Chief Audit Executive Annual Report 2016-2017
Note: On May 17, 2017, a new Chief Audit Executive assumed responsibilities for the internal audit function at the Privy Council Office. This report represents the work of the outgoing Chief Audit Executive during the 2016-2017 fiscal year, but it does also acknowledge certain developments that have occurred since fiscal year end.
Introduction
1.1 Summary of 2016-2017 Internal Audit Accomplishments
I’m pleased to provide the Clerk with this, my 2016-2017 Chief Audit Executive (CAE) Annual Report. The table below summarizes key accomplishments achieved under my leadership by Privy Council Office’s (PCO’s) Audit and Evaluation Division (AED) during 2016-2017:
After consulting with senior management, Audit Committee and other key stakeholders, I created PCO’s 2016-2019 Risk-based Audit Plan (RBAP) which featured a wider variety of more tightly scoped projects. I vetted the RBAP with the Executive and Audit Committees and obtained the Clerk’s RBAP approval.
I completed five projects that were underway at the start of the fiscal year, I launched and completed two more projects during the year, and I launched other projects during the year that will be completed in 2017-2018.
I supported the Clerk in increasing PCO’s openness and transparency by consulting extensively with colleagues from PCO’s Communications and Access to Information organizations and by subsequently posting four project reports plus an additional five non-mandatory audit-related products online.
I provided full secretariat support to Audit Committee (AC) for each of its meetings throughout the year, including performing some of the work needed to facilitate the arrival of the AC’s new Chair. I also supported the Deputy Clerk with the work needed to replace an Audit Committee member whose term ended in June 2017.
I worked closely with management to ensure AC was kept updated such that they could monitor the implementation of Management Action Plans (MAPs) thus ensuring internal audits lead to value-added changes at PCO. I also worked closely with AC in modernizing PCO’s AC and Internal Audit Charter documents to bring them in line with the 2017 Treasury Board (TB) Policy and Directive on Internal Audit. AC reviewed final versions of these two Charter documents at its June 2017 meeting. Both revised Charters are expected to be approved by the Clerk in 2017-2018.
I managed AED through periods of staff vacancies again in 2016-2017. I engaged two professionally qualified audit resources as casual employees when a year-long vacancy arose in AED’s EC-06 position, and I re-staffed AED’s AS-03 Administration and Research Officer position twice during the year.
1.2 Purpose and Nature of my Report
As required by TB’s Policy on Internal Audit (Footnote 1), I’m pleased to submit my eighth Annual Report to inform the Clerk of the performance and accomplishments of PCO’s internal audit (IA) function and how IA contributed to PCO achieving its objectives in 2016-2017. My report outlines how PCO met its responsibilities as outlined in the 2012 Policy on Internal Audit and its accompanying Directive on Internal Auditing in the Government of Canada.
1.3 Background
IA in the Government of Canada is a professional, independent, objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. IA provides services, the majority of which are assurance services, which are intended to assist PCO decision-makers with exercising more effective oversight and control, and with applying sound risk management.
The work of IA flows from my CAE responsibilities. Principal among these is delivering a multi-year RBAP based on a risk assessment (from an audit perspective) and focused mainly on assurance services. I work to ensure PCO’s IA resources are, to the best extent possible, used to achieve the approved RBAP and to discharge AED’s other responsibilities, and that individual projects are completed and vetted with the AC in a timely manner.
2.0 Performance of Internal Audit and Overview of Results
2.1 Independence and Proficiency of the AED Team
The independence of PCO’s IA function was re-affirmed in September 2016 when PCO’s AC reviewed and agreed the existing PCO IA Charter could be maintained during 2016-2017 subject to it being re-considered in light of the planned introduction of the new TB IA Policy Suite in April 2017 (Footnote 2). To ensure independence is maintained, AED personnel report to me, and I in turn report to the Clerk. My relationship to the Clerk has, for the last several years, occurred through the office of the Deputy Clerk of the Privy Council who sits as an internal member of the PCO AC - this governance model was commended to PCO in 2010 by the Comptroller General of Canada.
As noted later in this report, the 2016-2019 RBAP was approved by the Clerk in August 2016 based on conditions that existed at the time. If conditions remain unchanged, AED’s structure and capacity, when fully staffed, should be adequate to deliver the 2017-2018 projects outlined in PCO’s approved 2016-2019 RBAP, and adequate to continue providing AED’s other services in 2017-2018, including secretarially supporting AC. However, several factors that have occurred since August 2016 have the potential to affect circumstances and, by extension, to affect AED’s workload.
Discussions at recent AC meetings indicate that under the leadership of AC’s new Chair, AC intends to adopt a more focused approach to risk and risk management. PCO also now has a new CAE who first attended AC at the Committee’s June 2017 meeting. The new CAE’s consideration of the existing 2016-2019 RBAP and the projects outlined therein could result in changes to those projects. As well, evolving circumstances such as implementation of the TB Policy on Results could affect the CAE’s overall responsibilities. Any one or any combination of these change factors could lead to an increase in AED’s workload.
If AED’s workload increases in 2017-2018, the adequacy of the Division’s resourcing levels to accommodate an increase in its workload would need to be assessed. AED currently includes the CAE at the EX-01 level, an EC-06 Internal Audit and Evaluation Principal, an AS-06 Internal Audit Manager, and an AS-03 Administrative and Research Officer.
AED’s professional staff, including the casual employees engaged during 2016-2017, each had the appropriate education and/or recognized professional auditing and/or accounting credentials in good standing in 2016-2017. I ensured all staff followed approved training plans which enabled them to attend various training and professional development events during the year. AED also has two “Contracts with Task Authorizations” that are in place until September 2017 which are used to engage resources from private sector suppliers.
2.2 Maintaining AED’s Resources
As reported in my last Annual Report, following a period of resource stability from 2008-2009 to 2011-2012, the personnel in each of AED’s positions have changed at least once since then, resulting in ongoing challenges for AED’s project and service delivery. This continued in 2016-2017 when a year-long vacancy arose in January 2016 in AED’s EC-06 position. To address this, I engaged two seasoned audit professionals as successive casual employees to fill this vacancy. The contributions of these two casual employees were instrumental to AED’s ongoing efforts to maintain the delivery of audit and other projects with minimal delay or disruption.
As well, AED’s AS-03 Administration and Research Officer deployed to another PCO unit in August 2016 at which time I identified and deployed a qualified individual from outside PCO to fill the vacant AS-03 position. However, this employee received a job offer and chose to move to another area of PCO – to compensate, I negotiated a temporary work-sharing arrangement with the employee’s new manager. While this allowed AED operations to continue over the short term, it was not a sustainable solution, so by fiscal year end I had identified and engaged a seasoned and highly qualified resource for the available AS-03 position – this individual started working at AED midway through April 2017.
Despite these challenges, AED continued to move its project delivery agenda forward, in part through the actions described above, and in part by engaging contracted resources from the two private sector suppliers with which AED has contracting arrangements in place.
Regardless of the mix of internal, casual and contracted resources, I ensured AED’s resources individually and collectively possessed the credentials, knowledge, skills, competencies and experience to perform their responsibilities professionally.
2.3 Key IA Activities, Deliverables and Progress Against the RBAP
2.3.1 Development of PCO's 2016-2019 Risk Based Audit Plan
For the annual RBAP, more extensive consultations with management, AC members and other stakeholders are now a feature of annual audit planning. I conducted these consultations early in 2016-2017, analyzed the results, completed an overall assessment of risk (from the audit perspective), and all of this culminated in the development of PCO’s 2016-2019 RBAP. After vetting this RBAP at Executive Committee and AC, it was approved by the Clerk in early August 2016. The strategy of delivering more tightly scoped assurance projects will be maintained for the development of future RBAPs.
2.3.2 Audits and Other Projects – Those That Were In-Progress At The Start of 2016-2017
Regarding the delivery of planned AED projects, five (5) different projects that were at various stages of completion when 2016-2017 began were finalized during the fiscal year. The final reports from the Audit of Information Technology (IT) Management and the Audit of Recordkeeping Transformation were sent to and approved by the Clerk in early 2016-2017. Project work on both the Performance Measurement Strategy for the Central Innovation Hub project and the Audit of the Management and Use of Acquisition Cards was completed in the first quarter of 2016-2017 and the final reports from each of these projects were tabled at the June 2016 AC meeting and approved by the Clerk soon after. The Risk Assessment of PCO’s Personal Information Holdings that had launched just prior to the start of 2016-2017 was also completed during the fiscal year - its final report was tabled at September’s AC meeting and approved by the Clerk soon after.
2.3.3 Audits and Other Projects – Those That Were Launched in 2016-2017
In addition to projects that were underway at the start of 2016-2017, AED also launched several projects during the year, as planned for in PCO’s approved RBAP.
One of the casual employees I hired launched both the Review of PCO's Performance Management Framework for Employees and the Audit of PCO's Accounts Payable Function in July 2016. The final reports from these projects were delivered to management for acceptance and development of MAPs in January 2017 and both reports were tabled at the March 1, 2017 AC meeting. The Performance Management Framework for Employees received Clerk approval March 31, 2017 while the Audit of PCO’s Accounts Payable Function was approved by the Clerk on April 12, 2017.
AED also launched the Joint Audit of the Access to Information and Privacy Consultation Process in Cabinet Confidences in November 2016 - this is the first joint audit PCO is undertaking in collaboration with another department (in this case Justice Canada). The audit is being delivered by a joint audit team comprising auditors from both PCO and Justice Canada. While the joint audit team is moving the project forward and will complete the audit and deliver the agreed-upon single joint audit report in 2017-2018, several issues have arisen during the audit that have added delays to the project schedule.
And finally, AED also launched the planned Audit of PCO’s Parliamentary Returns Process late in March 2017 – as originally planned, this audit will also be completed and a final audit report will be prepared in 2017-2018.
AC received status updates on all of AED’s active projects at each of its meetings throughout the 2016-2017 fiscal year.
2.3.4 Other 2016-2017 AED Activities – Secretarially Supporting PCO’s Audit Committee
As in the past, AED provided full secretariat support to AC for its four 2016-2017 meetings including making all meeting arrangements (including those for AC’s first-ever e-meeting), attending each meeting and supporting the Chair in conducting AC’s business at the meetings, preparing and finalizing a Record of Decisions after each meeting, and performing all necessary follow-up actions in a timely manner after each meeting.
In addition to overseeing logistical arrangements, I prepared a draft Agenda for each AC meeting and finalized these Agenda in consultation with the Deputy Clerk and AC Chair. In setting these Agenda, I ensured the totality of AC’s business dealings conducted during the year successfully positioned AC to fully discharge all of its responsibilities under the TB IA Policy Suite. I ensured member binders with all relevant documentation and other needed materials were assembled and distributed in advance. Of special note, I worked extensively with the Assistant Deputy Minister, Corporate Services and her staff to facilitate AC’s first ever “e-meeting” which capitalized on modern technologies - AC’s March 1, 2017 meeting was conducted electronically using e-binders that were prepared and distributed in advance. AC expects to use a similar “e-meeting” approach for its 2017-2018 meetings and beyond.
The 2016-2017 fiscal year was also a different year in that PCO had to identify and engage a new AC Chair partway through the fiscal year, and had to take the steps needed to ensure PCO was positioned to engage a new AC member early in 2017-2018. I supported the Deputy Clerk in each of these two processes, acting in a liaison role between the OCG and PCO. The result was that the new AC Chair was engaged for AC’s last two 2016-2017 meetings, while AC’s newest member joined AC at their June 2017 meeting.
