Audit of Conflict of Interest at the Public Health Agency of Canada
Download alternative format
(400 KB, 17 pages)
Organization: Public Health Agency of Canada
Date published: October 2024
Public Health Agency of Canada
Office of Audit and EvaluationJune 2024
Table of Contents
- Executive summary
- Introduction
- Criterion 1 – Governance
- Criterion 2 – Risk management processes and controls
- Criterion 3 – COI process in relation to external activities
- Recommendations
- Appendix A – About the Audit
Executive summary
Engagement objective
The objective of this audit was to examine whether the processes in place to manage apparent, potential, or real conflicts of interest (COIs) at the Public Health Agency of Canada (PHAC) were effective in mitigating COI risks.
A COI can be defined as a situation in which a public servant has private interests that could improperly influence the performance of their official duties and responsibilities or in which the public servant uses their office for personal gain.
Engagement scope
The audit scope included the following:
- various activities, beginning with COI process improvement initiatives launched in January 2021 up to December 2023;
- a focus on governance structure, roles, responsibilities, accountabilities, policies, procedures, and processes in place;
- risk assessment processes to identify, evaluate, and prioritize COI risks within the Agency.
The scoping period for this audit was from January 2021 to December 2023. However, continued outreach efforts, initiatives, and activities implemented by Health Canada’s (HC) Corporate Services Branch (CSB) after December 31, 2023, were taken into consideration.
What we found - Good practices
The Agency has established some of the necessary elements for an effective COI management framework. In addition to incorporating COI into its Values and Ethics (V&E) Code, the Agency has established a Guide on COI and Post-Employment (PE) measures that enhances organizational awareness on these topics. The Agency’s Guide on COI and Post-Employment (PE) is aligned with the Treasury Board Secretariat’s Directive on Conflict of Interest and stipulates most of the expectations and requirements related to COI, including information, advice, and informing employees. The Agency has also established several policy instruments and guidance documents on key COI-related topics, such as the Health Canada and Public Health Agency of Canada Scientific Integrity Policy, and the Policy on affiliations with academic, research and health care organizations, as well as establishing a process and form for seeking approval for these affiliations.
The authorities and responsibilities for COI and conflicts of duties are delegated to the Executive Director of the Labour Relations Division. Corporate Services Branch (CSB) supports the implementation of the employee’s duty to declare COIs as a condition of their employment, as laid out in the V&E Code and the Guide on COI and PE. CSB processes COI declarations, increases awareness, and provides advice to employees. The audit team observed ongoing initiatives to raise awareness of COI obligations through the Agency’s Broadcast News updates, updates to the COI mySOURCE page, and the COI training campaign between October 2021 and December 2023. CSB plans to implement an HTML declaration form, an automated repository, and self-paced training.
COI monitoring and oversight activities include providing quarterly updates on COI declarations and any sensitive files that require the attention of branch heads and the President. These updates are included in a comprehensive labor relations reporting package. Throughout the COI campaign, the COI Office conducted visits to different Branch Executive Committees (BECs) to launch the campaign. During this time, regular quarterly updates were provided to the Executive Committee to report on the progress made and provide relevant statistics.
Outreach efforts were observed through information posts in the Agency’s Broadcast News system, and updates to the COI Office’s mySOURCE intranet page were noted. The COI Office and the Office of the Chief Science Officer (OCSO) have implemented tools and processes to inform employees of their responsibilities to declare a real, apparent, or potential COI during the onboarding process, as well as when engaging in affiliations with external organizations.
Opportunities for improvement
The following opportunities to strengthen and formalize processes were identified during this audit:
- Governance: There are opportunities to strengthen coherence of Agency-specific policies and procedures on COI to ensure alignment with the TBS Directive on COI. Roles and responsibilities of individuals and offices supporting the COI process could be better coordinated, clarified, and communicated. Specifically, more manager-specific training and resources could help streamline COI processes.
- Risk management processes and controls: Preliminary measures were taken to informally identify positions and branches that may pose a higher inherent risk however, this information was not used formally to prioritize risk mitigation measures in these areas. A sufficient risk-based approach was not formally adopted for managing COI risks with new employees or incumbent employees. Employees are only required to submit a COI declaration form if they self-identify a potential, actual, or apparent COI situation, regardless of their position, level, or responsibilities. There is no periodic mandatory review of COI obligations or re-declarations. Although it pre-dates the scope of the audit, NMLB was identified as a branch with a high inherent COI risk and additional controls were implemented to mitigate these risks, such as a pilot training campaign at NMLB and, more recently, the creation of the Directive on affiliations with academic, research and health care organizations at the NMLB by the Office of Intellectual Property Management and Business Development (OIPMBD). There are no monitoring or follow-up activities to ensure that recommended mitigation measures are being implemented or that COI declarations are being updated on a periodic basis. There are opportunities to clearly define and communicate management’s responsibility and accountability for ongoing monitoring of COI risk mitigation activities.
- COI processes in relation to external activities: A review of Agency-specific policy instruments with COI implications could improve the consistency of COI processes. A more structured approach is recommended to bolster collaboration and the sharing of information between CSB and OCSO. Manager-specific training and resources could help streamline the affiliation approval processes when it comes to COI implications. For business continuity reasons it is suggested to formalize standard processes when reviewing requests for approval for employees to engage in external affiliations.
Introduction
The context in which the Agency operates has changed in recent years in response to the COVID-19 pandemic, including significant shifts in functions, new organizational structures, and exposure to new ethical risks. There was a considerable increase in hiring during this time, and communication and onboarding practices were essential in setting a consistent tone for values and ethics awareness, particularly in regard to conflicts of interest (COI).
A COI in the federal government can be defined as a situation in which a public servant has private interests that could improperly influence the performance of their official duties and responsibilities, or in which the public servant uses their office for personal gain. A real conflict of interest exists at the present time, an apparent conflict of interest could be perceived by a reasonable observer to exist, whether or not it is the case, and a potential conflict of interest could reasonably be foreseen to exist in the future.
In the Government of Canada, COI is governed by the Treasury Board Secretariat’s (TBS) Directive on Conflict of Interest and the Values and Ethics (V&E) Code for the Public Sector. In addition, PHAC has implemented the PHAC V&E Code in alignment with the core values and commitments of the V&E Code for the Public Sector.
The V&E Code for the Public Sector states that public servants shall serve the public interest by taking all possible steps to prevent and resolve any real, apparent, or potential COIs between their official responsibilities and their private affairs, in favour of the public interest. Given PHAC’s role in promoting health, preparing for and responding to public health emergencies, and serving as a central point for sharing Canada's expertise with the rest of the world, ensuring the integrity of its operations is paramount. A COI could call into question decision-making processes and undermine public trust. While it may not always be possible to avoid all situations that could lead to a COI, it is important to always take measures to increase transparency by declaring and mitigating COIs. Unmitigated COIs could increase skepticism and doubt in the Agency’s ability to carry out its mandate, and this could impede the Agency’s ability to efficiently and effectively implement public health measures.
As a result of preliminary discussions and risk analysis, the audit scope was broadened to address COI risks across the Agency, including risks related to cross-appointments, and adjunct or interchange arrangements where employees may be conducting activities under other titles while employed at PHAC. The audit considered how these individuals who are recruited from outside the public service are supported in meeting public service accountability requirements.
The Office of Audit and Evaluation (OAE) conducted this audit as part of PHAC’s Risk-based Audit Plan (RBAP) that was approved by the President in June 2022.
Criterion 1 – Governance
Context
Policy instruments
Compliance with conflict of interest (COI) and post-employment (PE) requirements is an employment condition at the Government of Canada, as set out in the TBS Directive on COI. These requirements are grounded in, and serve to uphold the values described in the V&E Code for the Public Sector, and are expressed in Chapter I of the PHAC V&E Code, which came into force on April 2, 2012. A Reference Guide for COI and PE Measures was implemented at PHAC in May 2016, with the aim of reflecting the Agency’s commitment to reinforce ethical standards of professional conduct, to support sound departmental practices, and to enhance public confidence in the integrity of the public service. In addition, avoiding COI and ensuring that any real, potential, or apparent COI is explicitly recognized, reported on, and appropriately managed is a requirement of the HC and PHAC Scientific Integrity Policy and the PHAC Policy on Affiliations with academic, research and health care organizations.
