Coordinated Audit of Physical Security Access at the James Michael Flaherty Building at 90 Elgin Street

Note to the readers

This report contains information severed in accordance to the Access to Information Act.

On this page

Statement of conformance

The Internal Audit and Evaluation Bureau has completed an audit of physical security access at 90 Elgin. This audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Bureau’s quality assurance and improvement program.

Executive summary

[This information has been severed]

1. Introduction

The James Michael Flaherty Building is located at 90 Elgin Street in Ottawa and serves as the headquarters for both the Treasury Board of Canada Secretariat (TBS) and the Department of Finance Canada (FIN). The building was constructed between 2013 and 2015, with full occupancy completed in late 2015. It houses approximately half of TBS’s branches and sectors and all FIN employees. It is also the location of meeting and training facilities for both departments.

The building is considered a public access facility because it also houses several private sector businesses, including:

  • a financial institution
  • food establishments
  • other storefront vendors

The building is divided into separate zones, including:

  • public and reception zones in common areas
  • operations zones beyond the turnstiles
  • security zones on TBS’ working floors
  • high-security zones in areas that require further limited access and monitoring

The turnstiles confirm identity electronically.

Physical security access at 90 Elgin involves multiple stakeholders:

  • Great-West Life Assurance Company (GWLAC), the owner and landlord
  • GWL Realty Advisors Inc. (GWLRA), the property manager and a wholly owned subsidiary of GWLAC
  • Public Services and Procurement Canada (PSPC), the custodian and signatory in 2011 for the 25-year lease and property management agreement with GWLAC
  • TBS, the major tenant, as the majority of the personnel in the building are TBS employees
  • FIN, a tenant

Building physical security access is a combined effort between:

  • PSPC, which is responsible for base building security (the part of a multi-tenant building that directly serves and affects all tenants)
  • GWLRA, the property manager which is responsible for maintenance and guard force services (currently supplied by the Canadian Corps of Commissionaires)
  • the tenant departments

As required by the Policy on Government Security, each department’s Departmental Security Officer (DSO) is responsible for:

  • its own security program
  • its physical security access controls
  • their department’s security zones

This program and these controls support departmental operations and ensure the security and integrity of employees, sensitive information and assets.

The level of physical security access controls in place is based on a department’s risk tolerance.

2. Audit details

2.1 Authority

This coordinated audit of physical security access is part of TBS’s approved Risk-Based Audit Plan for 2016 to 2018.

2.2 Objectives and scope

The objective of the audit was to provide reasonable assurance that physical security access controls at 90 Elgin are operating to safeguard:

  • departmental assets
  • information
  • employees
  • authorized visitors
  • delivery of service

The scope of the audit applicable to TBS was determined using a risk-based approach and the audit team’s high-level assessment of risks. The audit covered the management and operation of physical security access controls at 90 Elgin, including (but not limited to) the:

  • base building
  • security zoning
  • TBS access security

The scope of the audit was based on a coordinated approach between TBS and FIN, and it assumed the active cooperation of key stakeholders, including:

  • PSPC
  • GWLAC
  • GWLRA
  • Canadian Corps of Commissionaires

Under the coordinated audit approach, each department examined the physical security activities conducted under its respective responsibility and shared their results. Two distinct reports, one for TBS and one for FIN, were produced. Due to the fact that 90 Elgin is jointly occupied, some observations and recommendations impact only TBS and others impact both TBS and FIN.

The audit period covered to .

The audit did not address any of the following:

  • information technology security
  • physical security access controls at other buildings occupied by TBS
  • the scope of authority entrusted to other federal partners

2.3 Approach and methodology

The audit included various tests and procedures, such as:

  • Interviews
  • document reviews
  • process walkthroughsFootnote 1
  • data analysis
  • physical testing of access controls

Documents from to were reviewed. These documents included:

  • policy instruments
  • agreements
  • meeting minutes
  • reports

Interviews and physical testing were conducted from to .

Detailed lines of enquiry are presented in Appendix A.

3. Audit details

[This information has been severed]

A management response and action plan to address these recommendations has been provided in Appendix B.

4. Overall conclusion

Physical security access controls at 90 Elgin have been implemented and reviewed and are operating with the goal of safeguarding:

  • departmental assets
  • information
  • employees
  • authorized isitors
  • delivery of service

Security measures that have been implemented include:

  • the development of a pre-move strategy in 2013
  • a defined and documented internal governance structure
  • a comprehensive and up-to-date Threat and Risk Assessment
  • the appointment of an executive-level employee to support the DSO

[This information has been severed]

Recommendations have been made to address the issues identified.

Appendix A: audit criteria

Line of enquiry 1: Departmental oversight for security

Audit criteria

1.1 TBS has a clearly defined departmental security management framework that includes a security plan and procedures established to safeguard:

  • employees
  • authorized visitors
  • information
  • assets

The plan also assures the continued delivery of services and has been communicated to all employees.

1.2 Security committees are established to ensure:

  • the coordination and integration of physical security activities
  • the monitoring and reporting of incidents

1.3 The following are defined, documented and understood:

  • accountabilities
  • delegations
  • reporting relationships
  • roles and responsibilities of physical security personnel and organizations

1.4 Departmental plan and procedures have been communicated to employees with security responsibilities and include:

  • physical security
  • building access

Operational information has been communicated to all employees.

Line of enquiry 2: Security operations and controls

Audit criteria

2.1 The physical security zoning of the building’s workplaces is compliant with relevant policies, directives and standards.

2.2 Access controls are implemented to protect the:

  • building
  • floors
  • workplaces
  • common spaces

2.3 Physical security is reviewed and tested periodically.

2.4 Security management ensures that accurate and timely operational information is available to provide effective administrative oversight of departmental resources.

Appendix B: management response and action plan

[This information has been severed]

Page details

Date modified: