Internal Audit of Audit and Data Services Branch Management – Final Report
Approved December 15, 2011
Table of Contents
- Executive Summary
- 1. Introduction
- 2. Background
- 3. Risks
- 4. Objectives
- 5. Scope
- 6. Statement of assurance
- 7. Methodology
- 8. Observations and recommendations
- 9. Conclusion
- Appendix A - Management control framework for the Audit of Audit and Data Services Branch Management
- Appendix B - Glossary
- Appendix C - Action plan to address recommendations
Context
Rationale
No audit has been conducted of ADSB projects, activities or programs since the branch’s inception in 2004. While many elements of the branch have progressed toward maturity of their operations and have stabilized, other functions were restructured and provided with challenging mandates. The tasks undertaken by audit units and the Data Services and Analysis Directorate (DSAD) have vast ramifications and are at the essence of the PSC’s mandate. The branch has experienced changes to both its management cadre and its administrative processes over the past few years.
The PSC’s Internal Audit Committee approved the Audit of Audit and Data Services Branch Management in February 2010, as part of the 2010-2011 audit plan.
Objective
Conclusion
The Internal Audit Directorate (IAD) has concluded that the management control framework established in ADSB is generally sound. The branch has significantly strengthened its governance and management mechanisms as it progresses toward maturity.
Overall, the branch has operational and HR plans in place to support the achievement of its objectives. HR planning is aligned with the branch’s business strategy and goals and is supported by comprehensive processes and documents, though some gaps exist. The level of readiness, maturity and stability varies among directorates, and HR planning is a reflection of this.
The branch has adequately designed oversight structures, offering stable governance, strategic direction and accountability. Internal communications were seen to be comprehensive and open. While employees might benefit from additional specialized training, the branch generally offers effective learning support to all of its employees for the discharge of their responsibilities. Management can partly rely on mechanisms that generate and use information for decision-making to enable efficient and effective program delivery. The budget process, for instance, is well established. Other mechanisms, such as risk management and performance measurement, are not at the same level of readiness. While branch HR strategies are well documented, work remains to be done to formalize the identification of operational risks.
While information management remains a risk, the branch has identified the need to review its personal data collection practices and usage to limit operational and compliance risks concerning privacy, information management or security.
ADSB, in its current state, has been in existence for only two years. One of its directorates, DSAD, received a new mandate that includes the Business Intelligence and Enterprise Data Warehouse program. This directorate, perhaps to a larger extent than the other areas within the branch, is evolving in a dynamic environment, operating with highly skilled personnel having specialized training needs, faced with knowledge transfer issues and under constant, if not increasing, demand for services. DSAD should further develop its HR approach for the middle and long term, including attention to succession planning as well as staff needs with respect to language and technical skills.
Management has worked in co-operation with IAD and has provided comments and information. Management has also developed action plans that will address the risks noted.
In February 2010, the Public Service Commission (PSC) Internal Audit Committee (IAC) approved the PSC’s Internal Audit Plan for 2010-2011. One approved project was the management of the Audit and Data Services Branch (ADSB). The planning phase for this audit started in November 2010.
The PSC is responsible for ensuring that the appointment authorities it delegates to deputy heads are exercised according to the spirit, values and principles of the Public Service Employment Act (PSEA). Reporting mechanisms provide the PSC with information on how departments and agencies are functioning within the PSEA. Established in 2004, the Audit Branch, which has since gone through several reorganizations, was developed to gather, compile and analyze these data for assurance purposes. The branch ensures compliance with the PSEA through its external assurance activities with other organizations, as well as its analyses and sharing of staffing-related data.
The branch has experienced various financial and environmental changes, particularly as audit, data monitoring and reporting operations were scaled up. In its January 2009 report entitled Review of Public Service Commission Oversight, the Independent Review Committee set out recommendations for the branch’s activities and organization. Based on the recommendations in this report, structural changes took place in late 2009, transitioning the evaluation function to the Policy Branch and resulting in an organizational realignment, including the addition of a Business Intelligence and Enterprise Data Warehouse (BI/EDW) program. Additional pressures were placed on the branch to fulfil the recommendations in this report, including changes to the required cycle of assessing organizational compliance, a shortage of qualified staff, methodologies that were still maturing and a substantial change to the approach to operations in its data management.
