External Members of the Audit Committee Annual Report 2024-2025
Foreword from the External Members of the Audit Committee (AC)
We submit herewith the Annual Report of the External Members of the Audit Committee of the Office of the Privacy Commissioner of Canada (OPC), for the year ended March 31, 2025. The report presents an overview of the activities carried out by the Committee consistent with its practice to be transparent and to provide useful information on its work in support of OPC’s risk management, control, and governance processes. As in previous years, we endeavored to provide independent competent advice and to make a useful contribution to support the Commissioner in his role as accounting officer. The views expressed in this report are entirely those of the External Members of the Committee.
Against a backdrop of increasingly complex privacy issues, the Office worked to stay ahead of the increasing pace of technological advancement, prepared for potential privacy law reform, and initiated a major transformation of its structure and the way the Office works to achieve its objectives efficiently and effectively. As evidenced by our report, we believe the Office of the Privacy Commissioner responded well to these challenges while maintaining an effective regime of risk management, control, and governance processes.
We would also like to thank OPC’s Executive team, and in particular, the Enabling Services Sector for their ongoing diligence and assistance to the Audit Committee.
Carmen Vierula, FCPA, FCA, CIA
Liette Dumas-Sluyter, CPA, CMA, CIA
1.0 Introduction
The external members of the OPC’s Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities in the fiscal year 2024-2025, pursuant to the approved AC Terms of Reference.
In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to oversee control and governance processes and best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive input.
The Audit Committee’s review of, and observations on, each of the Committee’s oversight areas [Footnote 1] are detailed in Section 4 of this report.
2.0 Role and Membership of the Committee
The role of the Audit Committee (AC)’s external members is to provide the Commissioner with independent and objective guidance and advice about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities, and accountability reporting.
The AC is composed of the following members:
- Carmen Vierula, FCPA, FCA, CIA, Chair, external member
- Liette Dumas-Sluyter, CPA, CMA, CIA, external member
- Philippe Dufresne, Commissioner, ex-officio member
In addition, the following OPC staff attend AC meetings:
- Richard Roulx, Deputy Commissioner, Chief Audit Executive (CAE) and Chief Financial Officer (CFO)
- Chantale Roussel, Secretary to the Committee and Director, Strategic Management Directorate.
The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR) document. These TOR are periodically reviewed, updated as required, and reaffirmed by the Commissioner. To deliver on its approved Terms of Reference, the AC developed a 2024-2025 Work Plan. Progress against the plan is monitored throughout the year to ensure the Committee delivers on its commitments.
As part of the annual discussion of the Audit Committee’s work plan, members review and attest to being free of any real or perceived conflicts of interest that could impede their independence and objectivity. No issues have been noted in this regard. A process for declarations of conflict of interest is in place, whereby members complete a written annual declaration form, which is reviewed by the CAE.
3.0 Summary of 2024-2025 Audit Committee Activities
The sections that follow summarize key activities and areas of focus in 2024-2025, together with advice provided to further strengthen management and oversight practices across the OPC.
3.1 Meetings
The AC held four formal meetings relating to the fiscal year as follows:
- June 19, 2024
- September 13, 2024
- December 17, 2024
- March 31, 2025
At the start of each AC meeting, members engaged in an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key developments since the last meeting as well as emerging matters or opportunities that could impact the OPC. These included briefings on the Office’s strategic and operational plans, and a discussion of corresponding measures put in place to manage risks. Ongoing updates were provided concerning significant legislative reform developments and their potential operational impacts, as well as the approach and implementation of the Office’s transformation of its organizational structure to position itself to best deliver on its strategic priority of protecting and promoting privacy with maximum impact.
As part of the Audit Committee meetings, the external Committee members held in-camera discussions with the Commissioner, the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG and other external professional service providers when in attendance. These in-camera segments provide an opportunity for these officials and representatives to raise and discuss any sensitive issues in confidence.
In addition to the formal AC meetings, the external members of the Audit Committee held periodic check-in calls with the Deputy Commissioner, Enabling Services Sector and CFO/CAE, and the Secretary to the Committee/Director, Strategic Management Directorate. Through these calls, external members received further updates on the evolving operating context, along with a discussion of the impact of these developments on the Office’s plans, priorities, finances, operations and people.
On October 16, the external members of the AC participated in the OPC Showcase. This event was organized for OPC staff by OPC staff to highlight the incredible work being done across the organization, where each directorate had a booth to share their mandate and the work they do, allowing for a deeper understanding of the diverse and impactful efforts across the OPC. AC members also toured the technology analysis laboratory that provides support for research and investigations related to emerging technologies such as artificial intelligence, biometrics, digital ID, and privacy-enhancing technologies like de-identification, in addition to cybersecurity.
The AC external members attended the annual Departmental Audit Committee (DAC) Symposium, organized remotely by the Treasury Board Secretariat (TBS) in November 2024. This informative event enhances DAC members’ understanding of relevant issues and developments across the federal public service and fosters the sharing of governance best practices.
These discussions and visits provided members with valuable perspective and insights that allowed them to stay current on the OPC’s key areas of business.
3.2 Transparency
Audit Committee information is publicly available on the OPC website. This includes biographies of the AC members, the Committee’s Terms of Reference, annual reports, and internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.
4.0 Core Areas of Responsibility
The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with input that helps strengthen governance, risk management and control processes and practices across the OPC.
4.1 Values and Ethics
Values and Ethics (V&E) continues to be an area of importance for management and the AC. At its June 2024 meeting, the Committee discussed with management the 2023-2024 annual report on values and ethics, conflict of interest (COI) and post-employment measures. This report is shared with all OPC employees and is presented to the AC to inform members of the mechanisms in place to promote and ensure compliance with V&E at the OPC. No areas of concern were noted. An overview of the V&E activities planned for the coming year was also provided.
4.2 Risk Management
4.2.1 Risk Management Framework
A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined generally annually as part of the strategic planning process. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring and is a key input into the organization’s strategic planning processes and the development of its operational plans. The CRP also serves as a key input into developing the Office’s annual Risk-based Internal Audit Program.
As part of its 2024-2025 Audit Committee meetings, the AC received verbal updates from management on corporate risks including any changes to the key risks as well as the effectiveness of risk mitigation strategies. As previously described, recurring check-in meetings were also held during the year to keep informed of the impact of continuing developments on OPC’s plans, processes, and operations.
An area of AC focus in the coming year is the project to develop a risk appetite framework to define the organization’s risk appetite and tolerance, which will be initiated in the spring of 2025. The AC external members reviewed the draft terms of reference of the work to be conducted with the support of an external professional.
4.2.2 OPC Transformation
At its September 2024 meeting, the AC external members were briefed on the OPC’s planned approach for its transformation to optimize its programs and services to respond more rapidly and effectively to emerging issues with greater collaboration and cohesion and with increased opportunities for employee growth and development. [Footnote 2] The members were satisfied that the planned approach was comprehensive, inclusive through its consultations with employees, and transparent.
The AC members continued to be informed and were engaged in discussions with the Commissioner and other OPC leaders during the development and implementation of the transformation plan: Forward Together: Maximizing Efficiency, Impact and Innovation. This major transformation allows the Office to reimagine how it protects and promotes privacy in a digital age. It is an opportunity to consider how the OPC can do things differently to keep having an impact in an evolving and challenging landscape. The risk management approach of the transformation and resulting implementation of changes in internal controls will continue to be a focus of the AC in the coming year.
In this context, the AC agreed that it was appropriate to defer the update of the risk-based audit plan to later in 2025-2026 once the OPC transformation has advanced sufficiently for management to be engaged in the risk assessment.
4.3 Management Control Framework (MCF)
On a regular basis, management updates the AC on its key management control processes, along with procedures adopted to mitigate any concerns towards achieving results. A summary of the areas of the MCF examined and input provided by the external members follows.
4.3.1 Internal Controls over Financial Reporting (ICFR)
As part of its cyclical ICFR testing plan, work was carried out by an external professional services firm in 2024-2025 on the controls over the payroll process, with the completed results reported to the Audit Committee at the September 2024 meeting.
In addition, work was carried out by the firm to update the OPC’s Financial Management Control Framework which it adopted in 2015, with an Internal Control Financial Management (ICFM) framework. The AC reviewed the enhanced ICFM framework at its December 2024 meeting. The framework considers an environmental scan and review of OPC’s control environment. The framework documents roles and responsibilities, risk assessment elements and a five-year monitoring plan. The plan is designed to ensure that ongoing control testing focuses on the highest risk areas, and to ensure that changes in risks are considered and any needed amendments to the multi-year monitoring plan are made. The enhanced ICFM framework demonstrates OPC management’s commitment to effective and efficient internal controls in its financial management. The AC will follow the implementation and continuous improvement of the framework.
4.3.2 Financial Resource Management
Considering the increasing complexity and volume of privacy protection issues, the growing digital economy and now deferred privacy legislation reform, financial resource management continues to be critical to supporting the organization in effectively managing its resources in an environment of significantly growing workloads. The AC received an update on the OPC financial situation at each of its meetings. Briefings were also provided regarding the approach to assessing the financial and operational implications of potential legislative reform for the Office and of its transformation. These updates highlighted the due diligence with which OPC management strives to manage its resources in fulfilling its priorities in its Strategic Plan 2024-2027.
4.3.3 Quarterly Financial Reporting
The AC reviewed and provided feedback on the OPC’s 2024-2025 1st, 2nd, and 3rd Quarterly Financial Reports. Treasury Board Secretariat prescribes the format of these reports, and members did not note any concerns but rather once again commended management for the clarity and conciseness of the reporting.
4.3.4 Human Resources Management
The AC reviewed in September 2024 the OPC’s planned approach to develop the next strategic human resources plan. The AC observed that the plan was comprehensive, including mechanisms to support effective human resources management.
4.4 Internal Audit Function
The Audit Committee plays an important advisory role in supporting the Commissioner in his oversight of the OPC’s internal audit function. The mandate, roles and responsibilities, and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter which is periodically reviewed and recommended for approval by the Audit Committee and formally approved by the Commissioner.
The Committee concurs with and continues to be kept apprised of the mechanisms in place at the OPC to ensure the independence of the internal audit function. The Office’s model has served it well over several years and was reaffirmed by an External Practice Inspection conducted in 2019-2020, with the OPC Internal Audit function receiving the highest rating of “Generally conforms” in all areas of inspection.
In 2024-2025, the OPC hired an external auditor to support the Internal Audit function with the transition to the new audit standards that came into effect in January 2025, and to help the function prepare for the five-year external inspection scheduled for next year. This will be an area of focus for the Audit Committee in the coming year.
The OPC’s in-house internal audit capacity consists of a Senior Analyst, Results, Audit and Evaluation, and a Director, Strategic Management Directorate, with oversight by the Chief Audit Executive (CAE). The CAE, who is also the Deputy Commissioner, Enabling Services Sector and Chief Financial Officer, reports directly to the Commissioner. To augment the in-house capacity and support the independence of the audit function, OPC continues to periodically co-source the development of its Risk-based Audit Plan (RBAP). In addition, individual internal audit and ICFR engagements are co-sourced with outside professional services firms. This approach enables OPC to retain oversight of the internal audit function while leveraging the independent expertise and experience of internal audit professionals.
The AC Chair, who is a Chartered Professional Accountant with significant internal audit experience, also provides guidance to support the enhancement of this function and its independence throughout the year. In addition, the external members of the Committee meet in camera with representatives of the outside professional services firms. They also hold quarterly in-camera sessions with the CAE and an annual in-camera discussion with the Commissioner to provide input into the performance appraisal of the CAE.
During 2024-2025, the Internal Audit function engaged the services of an external professional services firm to conduct a Review of the Management Framework for Employee Training and Development. This review had been identified within the Office’s 2023-2024 updated Risk Based Internal Audit Plan (RBAP), which was recommended by the Audit Committee and approved by the Commissioner. The plan was developed taking into consideration key organizational risks, the operational context and the level of change and transition taking place in the coming year. Given the strategic importance of strengthening organizational capabilities in a rapidly evolving privacy landscape, employee training and development was the chosen area of focus for 2023-2024; however, the work was completed this year.
The review engagement was supported by internal resources and overseen by the Chair of the Audit Committee as it focused on an area that falls within the scope of responsibilities of the CAE in his role as Deputy Commissioner of the Enabling Services Sector. The objective of the project was to assess the adequacy of the OPC’s framework supporting training, learning and development program to ensure it enables and supports the OPC in achieving its mandate and objectives. The results and action plan were presented and discussed at the December 2024 AC meeting. The lead on the external review confirmed that the OPC was well positioned to manage its employee training and development activities. He added that the team’s recommendations were aimed to further improve the framework and optimize its performance. The AC noted that the management framework is an important mechanism to support OPC’s transformation.
4.5 External Assurance Providers
As in past years, the Office of the Auditor General (OAG) carried out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements.
The OAG Audit Principal attended the AC’s September meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2024, was a key document reviewed and discussed at this meeting. For the twentieth (20th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG.
The Audit Principal’s representative from the OAG also attended the Committee’s March 2025 meeting to present the plan for the annual audit of OPC’s 2024-2025 financial statements.
4.6 Follow-up on Management Action Plans
The AC is kept apprised of management’s progress in implementing management action plans stemming from internal audit and internal control reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a periodic basis, the Committee receives and reviews a report on management’s progress in implementing outstanding action items. At its December meeting, the Committee received and reviewed a status update on the action plans resulting from two previous internal audit reports, the 2020 cybersecurity audit and maturity assessment, and the 2022 internal audit of information management (IM). The Committee noted the progress made since its last update and will continue to be informed on progress on implementing action plans in these important and evolving areas. The AC concurred with the importance of ensuring that the OPC’s internal practices for acting against breaches are as good as, if not better than, those that the OPC requires of other organizations.
4.7 Financial Statements
As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. As noted in section 4.5 of this report, at their September meeting AC members reviewed the OPC’s 2023-2024 audited financial statements and discussed them with the Director of Finance, the CFO, and the OAG Audit Principal. Following the discussions, the AC external members recommended that the Commissioner approve the financial statements.
4.8 Accountability Reports
The external members reviewed the OPC’s draft 2023-2024 Departmental Results Report (DRR) and the draft 2025/2026 Departmental Plan (DP). AC members provided comments to management prior to these reports being approved by the Commissioner.
5.0 Looking Ahead
The Committee looks forward to continuing to provide advice to the Commissioner regarding the oversight of the Office’s risk management, governance, and control processes.
In 2023-2024, the Commissioner laid out three key strategic priorities for the OPC which form the pillars of the Office’s strategic plan: protecting and promoting privacy with maximum impact, addressing and advocating for privacy in this time of technological change, and championing children’s privacy rights. Committee members will continue to follow with interest how the decision-making and business processes may evolve to support these priorities.
Through consultations with employees regarding how to best deliver on the strategic priority 1 of maximizing the OPC’s impact, the OPC undertook a major transformation to position itself to best serve the needs of Canadians and its employees and maximize its responses to emerging privacy issues through risk management and understanding, use of data to inform decisions, partnerships, and capacity building. Risk management of the transformation and resulting effective implementation of changes in internal controls will continue to be a focus of the AC in the coming year.
Considering the challenging and uncertain environment, the Committee will continue encouraging the organization to maintain a strategic approach to implementing its HR and IM/IT plans. The Office’s HR Strategy will be particularly important to effectively support people management. It is expected to be a continued focus area for the AC.
Similarly, the organization needs to be able to keep pace with the evolution and challenges associated with new and evolving technologies. Ongoing progress in implementing action plans associated with both the cyber security audit and maturity assessment, as well as the IM audit will continue to be important areas of focus, as will the OPC’s continuing development of its business intelligence strategy.
The Committee will follow the implementation and continuous improvement of the recently enhanced Internal Control Financial Management (ICFM) framework. The framework’s five-year monitoring plan is designed to ensure that ongoing control testing focuses on the highest risk areas, and to ensure that changes in risks are considered and any needed amendments to the multi-year monitoring plan are made.
The AC will focus on the Office’s project to develop a risk appetite framework to define the organization’s risk appetite and tolerance, which will be initiated in the spring of 2025. This will help the OPC mature its enterprise Risk Management Program across the organization. It will serve the Office’s strategic and operational decision-making by clearly setting the parameters around risk-taking across the Office.
The Internal Audit function will be implementing the transition to the new requirements of the Global Internal Audit Standards that came into effect in January 2025 and will prepare for the five-year external inspection scheduled for next year. The AC will provide advice and recommendations to support the function’s conformance to the international standards so that the Internal Audit function is equipped to continue to provide valuable advice and assurance services to the Office and the AC.
We are thankful to benefit from the strong endorsement of our mandate by Commissioner Dufresne and look forward to offering our ongoing support to him as he and his leadership team steer the OPC through an ever-evolving landscape, changing the way things are done to address the priorities of the Strategic Plan 2024-2027.