Department Audit Committee 2014 - 2015 Annual Report
Official title: Department Audit Committee (DAC) 2014 - 2015 Annual Report, for the period of: April 1, 2014 to March 31, 2015.
Message from the independent (external) committee members
The Departmental Audit Committee (DAC) is pleased to submit its Annual Report for 2014-2015, the seventh consecutive report for Employment and Social Development Canada (ESDC). We believe we have engaged the department on a number of significant issues, particularly in our focus areas of internal control, governance, and risk management. Several themes have continued from prior years, and new areas of interest have emerged.
ESDC is a large and very complex organization. Having a healthy, supportive, and open environment is important to ESDC’s efficiency and effectiveness, and ultimately to providing the taxpayer with value for money and critical services.
The leadership and tone from the top of open and respectful dialogue fostered by the Deputy Minister has created a very positive environment for the audit function, the DAC, senior management, the ESDC Deputy cadre, and ultimately the department. The DAC has worked well with departmental senior management, with a healthy dose of mutual respect, frank discussion, and varied perspectives. This adds to the strength of the internal audit function, and the value of our advice and thinking.
The audit function is assessed later in this report. It is worth noting in this opening message that the DAC has found the CAE and his staff responsive, professional, and very effective. We appreciate this support.
During the 2014-2015 year, we had the pleasure of conducting a site visit to observe and better understand ESDC operations. These site visits provide invaluable insight and perspective. Our site visit this year included guided tours of the Passport Canada Program Central Operations Centre as well as the National Emergency Operations Centre (NEOC), both located in Gatineau, QC. The DAC has engaged both of these subject areas during our meetings, and will continue to do so in the coming year.
During the year the DAC and the audit function had an increased focus on human resource management. With a large workforce of some 24,000 people, it is important to motivate, manage, and ensure ESDC is a workplace of choice. Human resource management also has clear synergies with values and ethics, recent initiatives on professional practices and how these practices relate to the protection of taxpayer information, and compliance with applicable legislation. As such it is integral to risk management and ultimately to service delivery.
In our report last year, we referred to ‘corporate coherence’. By this we mean having all parts of the large ESDC organization pulling in the same direction at the same time. This is a significant challenge. We also reported that management had implemented many successful governance improvements to ensure continued success in this regard. We are pleased that the new governance mechanisms, as well as the filling of vacant Associate Deputy positions, have solidified these gains.
The DAC invested a significant amount of time on corporate risk management, and notes the implementation of a new and very robust risk management mechanism. This serves management well, and we are satisfied that the audit plan aligns well with ESDC risk areas.
Information Management (IM)/Information Technology (IT) continues to be an area of significant interest. ESDC relies on a very complex and integral technology structure to deliver services. The DAC meets with the Chief Information Officer (CIO) at every meeting, and is updated on both risk areas and mitigations. Of particular note is the important relationship that ESDC has with Shared Services Canada (SSC), which provides key services to ESDC. The DAC will continue to be interested in how this relationship evolves and supports ESDC service delivery and modernization efforts.
As mentioned in previous reports, the DAC views compliance with the Financial Administration Act (FAA) as being a ‘bread and butter’ issue. We always ensure that there is an appropriate coverage of FAA compliance through the various audits.
This last year the Department and the Office of the Auditor General (OAG) implemented two new practices that we consider important improvements. The first is that the OAG has attended the DAC to discuss their Strategic Plan for future/potential ESDC audits. This has been helpful to ESDC, the DAC, and the OAG. The second practice is that our annual Technical Briefing to review and recommend the various financial statements and corresponding OAG financial audits, where the DAC meets with both ESDC management and the OAG, has been coordinated as a comprehensive one day event. This enables better oversight.
The DAC has had in camera meetings with the CFO, CAE, and Deputy Minister on a regular basis, and will begin an in camera session with the CIO in 2014-15. This has been most helpful in understanding departmental priorities, risks, and attendant mitigations.
As a reminder of our humanity, it is with great sadness that we acknowledge the passing of Jalynn Bennett, who had been a member of this committee since the inception of the committee in November 2008. Jalynn was always insightful and helpful, balancing wisdom and wit with great grace. She is greatly missed.
A new DAC member, Tim Wilson, joined the DAC in November 2014. Tim brings superior insight and business acumen to the DAC, and has immediately become a most effective contributor. The DAC looks forward to Tim’s perspectives and suggestions.
We would also like to thank our DAC Secretary, Christopher Tracey, who has supported the DAC with great aplomb and efficiency for the past five years. We wish him well in his new endeavours.
In concluding, the DAC is most appreciative of the excellent working relationship with and effective support from the Chief Audit Executive and his team. It has been our pleasure to work with this group.
There are many challenges in the year ahead, and we look forward to another fruitful year.
Section 1: Issues and observations
The 2014 – 2015 Employment and Social Development Canada (ESDC) Departmental Audit Committee (DAC) Annual Report was developed and prepared by the independent (external) committee members and is intended for the Deputy Minister (DM) in his role as Accounting Officer. Notwithstanding, we encourage management at all levels to review and consider the advice provided herein as the DAC has become an integral part of the ESDC governance regime and structure.
Our Annual Report allows us the opportunity to collectively present an overview/high-level summary of our activities, advice and recommendations provided to the Deputy Minister (DM) throughout fiscal year 2014-2015 and is based on the responsibilities bestowed upon us as a DAC as outlined in the Directive on Internal Auditing in the Government of Canada.
The Internal Audit (IA) function, as well as the department, conducted and completed a considerable amount of work which further supported our Risk Management and Management Control Framework and Reporting areas of responsibilities. The IA work that was completed was largely assurance based and continued to contribute to improved efficiencies and assisted in the mitigation of departmental risks. The IA function examined areas related to Privacy, Old Age Security (OAS), Planning and Risk Management, Compensation and Benefits, Integrity Practices, IT Security, IT General Computer Controls (ITGCs), and the compliance of the Canada Student Loans Program (CSLP) with Section 34 and Section 33 of the Financial Administration Act (FAA). A more complete overview of our observations, comments, and recommendations to the DM with respect to the Internal Audit Function can be found within Section 2.1: Assessment of the Internal Audit Function.
All of the internal audit findings and recommendations were accepted by senior management, with the minor exception of one recommendation pertaining to ITGCs (Application Controls). We believe that management’s agreement with internal audit recommendations, and their attention and dedication to clearly addressing and responding to findings and recommendations, is a reflection of both the strong relationship that the IA function has with its clients/auditees as well as the high-level of confidence that management has towards the function. It is evident that management welcomes the advice and guidance of the IA function and is fully supportive and cooperative during the audit process.
We have once again engaged with management on a variety of topics and have been privy to a broad range of briefings and presentations that have further increased our knowledge and appreciation of the department, namely in the areas of Information Management (IM), Information Technology (IT) (including IT Security and data-loss protection), Grants and Contributions (Gs&Cs) Modernization, Workforce Planning, Project Management, Policy on Internal Control (PIC) Implementation, and Employment Insurance (EI) Service Delivery Modernization. These briefings and discussions allowed us to bring additional attention and rigour to our Risk Management and Management Control Framework and Reporting areas of responsibilities and provide advice and recommendations to management as and where appropriate (highlighted and summarized in the table below).
NOTE:
As noted in previous DAC Annual Reports, and as illustrated in Annex B, our Management Control Framework and Reporting area of responsibility is overarching and is explicitly linked to our Risk Management area of responsibility. Management Control is an area that the DAC feels should be managed and assessed across the complete corporate spectrum, as an integrated whole. As such, Management Control is an embedded element in our discussions with senior management and in our advice and recommendations provided to the Deputy Minister.
DAC areas of responsibility: Risk management and management control framework
1 - Area of responsibility
DAC meeting date: May 27, 2014
Agenda item/subject: IM/IT 2014-15 Plan and Security Update
DAC advice/recommendations:
- The evolution and management of the department’s relationship with Shared Services Canada (SSC) was discussed and we stressed that horizontal collaboration with SSC on overarching issues and risk management are the perennial issues that need to be rigorously managed and monitored.
2 - Area of responsibility
DAC meeting date: May 27, 2014
Agenda item/subject: Grants and Contributions (Gs&Cs) Modernization
DAC advice/recommendations:
- We inquired and raised questions with respect to the future online delivery of Gs&Cs, specifically the integration of the various IT systems/platforms. This included cyber authentication as well as mitigating access and identity risks.
- We encouraged the department to continue to ensure the alignment and interconnectivity of Gs&Cs online service delivery with departmental identity and access management activities.
3 - Area of responsibility
DAC meeting date: November 25, 2014
Agenda item/subject: ESDC Workforce Planning
DAC advice/recommendations:
- While we were fully supportive of and welcomed the ESDC Workforce Management Planning presentation and the supporting five-year workforce action plan, we observed the considerable level of effort and work required to deliver the workforce action plan.
- As such, and in an organization as large and complex as ESDC, we recommended that the department focus on one or two strategies/priorities as a starting point and see to their fulfilment.
- We fully supported the integration of workforce planning within the department’s corporate planning and priority-setting exercises, recognizing that workforce planning will assist in mitigating and addressing the human resource management corporate risk.
- We further recognized the importance of data analytics and the availability of reliable and credible data (data integrity).
4 - Area of responsibility
DAC meeting date: November 25, 2014
Agenda item/subject: Project Management
DAC advice/recommendations:
- Significant improvements and continued progress have been achieved in improving investment planning and project management within ESDC, most notably in the areas of governance, tools, and capacity.
- In addition, and as a result of increased vertical and horizontal alignment, the department is also improving on investment planning via the established departmental priorities, which allows for focused attention on the projects of highest priority.
- As Project Management was also identified as a corporate risk for 2014-2015, specifically regarding planning and implementation of major projects in support of the department’s overall mandate, we recommended that management verbally report back to DAC regarding the status of project management within the department on an annual basis. The DM supported this recommendation and indicated that the annual project management update should include a progress report with respect to the maturity model and provide an update on the status of major projects/investments. Given the direct implication of and reliance on IT for many of the department’s major projects, the DM further suggested that the Chief Information Officer (CIO) be present for the annual project management update.
5 - Area of responsibility
DAC meeting date: November 24, 2015
Agenda item/subject: Update on the Policy on Internal Control (PIC)
DAC advice/recommendations:
- We commended management on the substantial amount of work and progress achieved to date and inquired as to any significant Design and/or Operating Effectiveness Testing (DE and OE) issues.
- We sought management’s level of confidence in having DE and OE testing completed by March 2016. While the CFO remained confident that the target date will be respected, meeting the deadline will be heavily dependent upon various business process owners implementing corrective and remedial actions in a timely manner.
- Given this reliance, the committee requested that the CFO report back as necessary in the event of any concerns, challenges or issues that may impede respecting the target implementation date.
6 - Area of responsibility
DAC meeting date: March 31, 2015
Agenda item/subject: Information Technology (IT) Security – Update
DAC advice/recommendations:
- We collectively inquired as to management’s comfort level with the progress achieved against the IT Security Program and Plan, observing that the support of numerous senior departmental officials and that of SSC is crucial to attaining continued progress and achievements.
- We were assured by the DM’s confidence that the department is on the right track in the areas of IT Security and data-loss prevention (protection of personal information).
7 - Area of responsibility
DAC meeting date: March 31, 2015
Agenda item/subject: Employment Insurance (EI) Service Delivery Modernization
DAC advice/recommendations:
- We received a comprehensive briefing regarding EI Service Delivery Modernization which encompasses the replacement of the core EI technology platform/application; a significant investment and undertaking in which a private-sector partner has been engaged to assist with the implementation strategy and risk mitigation.
- We complimented management on a thorough and well developed modernization/project plan and sought additional commentary from management regarding current challenges and any known future risks, additional challenges, or trade-offs moving forward. We were advised that governance and the department’s ability to invest remain and will continue to remain the primary challenges moving forward.
Major Themes For 2014-2015
Reflecting on the activities and operations of the committee throughout 2014-2015, our identified major themes from 2013-2014 remained present and a new theme emerged, in which we provided advice and recommendations to senior departmental officials and the DM as follows:
Information Management / Information Technology (IM/IT): ESDC continues to modernize the IM/IT function by making improvements to project management and ensuring that resources are and continue to be directed to the highest business priorities, specifically service and compliance. Senior management’s efforts in managing associated IM/IT risks and in ensuring the security and protection of personal information are commendable and merit mention. Once again, the DAC received regular IM/IT updates throughout 2014-2015 which demonstrated management’s commitment and responsiveness to the DAC’s ongoing interest in this area. The DAC’s ongoing attention has supported improved IM/IT governance and management, relationship management, and has assisted the department in developing a clearer and more precise understanding of its needs. To this end, the DAC feels that the department has been very responsive to our collective views, advice, and recommendations in this area.
Corporate Coherence: The committee reviewed many audit products that commented on the alignment of the various facets of ESDC. In other words, are all the various components of ESDC pulling and working together to achieve corporate alignment both horizontally and vertically? The DAC reviewed audit work in the areas of Privacy, Integrated Planning and Risk Management, Compensation and Benefits, Program Integrity, IT Security, and the Passport Program, all of which emphasized the need for focused corporate management to align the efforts of the various departmental components.
Risk Management: The department implemented a new and improved risk management process in 2013-2014 and continued this in 2014-15. The DAC reviewed and commented on the new process, which better linked risk management with business processes and with key senior departmental officials. The DAC commented on and requested stronger linkages between the new risk mitigation strategies and the identified risks, which was accomplished. It is our opinion that the new approach is a significant improvement in both identifying and mitigating risk.
Compliance and Control: The DAC requested regular updates on the improvements to controls over financial reporting. The DAC has also continued to clearly differentiate between controls over financial reporting and compliance with the Financial Administration Act (FAA). We have requested regular and ongoing briefings in these areas to support sound financial management. The department has implemented plans for improvement in both of these areas.
Human Resources (HR) Management: We brought additional attention to HR management and the availability and deployment of resources during 2014-2015. We reviewed the 2013-2014 Management Accountability Framework (MAF) Results and inquired as to how the results can be improved, specifically with respect to performance and talent management and succession planning (People Management). As a result of and in follow-up to our MAF discussion and observations, we received a targeted briefing pertaining to ESDC Workforce Planning and the supporting Workforce Action Plan. We were pleased to see that workforce planning will be integrated into the 2015-2016 Business Planning cycle/process; however, we recognized the considerable level of effort and work that is and will be required to deliver on the action plan commitments. We also engaged in a resource deployment discussion following the department’s response and mitigation efforts as a result of the Privacy Commissioner of Canada’s Special Report to Parliament regarding the Investigation into the loss of a hard drive at Employment and Social Development Canada. The DAC will continue to have an interest in these areas as part of the broader human resources strategy. Having emerged from various program review exercises, there will be continued efforts in staff development and longer-term staff capacity.
In sum, the DAC has had considerable influence, and the department has responded, in the areas of human resources, risk management, compliance, control, and governance.
Section 2: Specific focus of committee activities
The ESDC DAC convened four (4) in-person regular meetings throughout the 2014-2015 fiscal year as follows:
- May 27, 2014;
- August 26, 2014 (2013-2014 Annual Technical Briefing);
- November 25, 2014; and
- March 31, 2015.
In addition to our regular in-person meetings, the committee also convened two (2) conference calls as follows:
- April 17, 2015: to review, discuss, and provide preliminary comments on the draft 2014-2017 Risk-based Internal Audit Plan prior to tabling at our May 27, 2015 meeting; and
- September 5, 2014: to review and comment on the 2013-2014 Departmental Performance Report (DPR).
A more detailed breakdown of our specific committee business and operations (agenda items and briefings) throughout 2014-2015 can be found within Annex B, which depicts, illustrates, and links our work to our respective areas of responsibility. The efforts of the department and the CAE and staff are to be commended for appropriately addressing our key areas of responsibility.
Beyond our key areas of responsibility, as part of last year’s Annual Report, we utilized our major themes identified for 2013-2014 as our established ongoing areas of interest/focus for 2014-2015. These areas included:
Information Management (IM) / Information Technology (IT): Continued focus and attention on IM/IT risks and risk mitigation strategies, as well as the ongoing work with respect to protecting and securing personal information.
Corporate Coherence: Continue to pursue efforts and provide advice and guidance to the Deputy Minister (DM) and senior management with respect to the importance and necessity of horizontal and vertical alignment to improve corporate governance and risk management and mitigation strategies/measures.
Risk Management, Compliance and Control: Increased attention to our Risk Management and Management Control Framework and Reporting areas of responsibility, given the inherent linkages and interconnectivity of these areas.
Continuously question and challenge the department, as necessary and where required, with respect to risk, risk management, management control frameworks, and compliance and controls. This will ultimately assist the DAC in providing valuable and explicit advice to the DM.
The committee was of the opinion that by maintaining and carrying forward these major themes into 2014-2015, we would be able to build upon our advice previously provided to the DM and also present a more holistic and comprehensive overview as part of this annual report. Our comments and overall opinion pertaining to our identified areas of ongoing interest/focus, as well as the commitment of senior management to these areas, can be found within Section 2.9: 2014-2015 Areas of Ongoing Interest/Focus.
In order to effectively perform our role as external advisors and as a strategic resource to the DM, the organization’s mission, objectives, priorities and risk profile must be at the forefront of our committee business. As stipulated in the 2014-2015 Report on Plans and Priorities (RPP), the mission of ESDC is to build a stronger and more competitive Canada, to support Canadians in making choices that help them live productive and rewarding lives and to improve Canadians' quality of life. The Department delivers a range of programs and services that affect Canadians throughout their lives through three business lines:
- Employment and Social Development;
- Labour Program; and
- Service Canada.
ESDC Objectives and Priorities
The 2014-2015 RPP identified the department’s organization priorities as follows:
- Business transformation and modernization of core business;
- Improving policies and programs; and
- Building a high-performing organization.
