Audit of the ECCC Application and Implementation of the Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police – Leave Without Pay

Executive summary

Context

This report presents the findings of an internal audit of the Environment and Climate Change Canada (ECCC) application and implementation of the consequences of non-compliance (Section 7) provisions of the Policy on COVID-19 Vaccination for the Core Public Administration (Vaccination Policy) – Leave without Pay conducted between February 2022 and April 2022. This audit is included in the Audit and Evaluation Plan 2022 to 2027. The audit objective was to assess the application of the management control framework developed to support Vaccination Policy implementation, with a focus on the governance and the application of procedures established to administer the Section 7 provisions.

Why it is important

COVID-19 vaccination has been a priority for the federal government, to support employee health and safety and the effective administration of the Vaccination Policy at the departmental level was the responsibility of each department. 2 key elements developed to support the achievement of the Vaccination Policy objectives and expected results were robust governance and oversight mechanisms and effective application of processes to support the placement of employees who did not comply on administrative leave without pay in a timely manner. At ECCC, the Human Resources Branch has been instrumental in supporting the Deputy Minister in implementing the policy and in particular with the application of the consequences of non-compliance provisions.

The Policy was suspended as of June 20, 2022, following a review of the public health situation. However, vaccines continue to be one of the most effective ways to protect against COVID-19. The Government of Canada will continue to monitor and assess the need for additional public health measures, including the possible reintroduction of vaccination mandates. This audit provides timely insights and opportunities for consideration as the Department proceeds with reinstating employees subject to administrative leave without pay as a result of the vaccination policy, and potentially preparing for a reintroduction of the vaccination policy.

What we found

The department developed a management control framework to support the administration of the Vaccination Policy. The policy had to be implemented within 1 month of becoming effective. The framework was therefore developed very quickly to support the timely implementation of a policy that affected all departmental employees.

The governance structure and processes put in place supported the timely provision of guidance and advice to delegated managers and employees. The internal controls put in place were adequate to support policy implementation. The quick implementation of this policy required a reliance on established internal controls in place. As such, the audit identified some limitations with regard to specific elements of the administration of the consequences of non-compliance provisions of the policy. For example, it was difficult to obtain information on the timeliness of actions taken to restrict employee network and facility access. In addition, since the department has buildings and facilities across Canada, there was no centralized tool to provide assurance whether employee access to facilities had been restricted properly, and in a timely manner. While the audit was informed that employee access to physical workplaces had been restricted, there is no audit trail to verify this.

Opportunities for consideration

The report does not put forward recommendations for action. Rather, it presents 2 areas for consideration for similar future initiatives:

• Enhancing the monitoring and reporting over the complete lifecycle of the administration of decisions – including the advice provided to delegated managers, to their decisions and the processes put in place to fully administer the consequences of non-compliance provisions
• Enhancing the logging and monitoring of employee network access and pursuing the implementation of a centralized access system

1. Background

On August 13, 2021, the Government of Canada announced its intent to require vaccination for all employees across the federal public service. The announcement was based on advice from public health authorities who continued to advise that, combined with the existing safety measures; vaccination is the most effective tool to reduce the risk of COVID-19 for Canadians.

In an effort to protect the health and safety of employees, and to improve vaccination rates among employees in the core public administration, the Treasury Board of Canada issued the Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police (Vaccination Policy), which came into effect on October 6, 2021. As per the policy, all employees of the core public administration, including the Royal Canadian Mounted Police, must be vaccinated. This requirement applies whether employees are teleworking, working remotely, or working on-site. The Vaccination Policy also applies to contract personnel who require access to federal government worksites to perform work for the Government of Canada.

Human Resources Branch officials had to work very quickly, under tight timelines, to develop a governance framework, processes and procedures, and to collaborate with corporate services and communications officials to develop a communication and implementation plan. To conform to the requirements of the policy, all employees were to attest to their vaccination status within 23 calendar days of the policy coming into effect. Under the policy, employees were required to formally attest to their vaccination status and delegated managers were to make sure their employees knew how to enter their vaccine attestation and any associated data or information in the Government of Canada’s Vaccine Attestation Tracking System (GC-VATS).

By October 29, 2021, all employees in the core public administration, including employees on Other Leave with Pay (699) for reasons related to the pandemic, needed to attest to their vaccination status in the GC-VATS system or provide their status to their managers if they did not have access to the system. Other attestation deadlines were defined depending on whether an employee was already on leave on the date the Vaccination Policy came into effect, had requested an accommodation or for other reasons related to their current position.

Section 7.1.2 of the policy outlines the consequences of non-compliance for employees unwilling to be fully vaccinated or unwilling to disclose their vaccination status at 2 weeks after the attestation deadline of October 29, 2021. The consequences are as follows:

• Restricting the employee’s access to the workplace, off-site visits, business travel and conferences
• Placing the employee on administrative leave without pay advising them not to report to work or to stop working remotely and taking the required administrative action to place them on leave without pay

On June 14, 2022, the Government of Canada announced that the Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police is suspended effective June 20, 2022. Therefore, ECCC employees will no longer be required to be fully vaccinated as a condition of employment. This announcement follows a review of the current public health situation about the evolution of the COVID-19 virus and of the vaccination rates throughout Canada.

As a consequence, as of June 20, 2022, all ECCC employees who were subject to administrative leave without pay, as a result of the vaccination policy, may resume regular work duties with pay and have their access to facilities and networks reinstated. The Government of Canada will continue to monitor the evolution of the COVID-19 virus and could reinstate the mandates as appropriate, depending on the situation.

This audit provides timely insights and opportunities for consideration as the Department proceeds with reinstating employees subject to administrative leave without pay as a result of the vaccination policy, and potentially preparing for a reintroduction of the vaccination policy.

Key roles and responsibilities

The following paragraphs provide an overview of key roles and responsibilities for employees, delegated managers, as well as human resources, corporate security, and administration officials.

Employees. ECCC employees are responsible for disclosing their vaccination and testing status. Employees who request accommodation based on medical contraindications, religion, or another prohibited ground of discrimination as defined under the Canadian Human Rights Act, were informed to talk to their managers and submit the required documentation to support their requests.

Employees that were not willing to be vaccinated or to disclose their vaccination status were required to attend an online training session on the COVID-19 vaccination within 2 weeks after the attestation deadline. After that 2 week period, employees who remained unvaccinated or who did not attest, or who did not obtain an accommodation request approval, were to be placed on administrative leave without pay and have their pay suspended and their access to departmental networks and physical workplaces restricted. As well, employees who were partially vaccinated had 10 weeks to receive their second vaccination dose. If they did not received the second dose within this time, they were also to be placed on administrative leave without pay with similar restrictions imposed. Finally, employees who were placed on administrative leave without pay and subsequently became partially vaccinated were to be reinstated and have their pay access to networks and physical workplaces reinstated.

Delegated managers. Delegated managers are responsible for ensuring that their employees have access to information and knowledge they need to meet policy requirements and enter their vaccine attestations and any associated data or information in GC-VATS. They are also responsible for reviewing vaccine attestations and any associated data or information entered by their employees to ensure that the information complies with the requirements. In addition, prior to the November 15, 2021 deadline, delegated managers were required to remind their employees, in writing, of the consequences of not attesting to their vaccination status or of being unvaccinated and required that they attend an online training session on COVID-19 vaccination.

Delegated managers are also required to respond to employee accommodation requests by informing them of their obligations, gathering relevant information, rendering a decision as soon as possible, implementing the decision by identifying the appropriate accommodation measures, which may include mandatory testing, and documenting the process.

As part of the process, delegated managers are required to consult their Labour Relations Advisor for assistance. This is particularly important in supporting delegated managers as they follow the process for placing employees on administrative leave without pay in cases of non-compliance. It helps to ensure the process is applied in a consistent manner. Delegated managers are responsible for initiating the consequence of non-compliance provisions by informing their employees that they will be placed on administrative leave without pay until such time as they become compliant with the Vaccination Policy. To place an employee on administrative leave without pay, delegated managers must submit a completed and signed employee leave request form (GC-178) to the ECCC Trusted Source team within the Human Resources Branch. The Trusted Source team is responsible for entering the leave without pay transaction into MyGCHR, which results in the suspension of the employee’s pay. The Trusted Source team member will then communicate the relevant information to the Pay Centre which performs residual work related to the leave without pay (for example, sending leave without pay benefits letters). Delegated managers are also responsible for informing the Departmental Security Division and the Service Management Division, to ensure that access to networks and physical workplaces are restricted in a timely manner.

