Internal Audit of Access to Information: Internal Audit Report
June 2024
Table of Contents
- Executive Summary
- Background
- Objective
- Scope
- Internal Audit Criteria
- Internal Audit Approach
- Overall Opinion
- Statement of Conformance
- Summary of Findings
- Conclusion
- Recommendations, Management Response and Action Plan
- Appendix A: Sampling Strategy
- Appendix B: File Testing Results
- Appendix C: Benchmarking Analysis
- Appendix D: Key Information Reviewed
Executive Summary
The Internal Audit of Access to Information was authorized as part of the Department of Finance Canada’s (the Department) 2023-2025 Risk-based Audit Plan, which was approved by the Deputy Minister on June 29, 2023.
What we examined
The objective of this internal audit was to provide reasonable assurance that the Department’s access to information process is compliant with applicable legislation and policies, and that the process is effective and efficient.
Why it is important
The Access to Information Act (ATI Act) provides a right of access to records under the control of a government institution. Under the ATI Act, Canadian citizens, permanent residents, or any individual or corporation present in Canada have the right to request access to information contained in government records. Government institutions are required to respond to a request within 30 calendar days unless an extension has been granted. While the legislation provides for access to almost all records, there are limited and specific exemptions and exclusions that apply. Given the sensitive nature of the information generated by the Department in support of its mandate, it is especially important that information is properly reviewed and redacted in accordance with the ATI Act’s provisions.
What we found
Overall, we found that the Department is generally compliant with most of the legislative and policy requirements relating to the ATI process. However, the Department has a low on-time compliance rate with regard to responding to requests within the legislated timelines outlined in the ATI Act. This can, in part, be attributed to a large volume of requests received by the Department and capacity challenges within the Access to Information and Privacy Division. The Department also does not have ATI-specific mandatory training in place, as is required by the Treasury Board Policy on Access to Information and its associated directive.
Although we found some areas for improvement relating to efficiency and effectiveness of the ATI process, we found that internal controls throughout the ATI process have been established and are functioning as intended.
Marie-Josée Yelle
Chief Audit Executive
Background
The Department of Finance Canada (the Department) is responsible for developing the annual Federal Budget and Fall Economic Statement, as well as providing ongoing analysis and advice to the Government of Canada on economic, fiscal, and social policy. Within the Department, employees generate a significant amount of information in support of their work to provide strategic analysis and advice to the Minister of Finance.
The Access to Information Act (ATI Act) provides a right of access to records under the control of a government institution in accordance with the principles that such information should be available to the public, that necessary exceptions to the right of access should be limited and specific, and that decisions on the disclosure of government information should be reviewed independently of government. Under the ATI Act, Canadian citizens, permanent residents, or any individual or corporation present in Canada have the right to request access to information contained in government records. The ATI Act requires the head of a government institution to respond to a request within 30 days after the request is received unless a request for extension is obtained.
The Privacy Act’s purpose is to protect the privacy of individuals’ personal information held by government institutions. The Privacy Act sets out rules for how institutions of the Government of Canada collect, use, disclose, retain, and dispose of personal information of individuals. Individuals a have a right to access personal information held about them by the federal government, and a right to correct that information. Requests received by the Department under the Privacy Act are minimal, with only eight requests received during the 2022-23 fiscal year. While requests under the Privacy Act were originally included in this audit during the planning process, given the low volume of requests received under the Privacy Act and low risk associated with the beforementioned requests, this internal audit only focused on requests received under the ATI Act.
As per the ATI Act and the Treasury Board Policy on Access to Information, heads of government institutions are responsible for the effective administration of the ATI Act and may decide to delegate these responsibilities to one or more officials of the institution. The Minister of Finance has delegated this authority to the Deputy Minister and other members of the Department’s senior management team.
Within the Consultations and Communications Branch, the Access to Information and Privacy (ATIP) Division is responsible for administering the ATI Act and the Privacy Act for the Department. As a centralized operation, the ATIP Division coordinates the timely processing of requests under the legislation, conducts interdepartmental consultations, handles complaints lodged with the Information Commissioner, and responds to informal inquiries. As of October 2023, 13 employees within the ATIP Division were dedicated to the administration of the ATI Act and the Privacy Act along with other related functions.
All employees of the Department play a key role in processing ATI requests by identifying and providing relevant records and making recommendations on their disclosure. While the purpose of the legislation provides for access to almost all information in records, there are limited and specific exemptions and exclusions which can be applied to deny this right. Given the sensitive nature of the information generated by the Department in support of its mandate, it is especially important that information is properly reviewed and redacted in accordance with the ATI Act’s provisions, as the inadvertent disclosure of sensitive information could have the potential of moving markets and impacting the Canadian economy.
The Department has established a process to respond to ATI requests, which can be seen in Figure 1 below. Process steps marked with an asterisk may not be required for every ATI request.
The Department’s Access to Information Process
Objective
The objective of this internal audit engagement was to provide reasonable assurance that the Department of Finance Canada’s (the Department) access to information (ATI) process is compliant with applicable legislation and policies, and that the process is effective and efficient.
Scope
The scope of the internal audit included completed ATI requests as well as ATI systems and processes in the Department between April 1, 2021, and October 31, 2023. At the request of the audit client, the internal audit team expanded the parameters of its file review to include ATI requests for records that were disclosed late, up to February 28, 2024, to determine if updates to the ATI process impacted efficiency.
The scope did not include:
- Roles and activities of external stakeholders, such as the Office of the Information Commissioner and the Treasury Board of Canada Secretariat, on access to information requests.
- Requests received under the Privacy Act since the Department receives very few privacy requests.
- Requirements under Part 2 of the ATI Act relating to the proactive publication of information (such as, travel expenses, hospitality expenses, reports tabled in Parliament, contracts over $10,000, etc.).
- An assessment of the accuracy of the application of exemptions and exclusions within completed ATI requests.
- An assessment of the accuracy of the data presented in the Department’s Annual Report to Parliament on the Administration of the ATI Act.
Internal Audit Criteria
- Criterion 1: The Department’s access to information process is compliant with the Access to Information Act and the Treasury Board Policy on Access to Information and its associated directives.
- Criterion 2: The Department’s access to information process is effective and efficient.
Internal Audit Approach
In conducting this internal audit, we:
- Reviewed relevant documentation such as legislation, policies and guidance, and departmental guidance.
- Interviewed personnel from the Access to Information and Privacy Division, as well as branch coordinators from all 11 branches and the Deputy Minister’s Office.
- Identified key controls and developed process maps.
- Performed three rounds of file review:
- Round 1: To confirm that control points were established and functioning as intended (as per legislation and policy requirements), the internal audit team reviewed 10 ATI requests received between April 1, 2021, and October 31, 2023.
- Round 2: To determine where key bottlenecks in the process are occurring for requests that were over the legislated timelines, the internal audit team reviewed 44 ATI requests for records disclosed late between April 1, 2021, and March 31, 2023.
- Round 3: To determine if updates to the ATI process impacted its efficiency, the internal audit team reviewed an additional 13 ATI requests for records disclosed late between April 1, 2023, and February 28, 2024.
- Performed benchmarking against other federal departments and agencies.
Overall Opinion
Sufficient and appropriate procedures were performed, and evidence gathered, to support the accuracy of the internal audit conclusion. The internal audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the internal audit against established criteria that were agreed upon with management.
The findings and conclusion are only applicable to the entities examined and for the scope and period covered by the internal audit.
Statement of Conformance
The internal audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.
Summary of Findings
The internal audit team has issued formal recommendations for findings non-compliant with legislation and policy. Where a formal recommendation has been issued, management has developed a Management Action Plan (MAP). The Internal Audit Directorate (IAD) will follow-up on these MAPs to ensure that they have been implemented.
The internal audit team has also included some areas of consideration for senior management’s attention for issues identified that are not related to a legislative or policy non-compliance. The IAD will not follow-up on areas of consideration as it is management’s prerogative to risk-manage these areas.
Key Findings – Criterion 1
The internal audit team found that overall, the Department is meeting most of the applicable legislation and policy requirements. This includes having a Minister of Finance approved delegation instrument in place, making a reasonable effort to respond to all ATI requests received by the Department, applying exemptions and exclusions only when necessary, responding to complaints received by the Information Commissioner, and publishing an annual report to Parliament on the Department’s ATI results.
Two non-compliance issues are noted below.
As per the ATI Act a government institution must respond to a request within 30 calendar days after the request is received and each request must be handled on a priority basis. The ATI Act allows for reasonable extensions of the 30-day timeline for a limited number of circumstances, such as large number of records requested, interference with government operations or required consultations.
During the internal audit, we noted that the Department has a low on-time compliance rate with regards to responding to ATI requests within the legislated timelines outlined in the ATI Act(see departmental results in Table 1 below). However, preliminary data for the 2023-2024 fiscal year shows significant improvement to the Department’s on-time compliance rate. The low compliance rates up to the 2022-2023 fiscal year, which had continued to decline in the last five years up to 2023-2024, have been reported to Parliament through the Department’s Annual Report to Parliament on the Administration of the ATI Act.
Fiscal Year |
New Requests Received | Requests Completed | Active Files on last day of fiscal year | Number of Pages Processed | Number of Pages Released | On-Time Compliance rate | Number of full-time ATIP employees |
|---|---|---|---|---|---|---|---|
| 2023-20242 | 854 | 778 | 726 | 25,645 | 9,583 | 74% | 14 |
| 2022-2023 | 650 | 860 | 646 | 50,742 | 29,070 | 40% | 14 |
| 2021-2022 | 823 | 946 | 856 | 38,710 | 17,907 | 53% | 10 |
| 2020-2021 | 1,115 | 486 | 978 | 14,569 | 6,725 | 73% | 16 |
| 2019-2020 | 744 | 794 | 348 | 52,558 | 21,921 | 78% | 18 |
| 2018-2019 | 1,724 | 1,598 | 398 | 61,009 | 30,623 | 84% | 13 |
| 1 Information gathered from the Department’s Annual Report to Parliament on the Administration of the ATI Act (2018-2019 to 2022-2023). 2 Results for 2023-2024 are preliminary. Official results for the 2023-2024 year are still being compiled and will be released in Fall 2024. |
|||||||
During the COVID-19 pandemic and the resulting work-from-home orders (beginning in March 2020), the ATIP Division temporarily stopped processing ATIP requests for the first several weeks of this period. Following the ATIP Division’s return online, the Department received a large influx of ATIP requests due to the Department’s work in delivering COVID-19 related assistance to Canadians which resulted in a significant backlog of files.
The ATIP Division has also been encountering resourcing issues. Between March 31, 2020, to March 31, 2022, the ATIP Division lost eight (8) full-time employees and on-time compliance dropped by 25%. Challenges have been noted across the federal government with regards to recruiting and retaining qualified ATIP analysts, as noted in the December 2022 Treasury Board Access to Information Review Report to Parliament. The Department has been working with the Treasury Board of Canada Secretariat (TBS) to address staffing issues within the ATIP Division and, during the scope period of the internal audit, it was successful in bridging several students onto the team. However, there remains a gap on the team with regards to having experienced ATIP analysts.
In order to assess the performance of the ATIP Division, the internal audit team conducted a benchmarking exercise by comparing the performance of the Department against four other government departments. Based on this analysis, the Department had the lowest on-time compliance rate of the five departments. However, it’s noteworthy that the Department had the highest volume of requests received and requests completed during each fiscal year examined. In addition, the Department had the highest volume of ATI requests completed per ATIP employee and a relatively small number of complaints received in proportion to the volume of requests completed when compared to the other institutions (see Appendix C for more information).
These contributing factors inhibit the Department’s ability to comply with its statutory obligations as it relates to on time compliance with legislated timelines. By providing requestors with timely access to records, the Department can maintain public confidence and promote transparency of departmental operations.
In addition, any delays in responding to ATI requests within the legislated timelines place the Department in violation of the ATI Act. A complaint may be filed and investigated by the Office of the Information Commission (OIC). The Information Commissioner will then either facilitate a resolution or make a recommendation for corrective action.
A number of complaints were received by the OIC regarding the delay in providing records or the extension taken by the Department (see Table 2).