The branch has several directorates. The Data Services and Analysis Directorate (DSAD), with a full-time equivalent (FTE) count of 49 and a budget envelope of approximately $6.3M, develops studies and surveys and is currently establishing the BI/EDW program. This program aims to provide a strategic approach to business intelligence and data management. The Audit Directorate (AD) conducts independent audits of staffing within organizations, as well as audits of government-wide staffing issues. It has 51 FTEs and a budget of $4.6M. The Professional Practices and Planning Directorate (PPPD) develops the policies and practices followed by the branch, primarily for audit operations, and has a budget of $1.5M and 16 FTEs. The Branch Management Services (BMS) Division, with 6 FTEs and a budget of $706,000, provides centralized human resources (HR) and financial services, production schedule reporting and other administrative functions for the branch. The Vice-President’s Office has an FTE count of 3 and a budget of $343,000.
The branch has not undergone a formal internal audit since its inception in 2004. The work performed in audit operations, as well as the gathering and analysis of recruitment and appointment data, are crucial to the PSC’s mandate.
The ADSB staff, composed mostly of the Personnel Administration and the Economics and Social Science Services groups, is reflective of the branch’s activities, products and services. In the past, the mobility that characterised these two professional groups had given rise to high turnover. Although this has decreased in recent years, finding, developing and maintaining the necessary skill sets — especially for the complex analyses tied to data services, studies and surveys — continue to be a challenge. Attrition and extended absences are also having an impact on corporate knowledge and operations.
The use of BI/EDW will, once implemented, streamline data flow and analysis. It will allow external users, as well as those within the PSC, to organize and export data using queries and searches. Transition toward this will provide additional challenges to resources within ADSB and other areas of the PSC.
As branch operations evolved, administrative and financial activities also underwent change. The structure and decision-making that were initially centralized have since been somewhat decentralized. Delegations, in particular, have been moved downward.
The nature of the information processed as part of the audit and data services activities also represents a risk in terms of compliance with privacy requirements.
The preliminary risk assessment by IAD identified areas needing further examination:
- Establishment, communication and achievement of branch objectives;
- Capacity and resource building to give staff necessary knowledge, skills and tools; and
- Identification, assessment and management of internal and external risks.
The objective was to determine whether an adequate management control framework had been established for management of ADSB. Emphasis was placed on planning, reporting, organization and compliance with branch, corporate and government policy and directives for finance, HR and administration.
We expect that:
- Plans to guide efforts in achieving the organization’s objectives should be established and communicated;
- All structures and resources used by management should enable the achievement of the branch’s objectives and intended results;
- The mechanisms in place that generate and use information for decision-making should enable efficient and effective program delivery and success; and
- The branch should conduct operations compliant with policies and procedures, including asset management, information management, language of work, privacy and security.
The audit reviewed the overall management of the branch. Specifically, the scope of the audit included:
- All four areas (AD, DSAD, PPPD and BMS);
- All aspects of management, including administration, financial management, HR processes and staffing, work planning and performance management; and
- Compliance with policies and procedures, including asset management, information management, language of work, privacy and security.
It should be noted that neither an assessment of adherence to the standards of professional auditing practices within the branch nor the examination of program delivery decisions formed part of this audit. Neither did this audit review PSEA oversight relationships with other branches or program level operations, including design of the BI/EDW.
This audit engagement was planned and conducted to be in accordance with the Internal Auditing Standards for the Government of Canada.
In my professional judgment as Chief Audit Executive, sufficient and appropriate procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time of the audit and against the audit criteria.
The PSC Standard Audit process includes three principal phases:
- Planning;
- Detailed Examination; and
- Reporting.
All deliverables are reviewed and signed off by the Director of Internal Audit. As part of the audit process, briefings and validations of observations were reviewed by the Vice-President of ADSB and her representatives. ADSB has provided all requested documents and access to employees.
The planning phase began in November 2010, during which a preliminary risk assessment was used to identify lines of inquiry. IAD developed draft criteria guided by the Core Management Controls: A Guide for Internal Auditors (Draft – November 2007) of the Office of the Comptroller General of Canada. These were refined through the review of existing procedures and reports, along with interviews of key management and operational staff, including branch executives and functional specialists. Additionally, the draft criteria were provided to the branch management for their review and comments.
Examination methodologies included interviews with management and staff, as well as review and analysis of key processes and documents, including systems-generated reports, strategy documents related to budgets, projects or operations and other data. Sample-based analysis concerning overtime was also performed. Preliminary findings were developed and presented to ADSB on September 8, 2011. Information from ADSB was gathered over the period from January to September 2011.
Control Objective 1 - Plans to guide efforts in achieving the organization’s objectives should be established and communicated.
8.1 Operational planning
Auditors expected the branch to have operational plans and objectives in place to achieve its strategic objectives.
At the strategic level, the branch has developed several primary documents to support the achievement of its objectives. These include the Integrated Business Human Resources Plan, the Audit Plan and the Learning Strategy. Information from these is then drilled down to the directorate and division levels. IAD found evidence of operational work planning for each division. In general, plans adequately detail upcoming division work for the coming year, including time lines and resources. Plans are regularly revised or updated. In some cases, certain priorities and planned projects were postponed due to operational demands or resource limitations.
8.2 Resource planning
We expected HR planning to be aligned with strategic and business planning and to guide recruitment, hiring and promotions.
For some time after its creation, the branch was in “building mode,” setting up processes and controls for its activities while recruiting personnel from areas of expertise in high demand. The branch is now practically fully staffed and has developed a number of planning tools to help achieve its goals. As an example, in summer 2010, the branch drafted its first Integrated Business and Human Resources Plan (IBHRP) for 2011-2014. This did not provide much coverage to DSAD, which later issued a complementary IBHRP. However, this plan fell short in a number of key areas. For example, DSAD has not addressed its mid- and long-term learning needs. Neither has it identified key positions within the directorate. These gaps could impact the branch’s ability to attract, train and retain skilled personnel, and to allow the organization to attain its objectives. Management is aware that these initial plans have some limitations and has committed to address these gaps in the 2012-2015 IBHRP.
AD and PPPD are reported to be essentially at staff complement and skills capacity. Accordingly, the branch’s Professional Development Program has been temporarily suspended. The HR strategy has changed to reflect this, mostly by creating anticipatory pools for the future.
Some areas of DSAD were noted to be struggling with sustainability, given the actual resource levels and increasing operational demand. DSAD requires staff with specialized skill sets, including experience with the directorate’s business lines. In addition, attrition and extended leave are significant resourcing issues affecting all levels, leaving some people to cover other positions as well. Management recognizes that this situation is impacting on its operations. Approved positions are at various stages of the staffing process.
While the organization was maturing, stability was slower to attain. Evidence gathered indicates that turnover has significantly decreased. According to management, this could be a possible result of maturation of the organization, and/or reduced government mobility under budgetary constraints. The development of a formal succession plan in consultation with the Human Resources Management Directorate (HRMD) is part of the branch’s 2011-2014 IBHRP. DSAD’s complementary plan notes the importance of succession planning for key positions, but does not include a strategy for its development. Nor is knowledge transfer of key employees identified. The branch has prepared an analysis of DSAD’s staff development needs, taking into consideration the current environment surrounding knowledge transfer. However, the branch is using learning-by-immersion to counter the knowledge transfer issue. Learning initiatives and on-the-job training must fulfill the developmental needs of branch staff. Given DSAD’s challenges and dynamic, knowledge-based environment, the skill of staff is critical to mission delivery.
The examination found that several non-imperative appointments had been approved in 2008 under the Public Service Official Languages Exclusion Approval Order (PSOLEAO). (A non-imperative appointment is an indeterminate appointment to a bilingual position that the deputy head has identified as not needing a person who meets the required level of language proficiency at the time of appointment. Individuals who do not meet the language requirement are appointed with conditions.) The ADSB appointments were compliant with the provisions of the PSOLEAO. They were made in response to the branch’s requirement to staff key positions in a short period of time from specific sought-after employment groups. Due to the subsequent reorganizations, the majority of these positions have moved to the Studies Division of DSAD, and full-time language training occurred concurrently for several members of the team. (During the examination phase, the director, one of two managers and a principal analyst were on full-time training). Consultants were used as additional resources during this time to ensure that product delivery was not affected. Language training as a result of non-imperative staffing continues.
The need to rely on non-imperative staffing highlights the importance of ensuring that the organization has the capacity to provide for succession of departing employees. The branch’s first IBHRP for 2011-2014 states that “to allow for the greatest flexibility, the branch should consider non-imperative appointments so that its capacity is not significantly impacted by language training.” However, the branch has since questioned reliance on non-imperative staffing as a sustainable recruitment approach. Any future requests for non-imperative staffing will continue to adhere to HRMD controls. HRMD has since implemented more rigorous controls to ensure that non-imperative staffing and extensions under the PSOLEAO are adequately justified and are compliant with the related Regulations.
Overall, HR planning is aligned with the branch’s business strategy and goals and is supported by comprehensive processes and documents, though some gaps exist. The level of readiness, maturity and stability varies among directorates, and HR planning is a reflection of this. As recognized in its plans, the branch needs to continue to flesh out its operational planning and strategy, especially in its highly challenged and developing areas.
