Internal Audit Committee Annual Report 2015-16
June 27, 2016
Foreword from the External Members of the Committee
It is with great pleasure that we submit the Annual Report from the external members of the Audit Committee for the year ended March 31, 2016. This was the first year the Committee experienced turnover. Jocelyne Coté-O’Hara, retired from the Committee after serving six years and making valuable contributions during her tenure. Following her departure, the Committee welcomed Ms. Elisabeth Nadeau. Ms. Nadeau is a former senior executive with the federal government and brings a wealth of government and management expertise and experience to the Committee.
We wish to say again this year how pleased we are with the manner in which the AC has operated. The continuing engagement of the Commissioner, the leadership of the Chief Audit Executive and support from the OPC’s staff, particularly the Director of Business Planning and Management Practices, have all been crucial to the success of the Committee. We feel this function works well for a small organization and we are pleased to be a part of it.
The external members are also pleased with the management focus on continuing to improve management processes and practices in a manner that makes sense for a very small organization. This included updating of the Corporate Risk Profile to ensure alignment and support for delivery of the core mandate and new privacy priorities, undertaking a gap analysis to better understand the actual resource requirements for both the privacy priorities and the operational activities so as to help ensure the optimal deployment of the Offices resources, testing of entity level internal controls over financial reporting and implementing actions to address the few areas noted for improvement, and developing a Risk-based Accountability and Reporting Framework to support the effective and efficient adherence to Treasury Board policies and directives, and development of a new three-year, risk-based internal audit plan.
Over the coming year, the Committee looks forward to continuing to advise the Commissioner on the Office’s management practices while also providing strategic advice if requested.
(Original signed by)
Laurel Murray, CPA, CA
(Original signed by)
The external members of the Office of the Privacy Commissioner Audit Committee (AC) prepared this annual report for the Commissioner to summarize the Audit Committee’s activities, observations and advice in the fiscal year 2015-2016. This report is pursuant to the requirements as set out in the Treasury Board’s 2012Policy on Internal Audit and the approved AC Terms of Reference.
In carrying out its work, the AC maintains appropriate independent oversight while building relationships with management and the Office of the Auditor General (OAG). Consistent with prior years, our focus has been to identify and assess risk, to oversee control and governance processes as well as best practices across the OPC. Our aim throughout our work has been to provide the Commissioner with objective, clear and constructive advice.
As specified in the Treasury Board Directive on Internal Auditing in the Government of Canada, the Audit Committee provides oversight in the following key areas:
- Values and Ethics
- Risk Management
- Management Control Framework
- Internal Audit Function
- External Assurance Providers
- Follow-up on Management Action Plans
- Financial Statements and Public Accounts Reporting
- Accountability Reporting
The Audit Committee’s observations of, and advice on, each of the oversight areas are detailed in Section 3 of this report.
2.0 Role and Membership of the Committee
The role of the Audit Committee (AC) is to provide the Commissioner with independent advice and recommendations about the overall quality and functioning of the OPC’s risk management, control and governance frameworks and processes. The AC also provides the Commissioner with strategic advice on emerging priorities, concerns, risks, opportunities and accountability reporting.
The AC is composed of the following members:
- Laurel Murray, CA, Chair, external member
- Elisabeth Nadeau., external member
- Daniel Therrien, Commissioner, ex-officio member
In addition, the following OPC staff were required to attend all 2015-2016 AC meetings:
- Chief Audit Executive, Daniel Nadeau, who is also the Chief Financial Officer
- Secretary to the Committee, Chantale Roussel, who is also the Director, Business Planning and Management Practices
The Audit Committee has documented its role, responsibilities, and operations in a Terms of Reference (TOR). Since its creation in 2008, the TOR has been reviewed frequently by the Committee to ensure continued consistency with the Treasury Board of Canada (TB) Directive on Internal Auditing in the Government of Canada and then reaffirmed by the Commissioner. The most recent version of the TOR, approved by the Commissioner in 2015, is included in Annex A.
