The chart is a flow chart description of the Integrated Strategic Planning Process (ISPP) which consists of six steps. The first four steps of the ISPP are known as the LTP process which is the first phase of the ISPP, and steps five and six take place during Project Implementation, which is the second phase of the ISPP.

The flow chart begins with the first column that is labeled the LTP process. The first box in the LTP process column in Stage 1: Idea Generation shows that the first step of the ISPP starts in April in each year with a Strategic Direction session to align strategic direction with priorities and emerging issues and that the second step of the ISPP is from May to June, when managers develop a high level business proposal to request funding through the LTP process. Proposals are grouped into three main categories for decision- Corporate Business Architecture (CBA) improvements and initiatives; Continuity and Quality maintenance (CQM) of existing programs; and, New Initiatives / Enhancements. Proposals supported for further consideration by Senior Management Review Board move to the second box in the LTP process column. The second box in the LTP process in Stage 2: Project Assessment shows that the third step of the ISPP is from July to October, when programs develop investment proposals which are presented in Step 4 in November at the Senior Management Review Conference for approval. This marks the end of the LTP process.

Projects approved in November from this point move to the Project Implementation column which is the second phase of the ISPP. The first two boxes in the Project Implementation column in Stage 3: Project Initiation and Stage 4: Project Planning show that the fifth step of the ISPP is from December to March when programs initiate, plan and communicate with the stakeholders about the new LTP projects. The last two boxes in the Project Implementation column in Stage 5: Project Execution and Stage 6: Project Close-out show that the sixth and final step of the ISPP is the on-going monitoring of the LTP projects.

This chart illustrates the two stages of the LTP process that falls within the Integrated Strategic Planning Process (ISPP).The first four steps of the ISPP are known as the LTP process. These four steps have been divided into two stages in the flow chart. The first two steps correspond to the first stage of the LTP process which is the Idea Generation stage and the two other steps correspond to the second stage of the LTP process which is the Project Assessment stage.

The flow chart begins with the Stage 1 Idea Generation where CBA and non-CBA business proposals are prepared by programs for review and approval. The chart illustrates that Corporate Business Architecture (CBA) proposals go through an approval process by both the CBA management committee and Field Planning Boards (FPBs). The flow chart shows that non-CBA projects only go through the FPBs for approval. Both CBA and non-CBA proposals that have been approved flow to the SMRB for gate 1 approval and consideration for funding. Proposals approved for consideration, move to Stage 2 Project Assessment. In this stage, programs must prepare a Project Complexity and Risk Assessment (PCRA), a Business Case, and Business Case Costing (BCC) template for all CBA and non-CBA proposals. The chart illustrates that CBA proposals separate from non-CBA proposals and must go back to the CBA Management Committee for approval. Once this approval is given then CBA proposals merge back with non-CBA proposals and then move to the FPBs to have the Business case and BCC forms approved. Those approved proceed to SMRB Gate 2 for approval and funding. All approved LTP proposals are recorded in the Agency’s Decision Record known as the Blue Book.

Audit Report

April 22, 2013
Project Number: 80590-77

• Executive Summary
• Introduction
  • Background
  • Audit Objectives
  • Scope
  • Approach and Methodology
  • Authority
• Findings, Recommendations and Management Responses
  • Control Environment for the Management of the Agreement
  • Data Stewardship
  • Physical and Information Technology (IT) security
• Appendices
  • Appendix A: Audit Criteria
  • Appendix B: Acronyms

Executive Summary

Data Sharing Agreements (DSAs) are a key Statistics Canada business process. In recent years, data sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality of data is a challenge. Health Statistics Division (HSD) enters into DSAs with provincial Health Ministries under the authority of section 12 of the Statistics Act. The DSAs currently in place with the British Columbia Ministry of Health (the Ministry) allow for sharing of statistical health survey information obtained through the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

Currently, Statistics Canada is replacing its existing DSAs with an Omnibus data sharing agreement governing the collection and sharing of information from several selected health surveys with the British Columbia Ministry of Health. The Omnibus DSA includes terms and conditions (T&Cs) governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology security. This audit was conducted as the Ministry prepares to implement the T&Cs of the Omnibus DSA, in order to assess the extent to which practices are in place to meet the requirements set forth in the Omnibus DSA.

The objective of this audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:

• The Terms and Conditions of the Omnibus data sharing agreement between Statistics Canada and the British Columbia Ministry of Health are met.

The audit was conducted by Internal Audit Services in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Authorities, responsibilities and accountabilities for the management and handling of Statistics Canada health survey information are appropriately segregated and formally defined, documented and communicated at the Ministry's Senior Management level; however further work is required to ensure functional roles and responsibilities are documented, communicated and understood at the operational level.

The Ministry has established appropriate internal protocols to meet the requirements set out in the Omnibus data sharing agreement. The Ministry has transferred responsibility for the management of Statistics Canada health survey information out of the program area (where it previously resided), and into the Ministry's Health Sector Information Management and Information Technology Division. The Ministry has designed a set of practices for protection and safeguarding of Statistics Canada health survey information that is housed within the Ministry.

The Ministry has yet to put in place revised third party agreement templates reflective of the requirements set forth in the Omnibus data sharing agreement. This is an important activity for the Ministry to undertake, to ensure that appropriate safeguards are in place over the full lifecycle of Statistics Canada health survey information.

Effective controls for physical access to the Ministry's premises and physical storage have been designed. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access;identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Overall Conclusion

Statistics Canada is replacing its existing DSAs with an Omnibus data sharing agreement governing the collection and sharing of information from several selected health surveys with the British Columbia Ministry of Health. The Omnibus DSA includes terms and conditions governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology security.

An examination of the adequacy and, where possible, the effectiveness of the processes and practices put in place by the Ministry to comply with the requirements set out in the Omnibus data sharing agreement revealed that the Ministry has taken steps to design practices, policies and procedures to meet the requirements set forth in the Omnibus data sharing agreement. However, further work is required in two areas, prior to the release of statistical health survey information to the BC Ministry of Health: (1) Functional roles and responsibilities for the management and handling of Statistics Canada health survey information need to be clearly defined and communicated to staff at the operational level. (2) Third party agreement templates must fully reflect the requirements of the Omnibus data sharing agreement that is being implemented between Statistics Canada and the BC Ministry of Health.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.

Introduction

Background

The Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information regarding the health of Canadians. HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision-makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. The HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and the regional level (health authorities).

To achieve its mandate, Statistics Canada may, pursuant to section 12 of the Statistics Act (the Act),enter into an agreement for the exchange of information collected from a Respondent, and the Chief Statistician may, pursuant to paragraph 17(2)(a) of the Act, disclose information collected by persons, organizations or departments for their own purposes and communicated to Statistics Canada. These agreements cover a majority of household surveys, and enjoy certain exceptions regarding the release of confidential respondent information provided that the legal requirements for the provision of data-sharing information, consent rights, and confidentiality protection are respected by all parties.