ESDC Risk Profile
The 2014-2015 RPP identified the department’s risk profile as follows:
- Project management;
- Privacy/security;
- Information technology infrastructure renewal and business continuity; and
- Human resource management.
Again this year, senior management is to be commended for their ongoing commitment to continuously striving to attain and deliver on the established departmental objectives and priorities. The continuation of the established 2013-2014 organizational priorities through and into 2014-2015 allowed for continued progress of the department’s transformation and modernization agenda. During our committee proceedings, it became evident that senior management embedded departmental objectives and priorities within their business lines and operations by aligning modernization and transformation activities accordingly.
From our unique and external perspective, and in consideration of our established areas of responsibility, we feel that several elements of our committee proceedings aligned well with ESDC’s 2014-2015 organization priorities and risk profile. We were privy to targeted briefings regarding Information Technology (IT) on several occasions, as well as identity management, integrity matters, and IT security. We also engaged in Project Management and Workforce Planning discussions. The internal audit function directly contributed to assisting the department with addressing the 2014-2015 risks by conducting and completing specific audit projects in the areas of Privacy and IT. A more comprehensive overview of these specific audit projects and the work of the internal audit function can be found within Section 2.1: Assessment of the Internal Audit Function.
In addition to our review of the 2013-2014 DPR, we were briefed on the 2014-2015 Corporate Risk Profile (CRP), the 2014-2019 Departmental Evaluation Plan (DEP) and the corresponding Report on the State of Performance Measurement in support of Evaluation. While the department proactively engages the DAC during the development of and prior to the finalization of the RPP for the upcoming fiscal year, the passing of our colleague, Ms. Jalynn Bennett, occurred at the time when we would have convened a conference call to review and discuss the RPP. When we do not have the opportunity to review the RPP prior to its submission to Treasury Board (TB), the department still very much welcomes and appreciates our comments, advice and recommendations which are taken into consideration at the onset of the development of future year RPPs. As such, we were provided with a copy of the 2015-2016 RPP for information, review and comments as necessary.
2.1 Assessment of the Internal Audit Function
The internal audit (IA) function at ESDC resides within the Internal Audit Service Branch (IASB) and is under the leadership and direction of the Chief Audit Executive (CAE), who reports directly to the DM. This direct reporting relationship ensures the independence of the IA function.
The IASB completed a total of seventeen (17) internal audit engagements throughout 2014-2015, a slight decrease from, but nonetheless consistent with, the previous year. This demonstrates that the function has maintained appropriate resources and capacity to deliver on its planned audit engagements. The internal audit projects, each with a supporting management action plan (MAP), that were approved by the DM following the recommendation of the DAC were as follows, by DAC meeting date:
May 27, 2014:
- Audit of the Implementation of the Aboriginal Skills and Employment Training Strategy (ASETS)
- Audit of the Implementation of Program-Led Privacy Action Plans
- Audit of Employment Insurance Phase III – Payment and Claim Maintenance
- Audit of Automatic Enrolment for an Old Age Security Pension Phase 1B
- Audit of Integrated Planning and Risk Management
November 25, 2014:
- Audit of Compensation and Benefits
- Auditability Assessment of Identity Management Practices
- Audit of the Canada Student Loans Program - Sections 34 and 33 of the Financial Administration Act (FAA)
- Audit of Program Integrity Practices
- Preliminary Survey of the Delivery of Passport Services
- Audit of the Departmental Information System and Technology Controls Phase I – Application Controls
- Audit of the Consolidated Statement of Administrative Costs Charged to the Canada Pension Plan (CPP) Account by ESDC, March 31, 2014
March 31, 2015:
- Audit of the Implementation of Delegation of Authority within SAP
- Audit of Account Verification Quality Assurance Processes
- Audit of Personal Information Management for Policy Analysis, Research and Evaluation (PARE)
- ESDC Passport Program – Internal Controls Design Effectiveness Testing
- Audit of Information Technology Security Over Portable Digital Media
With respect to the aforementioned audit projects, the revised Audit of the Implementation of the Aboriginal Skills and Employment Training Strategy (ASETS) returned to the committee for review and recommendation following our advice and recommendations to management and the DM during our February 4, 2014 meeting. The revisions to the audit report and supporting MAP are just one example as to how the DAC assisted management and the DM by providing expert advice to reflect the balance of complying with controls and the risks and complexities associated with the various client groups. We equally appreciated that our recommendation to perform follow-up audit work within the next six (6) to twelve (12) months, to provide additional assurance to the committee and senior management on the state and status of the ASETS program, was reflected in the 2015-2017 Risk-based Internal Audit Plan (RBAP).
By employing our unique and external perspective when reviewing the various 2014-2015 audit projects, we continued to recommend and provide useful advice to management. Collectively, the committee recognizes that clarity and context are becoming of utmost importance within audit reports. As such, on several occasions, we requested that additional context and clarity be provided by management and by IASB. Of particular mention was our request to embed ‘Management Commentary’ within the Auditability Assessment of Identity Management (IdM) Practices to contextualize the ongoing IdM work, the risk mitigation strategies, and the overall harmonized and enterprise-wide approach being employed within the various programs. Furthermore, and in consideration of our Follow-Up on Management Action Plans area of responsibility, we have made suggestions to management to outline interim risk mitigation measures when responding to audit recommendations via Management Responses, specifically when planned/target implementation dates are a year or more into the future. The Audits of the Implementation of Delegation of Authority within SAP and of Account Verification Quality Assurance Processes are examples where we made said suggestions. We feel that this is an important precision which will aid in managing and mitigating identified risks and providing additional assurance to management and the DM.
A notable highlight among the audit projects reviewed was the confidence displayed by the internal audit function when reporting the results of the Audit of Automatic Enrolment for an Old Age Security Pension Phase 1B. Internal Audit issued no recommendations to management as a result of the audit, and we felt that this was a noteworthy matter. Another was our support and endorsement of management’s disagreement with an audit recommendation arising from the Audit of the Departmental Information System and Technology Controls Phase I – Application Controls. Although management disagreed with internal audit’s recommendation, we concurred with the horizontal and enterprise-wide approach proposed by management in response to the recommendation, while acknowledging the importance of the recommendation.
We reviewed and were consulted on a revised and updated Internal Audit (IA) Charter as part of our May 2014 proceedings. We recommended a minor revision to the IA Charter to demonstrate and reflect the unique challenge function we provide as a committee. As a standard practice, the IA Charter is tabled annually for review by the committee.
The IASB operated under a new organizational structure in 2014-2015 whereby directorates within the branch were amalgamated and reporting relationships were streamlined. We were previously consulted on the re-organization and were supportive of the streamlined changes to the branch. The completion of seventeen (17) internal audit engagements demonstrates that the function continues to be sufficiently resourced to deliver on planned engagements and respond to management requests as and when necessary. We do however encourage the CAE and the IASB senior management team to continue recruitment and retention as well as succession planning efforts to ensure the continued success and professionalism of the function. This is increasingly important, and a necessity that is heightened, in a time of fiscal and resource restraint.
Throughout 2014-2015 we reviewed and approved the 2014-2017 RBAP as well as the 2015-2017 RBAP. By having had the opportunity to review and approve two RBAPs, we have been able to see the evolution of the internal audit function as well as the increased sophistication of the planning and development of the audit plans. We have witnessed continued horizontal alignment to risk and risk management as well as an increased focus on horizontality and alignment of audit projects to departmental priorities and objectives. Collectively, and following a recommendation by the CAE, we supported and endorsed the movement towards a two-year RBAP, recognizing the evergreen nature of planned audit activities and the requirement to bring additional focus and attention to planned audit engagements. Naturally, we questioned and probed the CAE regarding any potential policy and compliance requirements when removing year three from the 2015-2017 and future RBAPs. We were happy to be informed that a two-year audit plan respects policy requirements and welcomed the addition of the Advisory Services & Further Business Intelligence Analysis section of the 2015-2017 RBAP which assists in visualizing future planned audit engagements as well as the ongoing commitment of internal audit to continuously monitor and evaluate risks.
The CAE and senior IASB management continued to regularly report against progress in implementing the 2014-2017 RBAP. Internal Audit Project Status Reports continue to be a standing discussion item at all of our meetings and assist us in monitoring and overseeing the work of the IA function. These regular updates also permitted the committee to note any pertinent changes to the departmental risk environment as well as to engage in discussions pertaining to new or emerging risks and/or the addition, cancellation, or amalgamation of audit projects that were previously planned. Our regular RBAP reviews and updates further allowed the DAC to ensure that audit resources are and will continue to remain sufficient. We appreciate the CAE and senior IASB management’s effort to provide regular and ongoing status updates to the committee against progress in implementing the planned audit engagements; however, we feel that a more ‘visual depiction’ of progress would be beneficial. We therefore encourage the CAE to visually depict progress of planned audit engagements moving forward. This could include incorporating graphical representation of the status and progress of planned engagements as well as additional background information on planned projects. Elements of the newly developed and approved 2015-2017 RBAP could be leveraged to assist in visually reporting the status of internal audit projects.
