Internal Audit and Enterprise Risk Management branch

From: Employment and Social Development Canada

The Chief Audit Executive supports the Department by providing independent, objective assurance and advice on the adequacy and effectiveness of the design and operation of control frameworks, risk management, and governance processes. The Chief Audit Executive also manages the Enterprise Risk Management function within the Department as well as liaison services with the Office of the Auditor General and Central Agencies.

Key activities underway in the branch are:

Enterprise risk management

  • Various reviews / studies have noted the need to strengthen risk management in the department (audits, assessment by PricewaterhouseCoopers, review of project management by the Chief Financial Officer Branch).
  • Starting in FY 2019-20, the Enterprise Risk Management (ERM) function was allocated additional resources to address this issue and the function was transferred to the Internal Audit Services Branch. With this move, the Chief Audit Executive also took on the role of Chief Risk Officer. (ESDC did not have a Chief Risk Officer until that point.)
  • The mandate of the ERM unit is to achieve, over time, the following:
    • Provide an integrated, enterprise view of risk information and effectively use the risk information to enable evidence-based, risk-informed decision making
    • Challenge the measures taken to manage risk at ESDC, and monitor their implementation
    • Align risk management activities across ESDC to ensure corporate coherence
    • Monitor that risk is managed within the defined risk appetite of the organization (to be developed)
    • Promote a culture where risk considerations are embedded in day-to-day decision making
  • The ERM team has developed a strategic plan for the enhancement of the function, including a road map that lays out the work to be completed over a three-year time-frame
  • The work of the ERM team is focused on four areas:
    • The Practice, which involves the standardization of the risk management practice across the organization through the development of a departmental risk management framework, risk management policy, risk appetite and tolerances, and processes and tools
    • Governance, which involves the development of a clear governance model for risk management, including roles and responsibilities
    • The delivery of Advisory Services to support the systematic and consistent application of risk management in the department (e.g., ongoing advice to the risk analysts and planners network on the proper application of the risk management framework, advice on the risk information to be provided in Treasury Board submissions)
    • The development of a Training curriculum to enhance risk management capabilities and delivery of targeted training across stakeholder groups
  • The team has also been working on a new approach for the next Corporate Risk Profile (CRP). Work is currently underway to produce an initial version of the new CRP by the end of March 2020.
  • The ERM team’s efforts will next focus on the development of an integrated risk management framework for the department.

Status of audit activity impacting Service Canada branches as of December 2019

Office of the Auditor General of Canada (OAG) engagements

Engagement

Engagement to update on results measures

Stage

Reporting Phase: July - December, 2019

Tabling date

Publication on OAG internet site: Winter (March) 2020

Implicated program(s) / branch(es)
  • CPP-Disability
  • BDS; ISSD
Comments

The engagement will review results of 15 selected performance audits tabled at Parliament between November 2014 and November 2017, including the OAG’s audit on the Canada Pension Plan Disability (CPPD) Program (tabled in February 2016). This is a horizontal engagement implicating multiple departments.

The OAG shared a draft version of the extract pertaining to ESDC on July 24, 2019. Departmental results related to CPPD are positive.

Engagement

Audit of Procurement of Information Technology Solutions

Stage

Planning Phase: November – December, 2019

Tabling date

Parliament Tabling: Fall (October) 2020

Implicated program(s) / branch(es)
  • Benefits Delivery Modernization (BDM)
  • TISMB; CFOB
Comments

Along with ESDC, Public Services and Procurement Canada (PSPC), Shared Services Canada (SSC), and Treasury Board Secretariat (TBS) are included in the audit. The objective of the audit is to determine whether PSPC’s new procurement methods are helping departments meet business outcomes, and whether PSPC and SSC with selected departments have procurement practices that are fair, open and transparent.

Engagement

2019-20 Financial Statement Audits – ESDC Public Accounts (PA), Canada Pension Plan (CPP), Employment Insurance Operating Account (EIOA), and Government Annuities Account (GAA)

Stage

Planning Phase

Tabling date

ESDC Departmental Audit Committee (DAC) Tabling: August 2020

Implicated program(s) / branch(es)
  • EI; OAS; CPP; CSLP; Gs and Cs
  • CFOB; BDS; ISB; Regions; HRSB; Learning; ISSD; SEB; POB
Comments

The OAG launched their 2019-20 Financial Statement audits on September 27, 2019. These audits occur annually within the Department and culminate with a report to management on the results at the August Departmental Audit Committee and contribute to the finalization of departmental Financial Statements shortly thereafter.

Office of the Comptroller General of Canada (OCG) engagements (in collaboration with ESDC Internal Audit)

Engagement

Horizontal Internal Audit of Project Management

Stage

Reporting phase

Tabling date

GoC Audit Committee Tabling: June 2020

ESDC DAC Tabling: June 2020

Implicated program(s) / Branch(es)
  • OAS (Service Improvement Strategy); Passport (modernization project)
  • TISMB; CFOB; CSB
Comments

The audit objective is to determine whether sound governance was established and implemented as intended for a sample of in-flight projects. In addition to ESDC, Immigration, Refugees and Citizenship Canada (for their lead role in the Passport modernization project), TBS (for their project oversight role) and SSC (for another selected project) are included within the audit’s scope. The OCG is undertaking the Passport component of the audit which is being done in collaboration with both CSB officials and officials from IRCC.

The Secretary of the TB expressed interest in including the OAS-SIS project within the scope of this audit. ESDC’s Internal Audit followed up on selected recommendations in the Deloitte report, “OAS SIS Review of Project Management Risk and Mitigation Strategy” dated May 30, 2018, and our findings would be included in the final OCG Report.

Fact validation and preliminary findings briefings with management will commence in January 2020.

Internal Audit Engagements (underway)

Engagement

Follow-Up Audit of Temporary Foreign Workers Program (TFWP)

Stage

Reporting Phase

Tabling date

ESDC DAC Tabling: March 2020

Implicated program(s) / Branch(es)
  • Temporary Foreign Worker Program
  • POB; ISB; Regions; SEB
Comments

Following the OAG TFWP audit in 2017, an internal audit was launched in spring 2019 to assess progress in implementing the Management Action Plan responding to recommendations issued by the OAG.

Fact validation and preliminary findings briefings with management will commence in January 2020.

Engagement

Audit of Canada Pension Plan Program Delivery

Stage

Reporting Phase

Tabling date

ESDC DAC Tabling: June 2020

Implicated program(s) / Branch(es)
  • CPP
  • BDS; Regions; DGSRDS
Comments

The internal audit commenced in May 2019 and its objective is to determine whether the Department manages the delivery of the CPP effectively and efficiently.

Fact validation and preliminary findings briefings with management are planned to commence in February 2020.

Engagement

Assessment of Insider Threats

Stage

N/A

Tabling date

ESDC DAC Tabling: December 2019 and June 2020

Implicated program(s) / Branch(es)
  • Departmental and IT Security
  • ISB; IITB
Comments

Internal audit undertook an initial assessment of Insider Threats in October 2019 to identify potential events that could be carried out by trusted individuals and that could occur due to missing or insufficient controls. Several risk scenarios were identified, derived from the Communications Security Establishment’s harmonized threat and risk assessment methodology. A discussion with DAC members in December 2019 outlined past audit coverage of the identified risk scenarios.

Next steps will be to further analyze areas of risk in order to identify known weaknesses for management, as well as assurance engagements. Internal audit will also work with ISB, which is also undertaking work in this area.

Engagement

Audit of Emergency Preparedness

Stage

Planning Phase

Tabling date

November 2020

Implicated program(s) / Branch(es)
  • Departmental Security
  • ISB; Regions
Comments

The internal audit was initiated in November 2019, with a preliminary objective to provide reasonable assurance on the overall adequacy of the Department’s Emergency Management Framework and practices.

Audit planning is expected to be completed by February 2019.

Engagement

Audit of Controls around Payment Processes: Program Payments

Stage

Pre-planning Phase

Tabling date

ESDC DAC Tabling: Nov. 2020

Implicated program(s) / Branch(es)
  • EI, CPP, OAS, CSLP
  • BDS; Regions; CFOB; Learning
Comments

The internal audit is expected to be initiated in January 2020, with a preliminary objective to provide assurance that adequate controls are in place over the payment processes (section 34 and 33) of the Canada Pension Plan, the Canada Student Loans Program, the Employment Insurance program and the Old Age Security in accordance with Treasury Board Secretariat policies and directives.

Engagement

Independent Review of the Benefits Delivery Modernization Programme

Stage

Planning Phase

Tabling date

ESDC DAC Tabling: Nov. 2020

Implicated program(s) / Branch(es)
  • BDM
  • TISMB; CFOB
Comments

The review is expected to be initiated in February 2020, with an objective to gain independent, timely, and experienced insight into the BDM programme’s ability to successfully achieve its business outcomes and benefits prior to launching the Tranche 1 implementation phase of the programme. The Review will identify critical risks or issues that require response (i.e. governance, project management frameworks, resourcing), as well as assess and comment on critical success factors. This Review is a TB requirement for Benefits Delivery Modernization’s next TB Submission targeted for Fall 2020.

Internal Audit Engagements (completed; to be published)

Engagement

Audit of Identity Management Practices

Stage

Publication Phase

Tabling date

ESDC DAC Tabling: June 2019

Implicated Program(s) / Branch(es)
  • EI; CPP; OAS; SIN; Apprenticeship Grants; Wage Earner Protection; Parents of Young Victims of Crime; CESP; CSLP; Canada Disability Savings
  • ISB; Regions; BDS; CSB; IITB
Comments

The audit concluded that identity management practices have been developed and implemented but have not achieved the expected level of consistency across programs and service delivery channels. Management agreed with all three audit recommendations and developed a responding action plan that was approved by the Deputy following DAC recommendation.

Tentative publication date is January 31, 2020. Communications risk assessment identified no contentious issues. Media lines are prepared in the event they are required.

Engagement

Follow-up Review on Project Management and Oversight

Stage

Publication Phase

Tabling date

ESDC DAC Tabling: June 2019

Implicated Program(s) / Branch(es)
  • Enterprise Project Management Office
  • TISMB; Regions; CFOB; SSPB; HRSB
Comments

The audit concluded that three out of seven actions included in the MAP related to the 2017 Review on the Project Management and Oversight have been completed, whereas four actions have been partially implemented. No additional recommendations were made within this follow-up audit.

Tentative publication date is January 31, 2020. Communications risk assessment identified no contentious issues.

Engagement

Audit of Personnel Security Screening

Stage

Publication Phase

Tabling date

ESDC DAC Tabling: Dec. 2019

Implicated Program(s) / Branch(es)
  • Departmental Security Office
  • ISB
Comments

The audit concluded that the Department is adequately managing security screening processes and has developed appropriate procedures and practices to support those processes that are overseen by the DSO. No recommendations were issued.

Tentative publication date is January 31, 2020. Communications risk assessment identified no contentious issues.