Statistics Canada is replacing its existing data sharing agreements (DSAs) with the British Columbia Ministry of Health (the Ministry) with an Omnibus data sharing agreement for the collection and sharing of information from several selected health surveys, including the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

The Canadian Community Health Survey (CCHS) is a cross-sectional survey which collects information related to health status, health care utilization and health determinants for the Canadian population. It is an annual survey which relies upon a large sample of respondents and is designed to provide reliable estimates at the health region level. The uniqueness of these surveys arises from the regional nature of both content and survey implementation. These aspects allow for analysis of health data at a regional level, across Canada.

The National Population Health Survey (NPHS) collects information about the health of the Canadian population and related socio-demographic information. Every two years, the same individuals provide current and in-depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. The NPHS has now been discontinued.

The data collected through CCHS and NPHS are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies, and other types of government agencies use the information collected to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.

Audit Objectives

The objective of the audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:

• The Terms and Conditions of the Omnibus data sharing agreement between Statistics Canada and the Ministry are met.

Scope

Under the Omnibus data sharing agreement, the Ministry may share the data with third party recipients such as Health Authorities (HAs) within its jurisdiction; recognized provincial or university Research Institutes or Organizations; and researchers under contract to the Ministry. To protect the confidentiality and sensitive nature of the information collected by Statistics Canada, the agreement contains Terms and Conditions (T&Cs) to ensure that confidentiality of the information is not compromised.

The scope of this audit included an examination of the adequacy and, where possible, the effectiveness of the processes and practices put in place by the Ministry to comply with the requirements set out in the Omnibus data sharing agreement. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage, information copying, retention, and records management) safeguards that have been put in place by the Ministry to ensure data is protected and confidentiality is maintained.

Approach and Methodology

A site visit was conducted in December 2012 to assess the processes and procedures the Ministry has put in place to ensure the T&Cs of the new Omnibus data sharing agreement between Statistics Canada and the Ministry are met in preparation for receiving Statistics Canada confidential health survey information. The approach consisted of interviews with key Senior Management and personnel, and review of the processes, procedures and guidelines developed by the Ministry to meet the T&Cs of the agreement between Statistics Canada and the Ministry.

This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TBS Policy on Internal Audit.

Authority

This audit was conducted as a result of a risk-based senior management request.

Findings, Recommendations and Management Responses

Objective:  The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and the Ministry are met.

Control Environment for the Management of the Agreement

Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels, to support effective management of the T&Cs of the Omnibus data sharing agreement. Monitoring of practices as outlined in the Omnibus data sharing agreement T&Cs should be in place to detect errors or potential errors which would otherwise increase operational risk.

Authority

Statistics Canada exercises its mandate to enter into statistical data sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. The statistical health survey information provided to the BC Ministry of Health supports the Ministry in policy development, evaluating programs to improve health and the efficiency of health services, and sustaining demographic and epidemiological research.

Under section 12 of the Statistics Act, Statistics Canada is replacing its existing DSAs with the Ministry with an Omnibus data sharing agreement for the collection and sharing of information from several selected health surveys.

Roles and Responsibilities

The audit determined that roles and responsibilities for the management and handling of Statistics Canada health survey information are formally defined in two key documents: the CCHS Secure Lab Process document and the Ministry of Health Statistics Canada Health Survey Information: Policies and Procedures Manual.

Three levels of signing authority have been defined for the handling of Statistics Canada health survey information: the Assistant Deputy Minister, the Chief Data Steward, and the Data Custodian.

The Chief Data Steward and Executive Director, Information Management & Knowledge Services (IMKS) branch of the Ministry's Health Sector Information Management and Information Technology Division (HSIMT) will be the designated "Receiving Party's Official", responsible for ensuring processes and procedures are in place to fulfill the requirements set out in the DSA, and for ensuring that adequate protection is in place to provide for the security of the health survey information.

The Data Access and Stewardship Director, as the Data Custodian will be responsible for receipt and distribution of Statistics Canada health survey information. The Data Custodian will assume the responsibilities set out in Appendix 'C' of the Omnibus DSA for the whole lifecycle of Statistics Canada health survey information: data receipt, handling, storage, and transmission. As well, the Data Custodian will assume the responsibilities set out in the Ministry's information management policies, procedures and practices.

The Data Access and Stewardship group is supported in the handling and management of Statistics Canada health survey information by Data Warehouse Operations. The Director, Data Warehouse Operations serves as back-up for the Data Custodian. Data Warehouse Operations provides information technology support to IMKS branch, and will provide support for the secure lab housing Statistics Canada health survey information. This support includes the physical set-up of the secure lab, and performance of data processing and handling activities on an on-going basis.

At the operational level, responsibility for the management of third party contracts resides with the Data Access and Stewardship group. One team lead within the Data Access and Stewardship group will handle provincial university research institutes and British Columbia Health Authorities, and the second team lead will handle Information Sharing Agreements (ISAs) for researchers requested by the program areas. Members of the teams will deal with all the requests the Ministry receives from recognized provincial or university Research Institutes or Organizations, Health Authorities, and researchers. The team will review and adjudicate data requests, working with subject matter experts within program areas to determine whether information being requested is only that which is required to perform the work.

The audit found that while roles and responsibilities are defined and understood at the senior level within the Ministry, the same level of clarity and understanding is not in place at the operational level.  Functional roles and responsibilities for the team leads and team members in Data Access and Stewardship are not clearly defined and documented. Team members are not certain of how their roles will evolve once the Omnibus data sharing agreement is in place, and Statistics Canada confidential health survey information is received.

Lack of clearly defined and documented functional roles and responsibilities at the operational level may result in the prescribed T&Cs not being met, and Statistics Canada confidential health survey information not being adequately and effectively protected.

Monitoring

Clauses with respect to monitoring are prescribed by Statistics Canada in the Omnibus data sharing agreement. The Omnibus DSA states that

"Statistics Canada shall have the right, when it determines necessary, to perform reviews of compliance with this Agreement". The DSA also prescribes that third party agreements entered into by the Ministry "shall contain a clause stipulating the right of Statistics Canada or the Ministry (the Receiving Party) to review compliance with the terms of this Agreement".

The audit found that the Ministry has not engaged in monitoring of agreements entered into with third parties in the past.

Interviews revealed that the Ministry intends to include a clause pertaining to monitoring of third parties when it revises its third party agreement templates. However, at the time of the audit, these revisions had not been completed. As a result, the audit team could not review the third party agreement templates to confirm whether or not a monitoring clause has been included. (This finding is addressed through the recommendations made under Data Stewardship.)