Similar to our previous year report, we continue to be of the opinion that the performance of the IA function within ESDC (a large, complex, and challenging environment), is successful and that audit coverage is comprehensive. Completed audit projects as well as the multi-year RBAPs have had high-value impact within the department. Significant assurance work was completed and provided value-added recommendations in the areas of privacy, planning, risk management, IT (including integrity and identity management), and the delivery of passport services/operations. The work of the internal audit function continues to align with and supports the management and mitigation of the identified corporate risks. This is largely demonstrated by the evolution and horizontal alignment of the planning and development of the risk-based internal audit plan (RBAP).
As we move forward into 2015-2016, we collectively welcome additional briefings and discussions pertaining to the monitoring and assessment of the performance of the internal audit function. Having had the opportunity to review the 2011 External Practice Inspection results, and in anticipation and preparation of the 2016 External Practice Inspection, we would appreciate additional discussions and the presentation of results regarding the IASB Quality Assurance and Improvement Program (QAIP). We believe that the DAC could benefit from receiving said briefings and updates with respect to the results of post-audit surveys and quality assurance reports and contribute to the overall improvement of the IA function by providing valuable and insightful recommendations. We equally welcome further discussions regarding the IASB Performance Measurement Framework (PMF) which will greatly assist the IA function with ongoing monitoring and annual self-assessments. We are nonetheless confident that the IA function remains compliant with professional audit standards and that the independence of the function is maintained.
While the IA function continues to meet our expectations, we have no specific recommendations for the DM regarding the audit function. We continue to appreciate the high degree of professionalism of the CAE and his staff. We would however like to reiterate that we encourage continued and additional efforts in the areas of recruitment and retention, as well as succession planning for audit resources. We look forward to being engaged in ongoing and regular performance discussions and will continue to monitor the resource levels of the function in order for it to continue to be successful.
2.2 Follow-Up on Management Action Plans (MAPs)
In the past year, the CAE tabled the results of the MAP follow-up exercise to the committee, for discussion and information, on three separate occasions. These presentations provided the committee with valuable, and much needed information on the department’s existing exposures identified in Internal and External audit reports and the strategies management will put in place to mitigate them.
In particular, at the November 25, 2014, meeting, the CAE tabled the results of the June 2014 Internal and External MAP exercise. This exercise was comprehensive in nature and consisted of two-hundred and fourteen (214) internal and external recommendations. The analysis conducted demonstrated that one-hundred and twenty-six (126) recommendations were assessed as ‘Fully Implemented’. The remaining eighty-eight (88) recommendations were determined to be either ‘Obsolete’, ‘On Schedule’, ‘Late and Requires Attention’, or ‘Late with Concerns’.
Following the presentation and our review of the results of the Internal and External MAP follow-up exercises, we observed a high number of 'Late' audit recommendations and expressed concerns regarding the timely implementation of recommendations and the potential reputational risk that the department may be exposed to by these extended delays and/or further delays in implementation. While we were cognisant that several recommendations were dependent on enterprise-wide IT solutions and collaboration with Shared Services Canada (SSC), we recommended that the CAE perform additional follow-up work to contextualize these delays as well as provide an assessment of the risks and associated mitigation strategies.
As per our request, on March 31, 2015, the CAE tabled the results of IASB's additional follow-up work on our aforementioned concerns. As part of this process, IASB assessed internal/external audit recommendations that have been outstanding for a period of three years (i.e., eleven recommendations) and internal/external audit recommendations that had a target completion date of September 2014 to December 2014 (i.e., forty-seven recommendations). The results of this additional follow-up work were positive and indicate that:
- All the recommendations that have been outstanding for a period of three years or more have been adequately implemented;
- Of the recommendations that had a target completion date of September 2014 to December 2014, twenty-five (25) have been assessed as ‘Fully Implemented’. The remaining twenty-one (21) recommendations were either delayed because of external organizations dependencies or their target completion dates have been revised. All twenty-one recommendations were assessed as having a low risk exposure to the department.
In addition, the CAE also conducted a validation exercise, using a risk-based approach, to determine if the completed management actions addressed the issues identified in their respective internal audit reports and whether residual risks, if any, were identified and accepted by senior management. The results were tabled for discussion and information at our March 31, 2015, meeting. We were satisfied with the results of the validation exercise and are pleased to see the progression in implementing audit recommendations and maintaining appropriate and supportive audit evidence.
Our Follow-Up on MAPs area of responsibility was adequately and appropriately addressed during fiscal year 2014-2015. Our only recommendation to further assist the DM in monitoring, assessing, and mitigating risks is for the CAE and senior departmental management to appropriately contextualize the likelihood of a risk event occurring when implementation of a recommendation is outside the control of the department and is dependent on an external entity. This should also include the capturing of interim departmental risk mitigation measures that are being, can be, or could be taken. We continue to be impressed by the department’s understanding of the importance of maintaining sufficient and appropriate documentation on file to support a ‘Fully Implemented’ self-assessment and senior management’s commitment and attention to the successful implementation of internal and external audit recommendations.
2.3 Values and Ethics (V&E)
The DAC approached values and ethics through the lens of protection of personal and taxpayer information. The audit work in these areas dealt with the professional practices, and ethics, required to meet appropriate standards of care. It is evident that the department embraces and fosters a culture where V&E is at the heart of the organization. We continue to be of the opinion that the ESDC Code of Conduct (the Code) is first in class and extend our compliments to senior management for their time and commitment to regularly engaging and discussing the Code and related V&E matters and issues with employees. This demonstrates the underlying devotion of senior management to V&E. This devotion was further evidenced by the ‘Acceptable’ rating achieved as part of the 2013-2014 Management Accountability Framework (MAF) results (tabled for discussion and information at our May 2014 meeting).
We engaged in comprehensive discussions pertaining to Workforce Planning and Project Management during our November 25, 2014, meeting and believe that these discussions directly contributed to our V&E area of responsibility. ESDC is continuing to modernize and transform the way services are provided and delivered, and this necessitates effectively managing change; more specifically, culture change. By continuously approaching change management and culture change issues with an appropriate V&E lens, the department will be able to capitalize on the appetite for change and the willingness of employees to drive change, and contribute to the department's priority of building a high performing organization. Our Project Management discussion included management's observations and perspectives on the change and culture challenges of moving forward with the implementation of the Project Management Information System (PMIS). We encouraged management to adhere to the guidelines of professional conduct expected of all ESDC employees as established within the Code as well as within the Values and Ethics Code for the Public Sector, as these guidelines can greatly assist with change and culture challenges.
Furthermore, we understand that as a result of the Audit of the Implementation of the Code of Conduct (completed in November 2013), a monitoring framework and a three-year V&E vision have been developed and that work has commenced to collect data and produce statistics to appropriately report and communicate V&E issues/breaches to management. We welcome future discussions pertaining to these matters and look forward to receiving the multi-year departmental Workforce Management Strategy in 2015-2016. We believe that by discussing the V&E monitoring framework and the V&E vision, and by applying a V&E perspective to the multi-year workforce strategy, we will be able to provide additional insight and recommendations to management which will further contribute to our V&E area of responsibility.
2.4 Risk Management
We were provided with a comprehensive overview of the 2014-2015 Corporate Risk Profile (CRP) during our November 2014 meeting and engaged in a thorough discussion with management regarding the identified corporate risks facing the department. The new approach to the governance and accountability for corporate risks that was established for the 2013-2014 fiscal year continued to be utilized for the 2014-2015 fiscal year, whereby risks and related mitigation strategies were monitored and governed by the appropriate portfolio governance committees via responsible senior branch officials. This approach continues to sufficiently and directly link risk identification, management, and mitigation within and to the ESDC governance structure and promotes and assists in the horizontal management and alignment of corporate risks. A total of twenty-one (21) risk categories were identified by the department, five (5) of which have been assessed as high-risk categories.
We suggested to management the possibility of aggregating and/or further condensing the twenty-one (21) risk categories, but were satisfied that the department had appropriately captured the risks of immediate and potential concern. Furthermore, the department continues to discuss the possibility of aggregating the identified corporate risks, but is cognisant that any additional aggregation may result in losing the 'spirit' of the risk and reduce employee connection and relation to the departmental risks. We encourage the department to be continuously aware of external risk factors (political, socioeconomic, and environmental) that could have an impact on the department. In addition, we advised management that consideration should be given to raising the risk level of Service Delivery from medium-risk to high-risk.
In addition to internal risks and to our advice and recommendations outlined in Section 1 with respect to Risk Management, we were briefed by senior Office of the Auditor General (OAG) officials during our March 31, 2015, meeting in support of the development of their multi-year Strategic Audit Plan for ESDC. The OAG met with a variety of key senior program and departmental officials to reassess the risks facing the department (previously identified in their 2010 One-Pass Plan) and informed us of the current and new risk assessment of the department as a result of their recent consultations. We greatly benefited from this discussion with the OAG and appreciated the OAG's openness and willingness to discuss the developments of their Strategic Audit Plan. We capitalized on this opportunity to inform the OAG that, from our perspective, capacity issues in the areas of IM/IT as well as workforce management remain areas of concern. We further noted that we had been briefed on and were presented with audit results pertaining to integrity, identity management, and FAA compliance matters and highlighted these areas and the associated risks.
The Privacy Commissioner of Canada tabled a Special Report to Parliament in March 2014 regarding her Investigation into the loss of a hard drive at Employment and Social Development Canada. The external hard drive contained the personal information of 583,000 Canada student loan borrowers, and 250 ESDC employees. The report's findings and recommendations were openly shared and discussed with us during our May 2014 meeting. The breadth and depth of the department's response in light of this extensive privacy and information breach, including the level of effort and resource deployment, was comprehensive and ESDC merits our compliments for their efforts in implementing corrective actions and mitigation measures. This incident however served as a prominent reminder that "the department needs to continually be aware of the personal information and assets it holds, and their associated sensitivity and criticality." It further underscored the need to embed and integrate robust and effective personal information protection and IT controls, as well as asset risk management and mitigation measures, within departmental functions. Although the incident of the lost hard drive was politically sensitive and received much media attention, we are confident in the department's response and actions as a result of the loss and believe that an improved risk management regime now exists should a similar incident ever occur. We encouraged ESDC to share lessons learned and best practices as a result of this incident with other government departments that wish to adopt the employed approach, given the sophistication and completeness of the risk mitigation strategies.
The Audit of Integrated Planning and Risk Management conducted by the IASB further contributed to our Risk Management area of responsibility and provided a specific recommendation to senior management on the need to develop a common department-wide planning process, building upon and leveraging the good foundation that currently exists. In addition, the audit also recommended that the responsible enabling services senior officials develop a protocol for these services to be integrated into each branch’s business planning cycle to facilitate a greater understanding of the Department’s core business. We were fully supportive of the audit, the recommendation, and the supporting MAP, which will enable further corporate integration and alignment of risks and risk management throughout the department.
Our recommendation from last fiscal year continues to be relevant and applicable for this fiscal year. We recommend that senior ESDC departmental officials continue toward holistic corporate management of risks. We further encourage the department to build upon and improve the means, methods, and processes in place to identify, manage, mitigate and address risks. We have also observed the movement toward enterprise-wide business and IT solutions and believe that risks will be further mitigated by employing such measures.
2.5 Management Control Framework and Reporting
In addition to our advice and recommendations outlined in Section 1 with respect to Management Control Framework, we once again would like to reiterate that Management Control is an area that we feel should not be viewed in a silo; rather, it should be viewed corporately and holistically. Appropriate management control considerations should be embedded and coordinated across all areas of the department, as a means of encouraging and supporting corporate coherence.
We believe that ESDC has invested a significant amount of time and resources to further align, both horizontally and vertically, departmental planning and reporting efforts. These efforts have not gone unnoticed as we have witnessed the integration and unity throughout key departmental reports; namely the RPP, DPR, and the CRP. This integration has also been applied to the developmental process of multi-year RBAPs and Evaluation Plans.
We were provided with a detailed update on the progress achieved in implementing the requirements of the Treasury Board (TB) Policy on Internal Control (PIC) at our November 2014 meeting. We were pleased that no major control weaknesses have been discovered or reported to date. We do however acknowledge that in a large and complex department like ESDC, coupled with fiscal and resource restraints, continuous PIC monitoring and reporting will prove to be challenging. We have encouraged management to employ a risk-based approach to satisfy departmental responsibilities in this regard. We are also cognisant that the successful implementation of the PIC is not a stand-alone responsibility; it requires the cooperation and support of numerous business process owners as well as their commitment to address corrective and remedial actions in a timely manner. As such, we have requested and recommended that the Chief Financial Officer (CFO) keep the committee abreast of any concerns, challenges or issues that may impede the successful implementation of the PIC.
We once again met with senior OAG and ESDC officials in August 2014 as part of our annual Technical Briefing to review the complete suite of financial statements and the related control frameworks associated with financial reporting and the FAA. We continued to query areas where controls should be improved, and requested appropriate explanations from the OAG and management when necessary. Additional advice and recommendations that we provided regarding the control framework for financial reporting and FAA can be found within Section 2.7: Financial Statements and Public Accounts Reporting.
The work of the internal audit function examined and analyzed several elements of the ESDC control framework. Notable control frameworks in which the internal audit function provided assurance included, but were not limited to, the implementation of the Aboriginal Skills and Employment Training Strategy (ASETS), the adequacy of the maintenance of Employment Insurance (EI) claims, including the authorization and payment of benefits, the investigation management framework and the consistency of investigation practices, and the processes and controls related to ESDC responsibilities for the Passport Program. Overall, internal audit provided assurance that the aforementioned controls and processes were adequate and are operating as intended; however, opportunities for improvement were noted and recommendations were issued, which we supported and believe will further enhance and strengthen the robustness of the current control frameworks in place. Senior Management accepted the recommendations issued and developed comprehensive supporting MAPs in response to the recommendations. This is a clear indication to the committee that ongoing improvement and refinements to departmental management control framework matters are taken seriously by senior management. This also demonstrates senior management’s ongoing attention and commitment to continuous improvement.
Work in support of Information Technology General Computer Controls (ITGCs), in particular application controls, was completed by the IASB, and the OAG followed up on previous ITGC management letters issued as part of their 2011-2012 financial audit of the Employment Insurance (EI) Operating Account and their 2012-2013 financial audit of the Canada Pension Plan (CPP) account. Assessing the ITGCs and application controls is an integral part of the PIC framework and the overall management control framework of the department. This internal and external follow-up work was timely, as IT infrastructure and services are a necessity for the department to continue with modernization and transformation efforts, thus increasing the need for a robust automated IT control environment. A thematic and horizontal/enterprise-wide approach to addressing the findings and recommendations was employed by the department to promote consistency and alignment. This approach will also assist both the department and Shared Services Canada (SSC) in implementing corrective actions, specifically with respect to security monitoring and access controls.
The Department’s Internal Control Framework continues to be effective, and with the support of senior management, opportunities for further enhancements and continuous improvement are accepted and addressed as necessary. The department is continuing efforts to complete their first full risk-based assessments of internal controls over financial reporting (ICFR), including identifying and addressing gaps and weaknesses in internal controls by March 31, 2016. As the initial assessment for each key process is completed, a corresponding risk-based program for continuous monitoring of the internal controls over financial reporting will be implemented.
As this work continues, we feel that a reiteration of our Overall Assessment of HRSDC's Risk Management, Controls, and Accountability Processes (as outlined in Section 2.3 of our 2011-2012 Annual Report) summarizes our overall recommendation and advice to the DM and senior management for 2014-2015, specifically as the department continues to transform, modernize, and implement new ways of doing business:
“Rigour and vigilance become even more essential to ensure that risk is adequately managed and that appropriate mitigation strategies are in place, that controls are relevant and effective (and not burdensome), and that governance and accountabilities are well defined and respected.”
We have observed and witnessed considerable effort on the part of the senior management in improving and advancing the Department’s Internal Control Framework and the implementation strategy for Internal Controls.
2.6 External Assurance Providers
Throughout 2014-2015, we continued to be regularly briefed and updated on the status of external audit activity implicating/impacting the department. Regular external audit status reports remained as a standing discussion item at all of our meetings, and assisted us in the monitoring of and inquiring about the work of the various external providers.
As previously mentioned (refer to Section 2.4: Risk Management), the Privacy Commissioner of Canada (PCC) tabled a Special Report to Parliament in March 2014 regarding her Investigation into the loss of a hard drive at Employment and Social Development Canada. We reviewed the Commissioner’s report with senior management during our May 2014 meeting, and complimented the department for their ability to rapidly respond to this incident and implement significant risk mitigation measures as a result. We recommended that the department share lessons learned and best practices with other government departments and agencies given the comprehensiveness of the supporting MAP. In addition, as the Commissioner’s Special Report referenced the delay in notifying affected individuals of the incident, we further recommended that the department implement a targeted mechanism which would be readily available to reach out and contact affected individuals should another similar incident occur in the future. This would demonstrate a proactive, as opposed to reactive, approach and allow the department to confirm the extent of potential risks directly with the affected individuals, clients, and/or employees.
The Public Service Commission tabled the results of their Audit of Employment and Social Development Canada in October 2014, which focused mainly on the department's delegated staffing authorities to ensure that appointments are made in accordance with legislative, regulatory and policy requirements. We were briefed on and reviewed the report and supporting MAP, as well as the departmental response, as part of our November 2014 meeting. We inquired why not all conditions of appointment were specified and were pleased to be informed that management is confident that it can take steps to address this matter by improving internal communications, tools, and templates. We complimented the department on positive audit results, noting the high compliance rate attained.