To deliver on its approved Terms of Reference, the Audit Committee developed a 2015-2016 Work Plan that was reviewed and discussed at the Committee’s June meeting and formally approved at the August meeting. A copy of the plan is included in Annex B. Progress against the plan is monitored throughout the year to ensure the Committee delivered on its commitments.
As part of the annual discussion of the Audit Committee’s Annual Report, members review and attest to them being free of any real or perceived conflicts of interest that could impede their independence and objectivity. This attestation is recorded in the meeting minutes.
3.0 Summary of 2015-16 Audit Committee Activities
The sections that follow summarize key activities and areas of focus for 2015-2016, together with advice provided to further strengthen management and oversight practices across the OPC.
The AC held four meetings during the year as follows:
- June 16, 2015;
- August 17, 2015;
- December 15, 2015; and
- March 22, 2016.
In addition, the Audit Committee Chair also attended the OPC’s November Strategic Planning session focused on reviewing the organizational priorities and associated commitments to deliver on the new Strategic Privacy Priorities. Participation in this session furthered the Audit Committee’s understanding of the organization’s business and priorities and provided management with insight and advice on management practices that support the delivery of the operational priorities.
At the start of each AC meeting, members undertook an open discussion of emerging issues facing the organization. During these discussions, the Commissioner briefed members on key happenings across the organization since the last meeting as well as possible issues or opportunities that may impact the organization. These discussions provided members with valuable context and insights that promoted a better understanding and appreciation of the changing work and environment within which the organization operates, as well as an opportunity for AC members to provide the Commissioner with strategic advice in new or emerging areas or issues facing the OPC.
There was 100% attendance by all AC members and required attendees at meetings held during 2015-2016. In recognition of the elapsed time between meetings, the minutes are circulated and approved electronically soon after each meeting. This has resulted in efficiencies to the process as well as the ability to inform management of the AC’s work and advice on a timely basis. Following the Committee’s’ approval of the minutes, the Chair formally signed them to clearly convey this approval.
As part of each Committee meeting, the external Committee members held in-camera discussions with the Chief Audit Executive who is also the Chief Financial Officer, and officials from the OAG when in attendance. These in-camera segments provide an opportunity for these officials to raise and discuss sensitive issues in confidence. The external members also meet in camera at each meeting to discuss issues as required.
3.2 Professional Development
In November 2015, the external members of the Committee attended the Office of the Comptroller General’s Departmental Audit Committee symposium entitled ‘ The Capacity Edition: People, Policies, Profession’.
DAC information is publicly available on the OPC website. This includes bios of the AC members, the Committee’s Terms of Reference, annual reports and approved internal audit reports. The Audit Committee believes that the proactive sharing of this information provides Canadians with valuable information and insight into the work of the Committee and its role in the oversight of the management practices of the Office.
4.0 Core Areas of Responsibility
The sections that follow provide a summary of the AC’s activities during the year to discharge its responsibilities in providing the Commissioner with advice that helps strengthen governance, risk management and control processes and practices across the OPC.
4.1 Values and Ethics
During the year, Committee members received an update on the continued implementation of the OPC’s Values and Ethics (V&E) program. This included an overview of what has been done since the launch of the program in the Fall of 2014 both to raise awareness of V&E and to ensure implementation of key elements of the program, a program that includes a dedicated intranet site on values and ethics issues covering topics such as conflict of interest, harassment prevention and political activities.
The Committee reviewed OPC’s implementation of the Treasury Board of Canada’s Directive on Conflict of Interest. Members were briefed on statistics on conflict of interest reporting at the OPC as well as management’s plans to enhance the database to capture the frequency and type of informal discussions held with employees on the topic of values and ethics.
The external members are pleased with management’s continued priority focus on implementing a sound values and ethics regime including the work underway to regularize related reporting to the Commissioner and the Audit Committee in support of actively monitoring this area (i.e. issues, trends, etc.).
4.2 Risk Management
A key element of OPC’s formalized risk management arrangements continues to be the Corporate Risk Profile (CRP) that is reviewed and refined each year. The CRP provides a summary of the organization’s strategic risks requiring ongoing management and monitoring and is a key input into the organization’s strategic planning process and the development of the OPC’s Report on Plans and Priorities (RPP), a key accountability document in the Estimates process.
During the year, the Audit Committee reviewed and discussed the draft CRP. Members provided comments and suggestions to best capture current controls, clarify certain text and to ensure that the right risk indicators are monitored for each risk. Members received a copy of the revised CRP following the AC meeting and following its review and discussion at the Senior Management Committee.
During the Strategic Planning session, members also emphasized the importance of proactively identifying and addressing any risks associated with the action plans being developed and implemented to deliver on the privacy priorities.
As management monitors its key risks throughout the year, members look forward to being apprised of any changes to the key risks.
4.3 Management Control Framework
Throughout the year, the Audit Committee reviewed elements of OPC’s management control framework. The following is a summary of this review and associated advice/recommendations.
4.3.1 Internal Controls over Financial Reporting
At its June meeting, the Committee reviewed the results of the testing of internal controls over financial reporting that the CFO carried out in 2014-2015 as well as the proposed actions to address noted issues. The processes that were tested included:
- Financial close and reporting, including receivables;
- Information technology general controls;
- Budgeting and forecasting;
- Contributions; and,
- Payroll testing of Section 33 of the Financial Administration Act.
Overall the results of this testing were positive with only minor issues noted. The Committee members were pleased with the rigour of the testing and management’s attention to addressing the minor issues noted.
It was noted that the Delegation of Authority is tested under a number of financial management processes, such as the procure-to-pay, but not as a standalone process. The Commissioner indicated that testing the delegation instrument would provide an opportunity to examine whether the controls are at the right level within the organization. The Commissioner expressed the desire to revisit the Delegation Instrument with a view of ensuring that it is providing the proper delegation at the proper level within the OPC. The Committee looks forward to reviewing the results of this review.
In carrying out these reviews of controls over financial reporting, external members encouraged the DCFO to highlight any area viewed as over controlled and to come to the Committee to discuss opportunities to streamline the related process(es), where it makes sense to do so.
4.3.2 Privacy Act Diagnostic Review
Members reviewed the draft Privacy Act Investigations Branch Diagnostic Review report. Three foundational issues were identified that should be addressed for Branch operations to become more sustainable in the long term, namely,
- adopting a more formalized risk tolerance aligned to Branch outcomes and OPC risk appetite;
- implementing a consistent taxonomy for performance measurement; and,
- reinforcing incentives for departments to respond in a timely, effective manner.
Committee noted that management is developing an action plan to address these areas and as part of this, will look to liaise with other organizations that have successfully addressed similar issues thereby leveraging lessons learned.
4.3.3 Financial Resource Management
The Committee received briefings on OPC’s financial situation throughout the year, noting the increased financial resource management challenges flowing from increased work as a result of the new mandatory breach notification under PIPEDA, the new privacy priorities and the increased awareness of privacy issues among Canadians. Committee members discussed the OPC’s potential funding shortfall and how best to address it. The Commissioner conveyed that he had informed Parliament about the increased challenges of managing within existing resources and the external members were pleased to note that management was also undertaking a gap analysis to better understand the actual resource requirements for both the privacy priorities and the operational activities. With this gap analysis, the external members were pleased to note that efforts were undertaken during the year to identify internal resources that could be freed up and redeployed to address priority areas.
4.3.4 Management Accountability Framework (MAF)
The Audit Committee continued to monitor and be pleased with management’s progress in addressing the three areas noted for improvement, that were identified in the 2014-2015 MAF self-assessment.
For the 2016-2017, the external members recommended that the OPC’s proposed approach for the MAF self-assessment be discussed at the Audit Committee and that members be provided with a copy of the Treasury Board Secretariat’s methodology.
4.3.5 Internal Control Testing
During the year, in support of ensuring sound internal controls over financial reporting (ICFR), management engaged consultants to undertake testing of the entity level internal controls. The Committee reviewed the results of this testing, and were pleased that the results were very positive and that work was well underway to address the few areas noted for improvement.