Human Resources Branch. The Human Resources Branch is responsible for supporting the Deputy Minister with the overall implementation of the Vaccination Policy within ECCC, which includes the application of the consequences of non-compliance provisions. The Human Resources Branch established a Human Resources Expert Review Committee to review all employee accommodation requests and provide advice to delegated managers to support their decision-making process. The Human Resources Branch also developed guidance for employees and delegated managers in support of the administration of policy requirements. The guidance was posted on the Department’s Intranet site under the heading, COVID-19 Vaccination and Rapid Testing Program.

The Labour Relations team, within the Human Resources Branch provided advice and assistance to delegated managers as they carried out their roles and responsibilities to administer the consequences of non-compliance provisions.

Corporate Services and Finance Branch, Departmental Security Division and Service Management Division. The Departmental Security Division and the Service Management Division are responsible for taking measures to restrict access to the network and physical workplace buildings for employees on administrative leave without pay. The restrictions are temporary until the employee meets Vaccination Policy requirements.

2. Objective, scope and methodology

Objective

The audit objective was to assess the application of the management control framework developed to support the implementation of the Treasury Board Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police. Specifically, the audit assessed the governance and application of procedures established to administer the consequences of non-compliance provisions (section 7 of the policy).

Scope

The audit focused on:

• The effectiveness of the governance and monitoring practices established, as well as, the controls put in place to support the application of the policy.
• A review of all cases of employees placed on administrative leave without pay as a consequence of non-compliance, including restricting access to facilities and networks, as well as, their reinstatement should they become partially vaccinated.

The lines of enquiry and criteria are in Appendix A.

The audit covered the period from November 15, 2021 to January 21, 2022 and examined 55 cases (100%) of employees placed on administrative leave without pay as a consequence of non-compliance. Subsequently, 6 of these employees received a first dose of the vaccine and were reinstated during the scope period. The reinstatement process was also assessed as part of this audit. It should be noted that for the period under review, ECCC had approximately 8,530 employees (which includes 389 employees on leave). Excluding the employees on leave, the vast majority (99%) attested as fully vaccinated and 89 employees made requests for accommodation.

This is the first of 2 internal audits being conducted on the implementation of the Vaccination Policy. The next audit will focus on the management control framework that was established to support the processing of employee accommodation requests.

The audit scope did not include the following elements:

• requests for accommodation based on medical contraindications, religion or other prohibited grounds of discrimination defined under the Canadian Human Rights Act, which will be covered through a separate audit
• monitoring online attendance for the required training session on COVID-19 vaccination
• monitoring the administration of the policy following a second vaccination dose for those employees who decided to become partially vaccinated during the period covered
• the application of the Vaccination Policy for employees who were already on leave when it came into effect
• activities performed by external parties outside of ECCC’s purview, such as the Pay Centre, as a result of employees being placed on administrative leave without pay
• any dispute with the application of the consequences for non-compliance
• any case where the attestation deadline is different from October 29, 2021, as specified in Appendix A of the Policy
• the validity of the vaccine attestations and supporting documentation for employee accommodation requests

Methodology

The methodology included:

• a review of relevant documentation, including policies, guidelines, procedures and communication materials
• interviews and walkthroughs with key personnel from the Human Resources Branch and the Corporate Services and Finance Branch
• a review of 55 case files of employees placed on administrative leave without pay because of non-compliance 100 percent of cases between November 15, 2021 and January 21, 2022

Statement of conformance

The audit conforms to the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

3. Findings and conclusions

3.1 Governance to support Vaccination Policy implementation

What we examined

The audit sought to determine whether a governance framework was in place to support the implementation of the Vaccination Policy, including the administration of the consequences of non-compliance provisions. Through interviews with key personnel from the Human Resources Branch and the Corporate Services and Finance Branch and a review of documents, the audit team assessed whether:

• oversight functions were adequately established to support the administration of the policy – including the consequences of non-compliance provisions
• roles, responsibilities and authorities related to the consequences of non-compliance provisions were clearly defined, documented, communicated and understood
• processes related to the administration of the consequences of non-compliance provisions were clearly defined, documented, communicated, understood, and applied.