Roles and responsibilities
The senior official designated by the Agency’s deputy head is responsible for putting the infrastructure and controls in place to effectively administer the Directive on COI and to report to the Treasury Board of Canada Secretariat upon request.
Persons employed by the Agency are responsible for identifying, preventing, and resolving COIs or conflict of duties situations during their employment in the public service, and any COI situations when they leave the public service, as well as reporting in writing to their deputy head all outside employment and activities, assets, liabilities, and interests that might give rise to a real, apparent, or potential COIs in relation to their official duties and responsibilities.
Oversight
The COI Office within HC’s Corporate Services Branch (CSB) provides oversight of COI management. The Executive Director of Labor Relations is the Delegated Authority on COIs at the Agency. The Chief Science Officer (CSO) of PHAC is the Science Integrity Lead (SIL) and, as such, the Office of the CSO (OCSO) has a role in fostering a culture that supports and promotes scientific integrity at PHAC. The COI Office and OCSO consult one another as needed.
What we expected to find
The TBS Directives requires that the Agency has the infrastructure and controls in place to effectively administer them. We expected to find the following:
- that the governance structure, reporting lines, and policy instruments for managing COIs are clear, well defined, and well documented;
- that roles, responsibilities and accountabilities for COI processes are documented, clear, and well communicated; and
- that employees are provided with the necessary training, tools, resources, and information to support the fulfillment of their COI obligations under the PHAC Values and Ethics (V&E) Code.
Why it matters
A clear and coordinated governance framework that includes a clear definition of real, apparent, and potential COIs, a comprehensive code of conduct, and stand-alone policy provisions is essential for establishing accountabilities, roles, and responsibilities in managing COIs. Unclear parameters for managing COIs could result in inefficiency, duplication of efforts, and confusion among employees. Education and outreach efforts are essential in raising awareness to allow employees to better understand, identify, report, and mitigate COIs in a timely manner.
Key findings
With staffing increases in recent years, the Agency has been the subject of public scrutiny. Significant efforts have been made to increase COI awareness among employees through the COI training campaign and tools like the COI self-assessment tool, the COI declaration form, and the COI Reference Guide. During the audit period, the audit team noted various outreach efforts through the Agency’s internal Broadcast News to address specific areas where COI obligations may intersect with internal or external engagements. In addition, updates to the COI mySOURCE intranet page were observed, including the addition of more resources relating to academic affiliations and defining the roles and responsibilities of the COI Office.
We found that there is clear ownership for COI management by CSB. However, we noted that the organizational chart provided by CSB does not show clear reporting lines. While OCSO is the owner of the HC and PHAC Scientific Integrity Policy and the Policy on affiliations, all PHAC employees with academic affiliations are required to seek approval for their external affiliations. The Scientific Integrity Policy mandates that employees engaged in science or research adhere to responsible research standards, which include avoiding COIs and upholding the highest levels of impartiality and research ethics.
There is a comprehensive suite of acts, codes, policies, guides, and forms used at the Agency to guide COI and COI-related processes. Employees must be aware of COI obligations in order to abide by the Agency’s codes of conduct. The COI declaration process is founded on an honor-based system. Being aware of and understanding all these documents requires a significant amount of time for review and to keep up to date on these obligations. The definition of a COI in the HC and PHAC Guide for COI and PE is clear and addressed real, apparent, and potential COIs. However, the Guide is almost a decade old, it may no longer be reflective of the current issues that employees are faced with while fulfilling their obligations to declare COIs. The Guide on COI pre-dates the TBS Directive on COI, so a coherence review between the Agency-specific guidance and the TBS Directive is suggested. The Directive states that there is a requirement to identify the types of assets and liabilities that must be reported by persons employed, because ownership might constitute a real, apparent, or potential COI. There is also a requirement to create and update, as required, the list of reportable assets and liabilities. The audit team did not find any evidence of this list. The Agency-specific policy instruments in place for managing COIs do not clearly lay out the reporting lines and requirements for managing COIs. Outdated reference documents and unclear reporting lines for managing COIs could lead to misunderstanding of what is required by employees, duplication of efforts, and inefficiency.
