporate reporting, reports from external assurance providers, plans from external assurance providers, previous audits and evaluations, management reviews, planned Compliance and Operational Risk Report activity, program information, identified program needs and recommendations from Treasury Board of Canada Secretariat (TBS), PMEC, and DAC.
Surveys
A harmonized survey tool was developed for the RBAEP exercise. A web-accessible survey was distributed to members of EXCOM. The survey focused on identifying organizational changes, and solicited management views of the relevance and timeliness of the previous year’s planned internal audit and evaluation engagements. EXCOM members were asked to rank engagements based on their perceptions of priority. The results were used to validate planned engagements, and to identify new areas for consideration.
Consultations
Using the results of the consultation survey, follow-up interviews were conducted with EXCOM members to gain a more nuanced view of their survey responses and inquire about upcoming changes and existing issues across their respective areas and CSC at-large. Additionally, PMEC and DAC members were also consulted to gain their perspective on risk and areas where the IAES work could bring the most value for CSC. The results of this process were then rolled up into a summary document that was used during the RBAEP risk assessment.
Step Three – Risk Assessment
The results of the document reviews, survey, and interviews were mapped to the audit and evaluation universe elements. The synthesized risk information was shared with the CAEE, the Senior Director of Audit Operations, and the Director of Evaluation. Practice Management conducted a risk assessment of each element of the audit and evaluation universe using a common risk assessment. The risk factors for this assessment were the six CSC corporate risks (see Annex B), three other risk factors (implementation, materiality, and importance), and the addition of two new risks (values and ethics, and official languages) which were the result of a desire to ensure proper consideration is being given to those areas. Additionally, value to management, program risk, and the year in which the program was last evaluated were also taken into consideration. The results were consolidated and the average risk score for each audit and evaluation universe element was used as the final risk ranking for each program and internal services area.
Step Four – Project Selection and Confirmation
An initial list of projects was developed based on high-risk audit and evaluation universe elements with low historic coverage and those areas that are required by TBS. These projects were assessed for suitability and alignment with the CSC core responsibilities. A more focused list of audits and evaluations was developed for which the team developed project profiles.
Step Five – Approval
A draft of the 2024 to 2025 RBAEP was presented at DAC and PMEC to obtain a recommendation for approval by the Commissioner. The RBAEP was then approved by the Commissioner, as per the TB Policy on Internal Audit and Policy on Results.
Annex B: Core Responsibilities and Corporate Risks
Core Responsibility 1: Care and Custody
CSC provides for the safety, security and humane care of inmates, including day-to-day needs of inmates such as food, clothing, accommodation, mental health services, and physical health care. It also includes security measures within institutions such as drug interdiction, and appropriate control practices to prevent incidents.
Core Responsibility 2: Correctional Interventions
CSC conducts assessment activities and program interventions to support federal offenders’ rehabilitation and facilitate their reintegration into the community as law-abiding citizens. CSC also engages Canadian citizens as partners in its correctional mandate, and provides services to victims of crime.
Core Responsibility 3: Community Supervision
CSC supervises offenders in the community and provides structure and services to support their safe and successful reintegration into the community. Services include accommodation options, community health services, and the establishment of community partnerships. CSC manages offenders on parole, statutory release, and long-term supervision orders.
Corporate Risks (FY 2024 to 2025)
1 | There is a risk that CSC will not be able to maintain required levels of operational safety and security in institutions and in the community. |
2 | There is a risk that CSC will not be able to implement its mandate and ensure the financial sustainability and modernization of the organization. |
3 | There is a risk that CSC will not be able to respond to the complex and diverse profile of the offender population. |
4 | There is a risk that CSC will not be able to maintain a safe, secure, healthy, respectful, and collaborative working environment as established by its legal and policy obligations, mission, and values statement. |
5 | There is a risk that CSC will not be able to maintain public confidence in the federal correctional system. |
6 | There is a risk that CSC will lose support of partners delivering critical services and providing resources for offenders. |
Annex C: Coverage of Organizational Spending and the Programs for FY 2024-29
Program | Title of Planned Evaluation | Date of planned evaluation approval | Program spending covered by the planned evaluation (based on 2024 to 2025 amounts) | Comments |
---|---|---|---|---|
P1 Institutional Management and Support | None planned | Not applicable | $0 | Program was recently evaluated and there are no mandatory evaluation requirements. |
P2 Supervision | Joint Audit and Evaluation of Structured Intervention Units | 2024 to 2025 | $876,902,493 | Not applicable |
P2 Supervision | Evaluation of Maximum Security Units - Part I | 2024 to 2025 | Included above | Not applicable |
P2 Supervision | Evaluation of Maximum Security Units - Part II | 2025 to 2026 | $876,902,493 | Not applicable |
P23 Preventive Security and Intelligence | Evaluation of Preventative Security and Intelligence | 2026 to 2027 | $21,987,710 | Not applicable |
P23 Preventive Security and Intelligence | Evaluation on Drug Strategy - Part I | 2026 to 2027 | Included above | Not applicable |
P23 Preventive Security and Intelligence | Evaluation on Drug Strategy - Part II | 2029 to 2030 or later | $0 | Not applicable |
P3 Drug Enforcement | Evaluation on Drug Strategy - Part I | 2026 to 2027 | $12,277,864 | Not applicable |
P3 Drug Enforcement | Evaluation on Drug Strategy - Part II | 2029 to 2030 or later | $0 | Not applicable |
P4 Clinical Services and Public Health | Evaluation on Drug Strategy - Part I | 2026 to 2027 | $224,182,646 | Not applicable |
P4 Clinical Services and Public Health | Evaluation on Drug Strategy - Part II | 2029 to 2030 or later | $0 | Not applicable |
P5 Mental Health Services | Joint Audit and Evaluation of Structured Intervention Units | 2024 to 2025 | $120,920,138 | Not applicable |
P5 Mental Health Services | Evaluation of Mental Health Services | 2026 to 2027 | $120,920,138 | Not applicable |
P6 Food Services | Evaluation of Food Services | 2029 to 2030 or later | $0 | Not applicable |
P7 Accommodation Services | Evaluation of Facilities Management and Accommodation Services | 2026 to 2027 | $519,201,099 | Not applicable |
P7 Accommodation Services | Horizontal Evaluation of the Federal Contaminated Sites Action Plan | 2024 to 2025 | $192,131 | Not applicable |
P8 Offender Case Management | Evaluation of Case Management (Readiness for Parole) | 2024 to 2025 | $289,123,566 | Not applicable |
P8 Offender Case Management | Evaluation of Maximum Security Units - Part I | 2024 to 2025 | Included above | Not applicable |
P8 Offender Case Management | Evaluation of Case Management (Community Transitions) | 2025 to 2026 | $289,123,566 | Not applicable |
P8 Offender Case Management | Evaluation of Maximum Security Units - Part II | 2025 to 2026 | Included above | Not applicable |
P8 Offender Case Management | Evaluation of Black Offender Strategy - Part I (Evaluation Framework) | 2025 to 2026 | Included above | Not applicable |
P8 Offender Case Management | Evaluation of Black Offender Strategy - Part II (Implementation) | 2026 to 2027 | $289,123,566 | Not applicable |
P8 Offender Case Management | Evaluation of Black Offender Strategy - Part III (Results) | 2028 to 2029 | $289,123,566 | Not applicable |
P9 Community Engagement | Evaluation of Victim Services | 2025 to 2026 | $8,849,206 | Not applicable |
P10 Chaplaincy | None planned | Not applicable | $0 | Program was recently evaluated and there are no mandatory evaluation requirements. |
P11 Elder Services | None planned | Not applicable | $0 | Program was recently evaluated and there are no mandatory evaluation requirements. |
P22 Correctional Programs | None planned | Not applicable | $0 | Program was recently evaluated and there are no mandatory evaluation requirements. |
P15 Offender Education | Evaluation of Offender Education | 2027 to 2028 | $29,345,518 | Not applicable |
P16 CORCAN Employment and Employability | Evaluation of CORCAN Employment and Employability | 2025 to 2026 | $46,357,698 | Not applicable |
P17 Social Program | Evaluation of Social Programs | 2028 to 2029 | $25,271,269 | Not applicable |
P18 Community Management and Security | None planned | Not applicable | $0 | There are no mandatory evaluation requirements and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
P19 Community-Based Residential Facilities | Evaluation of Community Residential Facilities | 2026 to 2027 | $125,985,787 | Not applicable |
P20 Community Correctional Centres | Evaluation of Community Correctional Centres | 2027 to 2028 | $21,676,808 | Not applicable |
P21 Community Health Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC1 Management and Oversight Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC2 Communications Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC3 Legal Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC4 Human Resources Management Services | Evaluation of Correctional Officer Recruitment Allowance (Carried Over) | 2024 to 2025 | $119,299,297 | Not applicable |
ISC5 Financial Management Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC6 Information Management Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC7 Information Technology Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC8 Real Property Management Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC9 Material Management Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |
ISC10 Acquisition Management Services | None planned | Not applicable | $0 | No specific requirements for evaluations in internal services and there is currently insufficient capacity to complete evaluations beyond the mandatory requirements. |