Annual Audit Committee Report to the Clerk of the Privy Council 2016-2017
Memorandum to the Clerk
I am pleased to present the Annual Report of the Privy Council Office Audit Committee, my first as the new Chair, on behalf of all of the Committee members. I want to thank you personally for giving me the opportunity to be the Chair of this Committee that performs, in my view, a valuable role in helping PCO manage the risks it faces.
We decided to use the flexibility with respect to annual reporting offered in the new Treasury Board Internal Audit Policy in drafting the Report. You will find that the main body of the Report is short with a focus on providing you with the highlights of what was accomplished last year and what we plan to focus on in the next year. It is our view that the past year was a very productive one and we look forward to being helpful in providing advice to you in our areas of responsibility in the future.
In this context, in addition to the two ongoing priorities, security risk and the production of high quality assurance and review products, it is our view that a third priority - a fresh look at risk and risk management, both in the way PCO assesses risks and does risk management and the way the Committee engages on these issues - would be helpful in further enhancing the Committee’s contribution.
We take this opportunity to thank those without whose considerable support the Committee could not have been successful over the past year. This includes Kami Ramcharan, Jim Hamer, the internal audit staff and all other PCO staff that appeared before the Committee.
The Committee looks forward to discussing this Report with you.
Munir A. Sheikh
Chair, PCO Audit Committee
Review of 2016-17 and Priorities for 2017-18
This report provides a review of the Audit Committee’s work for 2016-17 and proposes priorities for 2017-18. Annexes include:
- A note entitled: A review of Risk and Risk Management (Annex A);
- Key areas of the Committee responsibility (Annex B); and
- the PCO Audit Committee 2017-18 Annual Plan (Annex C).
A. Review of 2016-17
The PCO Audit Committee met with the Clerk on August 12, 2016 to discuss its Draft 2015-16 Annual Report and to finalize its priorities for 2016-17. Progress against these priorities is discussed below.
Priority 1: Ensure the continued effectiveness of the Committee while managing the current succession of internal membership and forthcoming succession of external membership
It is the Committee’s view, supported by the information provided in this Report, that we were effective. We were able to meet all the priorities during a period of significant transition of both internal and external membership.
The new internal committee members at the start of the year included Serge Dupont, the new Deputy Clerk, Matthew Mendelsohn, the second internal member, and Kami Ramcharan, the new Chief Financial Officer. Serge Dupont, who left the committee, played a huge role in the deliberations of the Committee, given his understanding and knowledge of your needs as the Clerk and the operations of PCO as a department. We welcome Andrea Lyon to the Committee as the new internal member and look forward to working with her as effectively as with Serge.
The period also saw considerable change in external membership with the replacement of two members, including the Chair. As the first external chair, Larry Murray played a highly effective leadership role in shaping the functions and operations of the Committee and developed its positive relationship with PCO management over the past eight years. Keith Coulter, another external member, who played an invaluable role with his experience and his incisive commentary on issues brought to the Committee, completed his terms and has been replaced by Meena Roberts. Meena brings a wealth of experience and knowledge to the Committee. We are fortunate to have Mary Ritchie on the Committee as a continuing member, which will be immensely helpful in providing institutional memory and transitional support to the Committee over the next two years.
In addition, Jim Hamer, the Chief Audit Executive departed and was replaced by Anne Weldon-Lacroix. The internal audit division’s work over the past year, as summarized below, is indicative of Jim’s contribution. Anne comes to us from Global Affairs Canada, with a wealth of experience in audit.
Now that these changes have all taken place, we are confident that the Committee will continue to perform well and give you the best advice.
Priority 2: Maintain the emphasis on the production of highly focused assurance and review products in areas of highest risk and significance, and on the implementation of management action plans.
The Committee was satisfied both with the “production of highly focused assurance and review products in the areas of highest risk and significance” and with “the implementation of management action plans.” The Committee, however, felt that there were opportunities for improvement in the future, particularly as it reviews risk and risk management (Annex A).
Identification of areas of highest risk: The Committee was satisfied with the process that identified audit issues to be taken up in the development of the Risk-Based Audit Plan, prepared by the Chief Audit Executive (CAE). A particularly useful feature of the identification of areas of highest risk is information brought to the Committee by individual Deputy Secretaries.
An issue for the Committee, which is part of the priorities for next year as discussed below, is whether opportunities exist to strengthen this process (Annex A).
Assurance and other products completed in 2016-17: This was another productive year for the Committee as five substantive products of high quality were completed and approved by the Clerk.
These products included: “The Audit of the Management and Use of Acquisition Cards”; “The Performance Measurement Strategy for PCO’s Central Innovation Hub”; “The Risk Assessment of PCO’s Personal Information Holdings”; “The Review of PCO’s Performance Management Framework for Employees”; and “The Audit of PCO’s Accounts Payable Function.”
Implementation of Management Action Plans (MAPs): There was significant progress in implementing MAPs during the year. Management’s ongoing efforts to fully implement their MAPs are an indicator of the value added that the internal audit function brings to PCO. The Committee, however, felt that improvements could be made in getting better information on the significance of delays in the implementation of MAPs and on the residual risks associated with these delays.
Priority 3: Sustain the Committee’s focus on the management of security risks
As an indication of the importance attached to this priority, the Committee received updates on security-related matters at each of its quarterly meetings and provided its input and advice.
The Committee was pleased with the work that has taken place at PCO in dealing with security risks. By their very nature, the issues are complex and there are many uncertainties. A constant vigil is required and, for that reason, the Committee has attached, and will continue to attach, a high degree of importance to being briefed on these issues and providing advice for improvements.
Priority 4: Provide support and advice to help PCO meet the requirements of the new Treasury Board “Policy on Results.”
The Treasury Board unveiled its new “Policy on Results,” which took effect on July 1, 2016 and gives departments until November 1, 2017 to implement it. The policy replaces a number of older policies and streamlines reporting results. PCO has started work to meet the requirements of the Policy and has briefed the Committee on the progress made to-date.
The Committee’s objective was to provide support and advice to help PCO meet the requirements of the new Policy on Results. It is the Committee’s view that PCO is making progress on this front but significant work remains, given the challenges associated both with quantifying results and linking those results back to PCO priorities.
The Committee believes that more could be done to strengthen PCO’s approach to results based management and will continue to encourage and support these efforts.
The Committee will continue to monitor progress in this important area in 2017-18 and offer its advice both on the direction being proposed and implementation of changes.
Priority 5: Continue to support PCO’s efforts to strengthen its approach to risk management.
Over the past year the Committee dealt with a number of topics that indicate its commitment to continuously support PCO’s focus to strengthen the way it manages risks.
The Committee’s advice is based on a number of activities: its detailed discussion of the drafts of the Enterprise Risk Profile (ERP) and its contribution in improving it; the assurance work of the internal audit staff; an ongoing review of the implementation of MAPs; the review of financial statements and public accounts reporting; the Committee’s regular discussions with Deputy Secretaries; and, briefings by PCO staff.
Overall Opinion with Respect to Priorities:
The Committee is pleased with:
- PCO’s efforts in understanding and managing the variety of risks it faces;
- Its own contribution in helping PCO make progress in this regard; and,
- The quantity and quality of the work undertaken by the Internal Audit and Evaluation Division.
Having stated this, the Committee is of the view that there is potential for enhancing the degree of rigour in examining risk and risk management issues that should improve the quality of outcomes in these critical areas. This matter is discussed in Annex A.
B. Priorities for 2017-18
The Committee’s role is to give you advice. In this context, our proposed priorities for the current year are the following:
- The production of highly focused assurance and review products in areas of highest risk and significance, and on the implementation of management action plans;
- To engage and provide advice on the management of security risks; and
- To support PCO's development of a risk management framework that would enhance the rigour attached to risk and risk management issues (see Annex A).
Annex A - Note: A Review of Risk and Risk-Management
Record of Decision: Audit Committee Meeting June 9, 2017
The Committee agreed with the conclusion in this note that this is an opportune time to review the practice of risk management and study the need for developing a risk management framework in view of its importance for both the organization and the Committee’s work.
To that effect, the Committee agreed that the next step is for the CFO to review the existing integrated risk management framework and determine how it can be adapted to take into account the issues raised in this paper. The review by the CFO will be discussed at the September Committee meeting.
The document “Charter for the Privy Council Office Audit Committee” describes the Committee’s role as follows:
“The Committee provides objective advice and recommendations to the Clerk regarding the sufficiency, quality and results of internal audit engagements related to the adequacy and functioning of PCO’s risk management, control and governance frameworks and processes. To do this, the Committee uses a risk-based approach to review and provide advice on the core area…”
The document lists eight areas of responsibility for the Committee’s work that are sourced directly from the Treasury Board Policy Suite on Internal Audit:
- Values and Ethics
- Risk Management
- Management Control Framework
- Internal Audit
- External Assurance Providers
- Follow-Up on Management Action Plans
- Financial Statements, Public Accounts Reporting
- Accountability Reporting
In the context of this importance of a risk-based approach and risk management to the Committee’s work, this note was prepared for the June meeting and asks whether there could be benefits to bringing more rigour to the various aspects of risk and risk management as they are dealt with at PCO and brought to the Committee.
Definitions: The Treasury Board defines risk management broadly as: “Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on and communicating risk issues.” It would be useful to have greater clarity on how this definition applies to the eight areas of responsibility for the Committee’s work. Risk management is listed as a separate item 2 under the eight categories above. At the same time, it would seem that items 3-8 in the eight areas of responsibility listed above are all components of how risk is managed in item 2. That leaves the first item “Values and Ethics” as stand-alone: it could be an area of risk or not depending on the subject matter it covers.
Common view on risk: At the present time, there are a number of sources of information on risk, which include the Departmental Plan, consultants’ views, ERP, Deputy Secretaries’ views of the risks they face, and the risk profile underlying the Risk-based Audit Plan (RBAP), which is put together by the CAE based on his extensive consultations with PCO staff. While there are similarities across various lists of risks, there are also significant differences.
Framework: On the framework to manage risk, the Treasury Board does not suggest one: it asks whether the department has one (p.20 of its Guidebook for a Departmental Audit Committee).
The most important question that arises is whether there may be value in the development of an explicit “risk framework” by PCO (a review of the risk management references in PCO’s Management Control Framework document may be of value to addressing this question). Further thought and discussion on this may be helpful in light of the following questions that arise from the above analysis, which a framework may be able to deal with:
- Given the new flexibility given to audit committees, but ensuring that all requirements laid out by the Office of the Comptroller General are met, should the risk-related work that comes to the Committee be arranged, to be clear and more rigorous, under the headings of: the risks that PCO faces; and, how they are managed? This question arises in the context of enhancing clarity to the Committee’s eight areas of responsibility to help bring more rigour to the Committee’s work.
- With this arrangement, what are the key risk-related areas that fall under risk and those that fall under how risk is managed?
- How important is it to have a unified assessment of risks within PCO?
- Does this framework suggest we have an appropriate balance of work under the two headings to capture the most important issues PCO faces?
- Are there gaps in the work done in the two areas and/or relative overemphasis in one of these areas? As an example, is there enough precision in evaluating how much risk has changed after steps have been taken to manage it?
- How does PCO manage risk when it occurs at short notice? And what is the Committee’s role in such situations?
- What is the right balance between doing an internal audit and undertaking a review of optimal strategies to manage risk? Is there any place in this possible set-up to use short/quick reviews as different from comprehensive reviews, as an example of dealing with issues that are important but emerge without notice and require a quick response?
- What is the right balance in audits between auditing processes and outcomes in better understanding the nature of risk being faced?
The note does not deal with, nor does it envisage, a change in the evaluations that are done in PCO and brought to the Committee.
There has been a fairly large turnover in the Audit Committee. Given that risk management is at the core of what the Committee does, it is an opportune time to review it. This should help the Committee to be better informed and more rigorous in the way it considers risks and provides advice to management. The analysis asks whether there is merit in PCO developing a risk management framework that could help answer a number of questions that are summarized above, which would be entirely consistent with Treasury Board direction.
Annex B - Key Areas of Responsibility
During 2016-17, the Committee held four meetings to fulfill its oversight requirements. It examined issues related to all of the following eight areas of its responsibility as listed in the TB Directive on Internal Audit and the PCO Audit Committee Charter:
- Values and Ethics
- Risk Management
- Management Control Framework
- Internal Audit
- External Assurance Providers
- Follow-Up on Management Action Plans
- Financial Statements, Public Accounts Reporting
- Accountability Reporting
1. Values and Ethics
The Committee is satisfied that PCO has a robust approach to values and ethics with both managers and staff appropriately engaged.
At the September meeting, the PCO Champion for Values and Ethics and the Senior Officer for Disclosure briefed the Committee on the PCO Climate Study on Values and Ethics and noted that, although the response rate to the Climate Study was low, the qualitative results were meaningful. The Committee commended PCO for the Climate Study initiative and the way it has integrated the recommendations from this initiative into its current Values and Ethics Action Plan.
The March 2017 meeting discussed a number of items related to values and ethics. First, Destination 2020 highlighted a number of innovative programs to promote mental health and work/life balance. The Committee acknowledged the good work being done but suggested that additional focus could be brought to emerging workplace challenges and how they could be addressed. The Committee also suggested exploring ways of expanding and strengthening mentorship programs.
Second, the Committee accepted both the Audit of the Performance Management Framework (PMF) for Employees and its Management Action Plan (MAP) but suggested a number of improvements related to clarifying the roles between the Human Resources Advisory Committee and the PCO Review Panel.
Third, an update was provided to the Committee on the Terms of Reference for the Self-Assessment of PCO’s Staffing Activities. The Committee was pleased with the work done and made suggestions for further improvements, particularly in regards to the degree to which the PCO Staffing Policy was consistent with the new PSC Framework.
2. Risk Management
Since risk management was one of the Committee’s priorities for 2016-17, this core area of the Committee’s responsibility is described in the main body of the report and in Annex A.
3. Management Control Framework
The Committee assesses that the PCO Management Control Framework (MCF) remains effective and that internal controls are continuing to be improved and strengthened.
PCO has, over the past year, implemented a new ICFR (Internal Controls over Financial Reporting) Framework, which includes an updated version of the PCO’s Management Control Framework as an annex.
In September 2016, the Committee discussed the Statement of Management Responsibility over ICFR. It is the Committee’s recommendation that the MCF reflects both formal and informal PCO controls. The CAE recommended and the Committee agreed that, since MCF was stable, its discussion in the future should be scheduled on an as-required basis and PCO work would be followed secretarially.
In March 2017, there was a discussion of the “2016-2017 Monitoring Results” deck on key controls that outlined high risk business processes, the ratings applied to those processes (Effective vs Area for Improvement), a summary of the monitoring results, recommendations for improvement, and a status on remedial actions. Key processes included resource allocation, vendor accounts, budget review, financial delegations, capital assets, departmental liabilities, accounts receivable and travel expenses. Of seven key processes monitored over the last two years, five have warranted some minor remedial actions while two were deemed “Effective.”
In addition to the progress related to internal controls noted above, the Committee assessment has also been informed by the Committee’s ongoing review of Financial Statements and Public Accountability documents and by numerous briefings and discussions with PCO staff and senior management.
The Committee will also receive regular updates on progress implementing the MAP for the Audit of Internal Controls over Financial Reporting (ICFR) and continue its longstanding practice of including an in-camera session with the CFO, and separately with the CAE, during every Committee meeting.
Notwithstanding the many recent changes in senior PCO personnel, the Committee continues to have confidence that the overall governance structure of the organization remains robust as part of the management’s focus to control and manage risk. In this context, the Committee has continued to have extensive dialogue with many PCO personnel ranging from Deputy Secretaries to other levels of staff. These discussions on a variety of subjects throughout the year, coupled with the results achieved in assurance and review work, provide the Committee with confidence in its overall positive view.
4. Internal Audit Function
The Committee is satisfied with the performance of the internal audit function over the past year, which faced significant turnover in its staff.
The number, variety and the quality of assurance products were maintained at a reasonable level. Extensive consultations with senior management, the Committee members and other stakeholders, including the CAE of Shared Services Canada and other potential partner departments, are now a standard feature of the annual audit planning process and the development of the Risk-Based Audit Plan. Post-audit feedback remained generally positive.
Internal Audit staff fully supported the PCO effort to contribute to increased transparency and more open government by improving coordination processes to facilitate more efficient preparation and posting of an increasing number of assurance products online. The PCO Internal Audit Performance Measurement Framework continues to be refined this year and is becoming a more useful monitoring tool for the staff, senior management and the Committee.
5. External Assurance Providers
A regular feature of the Committee’s work on this topic is the discussion of the Machinery of Government’s quarterly update on external audits. At the June meeting, the Committee discussed the audits in the External Assurance Providers (EAP) Report, which was tabled by the CAE with the Clerk. At the December meeting, the Committee was briefed on the new approach to the Governor in Council (GIC) appointments process and the recent Office of the Auditor General Audit of PCO’s GIC Appointment Process in Administrative Tribunals.
An ongoing issue for the Committee at most of its meetings over the past year has been that PCO lacked a reliable mechanism to ensure external audits, which involve PCO as a department (as opposed to PCO as a Central Agency), are brought to it for information and consideration. At the September meeting, the Committee asked PCO to revisit the current arrangements with a view to establishing better mechanisms to ensure it is informed on EAP audits and corresponding MAPs. As a follow-up, three improvements have resulted: first, the CAE tabled an “Audit Projects by External Assurance Providers” report showing all EAP projects so that the Committee has an opportunity to engage on those that are relevant to its mandate. The Committee will use this report to stay informed on EAP projects and request information/presentations as necessary. Second, the Assistant Secretary to the Cabinet, Machinery of Government (MoG), discussed arrangements to improve the flow of information to the Committee. Third, the CFO agreed to liaise with MoG to ensure these information flows are efficient.
It is the Committee’s view that it should not only be informed about external audits but also be informed in a more timely way so that the Committee has an opportunity to provide its advice at the right moment (as required under the IA Policy, both old and new). We have confidence in the new arrangements but will be closely monitoring implementation.
6. Follow-up on Management Action Plans
The Committee reviewed the status of implementation of MAPs, based on self-assessments by management, during each of its four meetings.
At the start of 2016-17, eight trackable actions relating to three PCO audits were in progress. Another 11 new actions were added during the year in response to two audits that were approved by the Clerk in 2016-17, including seven in the MAP for the Audit of IT Management and four in the MAP for the Audit of the Management and Use of Acquisition Cards. This brought the total to 19 actions being tracked in relation to five PCO audits during the fiscal year. Of these 19 actions, six achieved full implementation status during the year, leaving 13 actions at various stages of implementation in relation to five PCO audits at year-end. Management’s ongoing efforts to fully implement their MAPs are an indicator of the value added that the internal audit function brings to PCO.
Based on the progress achieved in implementing MAPs during the year, the Committee assesses that they appear to be implemented in a reasonable manner. However, in order to assess the extent to which audit recommendations and the associated MAPs are achieving the intended results, the Committee will, over the upcoming year, consider whether to recommend another review of the implementation of MAPs similar to the one conducted in 2014-15.
The Committee will continue to track MAP implementation going forward. In addition, the Committee will examine the extent of residual risk attached to those MAPs that are not implemented on time.
7. Financial Statements, Public Accounts Reporting
The Committee reviews the Quarterly Financial Statements and the annual Future-Oriented Statement of Operations and remains satisfied with the quality and discipline of financial reporting. The Committee is particularly pleased with the positive impact that the Audit of ICFR is having on further improving related processes in this important area.
8. Accountability and Reporting
The Committee reviewed and provided input on the 2015-16 Departmental Performance Report and on the 2017-18 Departmental Plan (previously known as the Report on Plans and Priorities). While the Committee is satisfied with the progress being made in maturing the narrative of these documents, progress remains slow with respect to performance measurement. The Committee is hopeful that the new Treasury Board Policy on Results, which places a higher priority on performance information, will lead to improvements in this area.
The comprehensive feedback to Committee input on these various documents by involved PCO staff is appreciated and makes the effort seem particularly worthwhile.
Annex C - PCO Audit Committee 2017-18 Annual Plan
The key areas of responsibility that shall be addressed by the Committee during the 2017-2018 fiscal year are listed below. The particular emphasis and priorities for the Committee will be adjusted as necessary in consultation with the Clerk and in consideration of the departmental mandate, objectives and priorities, as well as the corresponding risks affecting PCO and the government. It should be noted that ‘review’ actions may be accomplished in several ways, including: the review of documents (during meetings or secretarially); receiving presentations by subject matter experts; and discussions with PCO officials.
Action Item Description
Dec 2017/Jan 2018
Audit Committee Infrastructure
1. Audit Committee Charter
Review the Audit Committee Charter and as necessary seek reaffirmation by the Clerk.
2. Audit Committee Meeting Annual Plan
The Chair, in consultation with the other Committee members, will prepare a plan for recommendation to the Clerk to ensure that the Committee’s annual and ongoing responsibilities are scheduled and fully addressed.
Audit Committee Responsibilities
3. Values and Ethics
Review and provide advice on PCO’s systems and practices established to monitor compliance with laws, regulations, policies and standards of ethical conduct and identify and deal with any legal or ethical violations.
Review and provide advice on PCO’s risk management arrangements, including the department’s risk profile.
5. Management Control Framework
Review and provide advice on PCO’s internal control arrangements, and be informed of significant issues relevant to the Committee’s mandate and relating to the effectiveness of those arrangements that may arise from work performed by others who provide assurances to senior management and the Clerk.
6a. Departmental Internal Audit Charter
Review PCO’s Internal Audit Charter and recommend for reaffirmation by the Clerk, as necessary.
6b. Adequacy of Internal Audit Resources
Provide advice to the Clerk on the sufficiency of resources of the internal audit function. This action will be linked to discussion of the AC Annual Report (item 11) and the CAE Annual Report (item 6g).
6c. Risk-Based Internal Audit Plan
Review and recommend for approval the multi-year risk-based internal audit plan.
6d. Performance of the Internal Audit Function/CAE
6e. Internal Audit Reports & Management Action Plans
Review and recommend for approval internal audit reports and corresponding management action plans to address recommendations.
6f. Progress Against Risk-Based Internal Audit Plan
Review regular reports on progress against the risk-based internal audit plan.
6g. Annual Report from the CAE
Review the annual report prepared by the Chief Audit Executive.
7. External Assurance Providers
Be informed by the quarterly PCO report to the Clerk, and after requesting and receiving presentations and/or detailed information from line management on discrete audit projects, advise the Clerk, as appropriate, on:
8. Follow-up on Management Action Plans
Review semi-annual reports on the progress implementing approved management action plans resulting from both prior internal audit recommendations as well as management action plans resulting from the work of external assurance providers, including reviewing and concurring with management requests for extensions to planned MAP completion dates as well as the Chief Audit Executive’s assessment of residual risk on a recommendation by recommendation basis as these MAPs are being implemented.
9a. Financial Statements and Public Accounts
10. PCO Accountability Reporting
Receive and review copies of PCO’s Departmental Results Report (formerly the Departmental Performance Report - DPR), the Departmental Plan (formerly the Report on Plans and Priorities – RPP), and any other significant accountability reports. The Committee may also receive information copies of plans and reports prepared by the departmental evaluation function.
Accountability Reporting by the Committee
11. Audit Committee Annual Report to the Clerk
The independent external members of the Committee will prepare and submit an annual report to the Clerk. The Clerk will be fully briefed in advance of the finalization of the Annual Report of the Committee.
The Committee will meet individually in camera at each of its in-person meetings with PCO’s Chief Financial Officer and Chief Audit Executive, and any other officials the Committee may determine.
13. External Practice Inspection
As applicable, the Committee will review regular reports on the progress implementing the CAE’s action plan resulting from recommendations from the 2013 External Practice Inspection.