Internal Audit of the Framework for the Management of Compliance
Internal Audit and Accountability Branch
Citizenship and Immigration Canada
Table of Contents
- Executive Summary
- Why this is Important
- Key Findings
- Statement of Conformance
- Audit Objectives and Scope
- Findings and Recommendations
- Appendix A – Detailed Audit Criteria
- Definitions of Control Conclusions
- Appendix B – Management Action Plan
- Appendix C – Links to Applicable Frameworks, Policies, Directives, and Standards
Executive Summary
The objective of the audit was to provide assurance to senior management that effective practices are in place within Citizenship and Immigration Canada (CIC) for the management of compliance with Treasury Board policy requirements.
The audit was not designed to assess compliance with individual Treasury Board policies; it examined whether a framework was established for risk-based oversight, monitoring, and reporting on compliance requirements.
Why This Is Important
A tenet of public sector management holds that the means by which an objective is achieved is as important as the objective itself. Legal and Treasury Board policy requirements, including applicable codes of conduct, underpin a minimum standard of behaviour and conduct that, in the opinion of legislators and Ministers, is necessary to safeguard the public trust.
Having a risk-based compliance oversight regime can provide assurance to the Accounting Officer (Deputy head) and to the senior management team that CIC is meeting all of its Treasury Board policy requirements and can rely on the results of monitoring and reporting to take appropriate actions when required.
Key Findings
In 2012, CIC launched an exercise through which functional authorities could attest to their compliance to policy suites, acts, and regulatory requirements. To initiate this, an analysis was performed to determine which Treasury Board policies apply to CIC, and accountabilities by functional area were assigned. An annual compliance attestation exercise has been established to inform the Department’s management of compliance. The self-assessments requested as part of the compliance attestation exercise were not formally challenged or based on risk. Performance requirements against compliance are not formalised. Issues related to non-compliance are addressed on an ad hoc basis.
With the completion of this first exercise to assess compliance, CIC has initiated activities to formally assign accountability for Treasury Board policy domains, but a comprehensive framework for oversight, monitoring or reporting on compliance has not been established. Two recommendations address areas to further develop a reliable compliance framework through greater risk-based oversight.
Management has accepted the audit findings and developed an action plan to address the audit recommendations.
Statement of Conformance
The conduct of this engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. We examined sufficient, relevant evidence to support the conclusions reached.
Chief Audit Executive, CIA, CA
Citizenship and Immigration Canada
Treasury Board policy requirements underpin a standard of behaviour and conduct that is necessary to safeguard the public trust. The Framework for the Management of Compliance - along with the Foundation Framework for Treasury Board Policies and the Framework for the Management of Risk - is one of the key architectural elements of the Treasury Board suite of policies. Specifically, the Framework for the Management of Compliance establishes principles for managing and monitoring compliance to Treasury Board policy suites.
Core responsibilities of the Deputy head within a department include ensuring compliance with legal and Treasury Board policy requirements. This is to be done while fostering an organizational environment conducive to innovation and informed risk-taking to deliver better value to Canadians. A compliance management framework should identify the best methods to align behaviour with expectations and risk tolerance. In their capacity as Accounting Officer, the Deputy head should monitor internal management practices and, where issues arise, take action to maintain a robust environment of internal control. Although the Treasury Board Framework for the Management of Compliance has been in effect since April 2009, the Treasury Board Secretariat has left it up to individual departments to determine how to develop departmental frameworks to manage compliance to Treasury Board policies. The Treasury Board Secretariat to date has not required central agency monitoring or reporting on the framework. In 2012, CIC took the initiative to begin assessing departmental compliance to all applicable policies.
The Management Accountability Office (MAO) within CIC leads efforts to strengthen management practices and align accountability for Treasury Board policies. In this regard, the MAO oversees the Department's Management Accountability Framework (MAF) assessments and associated action plans, in addition to coordinating the activities for the Framework for the Management of Compliance. The MAO has not been assigned responsibility for ensuring that risk-based oversight, monitoring, or reporting is in place.
Audit Objectives and Scope
The objective of the audit was to provide assurance to senior management that effective practices are in place within CIC for the management of compliance with Treasury Board policy requirements.
The audit examined whether an oversight regime exists at CIC to meet all Treasury Board policy requirements relevant to its operations, along with supporting risk-based monitoring practices, reporting, and control systems.
In order to limit the scope, the audit did not include legislative requirements specific to CIC or a subset of government departments, but rather focused on government-wide policy requirements issued by Treasury Board.
The audit examined activities from June 1, 2012 to August 31, 2013. It also reviewed documents from 2009-2012 related to central and independent agency reporting requirements and Policy Suite Renewal, a departmental exercise launched in 2009-10 to simplify and reduce the number of CIC Frameworks, Policies and tools.
The audit criteria developed for this audit are included in Appendix A.
Findings and Recommendations
An annual compliance attestation exercise exists, but further work is required to build a comprehensive framework to manage compliance with Treasury Board policies.
We examined if a framework had been established at CIC to manage compliance with the Treasury Board policy suite. We examined if an analysis had been done to determine policies relevant to CIC and if accountability had been assigned. We assessed if the results of monitoring of Treasury Board policy compliance were reliable, risk-based and were reported to those with an oversight responsibility. And finally, we assessed whether performance management includes compliance considerations, and if CIC has measures in place to address non-compliance.
Without a framework to manage compliance, a department may not be in a position to know whether policies are being followed and respected in a manner consistent with expectations. In order to ensure a framework is comprehensive, a department must first determine which policies are applicable, and to whom the accountability should be assigned. Without formal oversight, including a challenge function, senior management is not in a position to understand its risk related to compliance with requirements. A risk-based approach to determine requirements of monitoring and reporting of compliance ensures that resources are allocated to those areas that require them the most. Managing compliance through performance agreements or performance reporting ensures that those with accountability are measured on their adherence to policy requirements.
An analysis has been performed to determine which Treasury Board policies apply to CIC, and accountabilities have been assigned.
Treasury Board policy instruments (including Frameworks, Directives, and Guidelines) are designed for government operations, and may not apply to every department. CIC has performed the crosswalk to determine which policy instruments are applicable to CIC.
Accountability for each applicable policy domain has been assigned to a functional authority (i.e. a Director General or Director) who is responsible for the implementation of a subset of Treasury Board policies, for example those related to Human Resources, Finance or another functional area.
An annual compliance attestation exercise to manage compliance has been established.
In 2012, CIC launched a compliance attestation exercise, through which all functional authorities performed a compliance self-assessment and signed an attestation to confirm compliance against the relevant policy domain. In interviews, functional authorities were aware of the responsibilities related to their functional areas but in many cases no documentation was provided to clearly establish the Treasury Board policies that fell under their area of responsibility. Substantiation to support the attestations ranged from none, to a comprehensive analysis aligning policy requirements to CIC procedures. For some policies there is an identification of reporting requirements outside CIC, for example, to central or independent agencies, to support policy compliance. In situations wherein responsibilities for policies were shared between functional areas, no documentation was provided to demonstrate how accountability was divided.
According to the Treasury Board Secretariat, CIC was the first department to analyze the requirements of the Framework for the Management of Compliance. The compliance attestation exercise is designed to be completed on an annual basis, with the results reported to senior management committees and the Departmental Audit Committee.
The self-assessments requested as part of the compliance attestation exercise were not formally challenged or based on risk.
The attestation used to demonstrate compliance was provided by the functional authorities with no formal independent challenge of the conclusions. As a result, the amount of information provided to substantiate compliance varied significantly between functional areas. While a template and standardised guidance were provided, the level of assurance that could have been gained from the exercise was not optimal, as the level of detail varied significantly and was not based on risk tolerance.
All functional authorities were requested to participate in the exercise, regardless of the results of past assurance exercises, oversight instruments in place, or the potential impacts to the Department of non-compliance. While in its current form the exercise was designed to produce a whole-of-department self-assessed snapshot of compliance, it may have been insufficient for those functional areas of higher risk.
No risk-based oversight requirements exist for compliance.
Oversight mechanisms can take different forms and might involve: regular testing and reporting of controls; reliance on external oversight; or no formal activities, as the policy area is considered low risk for the department. Within CIC, oversight exists for some policy areas through committees, but the oversight requirements have not been formally defined or standardised within the departmental governance structure. Without defined requirements, a departmental framework of internal controls to continuously monitor compliance commensurate with risk tolerance for specific policy areas cannot be established.
Four of the thirty CIC management committees have compliance identified in their terms of reference; two more have the mandate to further best practices in policy areas. As an example of good practice, the Procurement and Contracting Oversight Committee has identified contracting activities for additional management review, based on risk requirements. The branch responsible for procurement and contracting has also begun sample testing contracting activities across the Department and is reporting on compliance results, as contracting is typically deemed a high risk area given the complexity of rules and documentation requirements.
Other functional authorities – such as Regulatory Frameworks, Access to Information and Privacy, and Official Languages – have significant central agency reporting requirements that can satisfy an oversight function. Many of these requirements, however, are designed to meet legislative obligations and do not address the full breadth of the Treasury Board policies.
Oversight activities are established by the functional authorities and are not consistent across CIC. Oversight requirements for functional authority areas and policy suites have not been assessed or established according to risk. The annual Management Accountability Framework (MAF) assessments performed by the Treasury Board Secretariat are seen as the primary source of oversight for much of CIC’s activities; however, these assessments do not cover all policy areas, nor are all areas assessed every year. As with the process to manage compliance described above, if oversight requirements are not standardised across the Department and based on risk, there may be insufficient oversight, or an oversight activity may use too many resources.
Performance requirements against compliance are not formalised.
CIC has a rigorous planning and reporting regime; however, performance against compliance requirements is not included in it. While every functional authority must develop and report against key milestones for progress against objectives, no such formality has been established for the Department to monitor compliance to Treasury Board policies. No documentation was provided to demonstrate that standardised performance management includes compliance considerations. Without a formal and risk-based performance framework related to compliance, CIC will not be in a position to determine whether its efforts to deliver on its objectives come at the expense of its policy obligations or efficiencies.
