Internal Audit Committee Annual Report – 2013-2014

2013-2014

Table of contents

• Introduction
• Context
  • Issues and observations
• Key areas of responsibility
  • Assessment of internal audit function
  • Follow-up on management action plans
  • Values and ethics
  • Risk management
  • Management control framework and reporting
  • External assurance providers
  • Financial statement and public accounts reporting
  • Accountability reporting
• Departmental Audit Committee assessment
• Annex A: Membership and operations of the Internal Audit Committee
• Annex B: Internal Audit Committee annual activity 2013-2014

Introduction

This Annual Report of the Internal Audit Committee (IAC) of the Public Service Commission (PSC) covers the period from April 2013 to March 2014. It follows the guidance provided by the Treasury Board Secretariat (TBS) in Practice Guide: Departmental Audit Committee Annual Report and meets the reporting requirements for Departmental Audit Committees as established in the Directive on Internal Auditing in the Government of Canada.

The report begins with an overview of some important contextual factors. It then provides a summary of the key issues and observations of the IAC during this reporting period, followed by a summary of activities and results in each of the IAC's key areas of responsibility. It concludes with a synopsis of the results of the IAC's annual self-assessment. The annexes provide additional information about the membership, operations and activities of the Committee.

Context

As explained in the IAC's Annual Report for 2012-13, membership on the IAC was renewed through the Treasury Board appointment process in December 2012 (when two external members, including the Chair, were appointed) and March 2013 (when one additional external member was appointed). The four meetings of the IAC that took place during 2013-14 were therefore the first meetings of the fully renewed IAC.

Also during this reporting period a new CAE was appointed following the retirement from the PSC of the previous one. This appointment followed closely an internal reorganization in which the evaluation and internal audit functions, which had previously reported through separate channels, were placed under a single executive. The new CAE is now managing both functions.

With respect to the broader context for the IAC's interactions with PSC's senior management team, four elements stood out during this period:

• First, senior management is leading a comprehensive effort to transform the way the organization does its business. This transformation will require better integration of PSC's policy and oversight functions, and cultural change at all levels in the organization. The end state will be an approach focused on helping departments manage their risks in staffing more effectively and without unnecessarily tight and inefficient controls. This transformation will require sustained leadership over several years. It has therefore been, and will continue to be, a critically-important focus for senior management.
• Second, ongoing implementation of the deficit reduction action plan had a major impact. In addition to providing support to departments implementing reductions, PSC had to take some difficult decisions about priorities and implement some significant structural adjustments to achieve its own reduction targets under the deficit reduction action plan and to align cost-recovery services with reduced demand from departments. These realities required significant attention and hands-on management of risks by senior managers.
• Third, there were some significant changes at the executive management level including the departure of two Vice-Presidents. As a result, several key senior managers were moved into acting positions for extended periods of time resulting in other consequential acting appointments as well. Managing the related challenges during these transitions in leadership was another significant focus for senior managers throughout this period.
• Fourth, while managing so many other issues, the organization also moved from its previous long-time Ottawa location to Gatineau. The fact that the move went smoothly and without major disruption to operations is a tribute to the individual and collective leadership exercised by PSC's senior management team.

At the beginning of this reporting period, as outlined in the IAC's Annual Report for 2012-13, the IAC agreed with the President that it would focus particular attention and support in four key areas: (1) helping PSC deliver on the internal audit plan, (2) continuing to strengthen PSC's corporate approach to risk management, (3) ensuring that internal controls remain robust in the context of ongoing fiscal constraint and (4) assisting in efforts to improve performance measurement and public performance reporting. As outlined in subsequent sections of this report, the IAC engaged the organization in each of these areas during this period and provided significant input and advice.

Although senior managers were understandably focused on addressing some critically-important challenges, the organization engaged the IAC extremely well during its first full year. Management's approach, without exception, has been open, transparent and collaborative. In addition to attending IAC meetings, senior managers, including the President, made themselves available for a number of special briefings and discussions with IAC's external members. In addition, the President sought the perspectives of external members on a number of issues and challenges not directly related to the formal mandate of the IAC, including their perspective on her comprehensive agenda to transform the way PSC does its business. After a year together, the renewed IAC feels it is now well established and fully engaged.

Issues and observations

Based on the results of internal audits over this reporting period and the IAC's engagement in formal meetings and other discussions, the IAC has developed a positive view about the management of the organization and does not have any fundamental concerns or recommendations to highlight in this report. While there are, as noted in the following sections, some areas where continued focus and improvements are required, the IAC believes the organization is on a sound path with respect to risk management, control and governance.

The IAC is encouraged by the way the President and other senior managers have engaged on all issues discussed at IAC meetings. It is also encouraged by the responses of management to the substantive inputs and advice of external members on audits and other issues, including advice on Management Action Plans (MAPs) developed in response to recommendations in audits.

The IAC is particularly pleased to note that significant progress continues to be made on PSC's approach to risk management. The Corporate Risk Profile continues to mature and is now playing a far more important role in the planning and reporting processes. While more work is required to continue to strengthen the organization's approach to risk management, the efforts over the past year have clearly resulted in another quantum step forward in this area.

Looking ahead, one area that will require special attention by management is information management (IM). A comprehensive audit in this area during the reporting period highlighted the need for robust action if the organization is to meet its obligations under government policies on the classification and retention of electronic information. This audit was considered at an IAC meeting in December along with a draft Management Action Plan (MAP), and the IAC provided advice focused on ensuring this plan would achieve the required results. The main thrust of this advice, which was accepted by management, was that the MAP should recognize that cultural change is required and that senior management needs to engage visibly and provide strong leadership. While the IAC is far more comfortable with a revised MAP that was subsequently developed, it will closely monitor progress in the coming year and provide inputs and advice as required.

From an IAC perspective, two other important challenges the organization will face in the coming year will be to continue to make progress on risk management and continue to adapt controls to fit with the changing environment. The IAC considers these challenges to be critical ones for two reasons. First, continued progress in these areas is needed to ensure that internal risks are appropriately identified and managed, and that internal controls are adapted to changing circumstances. Second, continued progress in these areas is needed to help promote the changes in culture needed to succeed in making the transformational changes in how PSC does its business with departments. While senior managers are committed and early progress is clearly being made in these two areas, success will require a sustained effort over the longer term. In this context, the IAC will continue to place a high priority on supporting the organization's efforts to renew its approach to risk management and control over this next year and beyond.

Key areas of responsibility

1. Assessment of the Internal Audit Function

Significant progress has been made over the past year in delivering on the Risk-Based Audit Plan (RBAP) and the IAC is encouraged by the steps now being taken by the new CAE to ensure the audit function provides products that are more valuable to management.

In the previous reporting period, the audit function in PSC experienced considerable difficulty maintaining the capacity to deliver planned audits, mainly due to difficulties in staffing vacant positions. As a result, only two of four planned audits were delivered in 2012-13. This issue was highlighted as an area of concern in the IAC's Annual Report for 2012-13 and was also the primary reason for an overall rating by TBS of “opportunity for improvement” for internal audit in its annual Management Accountability Framework (MAF) assessment for PSC.

Three out of four planned audit engagements were substantially completed in 2013-14 and the fourth one was well under way by the end of the year. This outcome represents significant progress and resulted in an improved MAF rating by TBS (overall rating is now “acceptable”). However, part of this is attributable to the fact that one planned audit was changed into a consulting engagement after the initial risk assessment concluded there were no significant control weaknesses that warranted the conduct of an in-depth audit. While the IAC fully supported this change, the reality is that delays in staffing positions again had an impact during this reporting period and once again only half the planned audits were delivered.

On a more positive note, both of the full audits delivered in the reporting period were conducted in highly professional way and resulted in products that served as a solid foundation for action plans to strengthen organizational practices. One was an Audit of Information Management which highlighted the need for a robust action plan, which is now in place, to meet the requirements of the government policies on the classification and retention of electronic information. The other was an Audit on Cyclical Financial Controls which pointed to the need to strengthen management practices in some specific areas.

Looking ahead, the IAC is encouraged by the steps the new CAE has taken to ensure the audit function provides more valuable products to management. He has already brought forward a comprehensive strategy, which the IAC has endorsed, to strengthen the function over the next three years. This strategy includes measures to manage the risks of unforeseen staff absences and departures so that the Internal Audit and Evaluation Directorate can fully deliver on the RBAP for 2014-17. Following productive discussions in both PSC's Executive Management Committee (EMC) and the IAC, the RBAP has been approved by the President. It is realistic and focused on areas of highest risk, and includes a Core Controls Audit in the first year which will provide broader assurance to the IAC and the President on PSC's internal control framework.

Overall, IAC is pleased that the audit function is being reinvigorated under the leadership of the new CAE. It fully supports the strategies he has recently brought forward to strengthen the function and will provide ongoing advice and support as these strategies are implemented.

2. Follow-up on Management Action Plans

During the year, IAC reviewed progress on the implementation of Management Action Plans (MAPs) in response to internal and external audits. To this point the CAE has tracked the implementation of all items in action plans that have not yet been fully implemented and has reported results at every second meeting. The most recent reports, which were reviewed at the September and March meetings, highlighted some delays in implementing some actions in MAPs. However, these delays were explained to the IAC and are in areas where the risks are manageable. The IAC was generally satisfied with the explanations provided and believes there has been no major risk exposure.

Nevertheless, the IAC believes it needs to follow more closely the implementation of action plans. In this context, it has asked the CAE to report on progress at each IAC meeting so that, as appropriate, it has an opportunity to provide reactions and advice to the President in a more timely way. The IAC has also asked the CAE to develop an instrument to highlight more clearly areas of concern including the CAE's assessment of risks. The first such report was presented at the March IAC meeting and the reporting instrument will be refined over time.

The IAC is confident these steps will help ensure the right level of monitoring and input from members. It is also confident that these steps will directly address the concerns raised by TBS in its latest assessment of PSC's internal audit function where the subcategory related to monitoring and implementation of action plans is the sole remaining area rated as “opportunity for improvement”.

One area where implementation of an action plan has been very decisive is the action plan related to the audit that the Audit and Data Services Branch of PSC conducted on staffing at PSC as a department. This audit and the MAP developed in response to the recommendations were considered by the IAC. Most of the items in the MAP (over 80%), which was fully supported by IAC, have already been implemented. The remaining items, including the use of a third party to independently confirm full implementation, will be completed soon. Given that one of the core roles of PSC is to conduct these staffing audits, an aggressive approach to implementation of this action plan was clearly appropriate, but the speed and effectiveness with which this was done has nevertheless been impressive.

3. Values and ethics

During the reporting period, the IAC again reviewed progress in implementing PSC's Values and Ethics Action Plan and continues to believe that PSC has a very strong values and ethics program. This program is broadly embraced across the organization and is being implemented well. The IAC's perspective on this is consistent with the MAF ratings by TBS for values and ethics at PSC which were completely positive with no gaps identified.

While recognizing the strength of this program, the IAC did make some suggestions to strengthen some of the communications aspects. These included making it clear in the next version of the plan that all Vice-Presidents play a critical leadership role in the governance structure, and making it clear that in addition to effective downward communications from managers to employees, upward communications from employees to managers are critical to success. Management has undertaken to bring more clarity to these issues in the next version of the plan.

The bottom line is that the IAC is fully comfortable with the values and ethics program at PSC. It is clear to members that this program is well organized and robust, and that implementation is effective. This is an area in which, given its mandate, PSC should have a very strong approach, and the IAC is encouraged that it does.

4. Risk management

Significant additional progress was also achieved during this reporting period in strengthening PSC's approach to risk management. Two years ago this was an area that had been identified by both IAC and TBS as one that required more attention by PSC. Since then real progress has been made and the organization has put in place a solid approach.

In its Annual Report for 2012-13, the IAC identified risk management as an area in which it would focus more attention and support to help strengthen PSC's approach. To help external members better understand the risk environment, external members met separately with each of the Vice-Presidents to discuss the risks they are facing and the way these are being managed. These were excellent discussions which helped external members develop a better appreciation of challenges and risks across the organization. It also helped position external members to engage more effectively and provide their advice in the discussions about the Corporate Risk Profile (CRP) that took place at three IAC meetings during this period.

The IAC is now satisfied with the way the CRP is maturing and being utilized in the planning and reporting processes. Senior managers are now fully engaged in identifying risks and impacts at both the corporate and branch levels, and in developing appropriate mitigation strategies to address them. There has been a determined effort to build the right foundation for the organization in this area, and it has been successful.

Nevertheless, PSC needs to continue to develop and strengthen its approach to risk management during the upcoming year. The MAF assessment for the reporting period identified two subcategories of risk management (“accountability” and “risk management results and improvement”) where there the organization's approach could be strengthened. These “opportunities for improvement” reflect the reality that while the main thrusts of a sound approach are now in place, some elements still need to be refined. The IAC believes this should be done during the coming year.

Developing a fully mature approach and culture around risk management, both as a department and as a central agency with a government-wide mission, will require a sustained effort by PSC over several more years. The IAC will continue to do everything it can to support the organization in this area.

5. Management control framework and reporting

In the context of budget reductions and organizational structure changes, a key challenge for PSC in 2013-14 was to ensure that internal controls remained robust. In its last annual report, the IAC identified this as another key area where it would focus particular attention and support. Having done this through regular briefings and discussions with senior managers, including the President and CFO, the IAC is comfortable that internal controls are still effective. For an organization the size of PSC where both formal and informal controls need to complement each other to enable management to achieve its objectives, there appears to be a good balance of the two in place and the IAC is not aware of any major internal control gaps at this juncture.

The IAC also reviewed an Audit of Cyclical Financial Controls focused on revenues and directed contracts. While this audit highlighted the need to more clearly define roles and responsibilities and to update policies and procedures, it also provided assurance that financial controls are generally working well. The IAC made some suggestions to strengthen the action plan which were readily accepted by management, and controls in these areas are now being appropriately fine-tuned.

One outstanding issue in this area is that PSC still does not have a formalized financial management control framework approved by the President. In its last annual report, the IAC signaled its intention to engage on the issue of whether such a framework might be helpful in supporting the President in her role as Accounting Officer. The IAC now believes that the organization should have one. In its latest MAF assessment of financial management and control, TBS also encouraged PSC to complete the development of such a framework. The IAC notes that PSC is now doing this and the work is quite well advanced. An IAC discussion on the draft financial management control framework is now scheduled for the next meeting in June, and the IAC looks forward to providing its input and advice.

Looking ahead, the upcoming Core Controls Audit, which will take a broader look at controls across PSC, will help ensure that the IAC keeps a sufficiently sharp focus on the way that the organization is adapting its controls to fit with the changing environment and that it has an opportunity to provide appropriate input and advice.

6. External assurance providers

The only audit on PSC conducted during this period by an external assurance provider was the audit done by the Audit and Data Services Branch of PSC on staffing in PSC as a department. Consistent with its mandate, the IAC provided advice on the MAP developed by the organization in response to the recommendations of this audit. As noted in subsection 2 of this section, the IAC was pleased with the speed and effectiveness with which this issue was handled by the organization.

Although PSC was not one of the departments directly included in the Horizontal Audit on Compliance with the Policy on Management, Resources and Results Structures conducted by the Office of the Comptroller General (OCG), the IAC also reviewed a self-assessment against the findings of this audit done by the Corporate Management Branch. This self-assessment found that two of the five findings represented a risk to PSC. The IAC was pleased to note that mitigation strategies have been developed and implemented by the Corporate Management Branch to deal with these risks.

7. Financial statement and public accounts reporting

As indicated in the IAC's Annual Report for last year, the Office of the Auditor General (OAG) had, for several years prior to 2011-12, conducted annual audits of PSC's financial statements. In each case the OAG issued an unqualified opinion with no audit adjustment or management letter, thus providing a high level of assurance to PSC and the IAC about PSC's financial statements. However, due to budget cuts at the OAG, this practice has been discontinued.

Given the decision by the OAG to no longer conduct these audits, PSC decided, on the recommendation of the IAC, to conduct internal audits to provide continued assurance that financial management, including internal controls over financial reporting, remains sound. The first such audit, the Audit on Financial Management Controls mentioned previously in this report, was conducted during this past fiscal year. While it pointed to the need to strengthen practices in some specific areas, it provided PSC and IAC with a high level of assurance that the processes supporting financial statements in these areas are fundamentally sound. Internal audit coverage of controls related to financial reporting will continue in the upcoming year with the Core Controls Audit.

With the OAG no longer conducting annual audits of PSC's financial statements, the IAC is also playing a more active role in reviewing and providing input to financial statements, including the statements of management responsibility accompanying them. The current procedure is for IAC to review these statements and provide comments following review by the Chief Financial Officer (CFO) and before sign off by the President. During 2013-14 the IAC reviewed PSC's Quarterly Financial Statements and PSC's submission for the Public Accounts. However, due to timing constraints, the IAC was not provided with an opportunity to review PSC's Forward-Oriented Statement of Operations for 2014-15. It has since been assured that it will be provided with an opportunity to do so in subsequent rounds to fulfill its obligations under the Directive on Internal Audit in the Government of Canada. The IAC has also requested more direct feedback on comments it provides on financial reporting to help strengthen its understanding of the reporting requirements and the value of its comments over time.

Overall, the IAC is confident that the quality of PSC's financial statements remains high. Moving forward, the key challenge will be to ensure controls remain strong as time passes following the rigor of the OAG audits. To assist in this effort, the IAC will continue to monitor developments in this area closely.

8. Accountability reporting

During this reporting period, the IAC reviewed PSC's public performance reports. It also provided comments and advice on its Report on Plans and Priorities (RPP) and Departmental Performance Report (DPR). While the Directive on Internal Auditing in the Government of Canada requires only that the IAC receive these reports, it has, at the request of the President, also provided substantive input and advice on the RPP and DPR. The IAC also reviewed the Performance Measurement Framework (PMF) that supports PSC's accountability reporting.

Overall, the IAC believes that PSC's public performance reports compare favorably with those of other federal government organizations. It is particularly pleased with the way that PSC has integrated its work on risk management and business planning, and has recently included some initial efficiency indicators in the PMF. However, to support the continued development of accountability reporting, as well as to help strengthen the organization's approach and culture around results-based management, the IAC has encouraged further development of the current PMF over the coming year.

Departmental Audit Committee assessment

In accordance with the Directive on Internal Auditing in the Government of Canada, the IAC has conducted a self-assessment for the reporting period based on an adapted version of the Departmental Audit Committee Self-Assessment Tool developed by the Office of the Comptroller General. Since this reporting period was the first year for the IAC with an external chair and the first year on the IAC for the two other external members, this self-assessment was particularly timely. The feedback, which comes from the four IAC members as well as the CFO and CAE, can be succinctly summarized as follows:

• First, the overall formula is working. The IAC has an appropriate number of members with the necessary skills and expertise to fulfill its mandate. Members act with independence and objectivity. They make the contributions they want during meetings and feel free to challenge the chair as appropriate. Differences of opinion are generally resolved to their satisfaction. External members fully understand and respect the line between their role and the role of management.
• Second, external members are well supported by PSC in fulfilling their mandate. The President has welcomed their inputs and advice, and the Vice-Presidents and other senior managers, including the CFO and CAE, have engaged them with energy and candor. External members have also been well supported in terms of materials and logistical arrangements.
• Third, after a full year together, external members believe their contributions in some areas could be strengthened. Possible near-term adjustments to do this include extending the length of meetings so that the discussion of agenda items is not rushed (an adjustment the President has already indicated she fully supports) and refining the process for engaging on financial statements and other key accountability documents to ensure the provision of timely and useful inputs by external members.
• And finally, external members would like to develop a better sense of the impact their interactions with management are having on risk management, controls and governance in PSC. While the impact of advice is obviously not easily measured, this feedback points to the need for further discussions among IAC members and with PSC senior managers about how, moving forward, the IAC might be able to assess the degree to which it is adding value.

After operating together for one full year, this is an opportune time for the members of the renewed IAC to take stock and make adjustments for the next stage. In this spirit, the results of this year's self-assessment will be reviewed by members at the IAC meeting in June to ensure a consensus on next steps.

Annex A: Membership and operations of the IAC

Membership of Audit Committee

The IAC has three external members, Keith Coulter (Chair), Hélène Fortin and Jim Lahey, and one internal member, the President of the PSC, Anne-Marie Robinson.

The IAC complies with all of the membership provisions in Section 6.4 of the Directive on Internal Auditing in the Government of Canada:

• Three of the four members are external members recruited from outside the federal public administration. The internal member is the Deputy Head.
• The three external members were jointly selected by the President and the Comptroller General, and their appointments were approved by Treasury Board.
• External members have an appropriate diversity of skills, knowledge and experience. One is a former Deputy Minister who also has senior management experience in the Canadian Armed Forces and the private sector. Another is a former Associate Deputy Minister with a wealth of experience in public administration including experience in the Privy Council Office directly supporting implementation of the Clerk's priorities on public service renewal. The third has extensive private sector experience in accounting, finance and governance, including service on Boards of Directors.
• This is the first term for all external members. The Chair was appointed to a three-year term (December 2012 to December 2015). Another member was appointed to a three-year term (March 2013 to March 2016) and the other to a four-year term (December 2012 to December 2016). This built-in stagger, coupled with careful decisions about term lengths for any renewals, should help ensure good continuity in the coming years.
• The IAC approach now follows “the preferred model” defined in the Directive with an external member serving as the Chair.
• All external members are familiar with public sector financial reporting. Two of them have extensive experience in reporting as former senior federal public servants and the other is a practicing Chartered Accountant with FCA, FCPA and ICD.D designations. In addition, all of them are members of the Departmental Audit Committees (DACs) of other departments, and one of them serves as the DAC Chair for a large department.
• Consistent with the Terms of Reference for the IAC, the Chief Financial Officer (Vice President Corporate Management), the Chief Audit Executive and the Director General Finance and Administration attend all IAC meetings as ex-officio members.
• Also consistent with these Terms of Reference, the quorum for meetings is a simple majority of members and no alternates are permitted.
• In addition to the VP Corporate Management, the other four Vice Presidents also attend the IAC meetings as observers.
• External IAC members are all free of any real or perceived conflict of interest, and fully understand that any such conflict, real or perceived, should be discussed immediately with the Chair and the President.

Operations of Audit Committee

The IAC has a comprehensive Terms of Reference which is approved by the President. These Terms of Reference, which were reviewed and updated during this reporting period, outline in a comprehensive and practical way the roles, responsibilities and operations of the IAC and are closely aligned with the new Policy on Internal Audit and Directive on Internal Auditing in the Government of Canada.

Consistent with the Terms of Reference, which establish the frequency of IAC meetings, the Committee met four times during the reporting period. All meetings were face-to-face and all members attended all meetings. In addition, the Committee met with the Commissioners of the Public Service Commission to discuss the previous annual report. This meeting, which takes place annually, represents a valuable opportunity for the IAC to exchange perspectives on the major issues and challenges facing the organization and the Commission.

The incremental cost of running the IAC over the reporting period was $67,900. Most of this amount ($66,400) was for direct compensation to external members in the form of payroll expenses. With only one member commuting from a nearby location (Montreal), travel expenses of $1,000 represented only a small proportion (1.5%) of overall expenditures. The remainder of the cost ($500) was for miscellaneous expenses including hospitality.

In-camera meetings were held as part of each IAC meeting. This included separate sessions with the CAE and CFO, and sessions with members only both before and after the IAC meetings. These in-camera sessions have become an important part of the routine around IAC meetings, especially the sessions with members only which facilitate frank discussions with the President.

To ensure the IAC addresses its responsibilities, the Chair prepares, with the assistance of the CAE, a forward agenda and activity plan for each upcoming year. This plan is approved by the President. The forward agenda and activity plan are discussed at each meeting, so members have an opportunity to provide input on a regular basis.

Following a preparatory meeting of external members, the Chair drafted this report with the CAE providing background information and fact checks as requested. The draft report was then circulated to the other external members for comments and a second draft was prepared. This second draft was reviewed by external members, the CFO and CAE. The President then reviewed the revised report and provided her comments to external members before the report was finalized.

Consistent with the requirements outlined in the recent Directive on Internal Auditing in the Government of Canada, the views expressed in this annual report are entirely and exclusively those of the independent external member.