Fiscal Year |
Complaints received by the OIC regarding time delays or extensions | Complaints closed by the OIC deemed well-founded regarding time delays or extensions1 | Orders issued by the OIC regarding time delays or extensions2 |
|---|---|---|---|
| 2023-20243 | 13 | 0 | 0 |
| 2022-2023 | 11 | 5 | 1 |
| 2021-2022 | 17 | 29 | 3 |
| 1
Well-founded complaints were also noted for the following reasons: • Exemptions and exclusions claimed (over-redaction of records): 3 well-founded complaints in 2021-2022, 5 well-founded complaints in 2022-2023. • Missing records/incomplete search: 1 well-founded complaint in 2021-2022, 7 well-founded complaints in 2022-2023. Given the low number of complaints deemed to be well-founded in these areas and given the Department has agreed with and resolved the complaints, the internal audit team has no significant concerns. 2 Following the investigation of a complaint, the Information Commissioner has the power to make binding orders in relation to ATI requests, which includes ordering the release of government records. 3 Information for the 2023-2024 is still being compiled. Official results will be included in the Department’s 2023-2024 Department’s Annual Report to Parliament on the Administration of the ATI Act, which will be tabled in Fall 2024. |
|||
The Department has agreed with all recommendations and orders issued by the OIC and carried out the requirements stipulated.
When comparing the volume of complaints received against other departments during the internal audit team’s benchmarking exercise, no significant concerns were noted regarding the volume of complaints made against the Department of Finance (see Appendix C). In fact, the Department received the most requests, and was subject to a relatively small number of complaints in proportion to the volume of requests completed.
Recommendation 1: The Department should implement a strategy to improve the on-time compliance rate.
See criterion 2 for related areas of consideration for improving efficiency of the process.
As per the TB Policy on Access to Information and its associated directive, all employees of government institutions must receive training on their obligations under the ATI Act. Additional mandatory training requirements are also prescribed for employees with functional or delegated responsibility under the ATI Act.
The ATIP Division provides training on an ad-hoc basis. The ATIP Division will provide training sessions to branches if requested. However, we noted that the Department did not have mandatory training in place for all employees, including branch ATIP coordinators, regarding the ATI process and the related legal responsibilities and obligations relating to the ATI Act. This also includes not having mandatory training for employees that have functional or delegated responsibility for the ATI Act (including employees of the ATIP Division).
A lack of adequate training increases the risk that roles, responsibilities, and ATI-related objectives are not clearly defined and understood, which may also have an impact on the ability to respond to ATI requests in a timely manner and give well informed recommendations on redactions for exemptions and exclusions.
Recommendation 2: The Department should make ATI training mandatory within the Department for all employees and monitor its completion.
Key Findings – Criterion 2
Overall, the internal audit team found that internal controls throughout the access to information (ATI) process were in place and functioning as intended (See Round 1 of sampling in Appendix A and B for more information).
However, some areas of improvement were identified with respect to the efficiency and effectiveness of the ATI process, which are outlined in the table below.
As previously noted under criterion 1, the Department has a low on-time compliance rate with regards to responding to requests within the legislated timelines.
In order to understand where the backlogs were occurring in the ATI process, the internal audit team reviewed 44 ATI requests where records were released outside of the legislated timelines (see Round 2 of sampling in Appendix A and B for more information). Notably, of the 44 files reviewed, eight (8) of these were over 365 calendar days overdue.
Based on this review of 44 files, the longest delays were attributed to the time waiting for a consultation with other stakeholders (both internal and external) and the review and approval process within the ATIP Division.
- Internal consultations within the Department: Delays were occurring during the internal consultation process with other departmental branches. During the audit, the internal audit team consistently heard that branches struggled with their lack of capacity to respond to ATI-related requests.
- External consultations with other government departments and third parties: Delays were found to be occurring during the external consultation process, which is largely out of the control of the Department. The internal audit team noted that follow-up requests were sent, however, in two (2) instances, a follow-up was sent a year after the initial request.
- ATIP Division review and approvals: Delays were noted throughout the various stages of review and approval within the ATIP Division, which can largely be attributed to capacity issues as previously mentioned in the report.
Given that the 44 files sampled were all from fiscal years 2021-2022 and 2022-2023, the internal audit team expanded the parameters of its file review to include an additional 13 files where records were released outside of the legislated timelines for fiscal year 2023-2024. This was done at the request of the audit client to determine if changes post-pandemic had impacted the efficiency of the process (see Round 3 of sampling in Appendix A and B for more information).
Of the additional 13 files examined during this review, the internal audit team found that most of the delays were still attributed to the time waiting for a consultation with other stakeholders (internal or external). However, the internal audit team also noted an increase in time taken in other areas. For the branch retrieval of records, as per branch consultations, delays are due to the branches struggling with the lack of capacity to respond to requests. This is also the case for the legal services review as there is only one legal counsel assigned to the review of ATIP requests, which is in addition to their other assigned duties (see Round 2 and 3 of sampling in B for more information).
Notwithstanding these issues, of these 13 files, improvements were noted in the turnaround time within the ATIP Division, specifically in the length of time for management and director approvals.
Recommendation: See recommendation 1.
As a best practice, the ATIP Division sends out weekly ATI Branch reports to all implicated Assistant Deputy Ministers and branch coordinators to provide a status update on all ongoing record retrieval requests as well as requests for consultations.
Branch coordinators see the value in receiving these reports; however, some reports are not accurate. Due to the timing of closing steps within the ATIP process, the reports often note that the branch has certain outstanding ATI requests, even after the branch has submitted their records back to the ATIP Division. Having to validate the information in these weekly reports creates additional administrative burden.
Having accurate reporting will better allow branch coordinators to monitor their outstanding requests.
In addition to the weekly status updates to the branches, the Director, ATIP Division, provides regular updates to senior management within the Consultations & Communications Branch via weekly bilats with the Director General. However, departmental performance results are currently only being shared with the Deputy Minister’s Office once a year via the Department’s Annual Report to Parliament on the Administration of the ATI Act. Regular monitoring and oversight practices are key to assessing the extent to which the Department is able to assess not only its own performance in managing ATI requests but also to its ability to identify and manage risks associated with processing ATI requests in a timely and effective manner.
Areas of Consideration:
- The Assistant Deputy Minister, Consultations & Communications Branch, should consider providing quarterly reports to the Deputy Minister’s Office on the Department’s ATI-related performance.
- The Director, ATIP Division, may consider updating internal procedures to ensure that the weekly status reports are more accurate, and then follow up with the branch coordinators in a few months to confirm the accuracy of the data.
During branch consultations, several branch coordinators noted issues regarding applying redactions to records using Adobe Reader software. They noted that Foxit Phantom PDF software was a better tool for applying redactions but were under the impression that there was a high cost associated with the acquisition of the software. Several branch coordinators also noted difficulties with modifying and saving PDF documents in *redacted* (the Department’s document management system), resulting in changes made not being properly saved. These issues have resulted in significant burden to the analysts working on record retrieval and have resulted in loss of productivity for employees.
In order to remedy the situation in a timely manner, the internal audit team informed the Department’s Information Management and Technology Directorate (IMTD) of the issues, which they rectified immediately, including recommending that all employees request a Foxit license. In late February, during a Management and Operations Committee meeting, IMTD was also invited to inform senior management of the updates and recommended actions.
Area of consideration: The Director, ATIP Division, may consider following up with the branch coordinators in a few months to ensure that they are no longer experiencing any technical issues.
The Department’s ATIP Division is currently using outdated software, AccessPro Case Management (APCM), for managing ATI requests. At the beginning of the audit, APCM was residing on the Department’s legacy *redacted* network which is in the process of being decommissioned. Given that the Department was almost exclusively working on the *redacted* network, the ATIP Division was required to transfer information back and forth between networks, which created inefficiencies for the team. As of March 2024, IMTD successfully transferred APCM onto the *redacted* network.
At the time of the audit, the ATIP Division was working with TBS and Public Services and Procurement Canada (PSPC) to procure an updated software solution. While TBS and PSPC have worked to acquire updated software solutions from two different suppliers, delays in implementing a new solution could be attributed to ongoing work by PSPC and the suppliers to fix identified security gaps. As of April 2024, these issues have been resolved.
Area of consideration: The Director, ATIP Division, should continue to work with the Department’s IMTD to upgrade the software.
Conclusion
Overall, we found that the Department is generally compliant with most of the legislative and policy requirements relating to the ATI process. However, the Department has a low on-time compliance rate with regard to responding to requests within the legislated timelines outlined in the ATI Act. This can, in part, be attributed to a large volume of requests received by the Department and capacity challenges within the Access to Information and Privacy Division. The Department also does not have ATI-specific mandatory training in place, as is required by the Treasury Board Policy on Access to Information and its associated directive.
Although we found some areas for improvement relating to efficiency and effectiveness of the ATI process, we found that internal controls throughout the ATI process have been established and are functioning as intended.
Recommendations, Management Response and Action Plan
The Consultations and Communications Branch agrees with the conclusions and the recommendations of the report and would like to highlight the information outlined in the Benchmarking Analysis (Annex C), which shows that compared to others, the Department received a larger number of requests, responded to more requests, did so more efficiently (more files completed/FTE), and received the smallest proportion of complaints over a two-year period. It is also noteworthy that the internal controls throughout the process are functioning as intended.
The Branch will develop and implement a strategy to address the low compliance rate, and will work with the Department’s Learning and Recognition team to implement mandatory training for all Finance employees. The Branch will also strive to further increase its effectiveness, relying on the useful suggestions highlighted in the Areas of Consideration throughout the report.
Recommendations |
Management Response and Action Plan |
|---|---|
|
Management Response: Action Plan: Lead: Target Date: |
Recommendations |
Management Response and Action Plan |
|
Management Response: Action Plan:
Lead: Target Date:
|
Appendix A: Sampling Strategy
The internal audit team identified a population of 1890 access to information (ATI) requests received for the period of April 1, 2021, to October 31, 2023. The internal audit team removed all requests from the population that were either abandoned, redirected, or transferred to another government department, resulting in a population of 1805 ATI requests.
Round 1
In order to confirm that control points were established and functioning as intended, a random non-statistical sampling method was chosen, with a total of 10 files selected. The sample distribution is as follows:
| Stratification | |||||||
|---|---|---|---|---|---|---|---|
| Open ATI requests (on-time) |
Open ATI requests (late) | Closed ATI requests, records disclosed (on-time) | Closed ATI requests, records disclosed (late) | Closed ATI requests, no records disclosed (on-time) | Closed ATI requests, no records disclosed (late) | Total | |
| Population Count | 118 | 231 | 706 | 504 | 190 | 56 | 1805 |
| April 1, 2023, to October 31, 2023 | 118 | 41 | 172 | 20 | 45 | 2 | 398 |
| 2022-23 | 0 | 94 | 287 | 168 | 65 | 19 | 633 |
| 2021-22 | 0 | 96 | 247 | 316 | 80 | 35 | 774 |
| Sample Count | 0 | 2 | 3 | 3 | 1 | 1 | 10 |
Round 2
To get a better understanding of root causes that resulted in ATI requests not being completed within the legislative timelines, the internal audit team chose a non-statistical random sample of 44 files from the 504 files with the “Closed ATI requests, records disclosed (late)” stratification group (see table above). This round of testing focused on the root cause of late retrieval and the length of time that each step of the ATIP process took.
Round 3
To determine if post pandemic changes to the ATI process impacted its efficiency, and as requested by the audit client, the internal audit team expanded the parameters of its file review to include the additional 44 closed ATI requests for records that were disclosed late for fiscal year 2023-2024. The internal audit team agreed to randomly sample 13 of those ATI requests and redistributed one request from Round 2 to Round 3 to account for its closure after April 1, 2023.Footnote 1
Appendix B: File Testing Results
Round 1
Non-statistical random sample of 10 requests received between April 1, 2021, and October 31, 2023.
| Test Criteria | Transactions tested |
Files with issues |
Additional Information |
|---|---|---|---|
Request was tasked to the branch. |
10 |
0 |
N/A – no control weaknesses found |
Branch provided a response. |
9 |
0 |
N/A – no control weaknesses found |
Extension notice sent to applicant within 30 days of receiving the request. |
9 |
2 |
For two (2) files, the Department notified the requester that an extension was being taken outside of the legislated 30-day window. However, the delays were minimal, with one notice sent on day 32 and the other on day 33. |
Office of the Information Commissioner was copied on extension notices where the extension is over 30 days. |
6 |
1 |
For one (1) file, where an extension was taken over 30 days, the Department did not inform the Office of the Information Commissioner (OIC). However, when notifying the requester of the extension, the Department still provided details to the requester on how to make a complaint with the OIC. |
The Department’s Legal Services team reviewed all records containing exclusions based on Cabinet Confidence material. |
7 |
0 |
N/A – no control weaknesses found |
ATIP Manager approval received. |
9 |
0 |
N/A – no control weaknesses found |
ATIP Director approval received. |
7* |
0 |
N/A – no control weaknesses found |
Branch Head approval received. |
7* |
0 |
N/A – no control weaknesses found |
Consultations & Communications Branch Assessment completed. |
7* |
0 |
N/A – no control weaknesses found |
The Department responded to the requestor. |
9 |
0 |
N/A – no control weaknesses found |
*As of February 5, 2024, when the internal audit team completed the sample of 10 requests, one of the files was being reviewed by the ATIP Director and two of the files were non-disclosed request and required only the ATIP Manager approval.