What we found

The audit found that the governance structure adequately supported Vaccination Policy implementation. Although no formal Terms of Reference were available for all established committees or working groups, the roles and mandates were complementary to support the administration of the policy. Records of decisions reviewed showed that the meetings were timely, more frequent during the 2 weeks prior to the attestation deadline, and had the appropriate departmental officials in attendance.

The governance structure in place involved the departmental Chief Human Resources Management Officer and different bodies, at different levels, to support the Vaccination Policy implementation, including the application of the consequences of non-compliance. This includes the elements described below.

Chief Human Resource Management Officer. The Chief Human Resources Management Officer was the departmental lead in supporting the Deputy Minister in implementing the policy at ECCC. The Human Resources Branch is the central point and primary lead responsible for implementation within the Department.

Assistant Deputy Minister – Director General COVID Task Team. This governance bodywas established at the onset of the pandemic to provide advice and recommendations to the Deputy Ministers and the Executive Management Committee. It is co-chaired by the Assistant Deputy Minister, Corporate Services and Finance Branch and the Chief Human Resources Management Officer, and includes membership from each branch. The Task Team is an important mechanism for sharing information, including vaccination guidance and for discussing and identifying solutions to issues as they have arisen during the pandemic. For the purposes of the Vaccination Policy, the Task Team was a useful forum for discussing implementation issues such as data discrepancies related to the actual number of employees in each branch, and mitigation measures to ensure that the Department obtained attestations from all employees within the timelines prescribed in the policy.

Vaccination and Rapid Testing Implementation Working Group. The Human Resources Branch established this working group, co-chaired by the Director General, Workforce Development and Wellness Service and the Director, Labour Relations, Health and Safety and Disability Management. Members included representatives from each branch at the manager and / or director level. The purpose of the working group was to share information and quickly identify and address any issues related to Vaccination Policy implementation. The working group met at least weekly during the period under review and meetings were used effectively to update branches on policy implementation address concerns related to processes in place to support accommodation requests and potential administrative leave without pay cases.

Human Resources Expert Review Committee (HRERC). This committee was created to support implementation. It is composed of the Chief Human Resources Management Officer and her senior advisor, the Director General, Workforce Development and Wellness Service, the Director of Labour Relations, Health and Safety and Disability Management, the Director, Wellness Programs and the Departmental Lead for the Vaccination File (Labour Relations Manager). The departmental legal representative from the TBS Centre for Labour and Employment Law (CLEL) also attended all HRERC meetings. The mandate was to review all accommodation requests and formulate advice to the appropriate delegated managers (with Section 34 delegation) to support their decision-making. The committee also informed the Deputy Ministers and the Senior Legal Counsel of the advice provided to delegated managers. The effectiveness of this committee will be assessed as part of our upcoming audit on the processes in place to support duty to accommodate requests.

The governance structure was complemented by the Section 34 delegated managers (DG level and above) and officials from 5 enabling services in the Human Resources Branch and Corporate Services and Finance Branch that supported the implementation of the non-compliance provisions. These include the following:

• HR Labour Relations staff supported delegated managers in their administration of cases where employees did not comply with policy requirements by providing advice at each step of the process and by providing communication tools that could be used to discuss implementation with employees
• HR Pay Liaison (Trusted Source) staff were responsible for ensuring that employee pay was temporarily suspended when they were placed on administrative leave without pay and for working with the Pay Centre to ensure that employees who subsequently complied with the Vaccination Policy resumed receiving their pay in a timely manner
• HR Business Transformation staff were responsible for developing reports and a dashboard to support the monitoring of the implementation of the policy within the department
• Security Management Division staff were responsible for restricting access to departmental physical workplaces for the employees placed on administrative leave without pay
• Information Technology Service Management Division staff were responsible for restricting access to departmental networks, including the electronic mail system for employees placed on administrative leave without pay

The audit also found that Labour Relations played a key role in supporting delegated managers in the administration of the 55 cases of non-compliance identified during the period under review. Interviewees identified this as a good practice that contributed to the consistent application of the consequences of non-compliance.

Key consideration for similar future initiatives

Monitoring the complete lifecycle of the administration of decisions that have important consequences is a key element of governance. For the implementation of the Vaccination Policy, there was effective monitoring and reporting process in place up to the advice to delegated managers to support their decision-making on potential administrative leave without pay cases.

Similar future initiatives may wish to consider putting in place a monitoring and reporting process that extends to the complete lifecycle of the administration of decisions – from advice provided to delegated managers, to their decisions and the processes in place to fully administer the consequences of non-compliance provisions. This was particularly the case for actions that had to be taken to place employees on administrative leave without pay, which included suspending their pay and restricting access to departmental networks and physical workplaces. Because various functions are responsible for supporting these actions, an overarching governance element or process to monitor, confirm, and report on whether all actions were performed correctly and in a timely manner is important. Having such a governance process would support the management and mitigation of risks associated with the actions that had to be taken to enact the consequences of non-compliance provisions.

Roles and responsibilities

The Vaccination Policy defines the roles and responsibilities of the deputy heads, managers and employees. Human Resources Branch officials documented and communicated the roles and responsibilities related to the Vaccination Policy implementation. Initially, the Human Resources Branch communicated the roles and responsibilities, as well as, the authorities for implementing the policy and consequences for non-compliance to branch heads by email, and subsequently published them on the departmental Intranet site along with related guidance. Departmental officials carried out these roles in accordance with their responsibilities.

The audit noted that in the early stages of implementation, communication regarding the level of delegation required to approve placing employees on administrative leave without pay for non-compliance was inconsistent, varying from director to director-general level and above. The Human Resources Branch quickly corrected this inconsistency by publishing formal guidance on the departmental Intranet site, which clearly identified that these decisions are required to be taken at the director general level or higher.

Our file review revealed that Labour Relations staff played an active role in the implementation of the consequences of non-compliance policy elements. For example, they assisted delegated managers with some of the tasks. This included initiating the administrative process by submitting a completed leave request form (GC-178) to the ECCC Trusted Source team to suspend employee pay; and, advising Information Technology Service Management and Security that an employee was to be placed on administrative leave without pay and that their access to networks and physical workplaces should be restricted.

While those actions were inconsistent with documented roles and responsibilities, they likely contributed to the timely and consistent implementation of the consequences of non-compliance policy elements. This is particularly important since the majority of administrative leave without pay requests were submitted at the end of the attestation deadline period. The Human Resources Branch developed and implemented a Leave without Pay Operational Plan with specific steps and timelines for processing requests, and specific roles assigned to various Human Resources Branch employees involved in this process. This is an example of how the tight timeframe given to implement the policy required departmental officials to be agile in their approaches to ensure that policy requirements were met in a timely manner.

Processes in place to administer the consequences of non-compliance

Overall, the processes in place to administer the Vaccination Policy, including the consequences of non-compliance, were adequately developed, communicated and implemented.

The Vaccination Policy defines the consequences of employee non-compliance. The Treasury Board of Canada Secretariat and Office of the Chief Human Resources Officer provided further guidance to departments through the Treasury Board of Canada Secretariat Framework for the Implementation of the Policy, as well as a Managers’ Toolkit that was developed and published to support implementation.

The ECCC process is described on the departmental Intranet site and informs employees and delegated managers on the implementation of the Policy. Appendix B provides a summary of the process in place for delegated managers to place employees on administrative leave without pay because of non-compliance with the Vaccination Policy.

The Human Resources Branch developed guidance regarding employees and managers who were on approved leave during the key implementation period. This guidance pertained specifically to placing an employee on administrative leave without pay due to non-compliance, as well as, key steps to support an efficient return to work once an employee becomes compliant. This information is available on the departmental Intranet site.

The audit found that the ECCC guidance developed to administer the consequences of non-compliance aligned with Vaccination Policy requirements and related guidance.

For each situation, Human Resources Branch officials developed template letters to help delegated managers communicate with their employees and inform them about what they needed to do to comply with the policy requirements and about the consequences of non-compliance.

Finally, although the audit did not specifically evaluate the efficiency of the communication processes, interviewees identified several good practices that contributed to the successful implementation of the policy within such short timelines. These include the following:

• The Human Resources Branch created and managed a generic electronic mailbox specifically for Vaccination Policy related matters. This was a ʺ1 stop-shopʺ for managers and employees to ask questions related to the vaccination attestation processes. For example, they could ask questions concerning how to use the GC-VATS system, and how to submit paper form attestations.
• The Human Resources Branch offered several ECCC live events for employees and delegated managers. These were intended to inform employees and managers of their responsibilities and to respond, in real time, to questions and / or comments prior to the attestation deadline. These events were very well attended.
• Interviewees mentioned the channels, flow, and frequency of communication; and, the collaboration that took place within the Human Resources Branch and with other branch representatives as key success factors that contributed to the successful implementation of the policy.
• The process developed for the application of the policy within ECCC to place non-compliant employees on administrative leave without pay in accordance with consequences provisions stipulated that delegated managers must always consult their Labour Relations Advisor for assistance with the process to follow. Although, this is not a Vaccination Policy requirement, this practice was found to be a good approach to ensure that the steps were taken appropriately and consistently for all cases.