There are a number of offices involved in supporting COI-related areas, such as the Centre for Ombuds, Resolution and Ethics (CORE), Internal Disclosure Services (IDS), and the Intellectual Property (IP) Office. We found that there is no clear reporting mechanism for employees to report other employees’ COIs. Neither the COI Office nor IDS have a clearly defined process for addressing allegations of other employees being involved in a COI. Conflicting information on the matter was provided to the audit team during interviews. This could cause confusion among employees and this gap could cause inefficiency in the reporting process. Without clear guidance, a COI could often be overlooked where areas overlap, and this could lead to missed communication with the appropriate office. Operating in silos can lead to a fragmented approach to problem solving and duplication of efforts.
In addition, the COI Office relies heavily on managers to enforce COI obligations. However, managers are not experts in COI matters, and their role in monitoring, compliance, and enforcement of COI obligations is not clearly communicated in the COI guidance material. There is no manager-specific COI training, despite their role in educating, monitoring, compliance, and enforcement of COI obligations. The COI Office has stated that their mandate does not include monitoring, compliance, nor enforcement activities. An unclear and siloed approach can lead to redundancy, inefficiency, and missed opportunities to streamline COI processes. The impact of COIs could go unmitigated due to the inability to report allegations. Monitoring, enforcement, and compliance measures are not currently in place for managing COIs.
When it has been determined that a COI exists, the COI Office requests a signed copy of the COI letter by the employee to ensure that an employee has read and understood their obligations. The training material available to employees was found to be consistent with the employee obligations outlined in the Directive, the Guide, and the V&E code. However, a discrepancy was noted in the training deck presented throughout the training campaign in that an archived policy was cited instead of the Directive on COI, which is the current TBS policy instrument in place. It was not clearly communicated that attendance at the COI training campaign was mandatory. There is no process in place to ensure that all employees have taken the mandatory training. Training records show that 74% of employees have attended the COI training session. Additionally, there is no mandatory refresher training required for long-term employees or when individuals change positions, nor is there a mandatory requirement for a periodic nil declaration. There may be a gap in the availability of COI training sessions for new employees until the COI Office can implement a self-paced training session. The training and declarations data was collected in a fragmented way that does not allow for data integrity. Without a strategic approach to COI training activities and related data collection, the Agency may not be communicating COI awareness to all employees efficiently, effectively, nor continuously.
Conclusion
The Agency has a governance structure in place to support COI management. The Agency-specific policy instruments for managing COIs are aligned with almost all the general requirements stated on the TBS Directive on COI. The Guide on COI and PE pre-date the TBS Directive on COI. For this reason, the audit team recommends reviewing the coherence of the Agency-specific guidance with the TBS Directive to ensure alignment of all mandatory elements of the framework. Formally clarifying the roles and responsibilities of both the offices and individuals involved in COI management could increase accountability and collaboration. Specifically, managers’ responsibilities in the process are not explicitly defined nor communicated. Manager-specific COI training could support an increase in discussions and knowledge of COI processes. The recent COI training campaign reached the majority of employees during the audit period. Going forward, a long-term strategic plan for outreach and training efforts is essential to maintaining and optimizing awareness levels at the Agency.
Criterion 2 – Risk management processes and controls
Context
From the TBS Guide to Integrated Risk Management: Risk management, which involves a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on, and communicating risk issues, is an integral component of good management.
At the Agency level, the Corporate Risk Profile (CRP) includes six corporate risks for 2022 to 2025. These include the following:
- simultaneous and serious ongoing events;
- access to and dissemination of timely and accurate data;
- maintaining the public's trust;
- maintaining the Agency's relevance and reputation in an ever-changing environment;
- management of infrastructure and facilities;
- workforce capacity, capability, and retention; and funding.
Each risk category contains a likelihood and impact rating and description. COI is not specifically mentioned under “Public Trust” as a risk driver, but could fall under the driver of public messaging and communication, given that media attention on high-profile issues like COIs could damage the public’s confidence in PHAC’s ability to deliver on its mandate. To minimize the likelihood and impact of this risk, PHAC has initiatives in place such as science excellence, education, and open data.