The Auditor General (AG) of Canada tabled his Fall 2014 Report on the morning of November 25, 2014, which coincided with our November 2014 meeting. A third-party reference to ESDC was included in the AG’s Fall 2015 Report within Chapter 7—Documentary Heritage of the Government of Canada—Library and Archives Canada. A copy of the final audit report was provided to the committee for information and reference, and management advised us that the OAG accepted all of the department’s suggested revisions to ensure the factual accuracy of the third-party reference.
We were briefed by senior OAG officials during our March 31, 2015, meeting regarding the development of their Multi-Year Strategic Audit Plan for ESDC (refer to Section 2.4: Risk Management). We continue to regularly engage with the OAG during committee proceedings to further improve working relationships and to discuss matters of mutual interest. Furthermore, our Annual Technical Briefing to review the various financial statements and corresponding OAG financial audit results is now embedded within both ESDC and OAG planning processes.
The OAG issued Management Letters following the conclusion of their annual 2013-2014 financial audits of the ESDC Public Accounts (PA), the Government Annuities Account (GAA), and the EI Operating Account. We reviewed the Management Letters with the appropriate senior officials and supported the corresponding MAPs in response to the observations and recommendations. While minor Section 34 and Section 33 non-compliance issues were noted by the OAG, we remain confident that the department will implement the necessary and required automated controls within SAP, the new departmental financial system, to address these matters of compliance. Compliance with the FAA has been and will remain one of our “bread and butter” responsibilities; one which we ensure receives ample visibility and is allotted sufficient time for discussion and deliberation.
We recognize that risks are inherent and varied in a large and complex organization like ESDC, and therefore the department is often considered and included in external audit entity projects. Notwithstanding the various mandates of the external audit entities, we would recommend that an appropriate challenge function be employed at the onset of external audit engagements to ensure that the planned external work is necessary, will bring additional and long-term added value, and will result in meaningful/useful recommendations. As an external advisory body to the DM, we will assist as necessary by employing our unique challenge function in this regard.
2.7 Financial Statements and Public Accounts Reporting
Again this year, the Quarterly Financial Reports (QFR) for Q1, Q2, and Q3 were tabled with the committee for review and discussion. The CFO continued to provide comprehensive overviews of the quarterly reports and we continue to appreciate and welcome these presentations as it allows us to actively be informed and involved in any financial matters of concern or that require attention. We have recommended that the CFO capitalize on the opportunity to advise and inform us of any notable seasonal or cyclical patterns and highlight significant material differences from one quarter to the next to facilitate and improve our discussions.
Last year, we were instrumental in arranging a full-day, all-inclusive Annual Technical Briefing. Our first all-inclusive Technical Briefing occurred on August 26, 2014, and allowed us the opportunity to review and discuss the following Financial Statements (F/S) in detail with the responsible senior departmental officials during our morning proceedings:
- 2013-2014 Departmental Consolidated F/S (Unaudited);
- 2013-2014 EI Operating Account F/S;
- 2013-2014 CPP Account F/S;
- 2013-2014 GAA F/S; and
- 2013-2014 ESDC portion of the PA of Canada.
In addition, the responsible senior OAG officials joined our Technical Briefing proceedings in the afternoon and reviewed and presented the results and findings of their four (4) annual financial audits to the committee and senior management as follows:
- 2013-2014 ESDC PA – Presentation to Management;
- 2013-2014 EI Operating Account – Report to Signatories;
- 2013-2014 GAA – Presentation to Management; and
- 2013-2014 CPP Account – Report to Signatories.
We also had the opportunity to arrange in-camera sessions with the responsible OAG audit principals. Similar to last year, the Departmental Consolidated F/S were not subject to an independent, third-party review. While we continued to support management’s decision to forgo this practice, we encourage and recommend that consideration be given to reinstating this independent review in the future. The implementation of SAP, the new departmental financial system, improves many departmental controls and increases efficiency, but also brings new risks to the way financial transactions are recorded, processed, and treated. An independent review of the Departmental Consolidated F/S could further assist the department in strengthening automated financial controls and business workflows accordingly.
The Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting was presented and reviewed in conjunction with the 2013-2014 Departmental Consolidated F/S. We continued to observe the significant amount of work that has been completed with respect to the design effectiveness testing for the existing scheduled business processes and were pleased to be informed that EI and CPP design effectiveness testing was nearing completion. In addition, significant progress also continues to be made towards the operating effectiveness testing of key controls. As ESDC is expected to complete the first full risk-based assessment of its system of internal control over financial reporting (ICFR) by the end of 2015-16, we recommend that briefings and presentations continue to be brought forward to the DAC with respect to ICFR and the results of the various design and operating effectiveness reviews of the business processes. We have been privy to PIC Updates and discussions throughout 2014-2015; however, we would greatly appreciate further engaging with management on the results and corresponding Management Response and Action Plans (MRAP) of the design and operating effectiveness testing, specifically pertaining to the department’s statutory programs (EI, CPP, OAS) and other pertinent business processes such as Canada Student Loans and Grants and Contributions.
The OAG completed and tabled their annual financial audit results of the EI Operating Account, the CPP Account, the GAA, and the ESDC portion of the Public Accounts of Canada for the year ending March 31, 2014. Once again, unmodified audit opinions were received and no adjustments were required to the statements. ESDC management was fully cooperative and supported the OAG in the conduct of their work and this contributed to sustaining a positive relationship between the OAG and ESDC. This positive relationship, which allows for open dialogue, exchanges, and communication, was instrumental when an issue pertaining to the GAA arose. As part of last year’s financial auditing process, the OAG advised ESDC that a decision of the Supreme Court of Canada on different pension plan accounts was made in December 2012 and could have an impact on the GAA F/S. The department worked in close collaboration with the OAG and reached a consensus on presenting this fact in the GAA Statement of Financial Position. We were appropriately briefed on this matter by management during our morning technical briefing proceedings and were confident in advising the OAG that we have reviewed the revisions to the GAA F/S, were comfortable with the employed approach, and supported the disclosure of this matter in the accompanying Notes.
The OAG issued Management Letters at the conclusion of their annual 2013-2014 financial audits of the ESDC PA, the GAA, and the EI Operating Account. Matters of FAA compliance (Section 34 and 33) were observed and recommendations were issued. We were presented with and briefed on the management letters as well as the departmental responses and supporting MAPs. Although Management Letters were issued and identified opportunities for improvement, based on the audit work performed by the OAG (which included discussing relevant facts and circumstances with the appropriate level of management), no significant deficiencies in internal control were identified.
2.8 Accountability Reporting
We reviewed and were briefed accordingly on several key departmental reports as follows throughout 2014-2015:
- 2013-2014 Departmental Performance Report;
- 2014-2015 Corporate Risk Profile; and
- 2014-15 to 2018-19 Departmental Evaluation Plan and the corresponding Report on the State of Performance Measurement in support of Evaluation.
We were privy to a comprehensive overview of the 2013-2014 Management Accountability Framework (MAF) results and were provided with a copy of the 2015-2016 RPP for information, review, and comments as necessary.
As previously contextualized and outlined, we have witnessed a significant improvement in the horizontal and vertical alignment of these reports. This speaks volumes regarding the planning and developmental processes and demonstrates the department’s commitment to consistency and uniformity.
We recommended that it may be beneficial to have these departmental reports, namely the RPP and DPR, reviewed by an external editor to identify technicalities and to promote the use of ‘plain language’ in consideration of the target audience (Parliamentarians and the general public). In addition, we feel that visual aids could be employed at the onset of these reports to further contextualize and assist in visualizing the size of the department and the number of programs and services offered.
2.9 2014-2015 Areas of Ongoing Interest/Focus
As previously indicated, and in addition to our eight key areas of responsibility, we identified areas of ongoing interest and focus for 2014 – 2015 (as part of last year’s annual reporting process) as follows:
Information Management (IM) / Information Technology (IT): Continued focus and attention on IM/IT risks and risk mitigation strategies, as well as the ongoing work with respect to protecting and securing personal information.
We engaged in several IM/IT discussions with the Chief Information Officer and senior management regarding the 2014-2015 IM/IT Plan as well as the multi-year IT Security Plan, and were provided with updates on current initiatives, notable highlights, and future plans for the upcoming fiscal year. It was reassuring to the committee to see that corrective and concrete actions to address certain data-loss prevention findings/recommendations arising from the Privacy Commissioner’s Special Report to Parliament have been embedded within the departmental IM/IT plan. The ITGC work that was completed by the IASB and the follow-up ITGC work completed by the OAG demonstrated that enterprise-wide IT solutions are being promoted and employed to reduce and mitigate risks. Dialogue and communications with Shared Services Canada (SSC) are improving, and senior executives are now more engaged in IT Security discussions to further increase horizontality. The department has continued to ensure that its IT Security posture and related defence mechanisms are working as intended and can continue to withstand the threat of emerging and evolving new technologies and increasingly sophisticated intrusion attacks.
In light of the above, we share the DM’s view that the department is on the right track in the areas of IT Security and data loss prevention, and we recommend that implementation of the IM/IT Plan continue. We are fully aware and recognize that continued progress and success is largely dependent on SSC’s engagement, cooperation, and commitment, and therefore recommend that the department inform and advise the DAC as appropriate with respect to issues and challenges.