Recommendation:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should communicate with the Ministry to ensure the following is implemented:

• Functional roles and responsibilities at the operational level, related to the handling of Statistics Canada Health Survey Information are defined, documented and communicated.

Management Response:

Management agrees with the recommendation.

• The Director, HSD will request a list of all employees and their roles and responsibilities in terms of handling Statistics Canada Health Survey Information.
  
  Deliverable and Timeline: Letter to the Ministry, by April 2013.
• As part of the Health Statistics process for on-going monitoring of access that will be implemented, the Ministry will be required to provide a list of employees with access to Statistics Canada Health Survey Information, including their roles and responsibilities.
  
  Deliverable and Timeline: A list of employee names with access to Statistics Canada Health Survey Information, including their roles and responsibilities, every six months.

Data Stewardship

The Ministry has established an appropriate framework to manage the requirements set out in the Omnibus data sharing agreement. Internal protocols for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full lifecycle of the information.

Data Management

The BC Ministry of Health has transferred responsibility for the management of Statistics Canada health survey information from the Population and Public Health Division to the Health Sector Information Management and Information Technology (HSIMT) Division. This is a key control, as HSIMT is the Ministry's dedicated group for the management of health data, and not the ultimate users of the data.

Within HSIMT, responsibility for the administration and management has been appropriately segregated between two areas: Data Access and Stewardship, and Data Warehouse Operations.

As described under the Control Environment for the Management of the DSA, the Director of Data Access and Stewardship will be the designated Data Custodian and recipient, and will act as the liaison between Statistics Canada and the Ministry. Three Research Officers (ROs) reporting to the Data Custodian will be authorized to use the secure lab facility to work with the Statistics Canada confidential information. The ROs' role will include initial record linkage for survey respondents who have agreed to have their information linked; validation work; information maintenance; implementation of study specifications, and working in the secure lab to prepare research extracts.

Three Data Base Analysts (DBAs) reporting to the Director, Data Warehouse Operations group, will be authorized to use the secure lab facility, where they will provide the technical skills needed to prepare data files for use by the ROs.

Third Party Sharing

The Ministry can provide access to Statistics Canada confidential health survey information to:

• Researchers working under contract directly for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.
• Provincial/territorial or university research institutes working under contract directly for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.
• Six British Columbia regional Health Authorities. However, Statistics Canada health survey information can only be provided to HAs if respondents were notified that their Survey Reponses would be provided to HAs in their province of residence. Otherwise, the HA can only work under contract for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.

The Ministry confirmed that the above-stated third party recipients will only have access to Statistics Canada confidential health survey information from which Personal Identifiers (i.e. person's name, address, telephone number or other direct means of identifying an individual) have been removed as prescribed in the Omnibus agreement. The Ministry also confirmed that these third parties will not have access to the Ministry secure lab housing Statistics Canada confidential health survey information.

If Statistics Canada health survey information access is provided on the premises of the university research institutes or HAs, then the Ministry is required to include in their agreements the physical and IT security measures as set out in the Omnibus data sharing agreement, which states:

"The Receiving Party (the Ministry) shall ensure that the terms and conditions of this Agreement respecting the use, confidentiality, protection and security of the Information are included in all agreements and arrangements the Receiving Party (the Ministry) enters into, under the terms of which any other organization is granted access to the Information in accordance with subsection 6.2 of this Agreement".

Interviews revealed that the Ministry is currently in the process of revising its third party agreement templates. However, at the time of the audit, these revisions had not been completed. As a result, the audit team could not review the third party agreement templates to confirm whether or not the requirements respecting the use, confidentiality, protection and security of Statistics Canada health survey information have been reflected in the templates.

Recommendations:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should communicate with the Ministry to ensure the following is implemented:

• Third party agreement templates are developed and reflect the requirements set out in Statistics Canada Omnibus data sharing agreement.

Management Response:

Management agrees with the recommendation.

• The Director HSD, will request from the Ministry their proposed templates for third party agreements to ensure that they reflect the requirements set out in Statistics Canada Omnibus data sharing agreement.
  
  Deliverable and Timeline: The Director HSD, to request from BC Ministry of Health their proposed third party agreement templates, by April 2013.
• The Director, HSD will monitor on a regular basis, third party access privileges to ensure that third party templates are being used appropriately.
  
  Deliverable and Timeline: Report from the Ministry on third party access privileges, every six months.

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should ensure that:

• A review of the third party agreement templates is conducted to ensure that they include the terms and conditions contained in the Omnibus data sharing agreement respecting the use, confidentiality, protection and security of the information, and monitoring clauses, before providing Statistics Canada confidential health survey information to the Ministry.

Management Response:

Management agrees with the recommendation.

• Statistics Canada Health Survey information will only be provided after a thorough and satisfactory review of the proposed third party agreement templates by the Director HSD, to ensure that they meet the terms and conditions of the Omnibus data sharing agreements.
  
  Deliverable and Timeline: The Director HSD will inform the Ministry of any gaps in their templates, and will notify Statistics Canada senior management once the templates are compliant, immediately upon receipt of the templates.

Physical and Information Technology (IT) security

Information provided to the Ministry is designated as 'Protected B' information as defined in the federal Policy on Government Security. The Ministry is required to ensure that the control and protection of the information, either physically or electronically, is carried out in a manner that protects against loss, theft, compromise or improper disclosure.

Physical Access to the Ministry's Premises and Physical Storage

A physical inspection was conducted of the Ministry's site during the examination phase of the audit. The audit noted that the Ministry's policy allows visitors with unaccompanied visitor card access once signed into the building, with the exception of access to the Ministry's server room and the secure lab housing Statistic Canada health survey information. There is a card scanner outside each secured area. Staff and visitors must swipe their access card through the card scanner to enter the secured area.

Statistics Canada health survey information will be stored, accessed, used, linked and analyzed in a secure lab room located in the Ministry's HSIMT division. A motion sensor-activated security camera that can operate on an uninterrupted power supply in the event of a power failure is located facing the lab door, to record all activity occurring in front of the lab door. Facilities Management is responsible for monitoring the camera, and the tapes can only be accessed by the Chief Data Steward and Executive Director.

Access to the secure lab is permitted only to 'Identified' persons. Persons holding visitor cards cannot access the lab independently; visitors to the lab must be escorted by an 'Identified' person. A visitor log book noting name, date, time in and out, is required to be signed by escorted visitors accessing the secure lab.

The audit verified if only 'Identified' persons could access the secure lab. Three employees determined not to have access to the secure lab were asked to swipe their access cards at the card scanner located outside the lab. Their access cards did not allow them to access the secure lab. The auditors also tested their visitor access card, and the visitor access card did not allow access to the secure lab.

The audit also verified if the security camera placed outside the lab was operating as intended. The audit team viewed the camera tape for the activity of the 3 employees asked by the audit team to access the lab. The audit noted that the motion sensor-activated security camera recorded the activity of the 3 employees at the lab door.

Physical and Electronic Access to Health Survey Information Data Files

The Ministry has a formal process in place for requesting access to the secure lab from the Data Custodian. A Request for Access to Secure Area Form has to be completed and signed by every 'Identified' person, and then signed by the Data Custodian signifying authorization of that person's access to the secure lab.

As well, every 'Identified' person has to agree in writing to comply with the terms of the DSA by signing an acknowledgement. The acknowledgement states they have read, understood and agree to comply with the T&Cs of the DSA between the Ministry and Statistics Canada, as highlighted in the Ministry's Policy and Procedures Manual, and by signing a 'Protection of Confidential Information Agreement for Ministry of Health Employees', as required by appendix 'C' of the DSA. The Ministry stated that the Policy and Procedures Manual will be mandatory reading for all 'Identified' persons.

The secure lab has been set up as an isolated network with a stand-alone Oracle server on a desk-top computer and two workstations which are connected to the server by a port and Ethernet Cable. There is no internet access, as required by appendix 'A' of the DSA, and electrical cables are the only external cables in the lab. Statistics Canada information will be stored on the Oracle server and only 'Identified' persons can access the information either from the server or the two workstations.

A secured cabinet with a key lock is located in the lab to store transportable media and print-outs of Statistic Canada health survey information. The data custodian holds the key for this cabinet.

Identification and Authentication Safeguards, IT Storage and Transmission

The stand-alone Oracle server housing Statistics Canada health survey information and the two desk-top computers will have "named user accounts" for each 'Identified' person. 'Identified' persons will be required to provide their named user account ID and Oracle username ID and complex password (minimum 8 alphanumeric characters with at least one upper case letter, one lower case letter and one number) to log in and access Statistics Canada health survey information.

The card scanner outside the lab and the visitor log book will create an audit trail on physical access to the lab. As well, the named user account ID and Oracle username ID will be tracked to provide an audit trail on the two desk-top computers and the server.

The Ministry's Policies and Procedures Manual states that health survey files transmitted by Statistics Canada to the Ministry by electronic file transfer (e-FT) will be downloaded on a portable hard drive by the Data Custodian, and then saved on the Oracle server in the secure lab. No other type of transportable media such as flash memory stick, laptops, etc will be used to transport the downloaded files. The portable hard drive will utilize full encryption and require password to access. After the transport has finished, it will be securely overwritten, to prevent recovery efforts by unauthorized individuals. The portable hard drive will not be used to store Statistics Canada health survey information. When not in use, the drive will be stored in the key locked cabinet.

If survey files are transported by CDs, then information will be downloaded on the server and the CDs will be stored in the locked cabinet in the secure lab. The Policies and Procedures Manual states that backup of the Oracle server will not be maintained. If the server drives are damaged in an incident and are not recoverable, then brand new data will be requested from Statistics Canada. As well, electronic transmission by facsimile or e-mail is not allowed.

Information Copying, Retention and Records Management

The Ministry's Policies and Procedures Manual does not allow paper copies or electronic extracts of Statistics Canada health survey information. At the time of the audit, the secure lab did not have a printer. Printing outside the secure lab will not be permitted. A policy statement directing printer use will be prominently displayed in the lab and communicated to 'Identified' persons when they are granted access privileges. Statistics Canada information will only be held in the secure lab, and its transmission or transport elsewhere will not be permitted. Electronic transmission by facsimile or e-mail will not be allowed.

The DSA requires the Data Custodian to maintain a register of all data files received from Statistics Canada. The audit noted that the Ministry's Policies and Procedures Manual lists this as one of the responsibilities of the Data Custodian. The audit corroborated this understanding with the Data Custodian via interview.

Effective controls for physical access to the Ministry's premises and physical storage are in place. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access;identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Recommendation:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should ensure that:

• A follow-up audit is conducted if and when the new Omnibus data sharing agreement is signed and data has been shared with the Ministry.

Management Response:

Management agrees with the recommendation.

• The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field, will inform Statistics Canada's Policy Committee once the Omnibus data sharing agreement is signed and data has been shared with the Ministry.
  
  Deliverable and Timeline: Decision by Policy Committee members on if and when a follow-up audit should be conducted.

Appendices

Appendix A: Audit Criteria

Appendix B: Acronyms

Key financial controls: Process Overview

The chart is a flow chart description of the process of Assessment of Internal Controls over Financial Reporting (ICFR) presenting the 4 core activities involved and their outputs described just below each activity. Activities and results/outputs are differentiated by colors and forms. The flow chart is set up in 5 key steps aligned with arrows from left to right. A box groups the 4 core activities for the assessment of ICFR. The flow chart begins with the first step on the left, which is Planning & scoping. Outputs from this activity are Strategic Plans for ICFR & ITGC and work plans. From this point, the process moves at right to Documentation of in-scope business processes. Outputs from this activity are Process Narratives or Flow Charts. Going right onto the third step, the process progresses to the activity of Tests of Design of Key Controls and involves, when required, Letters of Recommendations (LoR) regarding Design. Finally, Tests of Effectiveness of Key Controls is the last activity performed within the process of Assessment of ICFR. LoRs are also an output shown for this step. With arrows from top to bottom, the chart demonstrates that ongoing monitoring and risk management are performed at each step throughout the assessment process. Once the process of the Assessment of ICFR is fully completed, there is a resulting step described outside the box, at right. Reporting to the CS, CFO and Field Senior Management includes progress towards implementing PIC, results of the assessment of ICFR, and the state of audit readiness. Finally, an arrow showing an output from reporting, which is the Statement of Management Responsibility including ICFR labelling the signatures of the CS and CFO.

Audit Report

April 22, 2013
Project Number: 80590-74

• Executive summary
• Introduction
  • Background
  • Audit objective
  • Scope
  • Approach and methodology
  • Authority
• Findings, recommendations and management responses
  • Framework supporting the assessment of the effectiveness of ICFR
  • Ongoing monitoring and reporting on the state of ICFR
• Appendices
  • Appendix A: Audit criteria
  • Appendix B: Acronyms
• List of figures
  • Figure 1: Assessment of ICFR

Executive summary

The Treasury Board of Canada (TB) Policy on Internal Control took effect on April 1, 2009 and is issued pursuant to Section 7 of the Financial Administration Act (FAA). The objective of the Policy is to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting. The Policy requires the Chief Statistician (CS) and the Chief Financial Officer (CFO) of Statistics Canada to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting attesting that an effective risk-based system of internal control is in place and operating within the Agency.

The objective of this audit was to provide assurance to the CS and Statistics Canada's Departmental Audit Committee (DAC) on the adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Statement).

This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TB Policy on Internal Audit.

Key findings

Statistics Canada has met the requirements for the implementation of a framework supporting the Policy on Internal Control. The Agency's project charter and overall process for assessing the effectiveness of ICFR integrates all major components of the Diagnostic Toolkit developed by the Office of the Comptroller General.

Statistics Canada has developed a key strategy document titled: "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)", which forms the basis of the Agency's approach to implementing the PIC. It includes all of the main components recommended in the Diagnostic Toolkit. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed.

The provision of ongoing assurance regarding the full system of ICFR is required to meet policy requirements. Finance has completed all activities related to Tests of Operating Effectiveness (TOE) according to testing schedule established in its PIC strategy, with the exception of processes and systems that are planned to be changed or in the process of being changed. Compensatory controls have not been tested by Finance during transition periods.

Statistics Canada has established processes for monitoring and reporting PIC compliance. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of Tests of Design (TOD) and TOE; however in some cases, to the timing of validation activities does not permit the PIC team to provide ongoing assurance regarding ICFR. Audit testing of completed remediation actions for two business processes' action plans confirmed that recommendations had been implemented.

In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Statement follows the structure per the OCG's Diagnostic Toolkit, however areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period are not explicitly reported.

Overall conclusion

Statistics Canada has implemented a comprehensive framework in support of its annual risk-based assessment of the effectiveness of the system of internal control over financial reporting.

While the activities supporting the framework in place are adequate, opportunities exist to ensure the Agency can sustain its ICFR assessment process cycle and remain current as continuous progress towards audit readiness evolves. Particular attention should be devoted to updating the Agency's strategy, and clearly communicating areas requiring corrective actions and areas where assurance was not attained.

Conformance with professional standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

The Treasury Board of Canada (TB) Policy on Internal Control (PIC) took effect on April 1, 2009 and is issued pursuant to Section 7 of the Financial Administration Act (FAA). The objective of the Policy is to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting (ICFR).

The Policy requires the deputy head (Chief Statistician) and the Chief Financial Officer (CFO) of Statistics Canada to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting (the Statement). The Statement prefaces the Agency's financial statements, and includes the following:

• Acknowledgement of management's responsibility to ensure that an effective system of internal control over financial reporting is maintained;
• Acknowledgement of the conduct of an annual risk-based assessment of the effectiveness of the system of internal control;
• Acknowledgement of the establishment of an action plan; and
• A summary of the results of the assessment and the actions taken in response to issues.

The expected results of the Policy are the following:

• An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified; and
• An effective system of internal control over financial reporting is operating in departments as demonstrated by the Departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.

The Office of the Comptroller General (OCG) has developed the 2010 Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies (Diagnostic Toolkit), which provides departments with a practical step-by-step approach for planning and conducting a risk-based assessment of the effectiveness of the systems of ICFR as required under the PIC. It states that implementation of the PIC does not require an assessment of all controls, but rather an assessment of key controls based on risks. The proposed approach involves multi-year assessment planning, taking into account departmental capacities.

The Financial and Administrative Services Division (FASD) (formally Financial Management Operations and Systems Division) is responsible for developing a framework for the assessment of operating effectiveness of ICFR and Information Technology General Controls^{Footnote 1} (ITGC). Staff assigned to these responsibilities (the PIC team) include: one full-time FTE responsible for the coordination of testing activities carried out by external contractors and tracking follow-up activities. Two levels of supervision oversee activities supporting PIC compliance on a part-time basis, including a Chief and Assistant-Director. The PIC team reports to the Acting Director (A/Director), FASD, and to the Director General of Finance (the Deputy CFO). The Finance team started the initial stages of the planning and scoping process in 2009. Since then, the first full cycle of assessment of ICFR has been completed. The Agency issued its first Statement of Management Responsibility for the fiscal year ending March 31, 2012. From that point on, the project of implementing the PIC has evolved to a sustained process which requires monitoring and maintenance of documentation in collaboration with process owners, testing ICFR and reporting on the state of audit readiness.

At Statistics Canada, Assistant Chief Statisticians (ACSs) are required to sign a Statement of Management Responsibility for their respective fields. This initiative was implemented by the Finance team as a best practice. By signing this statement, ACSs agree to provide full cooperation and support through the annual assessment of ICFR within their area.

The assessment of ICFR involves four (4) core activities, which are undertaken according to an established schedule, as per a strategy defined by the Agency. A brief description of each activity is outlined below. Processes within each activity are further detailed throughout the findings section of this report.

Figure 1: Assessment of ICFR

Planning and Scoping is the first step in conducting an assessment of an Agency's ICFR. Strategic Plans for ICFR and ITGC and related work plans outline the scope of the ICFR that will be covered and the frequency of testing. It presents the results of a risk assessment exercise from which decisions on the selection of in-scope business processes are made.

Documenting processes and controls within each in-scope business process is the approach used to identify key controls in place to mitigate risks to an acceptable level. Ultimately this will help to ensure that control testing efforts are appropriately focused on areas of greatest risk.

The assessment of control design involves identifying the key controls in place to prevent or detect a material misstatement in the financial statements and mitigate key risks. Testing of Design is intended to confirm alignment of these key controls related to the key risks to the financial statements they aim to mitigate.

The assessment of control operating effectiveness involves assessing the extent to which a key control has been operating as intended over a specified period of time. Tests of operating effectiveness are intended to demonstrate the reliability of the controls over a period of time in reducing financial reporting risks.

Key controls requiring improvements are communicated to each business process owner through Letters of Recommendation (LOR). Finance's ongoing monitoring and reporting activities, as well as sound risk management practices ensure continued progress towards audit readiness.

Audit objective

The objective of this audit was to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) on the adequacy of:

• The activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Scope

The scope of this audit included an examination of processes and mechanisms in place for selected key steps within the PIC implementation process, as described in the Office of the Comptroller General's Diagnostic Toolkit. The audit included interviews with management and staff within the Finance Branch and other divisions having an impact on PIC compliance. The scope of the audit included an examination of processes and mechanisms in place during fiscal years 2011-2012 and 2012-2013 up to December 2012.

Approach and methodology

The audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TB Policy on Internal Audit. The audit work consisted of examination of documents, interviews with key Senior Management and personnel of Statistics Canada, review of processes and procedures with respect to internal controls and testing of the completion of a sample of remediation actions. The audit approach was inspired by the TB Policy on Internal Control and the 2010 Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies issued by the Office of the Comptroller General in July 2010.

Authority

The audit was conducted under the authority of Statistics Canada Multi-Year Risk-Based Audit Plan 2012/13-2016/17, approved April, 2012 by the Departmental Audit Committee.

Findings, recommendations and management responses

Objective: Adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Framework supporting the assessment of the effectiveness of ICFR

The process of assessing the effectiveness of ICFS starts from early planning, including financial statement decomposition, through the identification of key risks and key controls, the documentation requirements to support adequate assessments and the design and operating effectiveness testing up to the completion of remediation and on-going monitoring activities with periodic risk-based testing over time. This process is intended to enable departments to better understand their state of audit readiness and level of compliance with the PIC.

Project charter

Based on the approach described in the OCG's Diagnostic Toolkit; activities, schedules, and resources needed to achieve PIC compliance objectives should be documented and sufficient resources should be secured to support compliance to the PIC. Responsibilities for the implementation of ICFR should be clearly identified and assigned. As part of this process, the Agency should have a documented plan in place for the assessment of ICFR effectiveness required by the PIC. The documented plan should include scope, timing, milestones, costs/capacity, and cover the steps required to assess the effectiveness of ICFR. An independent oversight mechanism should be in place to deal with cases concerning values and ethics that allows for anonymous reporting of suspected improprieties.

Statistics Canada has developed two key guiding PIC strategy documents: The first is titled the "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)" and the second is the "Proposed Strategy to Address Requirements of Policy on Internal Controls - ITGCs (January 2012)", which is specific to Information Technology General Controls. These two strategy documents form the basis of the Agency's approach to implementing the PIC, and include all the main components recommended in the Diagnostic Toolkit, with the exception of costs and capacity, which are covered in the work plan developed annually to execute on the ICFR and ITGC strategy documents.

Responsibilities for PIC compliance are clearly identified and assigned within the "Proposed Strategy to Address Requirements of Policy on Internal Controls document (March 2010)". The strategy document identifies four stakeholders within the Agency having significant roles and responsibilities: the CS, the CFO, the DAC and Financial Management Operations Systems Division (now the FASD). Described roles and responsibilities are in-line with the Policy. In addition, the Annex to the Statement of Management Responsibility Including ICFR describes the roles of three committees involved in monitoring the PIC compliance program:

• DAC is an advisory committee that provides objective views on the Agency's risk management, control and governance frameworks;
• The Corporate Policy Committee (CPC) is chaired by the CS and is the most senior executive committee in the Agency, providing broad strategic direction. It acts as the body for all decision-making related to corporate-level management of the Agency including strategic corporate planning, resource allocation, financial management, human resources management, communications and dissemination, program evaluation and information management/information technology; and
• Administrative Practices Committee (APC) oversees the development, implementation and application of administrative, financial management, risk management and evaluation practices.

Statistics Canada also has an independent oversight mechanism in place that allows for anonymous reporting of suspected improprieties. Should employees come across information or evidence that could potentially involve suspected improprieties, they can report any such concerns through the values and ethics framework established within Statistics Canada.

The Agency's project charter is in line with the PIC and follows the approach described in the OCG's Diagnostic Toolkit.

Risk management

Management should have adequate risk management practices in place, to consider and mitigate risks associated with the implementation of ICFR, and achieving PIC compliance. Implementing and maintaining a framework for PIC has inherent risks that may preclude the achievement of compliance with the Policy.

Interviews revealed PIC compliance is subject to four main dependencies: 1) Services provided by an external consultant; 2) Finance staff assigned to activities related to PIC; 3) The collaboration of business process owners for the documentation of processes, the identification of key controls and implementation of remediation actions where control weaknesses are identified; and 4) The support of senior management across the Agency.

Risks to the implementation of ICFR have been considered and mitigated within Finance. FASD has identified a number of short and long-term mitigation strategies to manage risks associated to these dependencies, including, but not limited to:

• Securing a professional services contract for resources to carry out the PIC work plan;
• Oversight activities to ensure quality over the consultants work;
• Access to a pool of rotational staff within Finance to address current and future knowledge resource needs for activities related to the PIC;
• Formal letters of acknowledgement of responsibility towards the implementation of PIC signed by the ASCs in each field; and
• Presentations to senior management across the Agency explaining the requirements of the policy as well as their respective roles and responsibilities.

From its first year of operation, Finance has monitored the effectiveness of mitigation strategies in place, and is in the process of developing additional strategies to increase the level of collaboration of business process owners. As a result, FASD has identified certain challenges with respect to follow-up activities and is considering implementing a steering committee involving key stakeholders at the Director and Director General (DG) levels to increase the support and engagement of management with respect to PIC compliance across the Agency. This new initiative is expected to be implemented in 2013.

Finance has an adequate approach to managing the inherent risks associated with implementing a framework for the annual risk-based assessment of the effectiveness of the system of ICFR.

Planning and scoping

As Statistics Canada's process to assess ICFR has evolved from an initial implementation project to a sustained process, the strategic plan for PIC compliance and work plan should be reviewed periodically and validated by the CFO and CS to ensure continued relevance. As required by the PIC, DAC should be consulted on the risk-based assessment plans for the annual assessment of the effectiveness of the departmental system of internal control.

Statistics Canada has mechanisms in place to plan and scope its strategy for PIC compliance, to address significant issues, and ensure continuous improvement. The two PIC strategy documents describe the approach to be used for the testing of ICFR, roles and responsibilities, reporting requirements, next steps, a work plan with defined timelines, and detailed risk assessments for each in-scope business process.

To develop the strategy documents and associated work plan, the Agency has identified the key risks facing the integrity of the financial statements (F/S), the significant accounts within the F/S, and has determined which business processes are considered in-scope.

The business processes considered in-scope are the following:

• Financial Close and Reporting;
• Payroll and Benefits;
• Census Pay;
• Interviewer's Pay;
• Revenues;
• Operating Expenditures;
• Capital Assets;
• Entity Level Controls, including Budgeting and Forecasting; and
• General Computer Controls (GCCs).

For each in-scope business process, the Agency has identified the significant business units, systems, and entity level controls that are reported in the F/S. The planning documents specify the area to be tested, the inherent risks, the rationale for the inherent risk areas to be tested, the control objectives, the extent of testing, and the frequency of testing.

In March 2013, Statistics Canada will have completed its second year of assessment of ICFR following the original PIC compliance strategy. The strategy guides decision-making regarding which processes, financial statement accounts, and risks are most relevant for consideration in the testing strategy, and the allocation of resources. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed. Revisiting and updating the strategy and risk environment on a periodic basis will ensure that the strategy remains relevant, by being reflective of the Agency's operating environment.

At the end of each fiscal year, the CS and CFO are responsible for signing the Statement of Management Responsibility. Therefore, once the testing strategy has been updated, formally validating it with the CS and the CFO would ensure they have an opportunity to review and provide input into the proposed plans. The outlines of the strategy and the Statement were presented to the CFO, senior management and DAC in March 2012, but the testing strategy document was not presented in its entirety. As a result, actual completed testing cannot be compared to planned testing activities. Signing the annual Statement requires an acknowledgement of the conduct of annual risk-based assessment of ICFR, including any deviations from the PIC strategy.