Recommendation 1: An HR strategy should be developed to position ADSB, particularly DSAD, for its current and future needs with respect to language and technical skills.
Management response
Agreed. It should be noted that the branch, as it is currently organized, has been in existence for two years. In the first year of its existence, ADSB developed and finalized a comprehensive Integrated Human Resources and Business Plan that outlines the key areas of focus for the branch and the upcoming priorities. This plan is being finalized for the second year of ADSB’s operation and will include a greater emphasis on the medium- and long-term needs of ADSB. This includes the plans for both current and future technical and language skills.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
Recommendation 2: The branch’s IBHRP should include a formal approach to implementing knowledge and talent management, as well as training planning and succession consideration, that encompasses the whole branch.
Management response
Agree. ADSB sees itself as a learning organization and, as such, has focused on developing a comprehensive learning strategy based on the roll-up of the learning plans of individual employees. The branch’s Learning Strategy is its venue for addressing learning and training needs. ADSB has established an integrated learning plan that supports all individuals each year based on the learning priorities identified on the Integrated Plan, and also has a higher-level strategic learning plan — these are linked to the Integrated Plan via the business priorities. To help ensure ongoing utility, the branch’s Three Year Learning Strategy will be renewed during 2012. In addition, we will develop an integrated knowledge management and succession plan, while taking into consideration the privacy concerns of the employees.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
Control objective 2 – All structures and resources used by management should enable the achievement of the branch’s objectives and intended results.
2.1 Structures, tools and training
Along with effective oversight, we expected to find effective channels for internal communication, provision of training and tools for staff and a formal approach to knowledge and talent management. The branch has adequately designed oversight structures, offering stable governance, strategic direction and accountability. Extended Branch Management Committee meetings and retreats support branch communication, administration and management. Project dashboards and inter-branch committees allow for the oversight of BI/EDW deliverables. The Reporting Management Committee (an internal peer oversight committee that reviews and challenges audit, studies, survey and data work) has brought accountability and good discussion to the branch, according to management members.
Overall, the internal communications of the branch were seen to be comprehensive and open. Employees have a wide-ranging number of tools and resources at their disposal, which are easily accessible on the branch’s internal Web portal. ADSB’s portal is a unique branch tool that offers a central platform for general and specific information. Methodology updates and other records are available through the PSC’s Record and Document Information Management System (RDIMS) and are therefore easily updated. Only with regard to a branch reorganization that took place in 2009 did staff comment on inadequate communication.
Because of the uniformity of its operations, AD benefits from established processes in terms of efficiency and effectiveness. Formal working paper processes were documented, as well as standard attestation forms to encourage audit staff to include only relevant evidence in their work files.
ADSB’s training was previously co-ordinated through BMS, though this function has since been transferred to PPPD for better alignment. Along with an evaluation framework for assessing branch learning initiatives, PPPD has developed a comprehensive strategy to address the learning needed by the branch’s staff, particularly in AD. This, management indicated, was intentional, as DSAD had developed a more directorate-focused Learning Needs document in March 2011 that will be rolled into branch-wide planning.
Some managers within DSAD mentioned that the current budgets for training did not meet the needs of their highly knowledgeable staff. Their training needs encompassed professional conferences and training on SAS analytical software. (Addressing these training needs was mentioned in Recommendation 2.) At the same time, spending on training in all directorates except PPPD was slightly under their allocated budgets, as PPPD both offers and funds technical and specialized training for ADSB employees. Contracts were put in place for SAS training. Management indicated that training for all staff is either completed or ongoing.
The branch offers numerous effective resources to employees in order to assist them in performing their work. In the short term, employees will likely continue to be trained sufficiently to discharge their responsibilities. However, some managers, particularly in certain areas of DSAD, did express specific needs for more training to engage and develop staff.
Control objective 3 – The mechanisms in place that generate and use information for decision-making should enable efficient and effective program delivery and success.
3.1 Budgeting
Auditors found that activities, schedules and resources needed to achieve objectives have been integrated into the budget. Outputs drive the budget and therefore fall on divisions first: directors request planned funds and raise requests to the directorate levels for review. These are brought to the branch level, where they are further reviewed by BMS.
BMS is responsible for monitoring and analyzing the branch’s budgets and providing advice and guidance on budget forecasting. Budget accountability and responsibility fall under the directors general and directors. There is a consensus among managers that the centralized system is robust and efficient. The frequency and depth of budget reviews are also appropriate from their perspective. Actual spending in 2010-2011 was within 2% of budget. Similarly, the branch is actively seeking efficiencies. For instance, it is presently focusing some efforts on reducing the costs of its memorandum of understanding with a government agency (a key item in its budget).
Overall, ADSB’s budget function is effective and brings consistent and regular review to the process.
3.2 Risk management
We expected management to have a documented approach to risk management.
The commitments in the branch’s IBHRP are concentrated on HR strategies. A detailed environmental scan of the current situation is given, including the risks facing the branch. Eight key challenges were identified and explained.
The next iteration of the IBHRP is in the draft stage and focuses largely on the current fiscal year. Risks, challenges and strategies are built upon from the original document. A strategic retreat held in June 2011 provided status updates for most of the branch’s IBHRP Action Plan items. The goal is to formally review the document quarterly. At the time of the audit examination, management noted that they were not yet at this point.
Strategic risk management information for ADSB is provided in the PSC’s Operational Plan. HR risks flow from the Report on Plans and Priorities (RPP) to the Operational Plan through to the IBHRP. Of the operational-type risks noted in the IBHRP, all but one could be traced to the RPP. These risks, however, are not presented in the Operational Plan. While operational risks are identified, mitigation focuses primarily on HR issues. With regard to the more granular information on risk, auditors were informed by management that, aside from IBHRP risk management, no additional operational risk management documentation currently exists. Significant risks remain. For example, the Deloitte and Touche study on data and survey strategy identified several areas for improvement, including the effect of ad hoc requests on workloads, undocumented data processes and data quality risks, as well as a need for continuous monitoring of organizational needs.
Risk identification is well established for branch HR strategies. If it is not mitigated and monitored, however, it still threatens branch operations. Moreover, work remains to be done to formalize identification of operational risks throughout the branch. Data risks have been identified in consultant reports and, according to management, will be addressed through the continued implementation of the BI/EDW program.
Recommendation 3: Formalized and regular monitoring should be developed to ensure the implementation of the HR action plan.
Management response
Agree. The branch Integrated Business and HR Plan is reviewed quarterly by management, and a comprehensive review of all commitments is undertaken by the Branch Management Committee in June to support the next year’s planning function. All staffing decisions are submitted and reviewed by the Branch Management Committee and approved by the VP.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
Recommendation 4: Identification, mitigation strategies and an action plan with regular monitoring for operational risks should be completed.
Management response
Agree. Operational risks are tracked, discussed and mitigated by the senior management team of ADSB and, where appropriate, are integrated at an aggregate level along with mitigation strategies in the 2012-2015 ADSB Integrated Business and HR Plan.
The overall strategic risks of the branch are outlined, and mitigation strategies are included in the Integrated Business and HR Plan. A comprehensive action plan and measurement strategies for each of the mitigation strategies are also being developed for the updated 2012 ADSB Integrated Business and HR Plan.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
3.3 Performance measurement
The auditors expected management to monitor actual performance against planned results, and adjust course as needed.
Branch performance measures are listed for the five HR strategies contained in the branch IBHRP. These were reviewed and updated as part of a strategic retreat held in June 2011. The branch also has audit and studies targets based on respective formal plans. Status reports are produced for all audits and studies.
AD has a formal client satisfaction protocol, and also reports regularly through the PSC Monthly Report. Client satisfaction for all other divisions is based on informal feedback (i.e. e-mail and phone correspondence). However, a report developed by the Centre for Public Management described Client Services Division clients as “currently satisfied” and receiving “perceived ‘front-of-line’ service.”
Audits are subject to a Quality Assurance Improvement Plan (QAIP) that includes practice inspections and quality reviews. The QAIP assesses both attribute and performance standards. Additionally, management uses informal client feedback, lessons learned and supervisory review.
DSAD’s management recognizes the need for more formal tracking of client satisfaction and performance. Progress has been made in this area, as the Information Management/Information Technology Committee approved the funding for the implementation of a tracking and reporting system. ADSB is currently working with the Information Technology Services Directorate to assess systems to ensure that they meet required needs.
EZ-Time is a planning and reporting tool used by the branch to estimate the project time of employees. To assess its reliability, the auditors examined how this report might be reconciled with other available data. The auditors conducted a statistical sample analysis of the EZ-Time records of 64 employees over a four-month period. The results suggest that there is some confusion with the system and a lack of understanding of how the EZ-Time data should be entered. Specifically, 31 of 65 employees were reported as working two full days (15 hours) either under or over the actual amount of regular working hours in that period. Management informed the auditors that, due to system limitations, the EZ-Time reports did not accurately portray the database inputs. Clarification provided by ADSB indicated that only 25 were outside the 15-hour threshold. Of these, six were on leave or were not indeterminate, and five were at the EX or EX minus 1 levels. This translates to roughly 22% of the sample exceeding error tolerances. The level of discrepancy caused by system limitations and unexpected variances suggests that there is a systemic problem.
A comparison between EZ-Time overtime figures and those of PeopleSoft compensatory time and Finance and Administration Directorate overtime payout could not reconcile the discrepancies. Neither could ADSB demonstrate how it ensured that EZ-Time figures were reliable.
EZ-Time is primarily used for project-hour reporting intended for future project planning, as well as the monthly and status reports submitted to the President. Managers are responsible for ensuring the accuracy and compliance of staff inputs. Once used only in AD, EZ-Time has only been used branch-wide for one fiscal year, and some groups are not yet familiar with the system. Auditors were informed of some employee reluctance since the system was first rolled out in 2007-2008, the employees seeing it as an additional control.
Overall, AD operations are quite comprehensively monitored, while DSAD has some progress to make in that area. This lack of formal performance measurement can lead, in the short term, to reactive and poorly informed responses. In the longer term, the absence of key indicators could affect the sustainability of services and limit the ability to demonstrate their value in times of budget constraints. Time reporting is used as a verification tool for projects as well as for reporting (e.g. status reports). The sample analysis shows it to be unreliable in terms of accuracy.
Recommendation 5: Formal methods for setting expectations and measuring the performance of data and client services should be established in branch plans.
Management response
Agree. Comprehensive measures for the branch are already part of the PSC Program and Activities Architecture (PAA). They are also reported in the PSC Departmental Performance Report, similar to all other branches in the PSC. More detailed performance measures have been provided in the PSC operational plan. A recent update to our PAA measures has been provided to the Corporate Management Branch as part of an organization-wide initiative. In addition, as part of the commitment to client services, in line with the BI/EDW initiative, specific client services measures have been developed as part of a “Client Service Charter” and will be presented at the Governance Committee Meeting in December 2011.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
Recommendation 6: Management should implement a process to ensure the reasonable accuracy of project time reporting. It should be a reliable source of information used systematically and methodically across the branch.
Management response
Agree. The current PSC time reporting system is useful for overall project planning purposes, but is not sufficiently robust to allow detailed reporting for workforce management. The branch is reviewing the use of the current system and will be providing additional guidance to employees. In addition, ADSB is exploring other tools, including time reporting and project reporting.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
Control objective 4 – The branch conducts operations within compliance of policies and procedures, e.g. asset management, information management, language of work, privacy and security.
4.1 Collection, storage and management of personal information
Auditors expected the collection of personal records and information to be limited to the minimum required for audit and data operations.
In conducting audits, branch intentions are to collect only the information needed. ADSB has established protocols and mechanisms to ensure that this is achieved. Where possible, an auditor’s attestation declares that the PSC has sufficiently reviewed the records of the client organization to avoid collection of unnecessary information. This material is scanned and a record is kept. All material is either password protected within the database or has access limits in RDIMS.
The branch commissioned an internal study on its collection and use of personal information. Preliminary findings from this report, as well as input from the Access to Information and Privacy (ATIP) Office, suggested that there was still personal information being collected. This results in unnecessary work and brings about new risks. ADSB has developed an action plan and has provided clear guidance to its employees in response to the report.
Privacy legislation prevents the publication of personal information. The auditors noted that, since 2005, the ATIP Office has reviewed all ADSB reports. On the data side, a Deloitte report produced for the PSC’s Data and Survey Strategy recommended that a review be conducted of the data being collected to determine relevance to needs. In addition, processes for data collection should be documented in order to streamline requests. It also suggests clarifying the relevance of data collected for the Staffing Management Accountability Framework. These issues are being examined by the Policy Branch’s Delegation and Accountability Directorate.
An all-encompassing privacy impact assessment of the DSAD environment is currently in draft stage. Once the assessment is completed, an action plan will be needed. A threat and risk assessment was also produced, and access to JAIS data has been limited accordingly.
A higher volume of data increases ADSB’s workload, even though the PSC’s Information Management Office has the ultimate responsibility for retention and disposal of records. To be compliant with ATIP, the PSC would have to provide the information requested if it is held by the PSC even if the retention period has expired. This provides an impetus for ADSB to remove duplicate files promptly. As well, data matching initiatives are being monitored by the PSC’s ATIP Office because of the obligation to disclose how personal data will be used.