Corporate Coherence: Continue to pursue efforts and provide advice and guidance to the Deputy Minister (DM) and senior management with respect to the importance and necessity of horizontal and vertical alignment to improve corporate governance and risk management and mitigation strategies/measures.
Through key departmental reports (RPP, DPR, CRP), enterprise-wide IT solutions, and the development of the multi-year Evaluation Plans and RBAPs, the department has built upon and leveraged an already existing good foundation to further integrate planning and reporting processes and promote corporate coherence. We have witnessed this integration not only at the corporate level, but also at the program and project levels, whereby policy and program, and business and technology lines are working collaboratively and operating in a unified parallel manner.
We encourage the department to continue their efforts with respect to horizontal and vertical alignment, as this alignment lends itself to improved corporate governance and risk management and mitigation strategies/measures.
Risk Management, Compliance and Control: Increased attention to our Risk Management and Management Control Framework and Reporting areas of responsibility, given the inherent linkages and interconnectivity of these areas.
Continuously question and challenge the department as necessary and when and where required with respect to risk, risk management, management control frameworks, and compliance and controls. This will ultimately assist the DAC in providing valuable and explicit advice to the DM.
As outlined in Section 1: Issues and Observations, and as mentioned in Sections 2.4: Risk Management and 2.5: Management Control Framework and Reporting, we have brought additional attention and rigour to these key areas of responsibility. We continue to inquire regarding established risk management and mitigation strategies and ensure that new risks and mitigation measures are properly discussed and understood. In a large and complex organization such as ESDC, risk is present in virtually every business line and in the daily operations and functions of the department. As modernization efforts continue and as transformation projects are implemented, specifically in the areas of IM/IT that require the cooperation and support of outside organizations, the likelihood of a risk event occurring is heightened. We recommend that the department further concentrate on, and allot appropriate consideration to, exploring interim risk mitigation measures which are within its means and control. It is in this regard that ESDC will be able to further strengthen the overall risk management function of the department.
Section 3: DAC Assessment
Consistent with previous years, we completed self-assessments in order to gauge the performance of the committee in terms of our ability to effectively perform our advisory role and deliver on our areas of responsibility. The overall results of our self-assessment continue to be extremely positive – a continued reflection of the commitment of the Deputy Minister and dedication of senior management and staff to the DAC.
Our committee operations continue to be streamlined, briefings and discussions have become more focused, and our meeting agendas are now more balanced.
Collectively, and as a result of our self-assessments, we encourage the department to continue its efforts in providing new DAC members with appropriate and comprehensive orientation sessions to facilitate their transition. In addition, we will continue our efforts and provide guidance and advice with respect to compliance with the Financial Administration Act (FAA), including the Department’s Internal Control Framework and the implementation strategy for Internal Controls at ESDC. We do, however, recognize and appreciate senior management’s added attention to these areas over the past year.
The IA Function will be subject to an External Practice Inspection in 2016. As such, we will request a final update from the CAE following the 2011 Practice Inspection to ensure that recommendations have been appropriately addressed and implemented. We will embed the 2016 External Practice Inspection within our Assessment of the Internal Audit Function area of responsibility as part of our 2015-2016 Annual Report.
Section 4: Moving forward
As we move forward into 2015-2016, we have meetings scheduled to occur in June and November 2015, as well as in March 2016. Our all-inclusive annual Technical Briefing will occur in September 2015 and will proceed in the same fashion as this year’s Technical Briefing.
As is customary practice, we establish areas of ongoing interest/focus for the upcoming fiscal year as part of our annual reporting process. We feel that the following key areas will be of utmost importance to the committee throughout the upcoming year and are areas where we believe the department can capitalize on our continued advice, guidance, and recommendations:
Information Management (IM) / Information Technology (IT): We will once again continue our focus and attention on IM/IT risks and mitigation strategies (as outlined in our 2013-2014 Annual Report) with a particular focus on IT Security and Privacy (protection of personal information). At the same time, we will endeavour to support management regarding IM/IT issues and challenges that are dependent on outside organizations/partnerships and will be inquiring as to the state and status of the department’s IT infrastructure to ensure business continuity.
Passport Services, Delivery, and Modernization: On July 2, 2013, the Government of Canada transferred the primary responsibility for the Passport Program from the Department of Foreign Affairs, Trade and Development (DFATD) to Citizenship and Immigration Canada (CIC), with Employment and Social Development Canada (ESDC) being responsible for the delivery of passport services in Canada. This transfer entails a new business line for the department and presents new risks and challenges to an already large and complex organization. In addition, a Program Modernization Initiative was recently launched in the Spring of 2015. As this new business line continues to embed itself within the department and as the modernization initiative unfolds, we will be interested in receiving regular briefings, as appropriate, tailored specifically to risk management and mitigation and the overall management framework surrounding the Passport Program (and the necessary and required partnerships between the various departments).
Human Resources (HR) Management: We will bring additional focus and attention to HR management and the availability, flexibility, and deployment of resources during 2015-2016. Embedded within this area is the ongoing necessity to implement, instill, and embrace a culture of change throughout the department. It is becoming increasingly imperative for ESDC to have the right number of employees with the right mindset and competencies to meet both transformation (future) and ongoing business (present) agendas.
Our areas of ongoing interest/focus will be discussed and examined with appropriate attention to risk management, compliance and controls.
We welcomed Mr. Tim Wilson in November 2014, and will be welcoming a new committee member in 2015, who will replace the late Ms. Jalynn Bennett. We look forward to welcoming and working with our new colleague and will assist with and support their integration to the committee and its various areas of responsibility.
Section 5: Conclusion
The DAC is satisfied that it has met its mandated responsibilities and has provided advice to the Deputy Minister and his management team on a number of issues. In this respect, the 2014-2015 year has been stimulating, challenging, and successful.
The year ahead brings similar challenges, as our risk management, governance, and compliance responsibilities will focus particularly on IM/IT, human resources, corporate coherence, and the Financial Administration Act (FAA).
We appreciate the ongoing support of the Deputy Minister, his management team, the CAE, and the audit team. This is a professional, engaged, and committed group, and our relationship with them is excellent.
Annex A: DAC composition, operations, and biographies
Composition
The ESDC DAC is comprised of three (3) independent, external members recruited from outside of the federal public administration as well as one (1) internal member, the Deputy Minister of ESDC, for a total of four (4) members.
The DAC Chair is Mr. Rod Monette (an independent, external member), and the other two independent, external members are Mr. Tim Wilson and the late Ms. Jalynn Bennett. All of the independent, external members were recruited and appointed via the established Office of the Comptroller General process for recruiting and appointing departmental audit committee members. The approach was selected following consultations with representatives of the former Public Appointments Commission Secretariat, which confirmed that the approach meets the requirements of a fair, transparent and merit-based selection process. Embedded within the DAC member recruitment and appointment process is a validation phase which ensures that appointed DAC members are free of any potential conflicts of interest. In addition, the ESDC DAC members review and attest to the ESDC Code of Conduct.
Operations
The DAC complies with the Directive on Internal Auditing in the Government of Canada by ensuring that our DAC Charter clearly outlines the committee’s roles, responsibilities, and operations, as well as those of senior management pertaining to DAC matters.
As previously mentioned in Section 2, we convened four (4) in-person regular meetings and participated in two (2) conference calls during fiscal year 2014-2015.
In addition to our regular meetings and conference calls, the DAC participated in and thoroughly benefitted from a Regional Site Visit of Gatineau, QC in March 2015.
An integral part of in-person DAC meetings is the in-camera sessions with the Deputy Minister, the Chief Financial Officer, and the Chief Audit Executive. In-camera sessions with the DM occur at every in-person meeting (either at the onset or conclusion), whereas CAE and CFO in-camera sessions occur on a rotational basis.
Biographies
Jalynn H. Bennett, C.M. (Deceased: January 23, 2015)
The late Ms. Jalynn Bennett is a Member of the Order of Canada, recognized for decades of distinguished service in the field of finance. She was a seasoned Corporate Director with experience spanning numerous prominent organizations in the public, private and not-for-profit sectors. Ms. Bennett was a former Corporate Director of The Canadian Imperial Bank of Commerce (CIBC). In 1989, she established the consulting firm Jalynn H. Bennett and Associates Ltd., which she operated for twenty years.
Seeking additional challenges, Ms. Bennett accepted several Board Directorships, including Sears Canada Ltd., Bombardier Inc., Ontario Power Generation, The Ontario Teachers’ Pension Plan, the Bank of Canada and Trent University. She was a Member of the Board of The Cadillac Fairview Corp., Teck Resources Ltd., and The Hospital for Sick Children Foundation.
In addition to her Board responsibilities, Ms. Bennett was a Member of the Lawrence National Centre for Policy & Management Advisory Council, Richard Ivey School of Business, and was also an External Member of the Employment and Social Development Canada Departmental Audit Committee.
Ms. Bennett held an honorary degree, Doctor of Sacred Letters (Honoris Causa), from Trinity College, University of Toronto, as well as an economics degree from the University of Toronto.
Outside the boardroom, Ms. Bennett was a hands-on Grandmother and passionate gardener.
Rod Monette, FCPA-FCA, BSc, MBA
Rod Monette has over 35 years of experience in management and administration. He was a federal public servant for 28 years, 17 of which were at the levels of Deputy Minister and Assistant Deputy Minister in regional and national positions in various program, policy, and management areas. He serves on a number of Boards and Committees, including Chair of the Public Sector Accounting Board of the Canadian Chartered Professional Accountants.
Mr. Monette is a Fellow Chartered Professional Accountant and holds a Bachelor of Science degree from Carleton University, as well as a Masters of Business Administration from the University of Ottawa.
He completed his public service career as the Comptroller General of Canada. The Comptroller General is responsible for government-wide direction and leadership for financial management and audit. Notably, Mr. Monette was the architect of the financial accountability measures for Canada’s $62 Billion Economic Action Plan.
Prior to Comptroller General of Canada, Mr. Monette was Associate Deputy Minister of National Defence, where he worked on long-term defence strategy, procurement, and program issues.
Mr. Monette began his career with Clarkson Gordon Chartered Accountants, now Ernst and Young, in 1978.
Born in Regina, he now lives in Toronto with his wife and enjoys playing music and motorcycling.
Tim Wilson, CA, MBA
Mr. Wilson is the Vice-President and Chief Financial Officer of Equitable Group Inc. and its wholly-owned subsidiary, Equitable Bank.
Previously he held the position of President of Visa Canada where he was active in shaping Visa Canada's strategic direction as part of an ongoing and focused evaluation of Visa's operations, structure, governance and business strategy.
Prior to joining Visa, Mr. Wilson served as Vice President, Finance at CIBC and also as a Manager at Ernst & Young in Toronto. He served as a Management Consultant at The Monitor Group, serving clients in a variety of industries, including financial services, across North America.
Mr. Wilson received his Chartered Accountant designation in 1997 while working with Ernst and Young and holds a B.Comm. from Queen's University, and an M.B.A. from Harvard Business School.
Annex B: DAC operations per key area of responsibility
This table depicts the various DAC agenda items/presentations to their corresponding area(s) of responsibility. Since the DAC’s areas of responsibility are not independent, linkages between these areas must be achieved to allow the committee to succeed in its advisory role. As a result of these linkages, some agenda items are reported under more than one area of responsibility.
Area of responsibility, 2014 – 2015 DAC meeting date, and corresponding agenda items:
- Values and ethics
  - November 25, 2015
    - ESDC Workforce Planning
    - Project Management and SAP Migration
- Risk Management
  - May 27, 2014
    - IM/IT 2014-15 Plan and Security Update
    - Grants and Contributions Modernization
    - Audit of Integrated Planning and Risk Management
  - November 25, 2014
    - ESDC Workforce Planning
    - Project Management and SAP Migration
    - 2014-2015 Corporate Risk Profile (CRP)
    - Update on the Policy of Internal Control
  - March 31, 2015
    - Information Technology (IT) Security – Update
    - EI Service Delivery Modernization
- Management Control Framework and Reporting
  - May 27, 2014
    - 2013-2014 Management Accountability Framework (MAF)
    - IM/IT 2014-15 Plan and Security Update
    - Grants and Contributions Modernization
  - November 25, 2014
    - Project Management and SAP Migration
    - Update on the Policy of Internal Control
  - March 31, 2015
    - Information Technology (IT) Security – Update
    - EI Service Delivery Modernization
- Internal Audit Function
  - May 27, 2014
    - Internal Audit Charter – Update
    - 2014-2017 Risk-Based Internal Audit Plan (RBAP)
    - 2013-2014 Chief Audit Executive (CAE) Annual Report
    - Internal Audit Projects Status Report
    - Audit of the Implementation of Program-Led Privacy Action Plans
    - Audit of Employment Insurance Phase III – Payment and Claim Maintenance
    - Audit of Automatic Enrolment for an Old Age Security Pension Phase 1B
    - Audit of Integrated Planning and Risk Management
  - November 25, 2014
    - Internal Audit Projects Status Report
    - Audit of Compensation and Benefits
    - Auditability Assessment of Identity Management Practices
    - Audit of Program Integrity Practices
    - Audit of the Departmental Information System and Technology Controls Phase 1 - Application Controls
    - Audit of the Canada Student Loans Program - Section 34 and 33 of the Financial Administration Act
    - Preliminary Survey of the Delivery of Passport Services
    - Audit of the Consolidated Statement of Administrative Costs Charged to the Canada Pension Plan Account by ESDC, March 31, 2014
    - 2014-2017 Risk-Based Internal Audit Plan (RBAP) – Update
  - March 31, 2015
    - 2015-2017 Risk-Based Internal Audit Plan (RBAP)
    - Internal Audit Projects Status Report
    - Audit of the Implementation of Delegation of Authority within SAP
    - Audit of Account Verification Quality Assurance Processes
    - Audit of Personal Information Management for Policy Analysis, Research and Evaluation (PARE)
    - ESDC Passport Program – Internal Controls Design Effectiveness Testing
    - Audit of Information Technology Security Over Portable Digital Media
  - April 17, 2015
    - 2014-2017 Risk-based Internal Audit Plan (Conference Call)
- External Assurance Providers
  - May 27, 2014
    - External Audit Projects Status Report
    - Office of the Privacy Commissioner of Canada (OPC) – Special Report to Parliament – Investigation into the loss of a hard drive at Employment and Social Development Canada
  - November 25, 2014
    - External Audit Projects Status Report
    - Public Service Commission of Canada (PSC) – Audit of Staffing
    - OAG Audit of Documentary Heritage of the Government of Canada – Library and Archives Canada (LAC)
    - OAG Information Technology General Controls (ITGCs)
    - OAG 2011-2012 Employment Insurance (EI) Letter of Recommendations Follow-Up – June 2014 Update; and OAG 2012-2013 Canada Pension Plan (CPP) ITRDS Letter of Recommendations – August 2014 Update
  - March 31, 2015
    - Office of the Auditor General (OAG) Multi-year Strategic Audit Plan for ESDC - Risk Discussion
    - External Audit Projects Status Report
    - 2013 – 2014 OAG Annual Financial Audits – Management Letters (Public Accounts, EI, and GAA) and Management Action Plan
- Follow-up on Management Action Plans (MAPs)
  - May 27, 2014
    - IASB's 2013 Annual Validation Exercise of Completed Internal/External Audit Management Action Plans
  - November 25, 2014
    - Results of IASB’s June 2014 Follow-up Exercise on Internal and External Audit Management Action Plans
  - March 31, 2015
    - IASB’s 2014 Annual Validation Exercise of Completed Internal/External Audit Management Action Plans
    - IASB’s Interim Follow-Up Exercise of Selected Internal/External Audit Recommendations
- Financial Statements and Public Accounts Reporting
  - May 27, 2014
    - Q3 Quarterly Financial Report
  - August 26, 2014
    - 2013 – 2014 Departmental Financial Statements
    - Draft Departmental Consolidated Financial Statements 2013 – 2014; including the Annex to the Statement of Management Responsibilities
    - Draft 2013 – 2014 EI Operating Account Financial Statements
    - Draft 2013 – 2014 CPP Financial Statements
    - Draft 2013 – 2014 GAA Financial Statements
    - 2013 – 2014 Public Accounts of Canada
    - OAG Presentation to Management – 2013 – 2014 Public Accounts Audit
    - OAG Draft Report to Signatories – Employment Insurance (EI) Operating Account Annual Audit for the year ending March 31, 2014
    - OAG Draft Report to Signatories – Canada Pension Plan (CPP) Annual Audit for the year ending March 31, 2014
    - OAG Presentation to Management – Government Annuities Account (GAA) Annual Audit for the year ending March 31, 2014
    - In Camera Sessions with the OAG – Public Accounts, EI, CPP and GAA Annual Audits
  - November 25, 2014
    - Final Results of the OAG 2013–2014 Financial Statements Audits (Public Accounts, EI, CPP and GAA Annual Audits)
    - Q1 Quarterly Financial Report
    - OAG Information Technology General Controls (ITGCs)
    - OAG 2011-2012 Employment Insurance (EI) Letter of Recommendations Follow-Up – June 2014 Update; and OAG 2012-2013 Canada Pension Plan (CPP) ITRDS Letter of Recommendations – August 2014 Update
  - March 31, 2015
    - 2013 – 2014 OAG Annual Financial Audits – Management Letters (Public Accounts, EI, and GAA) and Management Action Plan
    - Q2 Quarterly Financial Report
- Accountability Reporting
  - November 25, 2014
    - 2014-2019 Departmental Evaluation Plan (DEP)
    - Report on the State of Performance Measurement in support of Evaluation
    - 2014-2015 Corporate Risk Profile (CRP)
  - September 5, 2014
    - 2013-2014 DPR (Conference Call)