Documentation of in-scope business processes

An adequate process should be in place to document in-scope business processes and identify process-level controls that mitigate risks to the integrity of the financial statements. Business process narratives and flowcharts are used to identify key controls, and map these controls to F/S risks. Documentation maintained for in-scope business processes should be evergreen, reflecting significant changes in processes and/or systems that have an impact on ICFR.

Statistics Canada has completed its initial round of documentation for each in-scope business process. A review of the business process documentation for four in-scope business processes (Pay, Financial Close Reporting, Revenues and GCC-Change Management) found that the Agency follows a standardized approach to documentation (process narratives), which include a description of the process and sub-processes, related systems, key controls and identification of the process owners accountable for each in-scope business process. Key control points and accountabilities were identified in the narratives, or directly within the testing matrices, and linked with key risks. For three out of the four in-scope business processes reviewed, process narratives were prepared using a standard format. The GCC-Change Management process was documented using a process flowchart, with specific sub-processes documented in the testing matrices. This is an acceptable alternative to process narratives.

Process owners develop their own process narrative documentation, which is then validated by the PIC team. Process documentation should be evergreen and as such, should be periodically validated with process owners to ensure documentation remains up-to-date. This practice helps ensure that Statistics Canada is working with an accurate and up-to-date understanding of business processes when identifying and monitoring key controls, risk factors, and determining areas of ICFR testing. Currently, reliance is placed upon process owners to communicate changes in processes to the PIC team, and significant follow-up is required as business process owners do not systematically communicate changes to the PIC team. Accurate and up-to-date information is essential for decisions regarding approach and methodology for testing.

Tests of design (TOD) of key controls

Assessing the design of key controls involves identifying key controls, aligned with the key risks, and completing tests of design. Tests of design are conducted to verify that key controls in place are implemented as described in process narratives.

Statistics Canada has identified key controls that exist within in-scope business processes, has mapped these controls to the risks they mitigate, and has completed tests of design. The audit selected three sub-processes for each of the four selected in-scope business processes for review. The audit confirmed that each sub-process had a key control identified and was aligned to each key control. For those controls that were found to be ineffective through TOD, the finding/weakness was included in a Letter of Recommendation (LOR), and a management response was developed to address the specific finding/weakness.

Tests of operating effectiveness (TOE) of key controls

A process should be in place to assess the extent to which key controls, including ITGC and entity level controls, have been operating as intended over a specified period of time. This process is referred to as a Test of Operating Effectiveness (TOE). The testing strategy should be documented, and include sampling techniques, locations, timing, and the IT application controls to be tested.

Statistics Canada has developed and documented its strategy for completing tests of effectiveness of key controls. The testing strategy describes the scope, approach, methodology, basis for sampling, frequency and lists the application controls to be assessed. Statistics Canada's two PIC strategy documents include sections on the Agency's approach for TOE. The approach to testing contained in each PIC strategy document adequately details key information, including risk information, the degree of reliance on controls, a testing strategy for each in-scope business process, a testing plan with timelines, and sample sizes. The testing matrices further document the testing and sampling strategies for each key control to be tested, and where applicable, identifies the various locations where testing is to take place.

In this regard, the Agency has met the PIC requirements. Processes that are in place are in line with the approach recommended in the Diagnostic Toolkit.

Change management

The Policy on Internal Control requires ongoing assurance on the system of ICFR. In order to meet this requirement, the Agency must follow its strategy for the assessment key controls for in-scope business processes, according to the established timelines. The strategy should include coverage and testing in situations when processes and systems are scheduled to be changed or are in the process of change. Testing activities should be adapted in such cases to ensure compensatory controls are monitored for effectiveness during this time. In the event that testing for an in-scope business process is suspended or cancelled, such decisions should be communicated to the CS and CFO, as it impacts the Agency's ability to monitor the effectiveness of the full system of ICFR on an ongoing basis, as is required by the PIC.

Interviews with management and the review of documentation revealed that there are a number of projects underway that involve significant changes in processes and systems affecting ICFR. Some initiatives originate from within the Agency, while others are initiated by third parties who provide services to the Agency. Examples of significant changes are:

• Business processes affected by Administrative Processes Review and Automation (APRA);
• Transfer of technology to Shared Services Canada (SSC);
• Public Works & Government Services Canada's changes to the Common Departmental Financial System (CDFS), with the implementation of a Capital Assets module;
• Business process changes resulting from letters of recommendations to address weaknesses in key financial controls (e.g. IT Change Management process, HR's system change from GLOBAL to GALAXY).

Where process or system changes are initiated within the Agency, the PIC team proactively reviews the design of processes under development to ensure key controls are imbedded. Interviews revealed that some testing activities had been cancelled for 2012-2013, as they relate to business processes impacted by APRA.

When process or system changes are initiated by third-party service providers, the PIC team monitors the evolution of these initiatives by attending meetings, or through on-going communication with designated Statistics Canada representatives who are part of steering committees.

In the event that significant process or system changes are planned or are being changed by third-party service providers, the ability to provide ongoing assurance regarding the full system of ICFR should be maintained in order to meet the requirements of the policy. In these situations, the current practice has been to suspend, defer or cancel testing. For example, the Capital Assets business process was last tested in 2009, and was scheduled for the next round of testing in the 2011-2012 fiscal year. Due to planned changes to CDFS, testing of Capital Assets has been deferred to the 2014-2015 fiscal year. When testing is cancelled in an area, the PIC team has not been confirming whether the system of internal control has remained the same or if it continues to be effective. If ongoing assurance cannot be provided for a period of time, this situation should be clearly stated in the Statement.

For the transition of technology to SSC, Finance and SSC are engaged in discussions to determine how Statistics Canada will obtain assurance on ICFR from SSC. Departments across the Federal Government are affected by this transition of services to SSC, and it is expected that each department will engage in negotiations with SSC to attain the level of assurance deemed necessary by each department. As expected, timelines for including assurance over ICFR on business processes managed by SSC have not yet been set.

A review of the PIC Follow-up Action Plan revealed that certain key controls scheduled to be tested during the last round of testing had not been tested. Interviews with Finance staff confirmed that testing of certain key controls had been delayed in instances where processes or systems were planned to be changed. Compensatory controls in place during transition periods were not tested. Postponing or cancelling testing of key controls may impact the Agency's ability to monitor the effectiveness of the full system of ICFR on an ongoing basis, as is required by the PIC.

Recommendations:

It is recommended that the Assistant Chief Statistician Corporate Services and CFO ensure that:

• The PIC strategy is periodically updated and validated by the CFO and CS.
• Compensatory controls in place during process and system changes are considered for testing as part of providing ongoing assurance on ICFR.

Management response:

Management agrees with the recommendations.

• The Director, Financial Reporting Division will ensure that the PIC strategy is updated and validated by the CFO, CS and DAC annually.
  
  Deliverables and Timeline: Annual presentation of the PIC strategy to Policy Committee and DAC, in March/April of each year.
• The Director, Financial Reporting Division will ensure that compensatory controls are considered and included in the testing strategy as required, on a risk basis.
  
  Deliverables and Timeline: Completed testing of compensatory controls as planned in the testing strategy, as required.

Ongoing monitoring and reporting on the state of ICFR

Based on the approach suggested in the OCG's Diagnostic Toolkit regarding ongoing monitoring and reporting on the state of ICFR and progress towards audit readiness, management needs to consider the potential impact that control weaknesses may have on the integrity of the financial statements and monitor the implementation of remedial actions required to address specific control deficiencies. As part of the process, there should be timely reports to the CFO and senior management on the nature of the results of the assessments and with attention on the associated action plans. At appropriate times, the DACs should be engaged for advice on the findings and responses.

The following sections provide an assessment of monitoring and reporting activities in place within Finance, and are from the first full cycle of assessing control effectiveness through testing, implementation of remediation actions and reporting results within the Agency.

Monitoring progress towards audit readiness

Following the completion of TOE, Finance obtains proposed remediation actions from respective business process owners and outstanding actions are flagged for follow-up. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of TOD and TOE. To do so, the state of completion of remediation actions is assessed by the business process owner, and communicated to the PIC team, where it is tracked in the PIC Follow-up Action Plan spreadsheet.

Remediation plans were reviewed by the audit team and interviews were conducted with business process owners to verify that remediation actions had been completed, and updates to the plan had been communicated to the PIC Finance team. The audit found that in some cases, the timelines for implementing remediation actions extended past the next scheduled testing. As a result, TOE for those processes had been delayed.

The audit team also selected two completed remediation actions from the Revenues and the GCC-Change Management business processes action plans to verify that changes to the process had been implemented. A sample of 11 control transactions was selected for each of these two business processes:

• The first control tested was the approval process for monthly reconciliations between the cash receipts recorded in the Common Departmental Financial System (CDFS) and the Corporate Sales Support System (CSSS) using the Non Salary Information Management System (NSIMS). The result of our test confirmed that the recommended control was implemented within the process. The completion of this remediation action had also been validated by the PIC team in the last round of testing.
• The second control tested was the approval process for system changes identified in the Team Foundation Server (TFS). Results confirmed that the recommended control over change requests was implemented within the process.

Timely completion of remediation actions is essential to ensuring an effective system of ICFR is operating in the Agency. In both cases, the recommended controls had been implemented and the remediation actions had been completed.

The PIC team's current approach for validating the state of completion of remediation actions is to carry out testing during the next scheduled round of testing established in the Strategy's testing schedule; which could represent a three year time lapse between tests. As a result, it may not be possible for the PIC team to provide assurance on the effectiveness of the changes implemented by the business process owner, as required for annual reporting purposes.

Timely validation of completed remediation actions will enable the PIC team to provide ongoing assurance regarding ICFR.

Reporting on the state of ICFR and progress towards audit readiness

To fulfill their responsibilities as stated in the Policy, it is essential that the CS and the CFO have a clear picture of the overall state of internal control at Statistics Canada, and that their attention is drawn to areas requiring corrective actions. According to the Diagnostic Toolkit,

"there should be timely reports to the CFO and senior management on the nature of the results of the assessments, with attention on the associated action plans. At appropriate times, the DACs should be engaged for advice on the findings and responses".

The PIC team is responsible for reporting to senior management and the DAC on the results of ICFR testing and progress towards the completion of testing plans and remediation actions. The PIC team has made a number of presentations to DAC, CPC and APC for its first PIC reporting exercise. Information presented focussed on the requirements of the Policy and contained high-level information on results of testing.

In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting (the Statement) for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Annex, which was attached to the Departmental Financial Statements for the fiscal year ending March 31, 2012, follows the same structure that is suggested in the OCG's Diagnostic Toolkit. The section pertaining to the Agency's progress provides information on which elements of the testing schedule have been completed.

The intent of the Statement, as stated in the Diagnostic Toolkit, is

"to report to the Departmental Audit Committee, senior management and central agencies on the status of ICFR management; communicate the importance of continuous improvement in internal controls within the organization; and serve as input into the ICFR assessment plans for future years".

In order to achieve this objective, information presented in the Annex should speak to the nature of the work that is required to achieve audit readiness, as it pertains to outstanding remediation items. This process enables decision-makers to have sufficient information to ensure corrective measures are implemented in a timely fashion.

Conversely, when testing of ICFR is not possible during transition periods, the Annex should clearly communicate what in-scope business processes or periods were not assessed. The audit team analysed the information communicated in the Agency's first Statement, issued for the fiscal year 2011-2012. The Statement includes a section pertaining to next steps, in which general information on processes and systems in transition is provided. Decisions to postpone or cancel ICFR testing were not clearly communicated in the Statement. The CFO, CS, and the DAC rely on information from the Statement as it may influence decisions pertaining to areas where assurance was not attained for any given period.

The Statement follows the structure per the OCG's Diagnostic Toolkit, however areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period are not explicitly reported.

Recommendations:

It is recommended that the Assistant Chief Statistician Corporate Services and CFO ensure that:

• The monitoring process include timely validation on the state of completeness of remediation actions reported by business process owners, and formal guidelines and protocols for communicating issues of significance such as a deviation from legislation or TB policy related to ICFR
• The Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting clearly communicates the areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for any given period.

Management response:

Management agrees with the recommendations.

• A PIC Steering Committee was created with as membership the DGs of Finance, IT, HR, Procurement and Assets Management and Census. The Director, Financial Reporting Division will ensure that this core management group provides leadership and oversight on the state of completeness of all reported remediation actions and for communicating issues of significance.
  
  Deliverables and Timeline: Regular meetings of PIC Steering Committee and timely validation on the state of completeness of remediation actions through review of evidence of actions taken by business process owners and/or testing to ensure controls have been implemented. Meetings and validation activities will be held quarterly or as required depending on status of remediation actions, in accordance with PIC reportring timelines. First PIC Steering Committee meeting is planned for May 2013.
• The Director, Financial Reporting Division will ensure that the status of the ICFR strategy and all relevant information in describing the organization's state of audit readiness are clearly communicated.
  
  Deliverables and Timeline: As part of the Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting, which is issued annually, in accordance with PIC reporting timelines.

Appendices

Appendix A: Audit criteria

Appendix B: Acronyms

Note