Over-collection of data can increase security, operational and compliance risks. Additionally, there are security and privacy issues with the collection of personal information. While the auditors are not aware of any specific incident undermining the security or privacy of personal information, data management would benefit from a formal framework for the collection of personal information. The branch has shown commitment to this issue; it has undertaken several research and analysis initiatives to ensure that ADSB operations comply with relevant legislation. Efficient use of electronic and physical storage is also an issue currently being reviewed by the branch.
Recommendation 7: ADSB should develop a framework for collecting, storing and managing personal information and address any related shortcomings.
Management response
Agree. An action plan for establishing a framework for collecting information is now in place, and implementation is under way to correct potential privacy issues. Additional guidance has also been provided to auditors, and the privacy management framework for data is in place.
In addition, the branch has shown commitment to this issue in relation to the data, as it has undertaken several information-finding initiatives such as the Data Strategy, Quality Management Framework and Management of Personal Information Report and developed an action plan. ADSB is also in the process of completing a data quality management framework for PSC data holdings. A schedule for testing this framework is under way. The data quality management framework will be consistent with the ADSB quality management framework, where appropriate.
The specific actions, responsibilities and time lines for this response are included in Appendix C.
The Internal Audit Directorate (IAD) has concluded that the management control framework established in ADSB is generally sound. The branch has significantly strengthened its governance and management mechanisms as it progresses toward maturity.
Overall, the branch has operational and HR plans in place to support the achievement of its objectives. HR planning is aligned with the branch’s business strategy and goals and is supported by comprehensive processes and documents, though some gaps exist. The level of readiness, maturity and stability varies among directorates, and HR planning is a reflection of this.
The branch has adequately designed oversight structures, offering stable governance, strategic direction and accountability. Internal communications were seen to be comprehensive and open. While employees might benefit from additional specialized training, the branch generally offers effective learning support to all of its employees for the discharge of their responsibilities. Management can partly rely on mechanisms that generate and use information for decision-making to enable efficient and effective program delivery. The budget process, for instance, is well established. Other mechanisms, such as risk management and performance measurement, are not at the same level of readiness. While branch HR strategies are well documented, work remains to be done to formalize the identification of operational risks.
While information management remains a risk, the branch has identified the need to review its personal data collection practices and usage to limit operational and compliance risks concerning privacy, information management or security.
ADSB, in its current state, has been in existence for only two years. One of its directorates, DSAD, received a new mandate that includes the Business Intelligence and Enterprise Data Warehouse program. This directorate, perhaps to a larger extent than the other areas within the branch, is evolving in a dynamic environment, operating with highly skilled personnel having specialized training needs, faced with knowledge transfer issues and under constant, if not increasing, demand for services. DSAD should further develop its HR approach for the middle and long term, including attention to succession planning as well as staff needs with respect to language and technical skills.
Management has worked in co-operation with IAD and has provided comments and information. Management has also developed action plans that will address the risks noted.
Control Objectives | Audit criteria |
---|---|
Control objective 1 Plans to guide efforts in achieving the organization’s objectives should be established and communicated. | Criterion 1.1 The organization has in place operational plans and objectives aimed at achieving its strategic objectives. |
| | Criterion 1.2 Human resource planning is aligned with strategic and business planning. |
| | Criterion 1.3 Recruitment, hiring and promotion consider the current and future needs of the organization. |
Control objective 2 All structures and resources used by management should enable the achievement of the branch’s objectives and intended results. | Criterion 2.1 Open and effective channels exist for internal communications and feedback. |
| | Criterion 2.2 The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities. |
| | Criterion 2.3 The organization has in place a formal approach to knowledge and talent management. |
| | Criterion 2.4 Effective oversight bodies are established. |
Control objective 3 The mechanisms in place that generate and use information for decision-making should enable efficient and effective program delivery and success. | Criterion 3.1 The activities, schedules and resources needed to achieve objectives have been integrated into the budget. |
| | Criterion 3.2 Management has a documented approach with respect to risk management. |
| | Criterion 3.3 Management monitors actual performance against planned results and adjusts course, as needed. |
Control objective 4 The branch conducts operations within compliance of policies and procedures, e.g. asset management, information management, language of work, privacy and security. | Criterion 4.1 Collection of personal records and information is limited to the minimum required for audit and data operations. |
| | Criterion 4.2 The access, use and storage of records data and information are in compliance with privacy legislation. |
IAD Recommendation | Specific Actions | OPI | Target Date |
---|---|---|---|
1. An HR strategy should be developed to position ADSB, particularly DSAD, for its current and future needs with respect to language and technical skills. | HR strategy 2.1: Responsive human resourcing linked to business needs (refer to 2012-2015 IBHRP, p.21) |
||
Establish and monitor short-, medium- and long-term staffing strategies that support the business needs for each directorate (refer to 2012-2015 IBHRP, Appendix B): Specific strategies for DSAD include: |
ADSB/BMC/ HRMD |
Ongoing | |
|
DSAD | Ongoing | |
|
DSAD | March 2014 | |
|
DSAD/ PPPD |
Ongoing | |
|
DSAD | Completed | |
HR strategy 3.1: Strategic investment in learning and development (refer to 2012-2015 IBHRP, p.23) |
ADSB/BMC | Ongoing | |
|
PPPD | March 2012 | |
|
PPPD/DSAD | March 2014 | |
|
PPPD/DSAD | March 2013 | |
|
PPPD/BMS/ Ongoing |
||
|
PPPD/December 2012 | ||
|
PPPD/BMS | Ongoing | |
|
|||
HR strategy 3.2: Appropriate acquisition and maintenance of language skills (refer to 2012-2015 IBHRP, p.24) |
|||
|
ADSB/BMC | March 2013 | |
|
ADSB/BMC | Ongoing | |
2. The branch’s Integrated Business and HR Plan should include a formal approach to implementing knowledge and talent management, as well as training planning and succession consideration, that encompasses the whole branch. | HR strategy 3.1: Strategic investment in learning and development (refer to 2012-2015 IBHRP, p.23) |
||
|
ADSB/BMC | Ongoing | |
|
PPPD | March 2012 | |
|
PPPD/DSAD | March 2014 | |
|
PPPD/DSAD | March 2013 | |
|
PPPD/BMS/ Ongoing |
||
|
PPPD/December 2012 | ||
|
PPPD/BMS | Ongoing | |
HR strategy 4.1: Succession planning (refer to 2012-2015 IBHRP, p.24) |
|||
|
ADSB/BMC | August 2012 | |
|
ADSB/BMC | August 2012 | |
|
ADSB/BMC | November 2012 | |
HR strategy 4.2: Integrated knowledge transfer (refer to 2012-2015 IBHRP, p.24) |
|||
|
PPPD | November 2012 | |
3. Formalized and regular monitoring should be developed to ensure the implementation of the HR action plan. | ADSB Integrated Business and Human Resources Plan (RDIMS 584501) – This plan is reviewed quarterly and updated annually. | PPPD/BMS | Completed |
|
Ongoing | ||
|
Ongoing | ||
4. Identification, mitigation strategies and an action plan with regular monitoring for operational risks should be completed. | ADSB Integrated Business and Human Resources Plan (RDIMS 584501) (refer to 2012-2015 IBHRP, pp 21 to 27) |
Completed | |
|
ADSB | ||
5. Formal methods for setting expectations and measuring the performance of data and client services should be established in branch plans. | ADSB performance measurement strategy as part of the PSC Corporate Performance Strategy | ||
|
PPPD | Completed | |
|
DSAD/PPPD | Completed | |
Operational Strategy 2.2: ADSB performance measurement strategy (refer to 2012-2015 IBHRP, p.26) |
|||
|
DSAD | Completed | |
|
DSAD | Ongoing | |
|
PPPD | Completed | |
|
ADSB | Quarterly | |
6. Management should implement a process to ensure the reasonable accuracy of project time reporting. It should be a reliable source of information used systematically and methodically across the branch. | Operational Strategy 2.2: ADSB performance measurement strategy (refer to 2012-2015 IBHRP, p.26) |
||
|
PPPD | ||
|
PPPD | Completed | |
|
PPPD | Completed | |
|
PPPD | Completed | |
|
PPPD | April 2012 | |
7. ADSB should develop a framework for collecting, storing and managing personal information and address any related shortcomings. | Operational Strategy 1.1: information management guidelines (refer to 2012-2015 IBHRP, p.25) |
||
|
PPPD | Completed | |
|
PPPD | Completed | |
Operational Strategy 2.1: Update and integrate ADSB quality management strategies (refer to 2012-2015 IBHRP, p.26) |
|||
|
PPPD | June 2012 | |
|
ADSB | June 2012 | |
|
PPPD | March 2013 | |
|
ADSB | March 2013 |
Legend:
- ADSB Audit and Data Services Branch
- AD Audit Directorate
- DSAD Data Services and Analysis Directorate
- PPPD Professional Practices and Planning Directorate
- BMS Branch Management Services
- BMC Branch Management Committee