Round 2
Non-statistical random sample of 44 requests where records were disclosed outside of legislated timelines, received between April 1, 2021, and March 31, 2023. Of the 44 requests, 39 obtained an extension past the 30-day period, but still did not meet the deadline.
The following table outlines results of the 44 files reviewed. The table is meant to provide an overview of the average length of time spent in each individual step of the process. Averages only apply to the files reviewed, and results cannot be extrapolated to the population as a whole.
| Process Step | Files reviewed | Average calendar days |
|---|---|---|
| Request submitted by requestor to branch tasking | 44 | 5 |
| Branch record retrieval | 44 | 43 |
| Internal Consultation | 10 | 97 |
| External Consultation (other government departments) | 12 | 117 |
| External Consultation (third party) | 6 | 94 |
| Legal services consultation | 11 | 12 |
| ATIP Analyst Review | 42 | 69 |
| ATIP Manager Review | 37 | 28 |
| ATIP Director Review and Approval | 43 | 40 |
| Branch Head approval | 43 | 9 |
| Communications Assessment | 43 | 17 |
| Records sent to requestor once all other steps complete | 44 | 14 |
Round 3
Non-statistical random sample of 13 requests where records were disclosed outside of legislated timelines, received between April 1, 2023, and February 28, 2024. Of the 13 requests, nine (9) obtained an extension past the 30-day period, but still did not meet the deadline.
The following table outlines results of the 13 files reviewed. The table is meant to provide an overview of the average length of time spent in each individual step of the process. Averages only apply to the files reviewed, and results cannot be extrapolated to the population as a whole.
| Process Step | Files reviewed | Average calendar days |
|---|---|---|
| Request submitted by requestor to branch tasking | 13 | 4 |
| Branch record retrieval | 13 | 36 |
| Internal Consultation | 4 | 34 |
| External Consultation (other government departments) | 2 | 51 |
| External Consultation (third party) | 1 | 67 |
| Legal services consultation | 5 | 22 |
| ATIP Analyst Review | 10 | 15 |
| ATIP Manager Review | 13 | 4 |
| ATIP Director Review and Approval | 13 | 14 |
| Branch Head approval | 13 | 5 |
| Communications Assessment | 13 | 5 |
| Records sent to requestor once all other steps complete | 13 | 3 |
Appendix C: Benchmarking Analysis
The internal audit team conducted a benchmarking exercise, by comparing the performance of the Department of Finance Canada against four other government departments that are similar in mandate. The benchmarking exercise was completed using publicly available information in each of the department’s Annual Report to Parliament on the Administration of the Access to Information Act.
On-time Compliance Rate Comparison
Volume of Requests Received
Volume of Requests Completed
Requests Completed per FTE
Complaints received by the Office of the Information Commissioner
Percentage of Complaints Received per Request Completed
Appendix D: Key Information Reviewed
The following is a non-exhaustive list of key information reviewed by the internal audit team:
Legislation, policies, and guidelines
- Access to Information Act
- Treasury Board (TB) Policy on Access to Information
- TB Directive on Access to Information Requests
Documents specific to the Department of Finance Canada
- Annual Report to Parliament on the Administration of the Access to Information Act (2022-2023, 2021-2022, 2020-2021)
- Access to Information and Privacy Division internal process documentation
- Branch-specific access to information process documentation
Other
- The State of Canada’s Access to Information System, Report of Standing Committee on Access to Information, Privacy and Ethics, June 2023
- Treasury Board Access to Information Review Report to Parliament, December 2022
- Office of the Information Commissioner – Final Reports on Decisions Rendered
Page details
- Date modified: