Risk and compliance process self-assessment of compliance and performance questions

Areas of focus

• Data
• Financial and expenditure management
• Grants and contributions
• Performance management
• Procurement
• Real property
• Security
• Service
• Technology
• Values and ethics
• Workplace health

Data self-assessment questions

Question 1 of 2: What is the maturity level of the organization’s data inventory management in supporting operations, service delivery and decision-making?

Question 2 of 2: Does the organization have processes in place to ensure the information that is required to be proactively published under the Access to Information Act is complete, accurate and timely?

Financial and expenditure management self-assessment questions

Question 1 of 4: Did the organization conduct a full risk assessment or environmental scan of its internal controls over financial management and internal controls over financial reporting in 2024–25 and use the results to inform its internal control monitoring strategy?

Question 2 of 4: What percentage of remediation actions for medium- and high-risk internal control gaps or weaknesses were fully implemented within the established timelines during fiscal years 2022–23 to 2024–25?

Question 3 of 4: What is the organization’s level of maturity in financial governance, particularly in ensuring effective oversight and integrating financial management into decision-making?

Question 4 of 4: What is the organization’s level of maturity in ensuring its financial information is accurate, timely and relevant to support decision-making and meet financial reporting requirements?

Grants and contributions self-assessment questions

Question 1 of 3: Does the organization have and use a risk management framework that applies to all grants and contributions programs?

Question 2 of 3: What percentage of planned recipient audits were conducted during the 2023–24 fiscal year?

Question 3 of 3: Does the organization have a process in place to identify, monitor and manage real or potential conflict of interest in the administration of grants and contributions?

Performance management self-assessment questions

Question 1 of 2: What is the level of maturity of the organization’s executive performance management program?

Question 2 of 2: What is the level of maturity of the organization’s employee performance management program?

Procurement self-assessment questions

Question 1 of 9: How frequently does the deputy head meet with the senior designated official for procurement to discuss procurement matters?

Question 2 of 9: Does the organization have a process in place to identify long-term contracts at least two years before their expiration and to assess whether the associated requirements should be re-solicited or the contracts extended?

Question 3 of 9: Does the organization have risk-based internal controls over procurement that have been reviewed within the past year to confirm that they provide reasonable assurance that procurement transactions are carried out in accordance with the procurement framework, applicable laws, regulations and policies?

Question 4 of 9: Has the organization conducted a capacity assessment within the last three years to assess whether the organization has adequate resources to address its procurement needs?

Question 5 of 9: What is the level of maturity of the organization’s Procurement Management Framework?

Question 6 of 9: What is the level of maturity of the organization’s procurement monitoring and control practices?

Question 7 of 9: What is the level of maturity of the organization’s procurement planning?

Question 8 of 9: What is the level of maturity of the organization’s procurement governance?

Question 9 of 9: What is the level of maturity of the organization’s procurement resource competency and capacity?

Real property self-assessment questions

Question 1 of 8: How frequently does the deputy head meet with the senior designated official for real property to discuss real property matters?

Question 2 of 8: Based on data reported in the Directory of Federal Real Property, how has the condition of the organization’s real property portfolio changed over the last 3 fiscal years?

Question 3 of 8: For transactions completed by the organization in the last fiscal year, what proportion of these transactions have complete documentation to demonstrate compliance with relevant legal and policy requirements?

Question 4 of 8: What is the organization’s actual reinvestment rate for real property compared to its target reinvestment rate?

Question 5 of 8: What is the level of maturity of the organization’s real property governance?

Question 6 of 8: What is the level of maturity of the organization’s management of its real property assets?

Question 7 of 8: What is the level of maturity of the organization’s real property transaction management?

Question 8 of 8: What is the level of maturity of how the organization identifies and tracks against the target reinvestment rate using asset data?

Security self-assessment questions

Question 1 of 10: How frequently do security officials report to the organization’s security governance committees on the performance of security controls?

Question 2 of 10: How frequently does the chief security officer report to the deputy head on the progress in achieving the departmental security plan priorities?

Question 3 of 10: How frequently does the chief security officer receive reports on the effectiveness of security practices and security controls?

Question 4 of 10: Does the organization have a documented process in place to track non-compliance with the Policy on Government Security and its related directives?

Question 5 of 10: How frequently are security awareness materials shared with individuals to reinforce their security responsibilities?

Question 6 of 10: What is the level of maturity of the organization’s security management governance?

Question 7 of 10: What is the level of maturity of departmental security planning?

Question 8 of 10: What is the level of maturity of the organization’s overall guidance and processes in security management?

Question 9 of 10: What is the level of maturity of the organization’s security incident response processes?

Question 10 of 10: What is the level of maturity of the organization’s security awareness and training processes?

Service self-assessment questions

Question 1 of 2: What is the level of maturity in the organization's mechanisms for reviewing and improving services based on client feedback, specifically for internal enterprise and external services?

Question 2 of 2: What is the organization’s level of maturity in ensuring it has the workforce capability to meet departmental and enterprise service, information, data, IT and cyber security requirements in support of effective service delivery?

Technology self-assessment questions

Question 1 of 2: What is the maturity level of the organization’s annual forward-looking three-year departmental plan for the integrated management of service, information, data, IT and cyber security, which aligns with the Chief Information Officer of Canada’s enterprise-wide integrated plan?

Question 2 of 2: Has the organization’s designated official for cyber security informed the deputy head of the results of the organization’s Cyber Maturity Self-Assessment in the past 12 months?

Values and ethics self-assessment questions

Question 1 of 2: What is the organization’s level of maturity in fostering a positive culture of values and ethics?

Question 2 of 2: What is the organization’s level of maturity in providing employees with information, advice and assistance on identifying, preventing and resolving real, apparent or potential conflict of interest situations?

Workplace health self-assessment questions

Question 1 of 1: What is the organization’s level of maturity in developing and implementing measures to prevent workplace harassment, violence and discrimination?

Enquiries

For enquiries or to obtain methodologies for the self-assessment questions, contact the RCP team at RCP_PRC@tbs-sct.gc.ca.