3.2 Application of the Policy for non-compliant cases

What we examined

The audit assessed whether internal controls were in place and monitored to support the application of the consequences of non-compliance. Through interviews with key personnel from the Human Resources Branch and the Corporate Services and Finance Branch and a file review of the 55 cases of employees placed on administrative leave without pay, the following elements were assessed, whether:

• employees were placed on administrative leave without pay in a timely manner
• employee physical access to facilities and networks was restricted in a timely manner for those placed on administrative leave without pay due to non-compliance
• employees placed on administrative leave without pay due to non-compliance, and who subsequently became compliant by attesting as partially vaccinated, were reinstated in a timely manner (resumption of pay, and access to networks and physical workplaces) and,
• monitoring and reporting were conducted in an on-going, consistent manner to support the successful application of the consequences of non-compliance provisions

What we found

Suspension of pay

The processes established to place employees on administrative leave without pay and suspend pay functioned as intended in all 55 cases reviewed. Furthermore, departmental officials processed 53 of the 55 cases in a timely manner. In 2 cases, documentation was provided to the Trusted Source after the administrative leave without pay period should have begun (respectively 10 and 24 business days after the specified deadline).

The audit team observed the following during the file review:

• In all cases (55 cases), the Labour Relations team provided advice to delegated managers on the application of consequences of non-compliance provisions that supported a consistent and timely application of the policy
• Delegated managers who approved administrative leave without pay actions held the appropriate Section 34 delegation responsible for the employees in all the cases (55 cases),
• A letter advising an employee they would be placed on administrative leave without pay was sent in 50 of the 55 cases. Delegated managers with the appropriate level of authority (director general or equivalent) signed the letters. In 5 instances, letters were not on file. As such, we were unable to determine whether letters were sent to these employees.
• Reminder letters were sent by email to 52 of 55 employees in accordance with established procedures. Explanations were provided to the audit team for the 3 cases for which remainder letters were not sent.
• Delegated managers signed and submitted the required leave request form (GC-178) in all cases (55 cases). About half of the forms were provided by the deadline of November 15, 2021. In the cases where forms were provided after the deadline, acceptable rationales were provided. These include processing accommodation requests, grievances, and / or employees who had been on approved leave.
• In 2 instances, administrative leave without pay forms were not provided to the Trusted Source staff in a timely manner, suggesting the concerned employees would have remained on the payroll for a longer period than expected.

The audit did not review administrative leave without pay requests that resulted from partially vaccinated employees not obtaining a second vaccine dose after the allowed 10-week period. These types of cases were outside the scope period. Human Resources Branch staff interviewed confirmed that they monitor these types of cases and plan to send reminder emails to delegated managers. The audit team may review the timeliness of the processing of these types of requests (if any) as part of our next audit on the application and implementation of the Vaccination Policy.

Employee access to the network

The Information Technology Service Management Division, Corporate Services and Finance Branch provided a system-generated list that included expired networks accounts. The audit team reviewed the list for evidence that access had been restricted for employees placed on administrative leave without pay, and in a timely manner. Access was restricted as intended for all employees placed on administrative leave without pay. In addition, we found that employees who subsequently became compliant with the policy had their access to networks reinstated.

The access logs provided to the audit team did not include the date upon which employee access to the network was restricted, since the access log script program did include an expiry date. The audit team was informed that the access log scripts have since been modified to include the date upon which an individual’s system access is restricted. As such, the information became available only after the period under review.

Timeliness is important from a policy compliance perspective. As such, the audit team sought information from other sources on the timeliness of access restriction actions via other sources. These included trying to obtain confirmation emails that accesses had been restricted. Information Technology Service Management officials informed us that they do not normally provide confirmation to a delegated manager or Labour Relations that employee access has been restricted.

