Chief Audit Executive Annual Report 2015-2016
[ * ] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act.
1.1 Summary of 2015-16 Internal Audit Accomplishments
I’m pleased to provide the Clerk with this, my 2015-16 Chief Audit Executive (CAE) Annual Report. The table below summarizes key accomplishments achieved under my leadership by Privy Council Office’s (PCO’s) Audit and Evaluation Division (AED) during 2015-16:
- After consulting extensively with senior management and other key stakeholders, created PCO’s 2015-18 Risk-based Audit Plan (RBAP) which, as agreed to last year, featured a wider variety of tightly scoped projects. Vetted the RBAP with Executive and Audit Committees and obtained the Clerk’s approval of this RBAP.
- Completed the audits and PCO’s first-ever Fraud Risk Assessment (FRA) that were in progress at the start of the year, delivered one of two projects that were to be started and completed during the year (one project was cancelled), and launched three projects, two of which were in the reporting phase and one of which had just begun at year end – these latter projects will be completed in 2016-17.
- Delivered a wider variety of RBAP projects by obtaining the Clerk’s approval for the FRA, by conducting the Performance Measurement Strategy for PCO’s Central Innovation Hub project as a precursor to the Evaluation of the Hub that must be completed in 2018-19 per Treasury Board (TB) direction, and by launching the Risk Assessment of PCO’s Personal Information Holdings project.
- Supported the Clerk in increasing PCO’s openness and transparency by consulting extensively with colleagues from Communications and Access to Information and then performing the work needed to post various mandatory and non-mandatory audit-related products online. This work is ongoing.
- Provided full secretariat support to Audit Committee (AC) throughout the year, including performing the work needed to facilitate the renewal of AC’s external financial expert for another 4 year term on PCO’s AC.
- Facilitated AC’s monitoring of the implementation of Management Action Plans (MAPs) ensuring that internal audits lead to value-added changes at PCO. Also obtained Clerk approval for updated Internal Audit and AC Charter documents.
- Managed AED through periods of staff vacancies. Re-staffed AED’s EC-06 position substantively through competition and again by engaging a qualified Casual employee [ * ].
1.2 Purpose and Nature of my Report
As required by TB’s Policy on Internal Audit, I’m pleased to submit my seventh Annual Report to inform the Clerk of the performance and accomplishments of PCO’s internal audit (IA) function and how IA contributed to PCO achieving its objectives in 2015-16. My report outlines how PCO meets its responsibilities under the TB’s IA Policy Suite, which consists of the Policy on Internal Audit, the Directive on Internal Auditing in the Government of Canada, and the accompanying Internal Auditing Standards for the Government of Canada.
IA in the Government of Canada is a professional, independent, objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. IA provides services, the majority of which are assurance services, which are intended to assist PCO decision-makers with exercising more effective oversight and control, and with applying sound risk management.
The work of IA stems from my CAE responsibilities. Principal among these is creating and delivering a multi-year RBAP based on a risk assessment (from an audit perspective) and focused predominantly on assurance services. I work to ensure PCO’s IA resources are, to the best extent possible, used to achieve the approved RBAP and to discharge AED’s other responsibilities, and that individual projects are completed and vetted with the AC in a timely manner.
2.0 Performance of Internal Audit and Overview of Results
2.1 Independence and Proficiency of the AED Team
The independence of PCO’s IA function was re-affirmed in October 2015 when the Clerk approved an updated IA Charter. To ensure independence is maintained, AED personnel report to me, and I in turn report to the Clerk. My relationship to the Clerk has, for the last several years, occurred through the office of the Deputy Clerk of the Privy Council and Associate Secretary to the Cabinet who sits as an internal member of the PCO AC - this governance model was commended to PCO in 2010 by the Comptroller General of Canada.
AED’s structure and capacity are, when fully staffed, considered adequate to PCO’s needs. AED is myself as CAE at the EX-01 level, an EC-06 Internal Audit and Evaluation Principal, an AS-06 Internal Audit Manager, and an AS-03 Administrative and Research Officer.
Each of AED’s professional staff held university or higher level degrees and/or recognized professional auditing/accounting designations in good standing in 2015-16. AED also ensured all staff followed approved training plans which enabled them to attend various training and professional development events during the year. AED also has two Contracts with Task Authorizations that are used to engage resources from private sector suppliers.
2.2 Maintaining AED’s Resources
Following a period of resource stability from 2008-09 to 2011-12, the personnel in each of AED’s positions have changed at least once since then - this turnover has created ongoing challenges for project and service delivery. This continued in 2015 when I replaced AED’s EC-06 employee [ * ]. I then backfilled this position with a Casual employee [ * ]. I’ve just hired another Casual employee which will address this resource issue for all but a few weeks of the [ * ]. Despite these challenges, AED continued in 2015-16 to move forward with delivering planned projects, in part by supporting AED’s project managers with contracted resources from one of two private sector suppliers.
Regardless of the mix of internal and contracted resources, I take the necessary steps to ensure AED’s resources individually and collectively possess the credentials, knowledge, skills, competencies and experience to perform their responsibilities professionally.
2.3 Key Activities, Deliverables and Progress Against the RBAP
Regarding the annual RBAP, more extensive consultations with management, AC members and other stakeholders are now a standard feature of annual audit planning. I conducted these consultations early in 2015-16, analyzed the results, conducted an overall assessment of risk (from the audit perspective), all of which culminated in the development of PCO’s 2015-18 RBAP. After vetting this RBAP at Executive Committee and AC, it was approved by the Clerk in July 2015. The strategy of delivering more tightly scoped assurance projects will be maintained – I’ve recently completed similar RBAP interviews and will be tabling a new 2016-19 RBAP at Executive Committee and AC in late June.
From a project perspective, the FRA and the Audit of Internal Controls Over Financial Reporting (ICFR) were active projects as 2015-16 began – each was finalized and approved by the Clerk during the year. The Audit of Information Technology (IT) Management was an in-progress project as 2015-16 began in that the audit report had been accepted by AC in December of 2014, but the MAP remained a work-in-progress.
In 2015-16, AED launched and completed the Audit of Recordkeeping Transformation, and launched the Audit of the Management and Use of Acquisition Cards and the Performance Measurement Strategy for the Central Innovation Hub project. These latter two projects were slightly behind schedule but in the reporting phase at the end of the year. AED also launched the Risk Assessment of PCO’s Personal Information Holdings project just prior to year-end. All active projects at year end are being completed in 2016-17.
I also worked closely during the year with the Public Service Commission (PSC) external audit function to sort out the road ahead for PCO’s planned Review of Staffing Activities in light of the announcement that the PSC would be changing its staffing framework effective April 1, 2016. Ultimately, as was recommended by PSC to the Clerk, PCO cancelled its Review of Staffing Activities project in favor of conducting a self-assessment against the new PSC’s staffing framework, the results of which are to be delivered by September of 2017. I’ll ensure this self-assessment is reflected in PCO’s new 2016-19 RBAP.
AED also continued to provide full secretariat support services to AC for its four 2015-16 meetings. As well, I worked closely with the Clerk and the Office of the Comptroller General (OCG) to facilitate the renewal for another four year term of the external AC member who fills the mandatory role as AC’s financial specialist.
In addition, I supported the Clerk during the last half of the fiscal year with increasing PCO’s overall openness and transparency by performing the work needed to prepare for the online posting of an increasing variety of audit-related products. Audit reports must be posted per TB policy, but other audit-related products are discretionary postings. I worked closely with colleagues in both Communications and the Access to Information Division and I prepared a variety of summary materials to support stakeholder briefings delivered by the ADM-CSB about upcoming postings. With work underway to prepare other audit-related items for posting, this effort remains a work-in-progress and will continue through 2016-17.
The following paragraphs provide information on projects that were in play during 2015-16.
2.3.1 Fraud Risk Assessment
PCO conducted its first-ever FRA in 2014-15. Shortly after 2015-16 began, the FRA report was recommended to and approved by the Clerk. AC further recommended that the FRA be repeated every three to four years to ensure controls continue to mitigate the risk of fraud. With the first FRA available to build on, the resourcing cost to repeat the FRA project in future should be less than was expended for the 2014-15 FRA. As AC recommended, I will ensure the next FRA project is appropriately reflected in PCO’s new 2016-19 RBAP.
2.3.2 Audit of Information Technology Management
This audit was conducted to provide assurance on the extent that an effective framework of controls over IT management is in place to support PCO business requirements and coordinate IT requirements with Shared Services Canada. The audit report was accepted by AC in December 2014, but Management’s Action Plan remained a work-in-progress. At the April 2015 AC meeting, it was agreed that in light of structural changes taking place in Corporate Services and the expected hiring of a new Chief Information Officer (CIO), this new CIO would oversee completion of the MAP. Once the new CIO was hired, the MAP was finalized, presented to and accepted by AC in December 2015 (subject to a small number of MAP changes being processed). Following a final AC discussion at the March 2016 AC meeting about the audit, the MAP’s impact on PCO and Budget 2016 considerations, the Final Audit Report with MAP was recommended to and approved by the Clerk in May 2016. Although finalizing the MAP took time, the ADM-CSB kept AC informed that her team had nonetheless been taking steps to address the issues raised by the audit, thus managing the risks associated with delays addressing the audit’s recommendations.
2.3.3 Audit of Internal Controls Over Financial Reporting
This audit assessed if PCO had established an effective framework of management controls to maintain and assess the system of ICFR in support of the Department’s annual Statement of Management Responsibilities Including ICFR. The audit launched in December 2014, was completed in June 2015, was presented to and accepted by Audit Committee in September 2015, and was recommended to and approved by the Clerk in October 2015. The audit concluded that PCO had established the key components of an effective framework of controls to maintain and assess the system of ICFR. The audit made four recommendations which management is now addressing through their MAP.
2.3.4 Audit of Recordkeeping Transformation
This audit was performed to provide assurance on the implementation of the Department’s Recordkeeping Transformation Strategy (RKTS) and PCO’s commitments in response to a 2011 OCG Horizontal Audit of Electronic Recordkeeping. The audit launched in March 2015 and audit work was completed by the Fall. The Final Audit Report with MAP was presented to and accepted by AC in December 2015 and was recommended to and approved by the Clerk in April 2016. The audit concluded PCO has implemented the vast majority of both its RKTS and its commitments in response to the OCG’s 2011 horizontal audit. The audit made one recommendation which management is now addressing through their MAP.
2.3.5 Audit of the Management and Use of Acquisition Cards
This audit is being conducted to provide assurance on the adequacy and effectiveness of PCO’s control framework for the management and use of acquisition cards. The audit launched in November 2015 with audit fieldwork being completed in March 2016. The audit team recently briefed management on audit results and provided the draft report to the A/ADM-CSB for acceptance and development of a MAP. Barring unforeseen delays, the audit report with MAP will be tabled for AC acceptance in June 2016. Once accepted by AC, the Final Report with MAP will be recommended to the Clerk for approval.
2.3.6 Performance Measurement Strategy for PCO’s Central Innovation Hub
This project is being done as a precursor to an Evaluation of PCO’s Central Innovation Hub (The Hub) that, by TB direction, must be completed in 2018-19. The objective of the project is for AED to support management in developing a performance measurement (PM) strategy for The Hub. A PM strategy is a results-based management tool for Hub management to use when selecting, developing and using performance measures that will allow them to monitor the Hub’s performance over time. The project launched in November 2015 – the completed PM Strategy Report is now with senior management for acceptance and is expected to be tabled for AC acceptance in June 2016 and recommended for Clerk approval shortly after.
2.3.7 Risk Assessment of PCO’s Personal Information Holdings
AED launched this risk assessment just before the end of the fiscal year. Its objectives are: to identify the risks associated with the protection and management of personal information under PCO’s control; to assess the relative significance of the risks in terms of the likelihood of each risk occurring and its impact should it occur; and to determine on a preliminary basis whether management's assertions about controls are likely to prevent or mitigate the occurrence of the risks of greatest concern. The project will be conducted during the first half of 2016-17 with a final report expected to be tabled at the September 2016 AC meeting, after which it will be recommended for Clerk approval.
2.4 Follow-up on Implementation of Management Action Plans
Implementing MAPs is an important part of the IA cycle, and a key component of the value added that PCO obtains from its IA function and AC. PCO uses a self-reporting process for monitoring MAPs which features senior executive(s) who are accountable for each action plan reporting status information to AC. AED distributes a standardized reporting template that is completed by the accountable executive(s) and returned to AED for analysis and inclusion of AED assessment comments. If issues arise, they are resolved through consultation between AED and the accountable executive. Once issues are resolved, completed templates are tabled at AC to inform them of the status of actions being implemented. This process remained in place during 2015-16 and it will be maintained going forward into 2016-17.
Eight actions relating to five audits were in progress at the start of the year. Nine actions were added during the year from the approved Audit of ICFR, bringing the total to 17 actions that were being tracked against six PCO audits. Of these 17 actions, nine achieved full implementation status during the year, leaving eight in-progress actions at year end that relate to only three PCO audits. These results show that management continues to assign a high priority to implementing their MAPs which, from AED’s perspective, is one indication of the value added that the IA function brings to PCO. AED and AC will continue to monitor and track the implementation of MAPs in this way going forward.
2.5 Quality Assurance and Improvement Program
A Quality Assurance and Improvement Program (QAIP) facilitates an independent assessment by qualified external parties of an IA function’s conformance with the Internal Auditing Standards for the Government of Canada, including the Institute of Internal Auditors’ International Professional Practices Framework. The QAIP assesses the efficiency and effectiveness of the IA function and identifies opportunities for improvement. All Deputy Heads must ensure a Practice Inspection of their department’s IA function is conducted at least every five years.
PCO’s IA function was subjected to its first Practice Inspection in 2013-14. While AED achieved the highest available ratings, the report recommended improvements in some areas to build on the foundation already in place. AED/PCO accepted the recommendations and developed and implemented an action plan which was overseen by AC. At the start of 2015-16, only one action remained outstanding – this final action was completed shortly thereafter. Collectively, actions taken in response to Practice Inspection recommendations have strengthened AED’s operations and its documentation and recordkeeping.
3.0 Summarizing 2015-16 and Looking Ahead to 2016-17
AED made steady strides in 2015-16 with completing projects that were in progress at the start of the year, and with launching projects during the year in keeping with the RBAP. AED recently obtained Clerk approval for the Audit of Recordkeeping Transformation and the Audit of IT Management, so we’ve now shifted our focus to obtaining management’s acceptance of the Performance Measurement Strategy of The Hub report and the report from the Audit of the Management and Use of Acquisition Cards. We’re also now working on the Risk Assessment of PCO’s Personal Information Holdings project while preparing for the June 2016 AC meeting.
I conducted annual audit planning consultations in 2015-16 and produced PCO’s 2015-18 RBAP which was approved by the Clerk. I’ve recently completed my annual audit planning consultations again and I’m now developing PCO’s 2016-19 RBAP which will be vetted with Executive Committee and AC in June. Once accepted by AC, this new RBAP will be jointly recommended by me and the AC Chair to the Clerk for approval.
The 2015-16 fiscal year was another during which resourcing challenges in AED had to be addressed. I hired a new EC-06 who started at AED in September and I then hired a Casual employee in February [ * ]. I’ve hired another Casual employee who will be with AED for all but a few weeks of the [ * ]. AED’s substantive EC-06 employee is expected to rejoin AED in February 2017.
AED continued in 2015-16 to provide high quality secretarial support to AC, and will continue to do so in 2016-17. Having facilitated the November 2015 renewal of the external financial expert member on AC, I’m now working with the new Deputy Clerk and the OCG to engage replacement members for the AC Chair and for the third external AC member whose final terms on PCO’s AC will expire in February and June of 2017 respectively.
Management continued to implement planned actions against audit recommendations during 2015-16. Eight planned actions were in progress at the start of the year, nine more were added during the year bringing the total to 17 actions being tracked. Of these 17 actions, nine achieved full implementation status during the year which left eight in-progress actions at year end. This shows management commitment to implementing improvements at PCO through their MAPs and is an indication of the value added which IA brings to PCO.
And finally, in support of increased openness and transparency, I supported the Clerk with preparations for and the posting of a wider variety of audit-related products in 2015-16. As more of these products are approved in 2016-17, the AED team will perform the internal work needed to prepare for the mandatory posting of audit reports and the discretionary posting of other audit-related products.
AED had another productive year in 2015-16 although resourcing challenges and the work and time needed to address them resulted in some slippage in project delivery. Nonetheless, AED continued to move forward with delivering the increasingly broad range of audits and other projects in PCO’s approved RBAP. AED also continued to provide high quality support to AC, and took on the additional task of supporting the Clerk with enhancing PCO’s openness and transparency through the preparation and posting of an increasingly diverse inventory of audit reports and other audit-related products. When AED’s and AC’s work is coupled with management’s advances implementing their MAPs, this is yielding ongoing improvements to risk management, internal control and governance at PCO.
Looking ahead, with the 2016-19 RBAP now being developed, with another qualified Casual employee about to join the AED team, and with work now underway in collaboration with the OCG to identify and engage a new AC Chair in February 2017 and a new AC member in June 2017, I’m optimistic PCO’s IA function will continue to provide high quality value-added support and assurance services to the Clerk, to Senior Management, and to AC in 2016-17 and beyond.