Issues related to non-compliance are addressed on an ad hoc basis.
While anecdotal instances of addressing non-compliance were provided, there is no standardised approach to documenting whether management responses are used across the Department. As noted above, there is no risk assessment of policies or functional areas, which might result in an informal escalation process for non-compliance. A formal process to address non-compliance could be included in a risk-based oversight framework for monitoring compliance.
It should be noted that subsequent to the time period covered by this audit, the Executive Committee approved a Corporate Risk Impact Scale that specifies thresholds for the levels of impact of non-compliance that must be reported to senior management. The Department should consider monitoring and reporting requirements to ensure the requirements of the Corporate Risk Impact Scale can be met, as is included in recommendation #1 below.
Recommendation 1 (Medium Risk):
CIC should develop and implement a risk-based oversight framework for monitoring compliance to Treasury Board policies. This should include: accountability for development and implementation of the framework, risk-ranking and risk tolerance for Treasury Board policies, accountability for individual policy compliance (including shared when relevant), documentation requirements to support compliance assessments, monitoring of activities, and reporting requirements including pre-determined frequency of reporting.
Recommendation 2 (Medium Risk):
CIC should develop and implement measures to identify and report on non-compliance and the adequacy of the actions taken in a situation of non-compliance with Treasury Board policy requirements.
Appendix A – Detailed Audit Criteria
The objective of the audit was to provide assurance to senior management that effective practices are in place within Citizenship and Immigration Canada (CIC) for the management of compliance with Treasury Board policy requirements.
| Lines of Enquiry | Criteria | Control Conclusion |
|---|---|---|
| An oversight regime exists to ensure all relevant Treasury Board policy requirements are respected in line with Treasury Board policy expectations. | 1 – An analysis has been done to determine policies relevant to CIC and an appropriate framework of oversight has been determined based on risk. | Moderate Issues |
| | 2 – For policies relevant to CIC, accountability has been assigned and performance management includes compliance considerations. | Moderate Issues |
| | 3 – The results of monitoring of Treasury Board policy compliance are reliable, risk-based and are reported to those with an oversight responsibility, and action is taken when appropriate. | Moderate Issues |
| | 4 – CIC has measures in place to ensure that non-compliance and the nature of the consequences and their severity are commensurate with the nature of the non-compliance. | Moderate Issues |
| CIC policies and procedures and monitoring practices over Treasury Board policy requirements have been designed with consideration of risk. | 5 – CIC policies and procedures are commensurate with the associated risk of non-compliance with Treasury Board policy. | Moderate Issues |
| | 6 – Policies and procedures foster an organizational environment conducive to innovation and informed risk-taking. | Moderate Issues |
| Approval processes, procedures and control systems of CIC are in line with Treasury Board policy requirements. | 7 – Departmental frameworks for internal controls and management practices are designed to be efficient, transparent, understood and supported in CIC, and, where applicable, are in line with Treasury Board policy requirements. | Moderate Issues |
| | 8 – Employees are trained and have access to learning opportunities and relevant information to increase their awareness and knowledge of applicable Treasury Board policy requirements. | Controlled |
Definitions of Control Conclusions
- Well Controlled
  - Well managed, no material weaknesses noted; and
  - Well managed, but minor improvements are needed.
- Moderate Issues
  Has moderate issues requiring Management focus (at least one of the following two criteria needs to be met):
  - Control weaknesses, but exposure is limited because the likelihood of the risk occurring is not high; or
  - Control weaknesses, but exposure is limited because the impact of the risk is not high.
- Significant Improvements Required
  Requires significant improvements (at least one of the following three criteria needs to be met):
  - Financial adjustments material to a line item or area or to the department; or
  - Control deficiencies that could result in significant impact if not mitigated; or
  - Control deficiencies that have a high likelihood of the risk occurring.
Appendix B – Management Action Plan
| Recommendation | Risk Ranking | Action Plan | Responsibility | Target Date |
|---|---|---|---|---|
| 1. CIC should develop a risk-based oversight framework for monitoring compliance to Treasury Board policies. This should include: accountability for development and implementation of the framework, risk-ranking and risk tolerance for Treasury Board policies, accountability for individual policy compliance (including shared when relevant), documentation requirements to support compliance assessments, monitoring of activities, and reporting requirements including pre-determined frequency of reporting. | Medium | | | |
| 2. CIC should develop and implement measures to identify and report on non-compliance and the adequacy of the actions taken in a situation of non-compliance with Treasury Board policy requirements. | Medium | | | |
Appendix C – Links to Applicable Frameworks, Policies, Directives, and Standards
- Framework for the Management of Compliance
- Foundation Framework for Treasury Board Policies
- Framework for the Management of Risk
- Audit Criteria Related to the Management Accountability Framework
- Policy on Evaluation
- Directive on the Evaluation Function
- Standard on Evaluation for the Government of Canada
- Policy on Government Security
- Directive on Departmental Security Management
- Directive on the Administration of Required Training
- Directive on Executive Compensation