The Information Technology Service Management team confirmed that all requests to restrict employee network access were performed and completed in a timely manner. That said, given the limitations stated above, the audit could not conclude on whether employee network access had been restricted in a timely manner.

Employee access to physical workplaces

The Department has a number of office buildings and facilities located across Canada. ECCC does not own all of these buildings and facilities and employee access varies by location. The Department manages some buildings and various proprietors manage other locations. These proprietors have their own access control systems. For example, some locations require a physical key to enter the building rather than an electronic pass.

Interviewees noted that the Department does not have a centralized system in place to track employee access to buildings and physical workplaces across Canada. Interviewees also noted that the need for a centralized access system has been formally identified and included in the departmental IT investment plan, and will be reassessed in alignment with direction provided by the department on the future of the workplace. In an attempt to capture that information, the Security team developed, and manually updated a list that did not contain the necessary information confirming that facility access privileges had been restricted for all 55 cases reviewed. Specifically, there was no information included on the actual date and time when an employee building access card becomes active or inactive. As such, the audit team could not rely on the information obtained to provide assurance on whether employee access to physical workplaces had been restricted properly and in a timely manner.

Based on our file review, the audit team noted that in 22 of the 55 cases reviewed, the Labour Relations team copied the Security team on secure emails sent to the Trusted Sources. For the remaining cases, the Labour Relations team sent secure emails only to the Trusted Sources without copying the Security team. In a few cases, the delegated manager sent the email to the Trusted Source and provided the information to the Labour Relations team as well. While this provides an indication that the Security team was informed and aware of the requests, from an audit perspective it provides limited assurance that access was appropriately restricted, and that it was done in a timely manner.

The Departmental Security Officer provided verbal confirmation that all the requests received to restrict employee access to physical workplaces and facilities had been processed with the exception of employees hired during the pandemic and who never had access to the workplace as they were working remotely. Given the limitations stated above, the audit could not confirm that employee access to physical workplaces was appropriately restricted, and whether it had been done in a timely manner.

Reinstatement of employees who subsequently became compliant

Reinstating employees who subsequently became complaint is the responsibility of delegated managers and involves communicating with pay liaison, Information Technology and Service Management and building security functions to reactivate their access. Appendix C provides information on this process.

Of the 55 cases reviewed of employees who had been placed on administrative leave without pay following the attestation deadline, 6 subsequently became compliant by receiving at least 1 vaccine dose during the period under audit. Of these, 3 employees were reinstated within 3 working days of receiving their first vaccine dose. For the remaining 3 cases, we found that employees were reinstated as they had valid access to the network, but information was missing to assess when it occurred. The access reports reviewed did not include sufficient data for us to provide assurance on the timeliness of reinstatement actions.

Monitoring and reporting

The speed required to implement the Vaccination Policy was unprecedented. The Department had to quickly ensure that it accounted for all active employees and provide them the information and knowledge to attest in GC-VATS before the deadline. The HR Business Transformation Directorate, Human Resources Branch was responsible for data management and reporting. The first step was to confirm the accuracy of ECCC employee data. The team completed this confirmation exercise by consolidating information from multiple sources including GC-VATS, the MyGCHR application, the Public Service Performance Management Application, and the Salary Forecast Tool.

The HR Business Transformation team built a dynamic data visualization dashboard to track and monitor policy compliance. The dashboard includes data collected from various sources using an algorithm to automatically populate the various data fields. The automation of the dashboard made it possible to update it frequently. This proved to be useful given the time sensitivity associated with the attestation process. During the attestation period, the team updated the dashboard twice daily to monitor policy compliance in real time. Branch heads received reports for validation purposes. After the initial attestation period, the dashboard was maintained and used to monitor various policy elements, including cases of partially vaccinated employees and compliance after the 10-week period.

The audit found that this reporting tool provided adequate information to senior management to support the review of policy compliance. As mentioned previously, monitoring could have been enhanced by establishing an oversight function or process to follow the actions taken through to completion of all actions required to administer consequences of non-compliance provisions.

Key consideration for similar future initiatives

As mentioned in the governance section of this report, the file review results reinforce the need to strengthen governance when conducting future similar initiatives in order to monitor and confirm the timely completion of all actions associated with placing an employee on administrative leave without pay.

Furthermore, there may be an opportunity to enhance the logging and monitoring of network access and to pursue the implementation of a centralized access system as per the departmental investment plan.

4. Conclusion

The Department developed a management control framework to support the administration of the Treasury Board Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police. This framework was developed very quickly to support the application and implementation of a policy that affected all departmental employees.

The governance structure and processes put in place supported the timely provision of guidance and advice to delegated managers and employees. The controls put in place were adequate to support policy application and implementation. Given the quick implementation of this policy, reliance was also placed on controls that were already in place. As such, there were some limitations identified with regard to specific elements of the administration of the consequences provisions of the policy. For example, it was difficult to obtain information on the timeliness of actions taken to restrict employee network and facility access. In addition, since the Department has buildings and facilities all across Canada using different systems for access control, there was no centralized system view into whether employee access to facilities had been restricted properly, and in a timely manner. While the audit team was informed that employee access to physical workplaces had been restricted, there is no audit trail to verify that this action had indeed been carried out.

The report does not put forward recommendations for action. Rather, it presents 2 areas for consideration for similar future initiatives:

• Enhancing the monitoring and reporting over the complete lifecycle of the administration of decisions including the advice provided to delegated managers, to the decisions taken, and the processes put in place to fully administer the consequences of non-compliance provisions
• Enhancing the logging and monitoring of employee network access and pursuing the implementation of a centralized access system

Appendix A: Lines of enquiry and criteria

The following criteria were developed to ensure an appropriate level of assurance in meeting the audit objectives.

Audit Criteria

Line of Enquiry 1: Governance is in place to support the application and implementation of the Vaccination Policy, including the administration of the consequences of non-compliance provisions.

Line of Enquiry 2: Controls are in place and monitored to support the application and implementation of the consequences of non-compliance.

Appendix B: Process for placing an employee on leave without pay due to non-compliance with the Policy

The following provides a summary of steps required by delegated managers (at the director general level or above) in administering the consequences of non-compliance provisions:

• Consult their Labour Relations advisor for advice and assistance about the steps to take as part of the process.
• Send the employee a reminder letter that states the consequences of non-compliance prior to placing an employee on administrative leave without pay. The letter should inform the employee that they were required to attest to their vaccination status by October 29, 2021 and that they had not complied with this requirement. It should also mention that the employee is required to attend training on the benefits of receiving the COVID-19 vaccination and to obtain a first vaccination dose prior to November 15, 2021. In addition, the letter should advise the employees that they will be placed on administrative leave without pay should they not comply with the policy by that date.
• Should the employee remain unwilling to comply with the policy requirements, delegated managers should send a letter advising them that they will be placed on administrative leave without pay and that they should immediately cease working – either in physical workplaces or remotely. The letter should also inform the employee that their accesses to networks and physical workplaces would be restricted.
• Delegated managers is to inform the Trusted Source team through secure email that the employee is being placed on administrative leave without pay and include a completed and signed leave request form (GC-178) on behalf of the employee using the leave code, “Leave Without Pay for Administrative Reason”. The Trusted Source team member should review the request, ensure that it is complete and includes all relevant documentation, and forward the information package to the Pay Centre for processing.
• In addition, the delegated manager is to inform Information Technology Service Management Division staff and Departmental Security Office staff through secure email that the employee is being placed on administrative leave without pay. These 2 areas were responsible for restricting the employee’s access to departmental networks and physical workspaces for the duration of time that the individual is on leave without pay for administrative reason.

Appendix C: Process for reinstating employees who subsequently become compliant

The following provides a summary of steps required by delegated managers (at the director general level or above) to reinstate an employee who was on administrative leave without pay and subsequently became compliant with the Vaccination Policy requirements:

• On the employee’s first day back, send a secure email titled “Return from Leave Without Pay for Administrative Reason” to ECCC Trusted Source staff to ask that the employee’s pay be reactivated.
• Send a secure email to Information Technology Services Management and Security, confirming the date of the employee’s return to work from administrative leave without pay to support the reactivation of their access to departmental networks and physical workplaces.
• For an employee who is only partially vaccinated, send them a secure email informing them that they are no longer on administrative leave without pay and that they would be working with temporary measures (to specify) until 2 weeks after they receive their second vaccine dose. The employee is also to be advised that they must attest to receiving their second vaccine dose by 10 weeks after receiving the first vaccine dose. Failure to do so will result in being placed again on administrative leave without pay.