4.3.6 Risk-based Accountability and Reporting Framework
Recognizing the myriad of Treasury Board policies and directives management undertook a project this year to examine OPC’s current processes and practices in place to comply with these requirements and to understand the related level of effort. To help guide the work of this project in supporting management in ensuring compliance in a manner that is both effective and efficient, Committee members advised that where there is discretion in how compliance is achieved/carried out, management should use the following criteria to help guide their approach:
- Does the manner proposed to meet the policy requirement help the OPC meet its mandate; and,
- Does it provide sufficient safeguard that the policy objectives are met.
4.3.7 Quarterly Financial Reporting
The AC reviewed and provided feedback and advice on the OPC’s 1 st, 2nd and 3rd 2015-2016 Quarterly Financial Reports. While the format of these reports is prescribed by Treasury Board Secretariat, members did not note any concerns but rather commend management for the clarity and conciseness of these reports.
4.4 Internal Audit Function
The OPC’s Internal Audit function supports the OPC’s program activities and the CAE, who is also the Chief Financial Officer, and reports directly to the Commissioner. The mandate, roles and responsibilities and authority of the internal audit function are detailed in the OPC’s Internal Audit Charter that is recommended for approval by the Audit Committee and formally approved by the Commissioner. The Charter was reviewed by the Audit Committee in June 2015 and, with the following amendments, the Charter was recommended for approval to the Commissioner:
- Removal of the reference to the oversight role played by the Parliamentary Advisory Panel on Funding of Officers of Parliament, a panel that is no longer operational;
- Reference to the alignment of the audit and evaluation processes to ensure the two functions are complementary; and
- Modify wording to provide flexibility on the term of membership (while sill complying policy requirements).
The OPC’s in-house internal audit capacity consists of a Director, Business Planning and Management Practices, with oversight by the Chief Audit Executive (CAE), both of whom work on this portfolio part-time as part of their larger suite of responsibilities. The CAE, who is also the Director General, Corporate Services and Chief Financial Officer, reports directly to the Commissioner.
To augment the in-house capacity and support the independence of the audit function, OPC continues to co-source both the development of the Risk-based Audit Plan (RBAP) and the individual internal audit engagements with an outside professional services firm. This arrangement enables OPC to retain control and oversight of the internal audit function while leveraging the expertise and experience of internal audit professionals. The AC Chair, who is a Chartered Accountant with significant internal audit expertise, also provides expertise, guidance and advice to support the enhancement of this function and its independence and oversight throughout the year.
With respect to the OPC’s RBAP, the external members met with the contractor developing the plan in December 2015 so as to provide input into the draft plan. The draft RBAP was then tabled at the December AC meeting. While members were comfortable with the selection of the proposed audit projects, concerns were raised with the risk rating of the audit entities when viewed in the context of current controls. The revised RBAP was reviewed and discussed at the March 2016 meeting, with members noting the integration of recommendations previously put forward. Committee members recommended the approval of the revised RBAP and recommended that it be discussed at the August 2016 meeting to ensure it is still addressing priority and highest risk areas.
As required under the Policy, the Chief Audit Executive (CAE) is required to provide an annual report to the Audit Committee and the Commissioner. At the June 2015 meeting, members reviewed the CAEs streamlined CAE Annual Report; no issues were noted. At the March meeting, during an in-camera discussion with the Commissioner, the external members provided input into the performance appraisal of the CAE.
4.5 External Assurance Providers
Each year, the Office of the Auditor General (OAG) carries out an audit of the OPC’s financial statements with the objective of rendering an audit opinion on these statements. Representatives from the OAG attended the Committee’s March meeting to discuss the plan for the annual audit of OPC’s 2015-2016 financial statements.
The OAG Audit Principal and Audit Project Leader attended the AC’s August 2015 meeting to review and discuss the audited Financial Statements and the Management Representation Letter, including the related Annex with respect to internal control over financial reporting. The OAG’s report to the AC highlighting the annual audit results for the year ended March 31, 2015 was also a key document reviewed and discussed at this meeting. For the eleventh (11 th) straight year, the OAG rendered an unmodified audit opinion on the financial statements. No significant internal control weaknesses were noted by the OAG nor did they issue a Management Letter.
4.6 Follow-up on Management Action Plans
The AC monitors management’s progress in implementing management action plans stemming from internal audit reports until all recommendations have been satisfactorily implemented or are no longer relevant. On a semi-annual basis, the Committee receives and reviews a report on management’s progress in implementing outstanding actions.
As outlined in the table that follows, there was just 1 outstanding management action as at April 1, 2015 with a further 5 new management actions coming on stream for active monitoring in 2015-2016. As outlined in the table that follows, of these 6 management actions, four were fully implemented during the year. While there are slight delays in fully implementing the remaining 2 recommendations, the Committee notes that progress is being made and the CAE reported to the AC that there is little to no residual risk associated with these delays given the current controls that are in place.
|Project Title||Year||# Recs Issued||# Outstanding at April 1, 2015||2015-16 Status|
|Fully Implemented||On-Track||Delayed||# Outstanding at Mar 31, 2016|
|Audit Responding to Inquiries||2010-2011||4||1||1||0|
|Audit of IM/IT Governance||2014-2015||5||0||3||2||2|
4.7 Financial Statements
As the Commissioner is an Agent of Parliament, the financial statements of the organization are audited by the Office of the Auditor General (OAG) each year. At the August meeting, AC members reviewed and discussed the OPC’s 2014-2015 audited financial statements with the Deputy CFO, CFO and representatives from the OAG. Following these discussions, the AC recommended the Commissioner approve these financial statements.
4.8 Accountability Reports
The external members reviewed the OPC’s draft 2014-2015 Departmental Performance Report (DPR) and the draft 2016-2017 Report on Plans and Priorities (RPP). AC members provided advice and recommendations to management prior to these reports being approved by the Commissioner.
5.0 Looking Ahead
Over the coming year the Committee will continue to exercise oversight across all eight areas of responsibility with particularly emphasis on the following:
- Performance dashboard/results in delivering on the privacy priorities and the associated mechanism to support active monitoring by management
- Provide advice on the development of a new Results Framework to replace the MRRS
- Provide advice on strategic performance measurement to support executive decision-making
- Advice on the review of delegations of authority
- Continued review and advice on financial resource management, including results of the gap analysis
ANNEX A - Audit Committee Terms of Reference
Revised: June 16, 2015
This document outlines the purpose, responsibilities, membership and operating procedures of the Audit Committee (the Committee) in the Office of the Privacy Commissioner of Canada (OPC).
The Committee is an essential component of the internal audit regime established within OPC and reflective of both the Treasury Board Policy on Internal Audit which came into effect on April 1, 2006 Footnote 1 and the Joint Agreement of the Working Group of Officers of Parliament. Footnote 2 The latter reinforces OPC’s status as an Officer of Parliament.
The Working Group of Officers of Parliament have agreed that the intent of the government’s Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament, but taking account of their status of independence and their relatively small size.
The Committee provides objective advice and recommendations to the Commissioner regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the OPC's risk management, control and governance frameworks and processes (including accountability and auditing systems). This work supports the Commissioner’s role as OPC’s accounting officer before Parliament.
To give the Commissioner this support, the Committee reviews, with a risk guided focus, all core areas of OPC management, control and accountability processes in an integrated way, such that the results of internal audits may be incorporated into the OPC priority-setting and strategic planning processes. Hence, the work of the Committee reinforces the quality and reliability of the financial and other performance information used by OPC managers for decision-making and reporting and, in so doing, contributes to enhanced managerial accountability. The Committee also serves to reinforce the independence, effectiveness and accountability of the Chief Audit Executive.
The Committee also provides advice and recommendations as may be requested by the Commissioner.
3. COMMITTEE REPORTING AND COMPOSITION
The Commissioner is responsible for establishing an independent audit committee for the Office consisting of three members. There are two external members who are not currently members of the Federal Public Service and the Commissioner is an ex-officio member. The Chief Audit Executive (CAE)/Chief Financial Officer (CFO) attends all meetings.
The Commissioner is responsible for selecting the Committee’s Chair, the members and the Secretary. All members of the Committee shall be, or become within the first year of appointment, financially literate and familiar with private- or public-sector financial reporting. At least one member is a financial expert who possesses a professional accounting designation.
Members shall be independent as demonstrated by their absence of real and perceived, direct and indirect, personal and financial interest or that of their family and business associates and competitors AND by their personal capacity and behaviour to engage the management, CAE and external auditors in demanding explorations of practices and areas of concern. It extends to seeing this principle through to standing by one’s challenge to reports and practices held to be incompatible with the facts or to acceptable practices – even when colleagues on the Committee may be inclined to defer. The consequence of this is the duty to inform the Commissioner directly in such a case. Protection of independence may result in a mutual agreement to terminate the appointment.
The external members of the Committee shall declare their independence and absence of conflict of interest annually.
The Chair represents the Committee in periodic meetings with the Commissioner.
3.3 Length of Term
Members shall normally be appointed for a term of four years. A member shall serve no more than two terms. To ensure continuity, mandates can be staggered, and some terms may be for less than four years.
4. COMMITTEE MEETINGS
The Committee shall meet two or three times a year either in person or by teleconference, with more meetings as deemed necessary by the Chair. The Committee’s meeting schedule will normally be set out six months in advance so that OPC management and internal auditors can prepare the information and reports required to support the Committee’s work. Rescheduling of Committee meetings will be by exception only.
Quorum shall be a majority of the members. No alternates shall be permitted.
4.3 Preparation and Attendance of Members
To enhance the effectiveness of the Committee meetings, each member shall:
- Devote the time necessary to prepare for, and participate in, each meeting: this involves reading the reports and reference documents provided for the meeting;
- Maintain an excellent record of attendance at meetings.
4.4 Attendance of Non-Members
The Chief Audit Executive shall attend all meetings of the Committee. The Chair may request the attendance of other senior officials. When required, the Chair shall ask a senior representative of the external assurance providers to attend the Committee meetings to discuss the plans, findings and other matters of mutual concern.
4.5 Minutes of meetings
Minutes of each meeting are kept and contain the list of attendees, a summary of the decisions made and an overview of the points discussed. The minutes are approved by the Committee and signed by the Chair on behalf of the Committee.
4.6 In camera meetings
As part of each Committee meeting, the Committee shall meet in camera with the CAE/CFO, representatives of external assurance providers when in attendance and any other officials the Committee decides to call.
4.7 Committee’s Annual Plan
The Chair, in consultation with the other members of the Committee, shall prepare a plan for recommendation to the Commissioner, to ensure that the responsibilities of the Committee are scheduled and fully addressed.
4.8 Examination of the Committee’s Terms of Reference
The Committee shall periodically review its terms of reference and if revised, submit them to the Commissioner for approval.
The particular emphasis and priorities from among the Committee’s key areas of responsibility are to be set by the Commissioner in consultation with the Committee. In doing so, consideration is given to the OPC’s mandate, objectives and priorities, as well as the corresponding risks affecting the organization.
Below are the key areas of responsibility that fall within the scope of concern of the Committee, and that will be reviewed with an appropriate risk-guided focus and cycle.
5.1 Values and Ethics
The Committee shall review and provide advice on the OPC’s systems and practices established by the Commissioner to monitor compliance with laws, regulations, policies and standards of ethical conduct and identify and deal with any legal or ethical violations. This may also include the arrangements established by management to exemplify and promote public service values and to ensure compliance with laws, regulations, policies, and standards of ethical conduct.
5.2 Risk Management
The Committee shall review and provide advice on the risk management arrangements established and maintained by the OPC.
5.3 Management Control Framework
The Committee shall review and provide advice on the OPC’s internal control arrangements, and be informed on all matters of significance arising from the work performed by others who provide assurances to senior management and the Commissioner.
5.4 Internal Audit Function
The Committee shall:
- Recommend, and periodically review, the OPC Internal Audit Charter for approval by the Commissioner;
- Provide advice to the Commissioner on the sufficiency of resources of the internal audit function;
- Review and recommend for approval by the Commissioner the Risk-Based Audit Plan;
- Monitor and assess the performance of the Internal Audit function;
- Advise the Commissioner on the recruitment and appointment, as well as the performance of the Chief Audit Executive;
- Review and recommend for the Commissioner’s approval internal audit reports and corresponding management action plans to address recommendations;
- Be advised of audit engagements or tasks that do not result in a report to the Committee and be informed, by the appropriate level of management, of all matters of significance arising from such work;
- Review regular reports on progress against the risk-based audit plan.
5.5 External Assurance Providers
The Committee shall be informed of and shall advise the Commissioner on:
- All audit work relating to the OPC to be undertaken by external assurance providers, including management’s response; and,
- Audit-related issues and priorities raised by external assurance providers.
5.6 Financial Statements and Public Accounts Reporting
The Committee shall review and provide advice to the Commissioner on the key financial management reports and disclosures of the OPC, including quarterly financial reports, annual financial statements and Public Accounts.
The Committee shall also review the annual Statement of Management Responsibility Including Internal Control over Financial Reporting and provide advice to the Commissioner on the risk-based assessment plans and associated results related to the effectiveness of the OPC’s system of Internal Control over Financial Reporting.
Since the OPC financial statements are audited by the OAG, the Committee shall review:
- The financial statements with the external auditor and senior management, discuss any significant accounting estimates and adjustments therein, any adjustments required to the statements as a result of the audit, as well as any difficulties or disputes encountered with management during the course of the audit;
- Management letters arising from the external audit;
- The auditor's findings and recommendations relating to the internal controls in place for financial reporting and consider their impact on controls, risk management and governance processes.
5.7 Follow up on Management Action Plans
The Committee shall review regular reports on the progress of the implementation of approved management action plans resulting from prior internal audit recommendations as well as management action plans resulting from the work of external assurance providers.
5.8 Accountability Reporting
The Committee shall receive copies of the Report on Plans and Priorities, the Departmental Performance Report and other significant accountability reports. These reports provide context for the deliberations of the Committee and advice to the Commissioner. Over time, and in the course of successively reviewing these documents, the Committee will be attentive to, and provide advice on, any material misstatements or omissions.
5.9 Evaluation Plans and Reports
The Committee shall, at a minimum, receive copies of evaluation plans and evaluation reports for information. The Committee may also provide advice and recommendations on evaluation activities as may be requested by the Commissioner.
The Committee has full access to the Chief Audit Executive and the other OPC employees and documents required to fulfill its responsibilities, subject to applicable legislation. The CAE has full access to the Committee and to the Committee Chair.
6.2 Orientation, Training, and Continuing Education of Committee Members
Members shall receive formal orientation and training on the Committee's responsibilities and objectives and on the business of the OPC.
The Internal Audit function provides the Committee with the necessary support to carry out its responsibilities and fulfill its duties. The Committee also has the power to obtain independent help and advice. The support to the Committee includes among other things:
- Administrative duties (i.e., preparation and distribution of meeting agendas, minutes and materials);
- Supporting the Committee in executing its work;
- Supporting the Committee in assessing its performance;
- Supporting the Committee in its accountability reporting;
- Supporting the orientation for new members.
6.4 Duty to Inform and Duty to Resign – Disagreement
In the event that a member of the Committee has a difference of opinion with another member that cannot be resolved by the Chair or if the member has an unresolved difference of opinion with the Chair and provided that the difference of opinion, from the perspective of the member, has, or could have, a material, negative impact on the fairness of reported information or on the integrity of operations of the OPC or involves the questionable behaviour of an individual then the member shall bring the issue forward for resolution, as follows:
- Bring the issue to the attention of the Commissioner within a reasonable timeframe.
- If the Commissioner is unable to resolve the issue and if the member is of the opinion that the issue still remains, the member has a duty to resign.
7. EVALUATION OF THE COMMITTEE’S PERFORMANCE
The Committee shall periodically evaluate its own performance to continually improve how it carries out its responsibilities. The Committee’s performance shall also be part of an external evaluation of the internal audit function that is to be carried out at least every five years, by an independent auditor.
8. ANNUAL REPORT
The independent members of the Committee shall submit an annual report to the Commissioner that shall:
- Summarize the results of the Committee's reviews of areas of responsibility;
- Provide the independent members’ assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and,
- Express views in the annual report that shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by OPC officials in the preparation of the annual report.
9. APPROVAL OF COMMITTEE TERMS OF REFERENCE
Reviewed by the Audit Committee
Approved by the Commissioner
Annex B - Audit Committee Annual Plan 2015-16
|#||AC Action Item Description||Purpose/Action||Frequency||Q1
|Other||Comments/Issues for Consideration|
|1||AC Terms of Reference||Review and recommend to the Commissioner for approval||Periodically||1|
|2||AC Annual Plan (for upcoming fiscal year)||Review and recommend to the Commissioner for approval||Annually||1||Required annually to establish committee work required for the year.|
|3||Establish AC meeting schedule||Approve||Every 6 months||1||Done semi-annually as not practical to set meetings too far in advance-often done off line vs at a meeting.|
|4||Orientation/ongoing PD requirements||Determine||Periodically||1||Members identify and take course and ongoing PD as required.|
|Internal Audit Oversight Responsibilities|
|5||Internal Audit Charter||Review and recommend to the Commissioner for approval||Periodically||1|
|6||Adequacy of internal audit resources||Monitor||Annually||1||Integral part of approval of the Risk-based Internal Audit Plan (RBAP) process|
|7||Risk-based Internal Audit Plan (RBAP)||Review and recommend to the Commissioner for approval||Annually||1||AC engaged in the update process and reviews draft RBAP and recommends it for approval by the Commissioner|
|8||Performance of the internal audit function and CAE||Monitor and assess||Annually||1||AC input is intended to be an input into the CAEs annual performance appraisal. Done through an in-camera discussion with the Commissioner in our last meeting of the year|
|9||Internal Audit Reports and corresponding management responses and action plans||Review and recommend to the Commissioner for approval||Ongoing||1||Draft PA Diagnostic Review report scheduled for June meeting.|
|10||Reports on the progress against the internal audit plan||Receive and review||Ongoing||1||1||1|
|11||CAE's Annual Report||Receive and review||Annually||1|
|12||Values and Ethics||Review and provide advice||In accord with risk guided focus and cycle||Results of implementation of new COI Directive expected in 16-17.|
|13||Risk management||Review and provide advice||In accord with risk guided focus and cycle||1|
|14||Management Control Framework||Review and provide advice||In accord with risk guided focus and cycle||1||In addition to reviewing key elements of the MCF via internal audit reports, the AC will also review progress in implementing action plan to address 2014-15 MAF self-assessment results.|
|15||OAG, agents of parliament and central agencies||Review OAG Audit Plan and Review and Discuss Audit Results||Semi-annual||1||1||OAG to come to the AC to discuss planning for the financial statement audit and special meeting held in the summer to discuss the audit results.|
|16||Follow-up on Management Action Plans||Review and provide advice||Periodically||1||1||Semi-annual review.|
|17||OPC Financial Statements||Review and recommend to the Commissioner for approval||Annually||1||Special meeting held in the summer whereby the AC reviews and discusses the financial statements together with the results of the OAG's audit of them and provides advice/recommended approval.|
|Report on Plans and Priorities (RPP)||Review and provide advice||Annually||1||Tied to Parliamentary reporting timelines.|
|Departmental Performance Report (DPR)||Annually||1|
|19||Committee self-assessment||Review and monitor implementation of any resulting actions||Periodically||1||Will look to engage OPC management who appear before the committee in the process.|
|20||External practice inspection||Undergo/Review||Every 5 yrs||Completed in 2014-2015 and all recommendations implemented.|
|Accountability and Reporting|
|21||AC Annual Report||Prepare and brief Commissioner prior to finalization||Annually||1|
|22||OPC Priorities||Review and provide advice||TBD||1||Provide insight and advice with respect to related risks of delivering on the new priorities|
- Date modified: