Coordinated Audit of Physical Security Access at The James Michael Flaherty Building

August 31, 2017

Prepared by:
Internal Audit Directorate

• What we examined
• Why it is important
• What we found

• Objective
• Scope
• Approach
• Statement of conformance

Detailed findings and recommendations

[This information has been severed]

Conclusion

Recommendations, management response and action plan

Appendix A: Audit criteria

Appendix B: Abbreviations

The extent to which government departments can ensure their own security directly affects their ability to ensure the continued delivery of services that contribute to the health, safety, economic well-being, and security of Canadians. To support these requirements, the objectives of Treasury Board Policy on Government Security are to ensure that deputy heads:

• effectively manage security activities within departments
• contribute to the effective government-wide security management

The objective of this internal audit was to provide reasonable assurance to the Deputy Minister that physical security access controls at the James Michael Flaherty Building were operating effectively to safeguard:

• departmental assets
• information
• employees
• authorized visitors
• delivery of service

The scope of the internal audit included the management and operations of physical security access controls at the Flaherty Building but excluded information technology security. The time frame under review was from July 1, 2014, to March 8, 2017.

The internal auditors:

• engaged with Flaherty Building security stakeholders or their representatives
• examined available documentation
• analysed available data
• conducted testing of physical security access controls

The Flaherty Building is located at 90 Elgin Street, Ottawa, and:

• serves as the headquarters for both the Department of Finance Canada (FIN) and the Treasury Board of Canada Secretariat (TBS)
• accommodates senior government and public service officials

The Flaherty Building was built between 2013 and 2015, with occupancy beginning in July 2014 and completed in late 2015. The entire FIN workforce of approximately 750 full-time employees occupies the building, as do approximately 1,230 full-time employees of TBS. TBS is considered the major tenant, and Public Services and Procurement Canada (PSPC) is the custodial tenant. The Flaherty Building is owned by Great-West Life Assurance Company (GWLAC), which is the landlord, and is managed by a wholly-owned subsidiary called GWL Realty Advisors Inc. (GWLRA). A 25-year lease agreement and property management agreement were signed in 2011 by PSPC and GWLAC.

According to the Policy on Government Security, the Departmental Security Officer, who is accountable to the Deputy Minister, was responsible for FIN’s security governance and security program. However, under the terms of the Lease Agreement and Property Management Agreement, the management of physical security access, including base building security, has devolved to the building’s property management firm under broad oversight of the building’s custodian (PSPC).

Both FIN and TBS included the Audit of Physical Security Access in their risk-based audit plans, which reflected the degree of risk attributed to the area by senior management of both departments.

[This information has been severed]

This Coordinated Audit of Physical Security Access at the James Michael Flaherty Building with Treasury Board of Canada Secretariat (TBS) was authorized as part of the Department of Finance Canada’s (FIN’s) Internal Audit Plan for 2016 to 2019 that was approved by the Deputy Minister (DM).

The Flaherty Building is located at 90 Elgin Street, Ottawa, and serves as the headquarters for both FIN and TBS. The entire FIN workforce of approximately 750 full-time employees is housed at the Flaherty Building, as are TBS’s approximately 1,230 full-time employees. Shared Services Canada also has offices in this facility. The building also accommodates a property management office and several private sector businesses, including a financial institution, food establishments and other storefront vendors.

Under provisions in the 25-year Lease Agreement and the Property Management Agreement signed in 2011 by Public Services and Procurement Canada (PSPC) as the custodial tenant and Great-West Life Assurance Company (GWLAC) as the landlord, responsibility for physical security of the building, with the exception of the tenant floor space, was conveyed to the building’s property management firm, GWL Realty Advisors Inc. (GWLRA), which is a wholly-owned subsidiary of GWLAC.

As part of its security management responsibilities, the property management firm managed the guard force, specifically the Canadian Corps of Commissionaires (CCC). The guard force was resourced through a PSPC call-up of the National Master Standing Offer for Commissionaire Services, which PSPC administered. Commissionaire services were funded based on a determination of FIN and TBS needs and the base building needs. PSPC developed a Specific Services Agreement for the transfer of costs from tenant departments to PSPC. Instructions for the guard force (post orders) were issued and administered by the property management firm through consultation with PSPC Base Building Security. Tenant departments also submitted supplemental post orders to meet unique departmental needs for guard services, such as post orders for FIN badging officers, whose job is to validate requests and issue ID cards to employees and contractors.

The Flaherty Building was built between 2013 and 2015, with occupancy beginning in July 2014 and completed in late 2015. FIN moved into the building first, followed by TBS. The Standard for Fire Safety Planning and Fire Emergency Organization defines the department that has the most employees as the major tenant. Since TBS has the most number of employees at the Flaherty Building, it is deemed the major tenant. According to the Treasury Board Operational Security Standard on Physical Security, in multi-tenant facilities, a security committee chaired by the major tenant or the custodian should be organized to coordinate the custodian's and all tenants' requirements for control of access, and to plan safeguards for heightened security situations.

FIN helps the Government of Canada implement strong and sustainable economic, fiscal, tax, social, security, international and financial sector policies and programs. It plays an important central agency role for other departments. All FIN employees have, at a minimum, a secret security clearance level. The Security Services Division of Corporate Services Branch (CSB) led FIN’s security program and supported departmental operations by implementing measures that ensured the security and integrity of its employees, sensitive information and assets.

The building’s physical security access was a combined effort between base building security responsibilities and tenant department security responsibilities. The building is considered a public access facility that has:

• a reception zone controlled by a contracted guard force
• access controls that include proximity card access through turnstiles into operations zones
• card readers to permit authorized staff entry into individual security zones (the floors) of tenant departments

The physical security of building access was intended to ensure that only authorized individuals were permitted beyond the public and reception zones, thereby safeguarding government assets and information and ensuring the safety of employees, as required by the Policy on Government Safety and related standards, directives and guidelines. The role of the Departmental Security Officer (DSO) was assigned to the executive who has fulfilled this role since 2009. At the time of this audit, this individual was the Assistant Deputy Minister, CSB. The DSO leads FIN’s security program and supports departmental operations by implementing measures to ensure the security and integrity of its employees, sensitive information and assets.

Physical security access for the Flaherty Building was identified by both tenant departments as a risk and was included in their respective risk-based audit plans. As a result, this internal audit was a coordinated audit between FIN and TBS to report on the overall audit objective through two separate but coordinated internal audit reports.

Created in 1867, FIN is one of the original departments of the Government of Canada and had as its primary functions bookkeeping, administering the collection and disbursement of public monies, and servicing the national debt. Today, FIN helps the Government of Canada develop and implement strong and sustainable economic, fiscal, tax, social, security, international, and financial sector policies and programs. It plays an important central agency role, working with other departments to ensure that the government’s agenda is carried out and that ministers are supported with high-quality analysis and advice.

The objective of the internal audit was to provide reasonable assurance that physical security access controls at the Flaherty Building were operating effectively to safeguard departmental assets, information, employees, authorized visitors and delivery of service.

The scope of the internal audit engagement covered the management and operations of physical security access controls at the Flaherty Building, including but not limited to base building security zoning and FIN and TBS access security, as determined by a high-level assessment of risks. The internal audit scope was based on a previously-agreed coordinated approach that involved both tenant departments, and assumed the active cooperation of key stakeholders, including PSPC, GWLRA and CCC.

The scope time frame was FIN’s occupancy period at the Flaherty Building, starting July 1, 2014, until March 8, 2017.

The internal audit did not address information technology security or the scope of authority entrusted to other federal partners.

The internal audit engagement was conducted in accordance with:

• the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing
• the Internal Auditing Standards of the Government of Canada

The planning phase included preliminary document reviews and preliminary management interviews to understand the state and status of the building’s physical security. The planning phase produced the terms of reference, which was shared for discussion with the audit client, and included detailed audit criteria that formed an integral part of a detailed audit program.

During the examination phase of the internal audit, we interviewed individuals in FIN, TBS, PSPC, GWLRA and CCC. The internal auditors conducted a walk-through of key access points, including:

• entry doors
• the loading dock
• several roof levels
• the parkade
• the freight elevators.

Documents were reviewed including policy instruments, agreements, meeting minutes and reports. The internal auditors also conducted data analysis on samples of incident reports, authorization files, and alarm reports relevant to the audit time frame.

Field work for this audit was substantially completed by March 8, 2017.

The audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards of the Government of Canada, as supported by the results of the quality assurance and improvement program.

[This information has been severed]

[This information has been severed]

[This information has been severed]

The following audit criteria were used in the conduct of this audit:

1. Departmental oversight for security
   1. FIN has a defined Security Management Framework that includes security policy, plan and procedures established to safeguard employees, authorized visitors, information and assets, and to assure the continued delivery of services.
   2. Security committees are established to ensure the coordination and integration of physical security activities, including the monitoring and reporting of incidents.
   3. Accountabilities, delegations, reporting relationships, and roles and responsibilities of personnel who have physical security responsibilities are defined and documented.
   4. A communication strategy is in place to ensure that employees are informed of their security roles and responsibilities.
2. Security operations and controls
   1. Security operations ensure that accurate and timely information is available to provide administrative oversight for departmental resources.
   2. Access controls are implemented to protect building, floors, workplaces and common spaces.
   3. The physical security zoning of the building’s workplaces complies with relevant Treasury Board policies, directives and standards.
   4. Physical security is reviewed and tested periodically.