2.3.5 Other 2016-2017 AED Activities - Supporting a More Open and Transparent PCO
As was first identified in my last AC Annual Report, I continued efforts in 2016-2017 to support the Clerk with his vision for a more open and transparent PCO. Under the TB IA Policy Suite, only audit and review reports must be posted on PCO’s website. However, prior to 2016-2017, the Clerk and I jointly identified a list of other audit-related reports and products that could be posted to promote increased openness and transparency. Preparing these items for posting required me to conduct extensive interactions with the Access to Information and Privacy Division, Communications, and the Web Publishing Unit. All but two of these items were posted by the end of 2016-2017 (Footnote 3); the two remaining items can only be posted once other business issues beyond AED’s control are first addressed.
2.4 Follow-up on Implementation of Management Action Plans
Implementing MAPs is an important part of the IA cycle, and a key component of the value added PCO obtains from its IA function and AC. PCO uses a self-reporting process for monitoring MAPs which features senior PCO executive(s) who are accountable for each action plan periodically reporting on their implementation status to AC. AED distributes a standardized reporting template that is completed by the accountable executive(s) and returned to AED for analysis and inclusion of AED assessment comments. If issues arise, they are resolved through consultation between AED and the accountable executive. Once issues are resolved, completed templates are tabled at AC. This process remained in place during 2016-2017 and it will be maintained going forward into 2017-2018.
Eight (8) trackable actions relating to three (3) PCO audits were in progress at the start of 2016-2017. Another 11 new actions were added during the year in response to two (2) audits that were approved by the Clerk in 2016-2017, including seven (7) in the MAP for the Audit of IT Management and four (4) in the MAP for the Audit of the Management and Use of Acquisition Cards. This brought the total to 19 actions being tracked in relation to five (5) PCO audits during the fiscal year. Of these 19 actions, six (6) achieved full implementation status during the year, leaving 13 actions at various stages of implementation in relation to five (5) PCO audits at year end (Footnote 4).
From a risk perspective, until all planned management actions are implemented against a specific audit recommendation, a component of residual risk remains outstanding for that audit recommendation. As action items are being implemented, this residual risk typically declines. However, evolving circumstances that occur after the audit recommendation and MAP are first approved can influence both the timing of the implementation of a MAP and the resulting residual risk; in some cases evolving circumstances can even render the original audit recommendation obsolete (this possibility is built into the MAP Status Update template that is used to report on the implementation of MAPs at each AC meeting).
Reporting on the residual risk associated with the 13 different action items that were in progress at the end of the fiscal year is not practical in this summary report. However, when these 13 action items are taken as a whole, the overall level of residual risk should be considered at a medium level using a low/medium/high scale. This is based on three (3) of the 13 action items flowing from audit reports that (i) date back to 2013 or 2014 and that (ii) are associated with important security or business continuity matters, while another five (5) of the remaining 10 action items flow from one of the more recent audit reports associated with information technology management.
With a “medium” rating, management should complete outstanding planned actions within current target dates and without requesting additional extensions – exceptions should only be considered when requested by the Senior Executive responsible for the MAP and only when such a request is accompanied by a strong and well documented rationale that the Senior Executive is prepared to defend to the CAE, to AC and if necessary, to the Clerk. Further, when first preparing MAPs, management should carefully consider the initial target dates they select to ensure they are realistic and achievable under existing circumstances so that extension requests are (a) minimized, and (b) on an exceptional basis only.
Nonetheless, management’s ongoing efforts and successes at fully implementing their MAPs are an indication of the value added that the IA function and AC bring to PCO. As such, the implementation of MAPs will continue to be tracked in this way going forward.
2.5 Quality Assurance and Improvement Program
A Quality Assurance and Improvement Program (QAIP) facilitates an independent assessment by qualified external parties of an IA function’s conformance with the Internal Auditing Standards for the Government of Canada, including the Institute of Internal Auditors’ International Professional Practices Framework (IPPF). This assessment is referred to in internal auditing circles as a Practice Inspection. Each department’s IA function is to be subjected to a Practice Inspection at least every five years.
PCO’s IA function was subjected to its first Practice Inspection in 2013-2014. While AED achieved the highest available ratings, the report recommended improvements in some areas to build on the foundation already in place. AED/PCO accepted the recommendations and developed an Action Plan, the implementation of which was completed in 2015-2016.
Anticipating AED’s next Practice Inspection in 2018-2019, AED has included a short term project in the 2016-2019 RBAP to signal that some of AED’s limited resources will be occupied with the preparatory work needed before this Practice Inspection can occur.
[1] Four (4) new trackable actions with discrete completion dates were also outlined in the MAP for the Review of the Performance Management Framework for Employees which was approved by the Clerk on March 31, 2017. As well, another four (4) new trackable actions were outlined in the MAP for the Audit of PCO’s Accounts Payable Function that was approved by the Clerk on April 12, 2017. As the implementation of these additional eight (8) new trackable actions will be tracked starting in 2017-2018, they are not counted in the numbers discussed above.
3.0 Summarizing 2016-2017 and Looking Ahead to 2017-2018
In 2016-2017, AED completed the five (5) projects that were in progress at the start of the year, launched and completed two (2) other projects by (or shortly after) the end of the fiscal year, and launched another two (2) projects that will be completed in 2017-2018. As well, after conducting extensive consultations and assessing risk from the audit perspective, I prepared PCO’s 2016-2019 RBAP and had it approved by the Clerk.
From a resourcing perspective, 2016-2017 was another year during which resourcing challenges arose and had to be addressed. When a year-long vacancy arose in one of the two professional AED positions that support the CAE with project delivery, I successively engaged two seasoned audit professionals as casual employees to maintain AED’s production capacity. In addition, after replacing AED’s departed AS-03 resource, I hired a qualified AS-03 to fill the available position, after which I then brought another AS-03 on board when this position again became vacant before fiscal year end.
AED continued in 2016-2017 to provide high quality secretarial support services to AC during the year. Of particular note, AED worked in close collaboration with our colleagues from Corporate Services to facilitate AC’s first-ever “e-meeting”. As well, AED supported the Deputy Clerk in engaging PCO’s new AC Chair and in positioning PCO to engage PCO’s next AC member in time for AC’s June 2017 meeting.
Management also continued during 2016-2017 to implement planned actions against recommendations from approved project reports. Eight planned actions were in progress at the start of the year, and eleven more were added during the year, bringing the total to 19 actions being tracked. Of these 19 actions, six achieved full implementation status during the year which left 13 actions at various stages of implementation at year end. While there is room for improvement regarding the timely implementation of MAPs, management’s commitment to implementing MAPs is an indication of the value added which IA and AC bring to PCO.
And finally, in support of increased openness and transparency, and in addition to having posted four (4) project reports, I supported the Clerk with preparations for and the posting of five (5) other audit-related products in 2016-2017. As more of these products are approved in 2017-2018, AED will do the internal work needed to prepare for the mandatory posting of audit and review reports and the discretionary posting of other audit-related products.
4.0 Conclusion
AED had another productive year in 2016-2017 although resourcing challenges and the work and time needed to address them had to be carefully managed within AED’s overall approach to project delivery and the Division’s overall productivity. Nonetheless, AED continued to move forward with delivering the increasingly broad range of audits and other projects in PCO’s approved RBAP. AED also continued to provide high quality support to AC, and continued to support the Clerk with enhancing PCO’s openness and transparency through the preparation and posting of an increasingly diverse inventory of audit and review reports and other audit-related products. While the residual risk associated with the ongoing implementation of MAPs might be reduced by encouraging management to set original target dates that are realistic and achievable and to implement their MAPs with fewer extension requests, when AED’s and AC’s work is coupled with management’s efforts to implement their MAPs, this combined effort by all parties continued to yield improvements to risk management, internal control and governance at PCO during 2016-2017.
Looking ahead, I’m optimistic PCO’s IA function, under the leadership of PCO’s new Chief Audit Executive, will continue to provide high quality value-added support and assurance services to the Clerk, to Senior Management, and to AC in 2017-2018 and beyond.