Audit Committee Annual Report 2019-2020

Foreword from the External Members of the Audit Committee (AC)

We are pleased to submit the Annual Report of the external members of the Audit Committee to the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2020. The report reflects a summary of the oversight work carried out by the Committee.

While no longer a reporting requirement under the Treasury Board (TB) policy, the Audit Committee’s external members continues to table an annual report on the AC’s activities, as it provides useful information on the work of the committee and their independent perspective on the OPC’s risk management, control and governance processes. The views expressed in this report are entirely those of the external AC members.

As it has observed over the past several years, the AC noted the Office’s continued focus on results and performance. Notably, the OPC implemented the results of a major organizational review, including a realignment of the Office’s organizational structure. The Office also received new funding as a result of Budget 2019, allowing it to enhance its organizational capacity to respond to a rapidly evolving privacy landscape. These activities were informed by the OPC’s strategic privacy priorities in serving the needs of Canadians, as well as by strategic planning and risk management practices that continue to mature and be integrated into various facets of the organization’s work. These are crucial governance elements as the Office navigates the increasing demands of a dynamic and challenging strategic and operating environment.

Notably, the importance of the Office’s focus on strong governance and risk management practices became even more evident as the impact of the COVID-19 Pandemic started to be felt at the end of the 2019-2020 fiscal year. In response, the AC is adapting the format and frequency of its meetings, as the organization puts enhanced risk, control, and governance processes in place to navigate through this unprecedented time.

The soundness of OPC’s accounting and financial reporting practices is evidenced by the results of the testing of the controls over financial reporting and the fifteenth straight unmodified (i.e. ‘clean’) audit opinion the Office of the Auditor General rendered on the 2018-2019 financial statements.

We sincerely appreciate the Commissioner’s continued strong interest and support for the Audit Committee. We would also like to thank OPC’s Executive team, and in particular, the Corporate Management Sector for their continued hard work and assistance to the Audit Committee.

1.0 Introduction

The external members of the Office of the Privacy Commissioner Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities, observations and advice in the fiscal year 2019-2020, pursuant to the approved AC Terms of Reference.

In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive input.

The Audit Committee’s review of, and observations on, each of the Committee’s oversight areas^{Footnote 1} are detailed in Section 4 of this report.

2.0 Role and Membership of the Committee

The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities, and accountability reporting.

The AC is composed of the following members:

• Suzanne Morris, CPA, CA, Chair, external member
• Elisabeth Nadeau, external member
• Daniel Therrien, Commissioner, ex-officio member

In addition, the following OPC staff attend AC meetings:

• Chief Audit Executive (CAE), Daniel Nadeau, Deputy Commissioner, who is also the Chief Financial Officer (CFO)
• Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning, Performance, Audit and Evaluation.

The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner.

To deliver on its approved Terms of Reference, the Audit Committee developed a 2019-2020 Work Plan that was reviewed and approved at the Committee’s June 2019 meeting. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments.

As part of the annual discussion of the Audit Committee’s Annual Report, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. Further, a process for declarations of conflict of interest is in place, whereby members complete a written annual declaration form, which is reviewed by the CAE.

3.0 Summary of 2019-2020 Audit Committee Activities

The sections that follow summarize key activities and areas of focus for 2019-2020 to further strengthen management and oversight practices across the OPC.

3.1 Meetings

The AC held three meetings during the fiscal year as follows:

• June 25, 2019;
• August 22, 2019; and
• December 13, 2019.

Further, the Audit Committee’s fourth planned meeting for the year, usually held in March, took place following the lockdown implemented in light of the Covid-19 outbreak. It was held on April 8, 2020 via a conference call.

At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments across the organization since the last meeting as well as possible issues or opportunities that could impact the organization. In this regard, the early April 2020 meeting included a briefing on the impacts of the emerging COVID-19 situation and a discussion of business continuity and other measures put in place by management to adapt OPC’s operations.

As part of its annual meeting schedule, the AC continued its practice of holding an informal discussion with the OPC’s Deputy Commissioners. This provided insight into their leadership perspective regarding the Policy and Promotion and Compliance Sectors’ priorities, challenges, operating context, key risks, and areas of focus.

All of these discussions provided members with valuable context and insights that allowed them to stay current on the organization key areas of business and to gain a better understanding and appreciation of the swiftly changing operational context within which the organization operates. These discussions also allow an opportunity for AC members to provide the Commissioner with strategic advice on new or emerging areas or issues facing the OPC.

Minutes are prepared for each meeting and circulated electronically between meetings for review and recommended approval. Following the Committee’s recommendation, the Chair formally signs them to clearly convey this approval.

As part of the Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. In-camera meetings were also held with external providers of internal audit related services. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence. The external members also meet in camera to discuss issues as required.

Again this year, the external members attended the annual Departmental Audit Committee (DAC) Symposium organized by the Treasury Board (TB) in November 2019, to enhance their understanding of the OPC’s environment and of relevant issues and developments across the public service. The Chair also participated in a related meeting of all DAC Chairs.

3.2 Transparency

Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports and approved internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office. Work was also completed during the year to enhance the electronic availability of AC information on the OPC’s intranet site.

4.0 Core Areas of Responsibility

The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with input that helps strengthen governance, risk management and control processes and practices across the OPC.

4.1 Values and Ethics

Values and Ethics (V&E) continues to be an area of importance for management and the AC. During the year, the Committee reviewed and discussed the annual report on values and ethics, conflict of interest (COI) and post-employment measures, which summarize the OPC’s activities related to its V&E program. No areas of concern were noted in the annual report.

The Committee discussed the governance model around V&E, and related promotion and awareness efforts deployed during the past year within the OPC to ensure that values and ethics are embedded in the organizational culture. V&E training is now mandatory for all employees and is to be renewed every 5 years. Management and Committee members discussed the process in place to ensure the tracking of training activities and plans to continue building on achievements to date. Members noted that planned V&E training is particularly important given the addition of new human resources this year as a result of increased funding under Budget 2019.

4.2 Risk Management

A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year as part of the strategic planning process. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring. It is a crucial input into the organization’s strategic planning process and the development of the OPC’s Departmental Plan (DP), a key accountability document in the Estimates process.

As in prior years, as management monitors developments throughout the year, the external members looked to be apprised of any changes to key risks as well as the effectiveness of risk mitigation strategies. Notably, at its April 2020 meeting, the AC received a verbal update on corporate risks in the context of the evolving COVID-19 situation. More frequent Audit Committee meetings are planned during 2020-2021 to monitor continuing developments with respect to the pandemic, and their impact on OPC’s plans, processes, and operations.

4.3 Management Control Framework (MCF)

On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results.

As an Agent of Parliament, OPC is not subject to the Management Accountability Framework (MAF) assessment undertaken by Treasury Board of Canada Secretariat. Notwithstanding this, the OPC utilizes the TBS tool to carry out a self-assessment of the organization’s management control processes and practices. The external members continued to be pleased with management’s commitment to build on the strengths evidenced through this assessment, and to continually strive to improve in an efficient and effective manner.

At its December meeting, the Committee received an update on management’s efforts to implement action items following the 2018-2019 MAF self-assessment, which focused on three areas: People Management, Financial Management and Information Management and Information Technology (IM/IT). The majority of action plan items are underway, and the AC will follow their progress as well as the development of future initiatives in these critical areas.

Earlier in the year, the AC received a briefing on the OPC’s IM/IT Strategy, including current and planned projects. This included an overview of the IM/IT vision, principles and methodology to update the strategy. A key area of focus is the development of a data management program and the creation of business intelligence capacity within the Office. A data maturity model assessment is underway, and the results of this work will be presented to the Audit Committee as plans for the implementation of the data management program are completed.

A summary of other areas of the MCF examined and input provided by the external members follows.

4.3.1 Internal Controls over Financial Reporting (ICFR)

Using an outside consulting firm, OPC tested key internal controls over financial reporting with respect to payroll processes for the 2018-2019 reporting cycle. At its June meeting, the AC received the results of this work, noting that a new review and verification process was introduced towards the end of the testing period, including improved manual procedures required to address ongoing issues with the Phoenix pay system.

The AC also discussed with management the additional monitoring practices that continue to be in place so that OPC’s Finance and HR functions can stay on top of issues with the payroll system, including regular oversight meetings with the CFO.

As part of the governance process, the external members of the AC met in-camera with the representative of the external firm who performed the ICFR testing. The AC was pleased with the overall results of the ICFR testing and management’s commitment to continuous improvement.

4.3.2 Financial Resource Management

In an environment of growing workloads, financial resource management continues to be critical to supporting the organization in effectively managing its resources and the AC was pleased to note the increase in funding received by the OPC as a result of Budget 2019 and the strong business case put forward by the Commissioner. This new funding will help the organization deliver on its mandated obligations in the face of the exponential growth of the digital economy. The AC received an update on the OPC financial situation at each meeting, as well as a briefing on the financial results, management of the new funding and carry forward/reprofiling requests for 2019-2020. These updates highlighted the due diligence and rigour OPC management undertakes to manage an expanding mandate with limited additional resources.

4.3.3 OPC’s Organizational Structure and HR Strategy

Over the last few years, the Office implemented a new strategically focused Departmental Results Framework (DRF), consolidated its programs and put in place a new organizational structure to ensure greater alignment and integration of activities, roles, and responsibilities.

At each AC meeting during the year, management continued to brief AC members on progress made to operationalize these strategic initiatives. In 2019-2020, the focus was on plans to staff executive positions, and the implementation of a new OPC Committee structure and related terms of reference.

As the OPC’s operations continue to rapidly evolve and workloads increase, its HR Strategy will be particularly important to effectively support various aspects of people management at the Office. At its December meeting, the AC received an overview of the work done to date to develop the OPC’s strategic vision and plans for human resource management. The Committee discussed in detail the major themes emerging from this work and members provided suggestions to ensure that the HR strategic plan is aligned with the needs of the organization and that it is focused on bridging any noted gaps. Members appreciated the opportunity to review and provide input as the plan is being developed.

4.3.4 Public Service Employee Survey

At its June meeting, the Committee received an overview of the results of the most recent Public Service Employee Survey (PSES), noting that for the first time, results were available by organizational unit, enabling management to better analyse and address issues more effectively. Management presented the strengths and challenges that emerged from the survey, and the steps taken and planned to address and leverage the results. The survey is a useful tool to take the pulse of the organization. While it is no longer mandatory, management is of the view and the AC concurs that it should continue to be carried out on a regular basis.

4.3.5 Quarterly Financial Reporting

The AC reviewed and provided feedback on the OPC’s 2019-2020 1^st, 2^nd, and 3^rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commend management for the clarity and conciseness of the reporting.

4.4 Internal Audit Function

The Audit Committee plays an active oversight role of the OPC’s internal audit function. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner.

The Committee concurs with and continued to monitor the mechanisms in place at the OPC to ensure the independence of the internal audit function, a model which has served the Office well over several years and which was reaffirmed by an External Practice Inspection conducted in 2019-2020 as being in conformity with the Institute of Internal Auditors’ International Professional Practices Framework. At its April 2020 meeting, the AC received the results of the External Practice Inspection and action plan, with the OPC Internal Audit function receiving the highest rating of ‘Generally conforms’ in all areas of inspection. The practice reviewers commented on the nimbleness of the function, its effectiveness in carrying out its mandate with limited resources, and on how it is well respected within the organization.

The OPC’s in-house internal audit capacity consists of a Director, Business Planning, Performance, Audit and Evaluation, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Corporate Management Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of the Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. These arrangements enable OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Professional Accountant, Chartered Accountant (CPA, CA), with significant internal audit expertise, also provides guidance to support the enhancement of this function and its independence and oversight throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.

In 2018-2019, an updated RBAP was developed and approved, informed through consultations with all OPC executives and the AC Chair. An update was provided at the AC’s December meeting on the implementation of the major year-one project under this plan - a cybersecurity audit and maturity assessment. The project was scoped, the external service provider selected, and the audit component of the project subsequently achieved substantial completion by the end of the 2019-2020 fiscal year. The project has been led by the Chair of the Audit Committee, supported by internal resources, as it focusses on an area that falls within the scope of responsibilities of the CAE in his role as Deputy Commissioner of the Corporate Management Sector. Results of this important project will be presented at a forthcoming AC meeting in 2020.

4.5 External Assurance Providers

As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements.

The OAG Audit Principal and Audit Project Leader attended the AC’s August 2019 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2019 was also a key document reviewed and discussed at this meeting. For the fifteenth (15^th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter.

Representatives from the OAG attended the Committee’s April 2020 meeting to discuss the status of plans for the annual audit of OPC’s 2019-2020 financial statements. Given the developing COVID-19 situation, the OAG representatives expect a delay in completing the audit for the 2019-2020 year and will continue to work with OPC management to determine the expected timing of their audit procedures.

OPC management and the AC periodically look for opportunities to leverage lessons learned from external assurance providers in other areas of government. At the request of the AC, a summary report was prepared and circulated to members, covering relevant system-wide audit engagements performed by external service providers across the federal government in 2019-2020. This was a useful exercise, which provided valuable insights on opportunities to continue enhancing business processes.

4.6 Follow-up on Management Action Plans and Open Government

The AC monitors management’s progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management’s progress in implementing outstanding actions. In 2019-2020, there were no outstanding management action from previous year internal audits.

At the December meeting, an update was provided on the open government initiative and the OPC’s ongoing efforts to achieve compliance with new requirements under Bill C-58.

4.7 Financial Statements

As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. As noted in section 4.5 of this report, at their August meeting AC members reviewed the OPC’s 2018-2019 audited financial statements, and discussed them with the Deputy CFO, CFO, and representatives from the OAG. Following the discussions, the AC recommended that the Commissioner approve the financial statements.

4.8 Accountability Reports

The external members reviewed the OPC’s draft 2018-2019 Departmental Results Report (DRR) and the draft 2020-2021 Departmental Plan (DP). AC members provided recommendations to management prior to these reports being approved by the Commissioner.

5.0 TB Policy Reset Initiative

During the year, the AC continued to be briefed on the Treasury Board Policy Reset Initiative. At the December meeting, management provided an update on the recently approved and revamped Policy on People Management and the Policy on the Management of Executive and its corresponding twenty-two Directives. AC members will be kept apprised of efforts underway by the OPC to review key changes, identify next steps and determine the work required to address any gaps with respect to the new policy and directives.

6.0 Looking Ahead

Over the coming year, the Committee looks forward to providing oversight as well as advice to the Commissioner. Ongoing developments in the COVID-19 situation are defining a new reality in the face of which it will be imperative for the organization to respond quickly and effectively. The “new normal” will test the organization’s governance, its operational agility and control framework. The Committee will pay attention to how the organization responds to these challenges as well as to impacted key areas such as business critical risk management, decision-making, people management, financial management, program delivery, business continuity and resumption, change management and communications.

An important area of focus for the Committee will be to ensure that potential control gaps are quickly and effectively addressed. In that context, the Committee will look forward to discussing how the organization plans to recalibrate both the Corporate Risk Profile (CRP) and the Risk Based Audit Plan (RBAP).

In light of the challenging environment, the Committee will encourage the organization to adopt a strategic approach to completing the development of the HR and IM/IT strategies, plans and initiatives to support the OPC’s expanding mandate and the rapid evolution of privacy issues in the digital environment. Similarly, the finalization of the cyber security audit and maturity assessment as well as the associated action plans will be important priorities.

Finally, the Committee will follow with interest the implementation of new/revised TB policies and OPC’s compliance with associated requirements; implementation of MAF action plans; and plans to address the Open Government Directive, while recognizing that the timelines of some of these activities may need to be adjusted.