Internal Audit of the Framework for the Management of Compliance

Audit Report
Internal Audit and Accountability Branch
Citizenship and Immigration Canada
January 2014



Executive Summary

The objective of the audit was to provide assurance to senior management that effective practices are in place within Citizenship and Immigration Canada (CIC) for the management of compliance with Treasury Board policy requirements.

The audit was not designed to assess compliance with individual Treasury Board policies; it examined whether a framework was established for risk-based oversight, monitoring, and reporting on compliance requirements.

Why This Is Important

A tenet of public sector management holds that the means by which an objective is achieved is as important as the objective itself. Legal and Treasury Board policy requirements, including applicable codes of conduct, underpin a minimum standard of behaviour and conduct that, in the opinion of legislators and Ministers, is necessary to safeguard the public trust.

Having a risk-based compliance oversight regime can provide assurance to the Accounting Officer (Deputy head) and to the senior management team that CIC is meeting all of its Treasury Board policy requirements, and that they can rely on the results of monitoring and reporting to take appropriate action when required.

Key Findings

In 2012, CIC launched an exercise through which functional authorities could attest to their compliance with policy suites, acts, and regulatory requirements. To initiate this, an analysis was performed to determine which Treasury Board policies apply to CIC, and accountabilities by functional area were assigned. An annual compliance attestation exercise has been established to inform the Department's management of compliance. The self-assessments requested as part of the compliance attestation exercise were not formally challenged or based on risk. Performance requirements against compliance are not formalised. Issues related to non-compliance are addressed on an ad hoc basis.

Conclusion

With the completion of this first exercise to assess compliance, CIC has initiated activities to formally assign accountability for Treasury Board policy domains, but a comprehensive framework for oversight, monitoring or reporting on compliance has not been established. Two recommendations address areas to further develop a reliable compliance framework through greater risk-based oversight.

Management has accepted the audit findings and developed an action plan to address the audit recommendations.

Statement of Conformance

The conduct of this engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. We examined sufficient, relevant evidence to support the conclusions reached.

Gibby Armstrong
Chief Audit Executive, CIA, CA
Citizenship and Immigration Canada

Background

Treasury Board policy requirements underpin a standard of behaviour and conduct that is necessary to safeguard the public trust. The Framework for the Management of Compliance, along with the Foundation Framework for Treasury Board Policies and the Framework for the Management of Risk, is one of the key architectural elements of the Treasury Board suite of policies. Specifically, the Framework for the Management of Compliance establishes principles for managing and monitoring compliance with Treasury Board policy suites.

Core responsibilities of the Deputy head within a department include ensuring compliance with legal and Treasury Board policy requirements. This is to be done while fostering an organizational environment conducive to innovation and informed risk-taking to deliver better value to Canadians. A compliance management framework should identify the best methods to align behaviour with expectations and risk tolerance. In their capacity as Accounting Officer, the Deputy head should monitor internal management practices and, where issues arise, take action to maintain a robust environment of internal control. Although the Treasury Board Framework for the Management of Compliance has been in effect since April 2009, the Treasury Board Secretariat has left it up to individual departments to determine how to develop departmental frameworks to manage compliance with Treasury Board policies. To date, the Treasury Board Secretariat has not required central agency monitoring or reporting on the framework. In 2012, CIC took the initiative to begin assessing departmental compliance with all applicable policies.

The Management Accountability Office (MAO) within CIC leads efforts to strengthen management practices and align accountability for Treasury Board policies. In this regard, the MAO oversees the Department's Management Accountability Framework (MAF) assessments and associated action plans, in addition to coordinating the activities for the Framework for the Management of Compliance. The MAO has not been assigned responsibility for ensuring that risk-based oversight, monitoring, or reporting is in place.

Audit Objectives and Scope

The objective of the audit was to provide assurance to senior management that effective practices are in place within CIC for the management of compliance with Treasury Board policy requirements.

The audit examined whether an oversight regime exists at CIC to meet all Treasury Board policy requirements relevant to its operations, along with supporting risk-based monitoring practices, reporting, and control systems.

In order to limit the scope, the audit did not include legislative requirements specific to CIC or a subset of government departments, but rather focused on government-wide policy requirements issued by Treasury Board.

The audit examined activities from June 1, 2012 to August 31, 2013. It also reviewed documents from 2009-2012 related to central and independent agency reporting requirements and Policy Suite Renewal, a departmental exercise launched in 2009-10 to simplify and reduce the number of CIC Frameworks, Policies and tools.

The audit criteria developed for this audit are included in Appendix A.

Findings and Recommendations

An annual compliance attestation exercise exists, but further work is required to build a comprehensive framework to manage compliance with Treasury Board policies.

We examined whether a framework had been established at CIC to manage compliance with the Treasury Board policy suite. We examined whether an analysis had been done to determine the policies relevant to CIC and whether accountability had been assigned. We assessed whether the results of monitoring of Treasury Board policy compliance were reliable and risk-based, and whether they were reported to those with an oversight responsibility. Finally, we assessed whether performance management includes compliance considerations, and whether CIC has measures in place to address non-compliance.

Without a framework to manage compliance, a department may not be in a position to know whether policies are being followed and respected in a manner consistent with expectations. In order to ensure a framework is comprehensive, a department must first determine which policies are applicable, and to whom accountability should be assigned. Without formal oversight, including a challenge function, senior management is not in a position to understand its risk related to compliance with requirements. A risk-based approach to determining the requirements for monitoring and reporting of compliance ensures that resources are allocated to those areas that need them the most. Managing compliance through performance agreements or performance reporting ensures that those with accountability are measured on their adherence to policy requirements.

An analysis has been performed to determine which Treasury Board policies apply to CIC, and accountabilities have been assigned.

Treasury Board policy instruments (including Frameworks, Directives, and Guidelines) are designed for government operations, and may not apply to every department. CIC has performed the crosswalk to determine which policy instruments are applicable to CIC.

Accountability for each applicable policy domain has been assigned to a functional authority (i.e., a Director General or Director) who is responsible for the implementation of a subset of Treasury Board policies, for example those related to Human Resources, Finance, or another functional area.

An annual compliance attestation exercise to manage compliance has been established.

In 2012, CIC launched a compliance attestation exercise, through which all functional authorities performed a compliance self-assessment and signed an attestation to confirm compliance against the relevant policy domain. In interviews, functional authorities were aware of the responsibilities related to their functional areas but in many cases no documentation was provided to clearly establish the Treasury Board policies that fell under their area of responsibility. Substantiation to support the attestations ranged from none, to a comprehensive analysis aligning policy requirements to CIC procedures. For some policies there is an identification of reporting requirements outside CIC, for example, to central or independent agencies, to support policy compliance. In situations wherein responsibilities for policies were shared between functional areas, no documentation was provided to demonstrate how accountability was divided.

According to the Treasury Board Secretariat, CIC was the first department to analyze the requirements of the Framework for the Management of Compliance. The compliance attestation exercise is designed to be completed on an annual basis, with the results reported to senior management committees and the Departmental Audit Committee.

The self-assessments requested as part of the compliance attestation exercise were not formally challenged or based on risk.

The attestation used to demonstrate compliance was provided by the functional authorities with no formal independent challenge of the conclusions. As a result, the amount of information provided to substantiate compliance varied significantly between functional areas. While a template and standardised guidance were provided, the level of assurance that could have been gained from the exercise was not optimal, as the level of detail varied significantly and was not based on risk tolerance.

All functional authorities were requested to participate in the exercise, regardless of the results of past assurance exercises, oversight instruments in place, or the potential impacts to the Department of non-compliance. While in its current form the exercise was designed to produce a whole-of-department self-assessed snapshot of compliance, it may have been insufficient for those functional areas of higher risk.

No risk-based oversight requirements exist for compliance.

Oversight mechanisms can take different forms and might involve: regular testing and reporting of controls; reliance on external oversight; or no formal activities, as the policy area is considered low risk for the department. Within CIC, oversight exists for some policy areas through committees, but the oversight requirements have not been formally defined or standardised within the departmental governance structure. Without defined requirements, a departmental framework of internal controls to continuously monitor compliance commensurate with risk tolerance for specific policy areas cannot be established.

Four of the thirty CIC management committees have compliance identified in their terms of reference; two more have the mandate to further best practices in policy areas. As an example of good practice, the Procurement and Contracting Oversight Committee has identified contracting activities for additional management review, based on risk requirements. The branch responsible for procurement and contracting has also begun sample testing contracting activities across the Department and is reporting on compliance results, as contracting is typically deemed a high risk area given the complexity of rules and documentation requirements.

Other functional authorities, such as Regulatory Frameworks, Access to Information and Privacy, and Official Languages, have significant central agency reporting requirements that can satisfy an oversight function. Many of these requirements, however, are designed to meet legislative obligations and do not address the full breadth of the Treasury Board policies.

Oversight activities are established by the functional authorities and are not consistent across CIC. Oversight requirements for functional authority areas and policy suites have not been assessed or established according to risk. The annual Management Accountability Framework (MAF) assessments performed by the Treasury Board Secretariat are seen as the primary source of oversight for much of CIC's activities; however, these assessments do not cover all policy areas, nor are all areas assessed every year. As with the process to manage compliance described above, if oversight requirements are not standardised across the Department and based on risk, there may be insufficient oversight, or an oversight activity may consume more resources than the risk warrants.

Performance requirements against compliance are not formalised.

CIC has a rigorous planning and reporting regime; however, performance against compliance requirements is not included in it. While every functional authority must develop and report against key milestones for progress against objectives, no such formality has been established for the Department to monitor compliance with Treasury Board policies. No documentation was provided to demonstrate that standardised performance management includes compliance considerations. Without a formal and risk-based performance framework related to compliance, CIC will not be in a position to determine whether its efforts to deliver on its objectives come at the expense of its policy obligations or of efficiency.

Issues related to non-compliance are addressed on an ad hoc basis.

While anecdotal instances of addressing non-compliance were provided, there is no standardised approach to documenting whether management responses are used across the Department. As noted above, there is no risk assessment of policies or functional areas, which can leave the escalation process for non-compliance informal. A formal process to address non-compliance could be included in a risk-based oversight framework for monitoring compliance.

It should be noted that, subsequent to the period covered by this audit, the Executive Committee approved a Corporate Risk Impact Scale that specifies the impact thresholds at which instances of non-compliance must be reported to senior management. The Department should define monitoring and reporting requirements that allow the requirements of the Corporate Risk Impact Scale to be met, as included in recommendation #1 below.

Recommendation 1 (Medium Risk):

CIC should develop and implement a risk-based oversight framework for monitoring compliance to Treasury Board policies. This should include: accountability for development and implementation of the framework, risk-ranking and risk tolerance for Treasury Board policies, accountability for individual policy compliance (including shared when relevant), documentation requirements to support compliance assessments, monitoring of activities, and reporting requirements including pre-determined frequency of reporting.

Recommendation 2 (Medium Risk):

CIC should develop and implement measures to identify and report on non-compliance and the adequacy of the actions taken in a situation of non-compliance with Treasury Board policy requirements.

Appendix A – Detailed Audit Criteria

The objective of the audit was to provide assurance to senior management that effective practices are in place within Citizenship and Immigration Canada (CIC) for the management of compliance with Treasury Board policy requirements.

The criteria are grouped by line of enquiry; the control conclusion reached for each criterion is given in parentheses (see Definitions of Control Conclusions below).

Governance

An oversight regime exists to ensure all relevant Treasury Board policy requirements are respected in line with Treasury Board policy expectations.

1 – An analysis has been done to determine policies relevant to CIC and an appropriate framework of oversight has been determined based on risk. (Control conclusion: Moderate Issues)
2 – For policies relevant to CIC, accountability has been assigned and performance management includes compliance considerations. (Control conclusion: Moderate Issues)
3 – The results of monitoring of Treasury Board policy compliance are reliable, risk-based and are reported to those with an oversight responsibility, and action is taken when appropriate. (Control conclusion: Moderate Issues)
4 – CIC has measures in place to ensure that non-compliance is addressed and that the nature and severity of the consequences are commensurate with the nature of the non-compliance. (Control conclusion: Moderate Issues)

Risk Management

CIC policies and procedures and monitoring practices over Treasury Board policy requirements have been designed with consideration of risk.

5 – CIC policies and procedures are commensurate with the associated risk of non-compliance with Treasury Board policy. (Control conclusion: Moderate Issues)
6 – Policies and procedures foster an organizational environment conducive to innovation and informed risk-taking. (Control conclusion: Moderate Issues)

Internal Controls

Approval processes, procedures and control systems of CIC are in line with Treasury Board policy requirements.

7 – Departmental frameworks for internal controls and management practices are designed to be efficient, transparent, understood and supported in CIC, and, where applicable, are in line with Treasury Board policy requirements. (Control conclusion: Moderate Issues)
8 – Employees are trained and have access to learning opportunities and relevant information to increase their awareness and knowledge of applicable Treasury Board policy requirements. (Control conclusion: Controlled)

Definitions of Control Conclusions

Well Controlled
  • Well managed, no material weaknesses noted; and
  • Effective.
Controlled
  • Well managed, but minor improvements are needed; and
  • Effective.
Moderate Issues

Has moderate issues requiring Management focus (at least one of the following two criteria needs to be met):

  • Control weaknesses, but exposure is limited because likelihood of risk occurring is not high; or
  • Control weaknesses, but exposure is limited because impact of the risk is not high.
Significant Improvements Required

Requires significant improvements (at least one of the following three criteria needs to be met):

  • Financial adjustments material to line item or area or to the department; or
  • Control deficiencies that could result in significant impact if not mitigated; or
  • Control deficiencies that have a high likelihood of risk occurring.

Appendix B – Management Action Plan

Each recommendation is listed with its risk ranking, the management action plan, the responsible branch, and the target completion date.

Recommendation 1. CIC should develop a risk-based oversight framework for monitoring compliance to Treasury Board policies. This should include: accountability for development and implementation of the framework, risk-ranking and risk tolerance for Treasury Board policies, accountability for individual policy compliance (including shared when relevant), documentation requirements to support compliance assessments, monitoring of activities, and reporting requirements including pre-determined frequency of reporting.

Risk ranking: Medium

Action plan:
  • Engage senior management to determine the scope and level of effort that CIC wishes to commit in developing a risk-based oversight framework and for monitoring compliance with Treasury Board policies. Obtain ExCom approval for mandate, roles, responsibilities, and resources accordingly. (Q4 2013-14)
  • In accordance with ExCom decisions, develop and implement an action plan to:
    1. Engage functional community.
    2. Review inventory of TBS and internal policies, including relevance, requirements, accountabilities, current monitoring and reporting mechanisms and consequences of non-compliance; and identify gaps.
    3. Develop risk assessment tool and conduct risk assessments of all policies to obtain a risk ranking.
    4. Develop a risk based approach to monitoring and reporting on compliance. (Q2 2014-15)

Responsibility: CAB

Target date: Q2 2014-15

Recommendation 2. CIC should develop and implement measures to identify and report on non-compliance and the adequacy of the actions taken in a situation of non-compliance with Treasury Board policy requirements.

Risk ranking: Medium

Action plan:
  • In accordance with ExCom decisions, develop and implement a risk-based approach to identify and report on non-compliance by engaging with functional authorities to:
    1. Review historic instances of non-compliance.
    2. Risk rate the consequences of non-compliance for all policies.
    3. Develop and implement a risk-based approach to monitoring compliance.
    4. Develop and implement a schedule to report to senior management on compliance monitoring, including the adequacy of the measures taken to address non-compliance.

Responsibility: CAB

Target date: Q4 2014-15

Appendix C – Links to Applicable Frameworks, Policies, Directives, and Standards