Efforts to specifically mitigate COI risks at the Agency were demonstrated by the formation of a COI Task Force in 2021. This Task Force consisted of stakeholders from HC’s Corporate Services Branch (CSB), the Centre for Ombuds, Resolution and Ethics (CORE), Communications and Public Affairs Branch (CPAB), as well as the Agency’s Chief Financial Officer and Corporate Management Branch (CFOCMB).
The COI Task Force worked to implement the Way Forward Plan which started as a National Microbiology Laboratory Branch (NMLB) pilot. This decision was motivated by high public scrutiny, dealing with highly sensitive information that directly affects the health of Canadians, and the nature of NMLB activities, such as laboratory science and connections with industry, PTs, and academia.
There was an increase in the number of COI declarations following COI training efforts at NMLB. As a result, it was decided that the pilot would be expanded to the rest of the Agency. The COI Office proposed a risk-based sequencing of branches for training at the Executive Committee (EC) based on the nature of files and functions, possible public exposure, staffing plans, and pandemic pressures. This pilot became what is commonly referred to as “the COI Campaign” and was endorsed at EC in February 2022. Quarterly updates on the Way Forward Plan were provided at EC and annually at DAC. This campaign was carried out through training sessions across the branches over a two-year span between October 2021 to December 2023. Branch specific training decks were created in both official languages, including case studies. Outreach efforts were observed through information posts in the Agency’s Broadcast News system, and updates to the COI Office’s mySOURCE intranet page were noted.
What we expected to find
The TBS Directive on COI stipulates that the Agency is responsible for identifying those positions that may be at risk for post‑employment COIs. We expected to find that risk assessment processes are in place and up to date, documented, and followed consistently to allow the Agency to identify, evaluate, prioritize and mitigate risks related to real and potential COIs, including reputational risks and that the Agency undertakes monitoring of corrective actions for confirmed COIs. There are procedures in place for following up to ensure compliance with COI requirements.
Why it matters
The use of a long-term strategic approach to risk management can improve the Agency’s ability to optimize resource use in order to conduct targeted risk-based outreach efforts and raise awareness across the Agency. Identification and prioritization of areas where the possibility of COI is greater and related operational risks could increase efficiency, reduce duplication of efforts, and ultimately reduce the impact and likelihood of COIs going unmitigated, thereby protecting the Agency from reputational risks.
Key findings
The Agency is aware of higher-level strategic risks related to COIs for example based on visibility, level of public scrutiny, impact on the health of Canadians, potential for and history of negative media attention, the nature of the work, connections with industry and academia, and grants and contributions. COI has not been explicitly identified as a prioritized risk in the CRP, however it can be inferred under the pillar of Public Trust. The creation of the COI Task Force and the Way Forward Plan show that measures have been taken to reduce the reputational risk to the Agency. Recent drafting of the Directive on affiliations with academic, research and health care organizations at the NMLB by the Office of Intellectual Property Management and Business Development (OIPMBD) demonstrates additional measures to mitigate COI risks in this previously identified high-risk area.
CSB has taken preliminary measures to identify strategic governance risks related to the planning and control of COIs. Plans have been initiated to identify and prioritize higher risks associated with different branches, as well as employee classifications. However, the order of training in branches was not carried out in the predetermined, risk-based manner, and the information gathered to identify high-risk employee classifications has not been used to prioritize risks formally. No evidence was provided of further measures being taken to control and monitor the risks associated with positions and branches that may be at higher risk for COIs, such as the implementation of periodic mandatory declarations or mitigation measure follow-ups.
CSB is not conducting a formal COI-related strategic risk prioritization across the Agency, as a result resources may not be allocated in the most efficient way. This could result in limited staffing capacity and a lack of resources available to effectively use the information gathered from risk identification, assessment, and prioritization in day-to-day operations. CSB does not have official service standards and they operate on a case-by-case basis. However, they do have a target turn around time of four weeks.
When reviewing data on COI declarations received by the COI office in the 2022-2023 calendar year, we found that 65% of declared COI cases were closed, indicating a backlog of 35% cases remaining open. The longest case remained open for 352 days. With several outliers removed, the audit found that, on average, it took two and a half months for a COI file to be closed. Capacity issues were likewise reported by the COI Office in regard to staffing and technology, such as the absence of a case management system and a self-led training platform. Those factors created the risk that potential COIs will remain unmitigated for a long period of time. The ability to operationally sustain risk management processes may be hindered by insufficient resource allocation.
The audit team reviewed a sample of six COI declaration forms to determine whether the appropriate steps had been taken to process them. Although the COI processes were not formally documented and there were no standard operating procedures in place, the processing steps and analysis of supporting evidence were deemed to be adequate.
CSB has identified improvement opportunities in the management of COI-related activities. However, how these objectives will be achieved is unclear, as measurable objectives with clear timelines have not been provided. It was stated there are plans to streamline COI processes at the operational level, with the hope of freeing up staff so that they can dedicate time to declaration analysis and responding to inquiries. Resource limitations may hinder the Agency’s ability to carry out objectives to improve COI processes in a timely fashion. This could result in COI processes that are not able to be optimized for efficiency, thus preventing staffing resources to be freed up for future planning and mitigation of COIs.
There are no COI compliance or enforcement tracking mechanisms in place. The informal COI process does not include monitoring of corrective actions nor implementation of mitigation measures, beyond the confirmation that the employee has read and agrees to the mitigation measures. CSB stated that monitoring compliance efforts are not part of their mandate, rather that it is the employee manager’s responsibility. CSB does not communicate with the employee’s manager or director to confirm if the measures have been put in place and followed. Since decisions on COI declarations and implementation measures are only communicated through CSB, which is the only branch that has access to the COI log and files, managers entering a new position would not have access to the mitigation measures and action plans for their employees that were communicated to the previous manager, leaving the onus on the employee to provide this information.
Conclusion
The Agency has informally identified employee classifications and branches with higher COI risks. However, evidence of the actual implementation of formal prioritization and risk mitigation strategies for these identified classifications and branches was not found. Going forward, a plan for a sustainable long-term risk-based approach has not been provided on a periodic basis for managing COI risks for new employees or incumbent employees. There is room for improvement in formalizing and strengthening strategic and operational risk management, in line with the TBS requirements. Adoption of additional controls and monitoring in terms of compliance, mitigation, and follow-up could reduce the likelihood of unmitigated COIs from being revealed to the public.
Criterion 3 – COI process in relation to external activities
Context
The Agency’s mandate includes its role in strengthening intergovernmental collaboration on public health and facilitating national approaches to public health policy and planning. The Agency recognizes that the participation of researchers and scientists in the global scholarly community depends on domestic and international collaboration and partnerships. Such collaborations and partnerships provide important opportunities for the Agency’s researchers and scientists to leverage their expertise, knowledge, and infrastructure in developing research and scientific knowledge for the benefit of Canadians. Inherent risks like COIs must be considered when onboarding employees, and engaging and collaborating with external individuals or organizations.
Onboarding processes play a crucial role in managing COIs by facilitating their identification, educating people that are new to the public service and employees who wish to participate in external affiliations about ethical obligations, establishing clear expectations, integrating organizational policies, and building a culture of compliance and integrity. These processes are especially important in setting an ethical tone and mitigating COI risks associated with significant increases in staffing levels at the Agency in recent years. Individuals external to the public service may be onboarded as full- or part-time employees, students, interchange employees, contractors, or consultants.
Affiliations with academic, research or health care organizations include, but are not limited to, appointments to positions such as: adjunct, assistant, associate or full professor, adjunct research professor, special faculty advisor, affiliate investigator, research associate, honorary scientist, clinical specialist, clinical consultant, nurse, board member, and other similar designations.
While external affiliations themselves do not inherently constitute a COI, certain aspects of these affiliations could, especially when they are closely related to an employee’s official duties at the Agency. It is imperative for persons employed at the Agency to recognize any real, apparent, or potential COIs that may arise from activities like teaching courses or seminars, applying for federal research grants, engaging in external research and publishing, mentoring students on their theses, or participating in committees.
The HC and PHAC Scientific Integrity Policy mandates that employees engaged in science or research adhere to responsible research standards, which includes avoiding COI and upholding the highest levels of impartiality and research ethics. A key objective of the Policy on affiliations with academic, research and health care organizations is to ensure that employees’ affiliations with academic, research, and health care organizations are consistent with their primary duties as federal public servants, as outlined in the PHAC Values and Ethics Code, and with the requirements of applicable legislation, policies, and directives. This includes an employee’s responsibility for identifying any real, apparent, or potential COI that may arise out of their affiliations with academic, research or health care organizations. A key expectation of the Directive on affiliations is that the National Microbiology Laboratory Branch (NMLB) will be able to proactively manage challenges and mitigate risk associated with conflicting policies between host institutions and the duties and obligations of federal public servants. This includes, but is not limited to, COI, funding, intellectual property, operational requirements, protection of sensitive information, security, students, and working officials.
What we expected to find
We expected to find that that persons employed at PHAC are equipped with the necessary tools to be aware of their responsibilities when it comes to COI-specific risks associated with affiliations with external organizations during the onboarding process, as well as during their employment.
Why it matters
Tools such as policies, procedures, and onboarding packages play a crucial role in managing situations that may pose a higher COI risk such as onboarding people that are new to the public service and when an employee wishes to participate in an external affiliation. This is done by providing clear guidelines to mitigate legal and reputational risks, and maintaining transparency, integrity, and objectivity in decision-making processes.
Key findings
We found that the Agency established processes when onboarding employees from outside the public service to sensitize them to their new responsibilities and accountabilities with regards to COI. Training and tools are made available to new employees to inform them of their obligation to declare COIs within 30 days from their appointment effective date. If no declaration is received by the COI Office, it is assumed the employee did not have a COI to declare. However, COI training may not be accessible to all new employees in a timely manner, which could preclude them from being aware of potential COI implications associated with their new role at the Agency. There are no controls in place to confirm if the employee attended a COI training session. As a result, new employees may be unaware of the nuances of COI implications associated with the intersection of their role as a public servant and their external activities.
The COI Office, the Office of the Chief Science Officer (OCSO), and OIPMBD are the three Agency offices primarily involved in managing COI risks associated with engaging in affiliations with external organizations. Each office has their own suite of guidance documents. The definition of a COI provided by OCSO in the Policy on affiliations is in line with the COI unit’s Reference Guide on COIs and PE measures. OCSO’s Scientific Integrity Policy, Policy on the Dissemination of Research and Scientific Findings and Affiliations Policy do take into consideration COI-implications and are consistent with COI policies. OCSO informed the audit team that they are currently developing a performance monitoring plan for the Scientific Integrity Policy. OIPBMD’s Directive on Affiliations at NMLB addresses additional COI risks posed by engaging in adjunct professorship positions.
COI is encompassed in several policies at the Agency and there is a chance that COI obligations could be overlooked when an issue is brought forward where more than one policy may apply. There are approximately 15 documents such as policies, procedures, guidelines, and checklists that may be applied during the process of reviewing COI implications when an employee is seeking approval to engage in external affiliations. There is room for improvement in the coherence of these guidance documents by developing a more structured collaborative approach when it comes to information sharing, monitoring, and policy oversight. There is a risk that COI mitigation opportunities could be missed due to confusion surrounding which office and policy to consult first. This could result in disorientation, duplication of efforts, and inefficiency.
Guidance documents and checklists are available to support managers in fulfilling their responsibilities for the oversight of affiliations; however, it is not mandatory that managers complete or sign off on this checklist. There is no manager-specific training on COI risks associated with engaging in external affiliations. Managers play a key role in education, monitoring, and compliance with affiliations policy instruments, but managers are not experts. There is a chance that managers are unaware of all the aspects of these requirements, which could lead to missed opportunities for COI mitigation during the approval process for affiliations with academic, research, and health care organizations.
The audit team reviewed a sample of three affiliation approval forms to determine whether the appropriate steps had been taken to process them. The audit team was not provided with a standard operating procedure for the approval process for engaging in affiliations. No mitigation measures were recommended in this sample, and it is unclear what mitigation measure implementation, monitoring, and follow-up would look like in this process. The affiliations approval process is heavily reliant on employees’ first-level manager ensuring their employee is following the process correctly. There did not appear to be a distinct process or procedure for reviewing PHAC versus NMLB affiliations. The Policy on Affiliations applies to all employees, including the NMLB employees. The Directive adds additional requirements for NMLB employees.
There is a risk that a COI could be missed during an affiliation review, since OCSO staff are not experts in the COI process. A COI could be mismanaged when engaging in collaborative scientific engagements due to failure to consult the COI Office for a review of an affiliation approval form. OCSO maintains a spreadsheet with a record of affiliations. The spreadsheet may not be reflective of the actual employee population who engage in affiliations, and there is a chance that employees may submit a COI declaration to the COI Office, but not also submit a request for an approval of an affiliation through OCSO. There are no controls in place to ensure two-way communication between OCSO and the COI Office. No evidence was found of monitoring activities or follow-up mechanisms in place to ensure employees submit the affiliation approval form to the COI Office for review.
Conclusions
There are several tools available to employees to inform them of their responsibilities when it comes managing their obligation to declare a real, apparent, or potential COI during the onboarding process, as well as when engaging in affiliations with external organizations. However, there is room for improvement terms of coherence of the policy instruments and guidelines that may apply. Clarification of shared roles and responsibilities of individuals and offices involved in the process could strengthen accountability, collaboration, and reduce duplication of work.
Recommendations
Recommendation 1:
The ADM of CSB, with the support of Chief Science Officer and VP of DSFB, should clarify and communicate the roles, responsibilities, and accountabilities, related to corrective action implementation and monitoring, employee training, stakeholder communication, data collection, and reporting.
Recommendation 2:
The ADM of CSB, with the support of Chief Science Officer and VP of DSFB, should review and implement training and outreach activities to better support managers on COI obligations.
Recommendation 3:
The ADM of CSB, with the support of Chief Science Officer and VP of DSFB, should review and update the guidance document suite to ensure better alignment with all policies, procedures, and guidelines on COI.
Recommendation 4:
The ADM of CSB, with the support of Chief Science Officer and VP of DSFB, should develop a risk-based monitoring approach to optimize resources, processing timelines and reduce backlogs as well as develop and implement standard operating procedures to ensure COI declarations and affiliation approval records are analysed and mitigation measures are applied consistently.
Recommendation 5:
The ADM of CSB, with the support of Chief Science Officer and VP of DSFB, should establish a communication protocol for regular information sharing between various functions implicated in COI-related areas, such as the Centre for Ombuds, Resolution and Ethics (CORE), Internal Disclosure Services (IDS), and the Intellectual Property (IP) Office.
Appendix A – About the audit
Audit objective
The objective of this audit was to examine whether the processes in place to manage apparent, potential, or real COIs at the Agency were effective in mitigating COI risks.
Audit scope
The audit scope included the following:
- Activities beginning with the COI process improvement initiatives in January 2021 up to December 2023.
- A focus on governance structure, roles, responsibilities, accountabilities, policies, procedures, and processes in place.
- Risk assessment processes to identify, evaluate, and prioritize COI risks within the Agency.
Audit approach
The audit was conducted in accordance with the Government of Canada's Policy on Internal Audit, which requires examining sufficient and relevant evidence, and obtaining sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion. The audit approach included, but was not limited to the following:
- Testing of controls, as required.
- Review of processes and methodologies, and examination of outputs and other relevant supporting documentation.
- Interviews with management, committee members, and key stakeholders within corporate and branch organizational units.
Statement of conformance
This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing and is supported by the results of the OAE’s Quality Assurance and Improvement Program.
Audit criteria
- The Agency has a well-defined governance structure in place to support COI related activities, and has established clear policies, procedures, roles, responsibilities, and accountabilities to prevent and mitigate COIs.
- Processes and controls are in place to identify, assess, prioritize, monitor, and mitigate risks related to real, apparent, or potential COIs.
- The Agency ensures that COI risks specific to collaborations and affiliations with external organizations are managed, and that people employed at PHAC are equipped with the necessary tools to be aware of their COI responsibilities.
Page details
- Date modified: