Terms of Reference for the Audit Committee
Revised: September 2025
1. Introduction
This document outlines the purpose, responsibilities, membership and operating procedures of the Audit Committee (the Committee) in the Office of the Privacy Commissioner of Canada (OPC).
The Committee is an essential component of the internal audit regime established within the OPC and reflects both the Treasury Board Policy on Internal Audit, which came into effect on April 1, 2006 [Footnote 1], and the Joint Agreement of the Working Group of Officers of Parliament [Footnote 2]. The latter reinforces the Commissioner’s status as an Officer of Parliament.
The Working Group of Officers of Parliament has agreed that the intent of the government’s Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament, while taking account of their status of independence and their relatively small size.
2. Mandate
The Committee’s primary role is to advise the Commissioner in monitoring the organization’s core systems of control and accountability [Footnote 3]. The Commissioner, defined as the accounting officer in the Financial Administration Act, is ultimately accountable for the internal audit function.
The Committee provides independent and objective guidance and advice to the Commissioner in the areas of governance, risk management and control. To give the Commissioner this support, the Committee reviews, with a risk-guided focus, all areas of responsibility for departmental audit committees related to OPC management, control and accountability processes as determined by the Comptroller General of Canada. The work of the Committee reinforces the quality and reliability of the financial and other performance information used by OPC managers for decision-making and reporting and, in so doing, contributes to enhanced managerial accountability. The Committee also serves to reinforce the independence, effectiveness and accountability of the Chief Audit Executive.
The Committee also provides advice and recommendations on matters for which the Commissioner, as accounting officer, is responsible and on other related matters as needed or as may be requested by the Commissioner.
3. Committee reporting and composition
3.1 Membership
The Commissioner establishes an independent audit committee for the Office consisting of a minimum of three members, of which the Commissioner is an ex-officio member and a majority are to be external members, not currently members of the Federal Public Service. To the extent possible, committee membership reflects Canada’s diversity in terms of gender, official languages, Indigenous Canadians, minority groups and regional representation. The chair of the Committee is from outside the federal public administration. The Chief Audit Executive (CAE)/Chief Financial Officer (CFO) attends all meetings.
The Commissioner selects the Committee’s Chair, the members and the Secretary. All members of the Committee shall be, or become within the first year of appointment, financially literate and familiar with financial reporting. At least one member is a financial expert who possesses a professional accounting designation in good standing.
Members shall be independent as demonstrated by their absence of real and perceived, direct and indirect, personal and financial interest or that of their family and business associates and competitors, and by their personal capacity and behaviour to engage the management, CAE and external auditors in demanding explorations of practices and areas of concern. It extends to seeing this principle through to standing by one’s challenge to reports and practices held to be incompatible with the facts or to acceptable practices – even when colleagues on the Committee may be inclined to defer. The consequence of this is the duty to inform the Commissioner directly in such a case. Protection of independence may result in a mutual agreement to terminate the appointment.
The external members of the Committee must disclose all current and prospective activities, interests, or appointments prior to acceptance in order for the OPC to assess whether they may impair, or be seen to impair, the member’s ability to discharge their duties in an independent and objective manner. This disclosure should be done as required and at least annually for the duration of the member’s term. Each external member is required to complete, annually, a declaration form, to be reviewed by the CAE.
3.2 Reporting
The Chair represents the Committee in periodic meetings with the Commissioner.
3.3 Length of Term
External members are appointed pursuant to the Terms and Conditions of Appointment for Audit Committee Members of the Office of the Privacy Commissioner of Canada. An external member shall serve no more than a total of eight years. To ensure continuity, mandates can be staggered or, in exceptional circumstances, can extend beyond the maximum number of years.
4. Committee meetings
4.1 Frequency
The Committee shall meet once every quarter either in person or by teleconference, with more meetings as deemed necessary by the Chair. The Committee’s meeting schedule will normally be set out three months in advance so that OPC management and internal auditors can prepare the information and reports required to support the Committee’s work. Rescheduling of Committee meetings will be by exception only.
4.2 Quorum
Quorum shall be a majority of the members, including, if necessary, the Commissioner in their capacity as ex-officio member. No alternates shall be permitted.
4.3 Preparation and Attendance of Members
To enhance the effectiveness of the Committee meetings, each member shall:
- Devote the time necessary to prepare for, and participate in, each meeting: this involves reading the reports and reference documents provided for the meeting;
- Maintain an excellent record of attendance at meetings.
4.4 Attendance of Non-Members
The Chief Audit Executive shall attend all meetings of the Committee. The Chair may request the attendance of other senior officials. When required, the Chair shall ask a senior representative of the external assurance providers to attend the Committee meetings to discuss the plans, findings and other matters of mutual concern.
4.5 Minutes of meetings
Minutes of each meeting are kept and contain the list of attendees, a summary of the decisions made and an overview of the points discussed. The minutes are approved by the Committee and signed by the Chair on behalf of the Committee.
4.6 In camera meetings
As part of each Committee meeting, the Committee shall meet in camera with the contracted internal auditors, representatives of external assurance providers when in attendance and any other officials the Committee decides to call. In addition, there shall be an in camera session between the external Committee members and the CAE/CFO at every meeting.
4.7 Committee’s Annual Plan
The Chair, in consultation with the other members of the Committee, shall prepare a plan for recommendation to the Commissioner, to ensure that the responsibilities of the Committee are scheduled and fully addressed.
4.8 Examination of the Committee’s Terms of Reference
The Committee shall periodically review its terms of reference and, if revised, submit them to the Commissioner for approval.
5. Responsibilities
The particular emphasis and priorities from among the Committee’s key areas of responsibility are to be set by the Commissioner in consultation with the Committee. In doing so, consideration is given to the OPC’s mandate, objectives and priorities, as well as the corresponding risks affecting the organization.
Below are the key areas of responsibility that fall within the scope of concern of the Committee, and that will be reviewed with an appropriate risk-guided focus and cycle. Additionally, the Committee may provide recommendations in these areas, as may be requested by the Commissioner.
5.1 Values and Ethics
The Committee shall review and provide advice to the Commissioner on the OPC’s systems and practices established to monitor compliance with laws, regulations, policies and standards of ethical conduct, and identify and deal with any legal or ethical violations. It may also include the procedures and feedback mechanisms established to monitor conformance with its code of conduct and ethics policies, as well as how its processes encourage and maintain high ethical standards.
5.2 Risk Management
The Committee shall review and provide advice to the Commissioner on the OPC’s risk management arrangements.
5.3 Management Control Framework
The Committee shall review and provide advice to the Commissioner on the OPC’s internal control arrangements and be informed on all matters of significance arising from the work performed by others who provide assurances to senior management and the Commissioner.
5.4 Internal Audit Function
The Committee should be able to reasonably determine if the Commissioner is meeting the requirement of Subsection 16.1 of the Financial Administration Act to ensure “an internal audit capacity appropriate to the needs of the department.”
The Committee shall review and provide advice to the Commissioner on:
- The OPC’s Internal Audit Charter;
- The sufficiency of internal audit resources;
- The quality and substance of the Risk-Based Audit Plan and progress against the plan;
- Internal audit reports;
- The performance of the internal audit function (including the results of external practice assessments and ongoing and periodic internal assessments);
- The recruitment, qualifications and performance of the CAE.
The Committee shall be informed of any internal audit engagements or tasks that do not result in a report to the Committee, including all matters of significance arising from such work.
5.5 External Assurance Providers
The Committee shall be informed of and shall advise the Commissioner on:
- All audit work relating to the OPC to be undertaken by external assurance providers, including management’s response; and,
- Audit-related issues and priorities raised by external assurance providers.
5.6 Financial Statements and Public Accounts Reporting
The Committee shall review and, as appropriate, provide advice to the Commissioner on key financial reports and disclosures of the OPC, including quarterly financial reports, annual financial statements and Public Accounts and the annual Statement of Management Responsibility and associated plans and assessments with respect to internal controls over financial reporting. The Committee is not required to recommend these materials for approval by the Commissioner, nor are members expected to participate in their development.
Since the OPC financial statements are audited by the OAG, the Committee shall review:
- The financial statements with the external auditor and senior management, discuss any significant accounting estimates and adjustments, as well as any difficulties or disputes the external auditors encountered with management during the course of the audit;
- Any management letters arising from the external audit;
- The auditor’s findings and recommendations relating to the internal controls over financial reporting and consider their impact on OPC controls, risk management and governance processes.
5.7 Follow up on Management Action Plans
The Committee shall regularly review and provide advice to the Commissioner on the progress of implementing approved management action plans resulting from the work of external assurance providers.
5.8 Accountability Reporting
The Committee shall receive copies of the Departmental Plan, the Departmental Results Report and other significant accountability reports. These reports provide context for the deliberations of the Committee and advice to the Commissioner. Over time, and in the course of successively reviewing these documents, the Committee will be attentive to, and provide advice on, any material misstatements or omissions.
These reports provide context on OPC operations and oversight. The Committee is not required to recommend these documents for approval by the Commissioner, nor is it expected to be involved in the development of these reports.
5.9 Other Duties
The Committee shall, at a minimum, receive copies of evaluation plans and evaluation reports for information. The Committee may also provide advice on evaluation activities as may be requested by the Commissioner.
The Committee shall serve as an external independent oversight mechanism to which the OPC management can report on classification-related trends or high-risk elements stemming from its classification activities for non-EXs, as needed.
6. Operations
6.1 Access
The Committee has full access to the Chief Audit Executive and the other OPC employees and documents required to fulfill its responsibilities, subject to applicable legislation. The CAE has full access to the Committee and to the Committee Chair.
6.2 Orientation, Training, and Continuing Education of Committee Members
Members shall receive formal orientation and training on the Committee’s responsibilities and objectives and on the business of the OPC.
6.3 Support
The Internal Audit function provides the Committee with the necessary support to carry out its responsibilities and fulfill its duties. The Committee also has the power to obtain independent help and advice. The support to the Committee includes among other things:
- Administrative duties (i.e., preparation and distribution of meeting agendas, minutes and materials);
- Supporting the Committee in executing its work;
- Supporting the Committee in assessing its performance;
- Supporting the Committee in its accountability reporting;
- Supporting the orientation for new members.
6.4 Duty to Inform and Duty to Resign – Disagreement
In the event that a member of the Committee has a difference of opinion with another member that cannot be resolved by the Chair, or if the member has an unresolved difference of opinion with the Chair, and provided that the difference of opinion, from the perspective of the member, has, or could have, a material, negative impact on the fairness of reported information or on the integrity of operations of the OPC, or involves the questionable behaviour of an individual, then the member shall bring the issue forward for resolution, as follows:
- Bring the issue to the attention of the Commissioner within a reasonable timeframe.
- If the Commissioner is unable to resolve the issue and if the member is of the opinion that the issue still remains, the member has a duty to resign.
7. Evaluation of the committee’s performance
The Committee shall periodically evaluate its own performance to continually improve how it carries out its responsibilities. The Committee’s performance shall also be part of an external evaluation of the internal audit function that is to be carried out at least every five years, by an independent auditor.
8. Annual report
The independent members of the Committee shall submit an annual report to the Commissioner that shall:
- Summarize the results of the Committee’s reviews of areas of responsibility; and,
- Express views in the annual report that shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by OPC officials in the preparation of the annual report.
9. Approval of committee terms of reference
(Original signed by)
Reviewed by the Audit Committee
Date: January 28, 2026
(Original signed by)
Approved by the Commissioner
Date: February 9, 2026