Risk-Based Internal Audit Plan - 2015-2016 to 2017-2018

[ * ] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act.

[PDF 104 KB]

Table of Contents

  1. 1 Introduction
    1. 1.1 Purpose
    2. 1.2 Internal Audit Policy
    3. 1.3 Profile of the Department
    4. 1.4 The PCO Internal Audit Function
    5. 1.5 Performance Relative to Last Year's RBAP
  2. 2 Audit Planning Approach, Methodology and Priorities
    1. 2.1 Planning Approach
    2. 2.2 Planning Inputs
    3. 2.3 The PCO Audit Universe
    4. 2.4 Ranking the Audit Universe
  3. 3 Three-Year Audit Plan
    1. 3.1 Audit Plan Summary
    2. 3.2 Project Profiles
  4. Appendix A - Risk Factors

1 Introduction

1.1 Purpose

This document presents the Privy Council Office (PCO) 2015-18 Risk-Based Audit Plan (RBAP) which replaces PCO’s existing 2014-17 RBAP. This new RBAP identifies and describes the internal auditing engagements PCO’s Audit and Evaluation Division (AED) will conduct over the next three fiscal years to provide independent assurance to the Clerk of the Privy Council and PCO senior management on risk management, control and governance processes within the department.

Robust risk-based audit planning lays the foundation for a strong internal audit function and is necessary to provide the Chief Audit and Evaluation Executive (CAEE) with information needed to plan value added assurance engagements that are both meaningful and relevant to the department. The engagements included in this plan were selected on the basis of a comprehensive analysis supported by consultations with PCO senior executives, the external members of the PCO Audit Committee, the CAEE at Shared Services Canada, and on a review of key documents. The engagements identified herein focus on areas of risk and significance and on PCO priority areas.

1.2 Internal Audit Policy

The Treasury Board (TB) Policy on Internal Audit (2012) defines internal auditing in the Government of Canada as a professional, independent and objective appraisal function that uses a disciplined, evidence-based approach to assess and improve the effectiveness of risk management, control and governance processes. This is also referred to as providing assurance. It is intended to assist decision-makers with exercising oversight and control over their organizations and with applying sound risk management.

The Policy and its supporting Directive on Internal Auditing in the Government of Canada and the Internal Auditing Standards for the Government of Canada confer planning responsibilities on Chief Audit Executives, Departmental Audit Committees (DAC), Deputy Heads and the Comptroller General for Canada. PCO’s CAEE prepares the department’s RBAP and ensures it is vetted with PCO’s Executive Committee and DAC prior to it being recommended for approval by the Clerk.

1.3 Profile of the Department

PCO provides professional, non-partisan advice and support to the Prime Minister, the ministers in the Prime Minister’s portfolio and Cabinet. PCO supports the development of the Government of Canada’s policy and legislative agendas, coordinates responses to issues facing the Government and the country, and supports the effective operation of Cabinet. PCO is led by the Clerk of the Privy Council. In addition to serving as the Deputy Head for PCO, the Clerk also acts as Secretary to the Cabinet and the Head of the Public Service.

PCO has three primary roles:

  1. provide non-partisan advice to the Prime Minister, portfolio ministers, Cabinet and Cabinet committees on matters of national and international importance;
  2. support the smooth functioning of the Cabinet decision-making process and facilitate the implementation of the Government’s agenda; and
  3. foster a high performing and accountable Public Service.

1.4 The PCO Internal Audit Function

The internal audit function at PCO is delivered by the department’s Audit and Evaluation Division, with the scope of AED’s activities being defined in the PCO Internal Audit Charter1. The Director, AED serves as PCO’s Chief Audit and Evaluation Executive with a direct reporting relationship to the Clerk. The CAEE also serves as Secretary to the PCO Audit Committee. In addition to the CAEE, AED is funded for two full-time equivalent (FTE) internal audit positions and one FTE to provide administrative support.

AED has an annual budget of just under $700,000 for 2015-16 and for each of the two subsequent fiscal years. The budget includes salaries of the Division’s four staff and the three external members of the Audit Committee, as well as the operating budgets for both AED and Audit Committee.

AED will manage its financial resources prudently while keeping its focus on delivering the auditing engagements outlined herein. Should financial resources become a constraint to delivering planned audits, the CAEE will work with PCO Finance, management and with the Audit Committee to effectively manage any budget or project delivery issues in light of established audit priorities.

1.5 Performance Relative to Last Year's RBAP

AED completed a variety of diverse projects planned for last year as described in the prior 2013-14 to 2015-16 PCO RBAP. These included finalization of three audits carried-forward from the previous year, completion of a review project and a Fraud Risk Assessment that were each started during the fiscal year, and initiation of an additional audit during the fourth quarter of the fiscal year which will be completed in 2015-16.

Summary of Auditing Engagements Performed in 2014-15
Title Description
Follow-Up Audit of Business Continuity Management Carried forward from previous year and completed in 2014-15.
Audit of Contracting Carried forward from previous year and completed in 2014-15.
Audit of Information Technology Management Carried forward from previous year. Draft report was accepted by Audit Committee in 2014-15; management’s action plan is now to be finalized in 2015-16.
Review of the Implementation of Management Action Plans Initiated and completed in 2014-15.
Fraud Risk Assessment Initiated and completed in 2014-15.
Audit of Internal Control Over Financial Reporting Initiated in Q4 of 2014-15 with completion to be in 2015-16.2

2 Audit Planning Approach, Methodology and Priorities

2.1 Planning Approach

PCO’s first RBAP was prepared in 2008. That RBAP, and all which have followed it, were prepared based on guidance from the Office of the Comptroller General (OCG) and based on audit planning requirements outlined in the TB Internal Audit Policy Suite.

When developing last year’s RBAP, AED adopted and used expanded audit planning consultations (see Section 2.2), a more streamlined audit universe reflective of PCO’s Program Alignment Architecture (Section 2.3), and a more objective approach to assessing risk and internal controls (Section 2.4). Each of these activities has been repeated during the development of this new RBAP. As well, consistent with a change in the RBAP clearance process implemented last year, this year’s RBAPs was vetted first at Executive Committee and then at DAC before being jointly recommended by the DAC Chair and CAEE for Clerk approval.

2.2 Planning Inputs

As in prior years, several sources of information were used in developing this RBAP including:

  • ongoing priority areas for audit coverage identified by the Clerk to Audit Committee;
  • input from Deputy Secretaries and other senior managers provided to Audit Committee;
  • CAEE interviews with Deputy Secretaries, the Assistant Deputy Minister, Corporate Services Branch (ADM-CSB), the external members of PCO’s DAC, and the CAEE at Shared Services Canada;
  • areas of risk identified in PCO’s evolving Risk Profile, and coverage of management priorities in documents such as PCO’s Report on Plans and Priorities, its Departmental Performance Report, and PCOs Integrated Business and Human Resources Plan;
  • Management Accountability Framework assessment results;
  • information on OCG and other external assurance provider audits; and
  • results from prior internal audits including management’s self-reporting on corrective actions implemented in response to prior audit recommendations.

2.3 The PCO Audit Universe

PCO’s audit universe spans the whole of the department. It is based on the department’s Program Alignment Architecture and it includes individual auditable entities that may be subjected in whole or in part to internal audit coverage.

Program Areas Internal Services
Advice and Support to the Prime Minister and Portfolio Ministers
  • Advice and Support to the Prime Minister and Portfolio Ministers on:
    • Issues, Policies and Machinery
    • International Affairs and National Security
    • Intergovernmental Affairs
    • Legislation, Parliamentary Issues and Democratic Reform
  • Government-wide Communications
  • Governor-in-Council Appointments of Senior Personnel
  • Parliamentary Returns
  • Support to Prime Minister and Portfolio Ministers’ Offices
Advice and Support to Cabinet and Cabinet Committees
  • Operation of Cabinet Committees
  • Integration Across the Federal Government
  • Orders-in Council
  • Cabinet Papers and Confidences
Public Service Leadership and Direction
  • Business Transformation & Public Service Renewal3
  • Management of Senior Leaders
Commissions of Inquiry
  • Financial / Administrative Support to Commissions of Inquiry
                                                                                                                                 
  • Management and Oversight, including:
    • Corporate Governance and Reporting
    • Values and Ethics
    • Integrated Risk Management
    • Third-party Services
  • Security and Emergency Management
    • Departmental Security
    • Emergency Management
    • Business Continuity Management
  • Financial Management
    • Financial Planning and Forecasting
    • Financial Operations and Reporting
    • Expenditure Controls / Management
  • Human Resources Management
    • Human Resources Planning, Classification, Recruitment and Staffing
    • Compensation - Pay and Benefits
    • Training, Development and Performance
    • Staff Relations, Consultancy and Well-being
  • Information Technology (IT)
    • IT Support and Service Delivery
    • Distributed Computing and Telecommunication Services
    • Application Development and Program Management
    • IT Security
  • Information and Records Management
  • Access to Information and Privacy
  • Departmental Communication Services
  • Asset Management Services
    • Accommodation and Building Services
    • Procurement and Contracting Services
    • Material and Asset Management
                                                 

2.4 Ranking the Audit Universe

Next, audit planning ranked the 21 auditable entities in the audit universe using a three step process. The following describes the process and criteria, and the manner in which they were applied.

Step 1: Assessing Risk Exposure

First, using the indicators below, the CAEE assessed all auditable entities for their risk exposure based on known risk information and the risk environment:

Risk Indicators Description
a. Degree and recentness of change The more change in the internal and external environments, the more exposed the entity is to risk. This indicator encompasses both the magnitude and the recentness of the change as well as the impacts these factors may have on risk levels.
b. Degree of complexity The more complex the business function, the higher the exposure to operational risk. This indicator refers to the complexity of business processes, technology and regulatory environment; however, the complexity of governance, the arrangements with key stakeholders and the relationships with stakeholders were also considered.
c. Legislative or other compliance requirements The higher the degree of compliance requirements, the more stringent the control requirements. This inherently exposes the entity to risk stemming from insufficient adherence to obligations, whether statutory or otherwise and can expose the department to reputational consequences.
d. Degree of knowledge The higher the knowledge requirements, the higher the exposure to risk that may stem from loss of key personnel, operational or relational knowledge. This indicator incorporates personnel and corporate knowledge that may reside in processes, business rules, and systems.
e. Degree of dependencies The more dependent the entity is on other parties, the more it is exposed to risk that may originate from a lack of control. In addition, the greater the dependencies, the more coordination is required and thus, the higher the exposure to risk.

This analysis provided information on the risk exposure of auditable entities. Internal controls in place to mitigate risk were assessed next.

Step 2: Assessing the Internal Control Framework

The second step involved assessing management’s internal control framework as it applies to each auditable entity. To structure this portion of the analysis, AED adopted the Committee of Sponsoring Organizations’ (COSO)4 Internal Control - Integrated Framework (2013), which consists of the five inter-related components of internal control presented below.

Components Description
a. Control environment The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization/entity. It includes the tone at the top regarding the importance of internal control and expected standards of conduct established by senior management.
b. Risk assessment Involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
c. Control activities Actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.
d. Information and communication Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities.
e. Monitoring Activities Ongoing assessments, separate assessments, or some combination of the two are used to ascertain whether each of the five components of internal control are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management.

Step 3: Bringing it all together

Based on the results obtained from the process described in steps 1 and 2 and the CAEE’s professional judgement, each auditable entity was assigned to one of three audit priority categories as described below. Once the audit universe was prioritized, individual engagements were identified based on planning inputs per section 2.2 above.

Audit Priority Description
High Audit Priority These auditable entities are seen as the most important from an audit standpoint and are the top candidate areas for internal audit activity within the planning horizon.
Moderate Audit Priority While there is value in auditing within these auditable entities during the planning horizon, they are not seen as the highest of priorities from an audit standpoint.
Low Audit Priority Engagements in these auditable entities would only be performed within the planning horizon if time and resources permit.

3 Three-Year Audit Plan

3.1 Audit Plan Summary

Internal auditing is a function that is designed to add value and improve an organization’s operations by providing assurance on those areas to which internal audit resources are applied. Intrinsic in the notion of adding value is the concept of the costs of applying resources versus the benefits of providing independent and objective assurance on areas of governance, risk management and internal control. Recognizing that a “one size fits all” approach is not always best, this RBAP includes two forms of assurance engagements - audit engagements and review engagements. As well, given the skills and experience within PCO’s internal audit and evaluation function, this RBAP also proposes other types of engagements such as risk assessment and evaluation engagements.

Audit and review engagements are similar in that they are both conducted to provide assurance on a given subject. They differ in that a review engagement will not normally involve the extensive data gathering and in-depth substantive testing which are typical characteristics of an audit engagement. For this reason, a review will generally be shorter in duration and less costly than an audit, but an audit will provide a higher level of assurance than a review. When conducting review engagements, the CAEE will closely monitor the results achieved and will, if considered necessary, be prepared to expand testing to audit levels to increase the assurance provided by the engagement.

The focus of an assurance project (an audit or review) may be at the auditable entity level, or it may be on a component organization, operation or activity within an auditable entity. An assurance project may also cut across auditable entity lines if the organization, operation or activity being audited or reviewed similarly cuts across auditable entity lines.

Under the TB Directive on Internal Auditing in the Government of Canada CAEEs are responsible for “.....establishing and updating at least annually a multi-year plan of internal audit engagements....which is focused predominantly on the provision of assurance services...”. The table which follows outlines the recommended audit, review and other proposed engagements over the next three years.

Planned Internal Audit, Evaluation and Other Engagements
2015-2016 2016-2017 2017-2018
  • Audit of Recordkeeping Transformation
  • Performance Measurement Strategy for the Central Innovation Hub
  • Review of Staffing Activities5
  • Audit of the Management and Use of Acquisition Cards
  • Risk Assessment of PCO’s Personal Information Holdings
  • Follow-up Audit of Information Technology Security
  • Review of PCO’s Performance Management Framework for Employees
  • Review of PCO’s Arrival and Departure Processes
  • Review of the Adjusted Process for Reviewing Cabinet Confidence Information for Exclusion from Disclosure
  • Audit of the Parliamentary Returns Process
  • Audit of Integrated Risk Management
  • Audit of PCO Planning for the Continuity of Constitutional Government
  • Review of Financial Forecasting
  • Evaluation of the Central Innovation Hub (to be completed in 2018-19)
  • Preparation for 2018-19 Practice Inspection of PCO’s Audit and Evaluation Division6

The “Planned Engagements After Priority Ranking of the Audit Universe” table on the next page depicts the results from the CAEE’s priority ranking process and indicates in which Auditable Entity the engagements identified above are planned within the overall audit universe over the next three-year cycle.

Auditable Entities in which no engagements are contemplated will be reconsidered for coverage during successive annual audit planning exercises. Should circumstances change in a given Auditable Entity during a given year, audit resources can be reassigned as required.

Planned Engagements After Priority Ranking of the Audit Universe

High Priority Audit Entities   Planned Engagements
Information Technology Yes Follow-up Audit of Information Technology Security
Information and Records Management Yes Audit of Record Keeping Transformation; Risk Assessment of PCO’s Personal Information Holdings
Cabinet Papers and Confidences Yes Review of the Adjusted Process for Reviewing Cabinet Confidence Information for Exclusion from Disclosure
Government-wide Communications    
Security and Emergency Management Yes Audit of Integrated Risk Management; Audit of PCO Planning for the Continuity of Constitutional Government
Moderate Priority Audit Entities   Planned Engagements
Business Transformation & Public Service Renewal Yes Performance Measurement Strategy for the Central Innovation Hub; Evaluation of the Central Innovation Hub
Human Resources Management Yes Review of Staffing Activities; Review of PCO’s Performance Management Framework for Employees; Review of PCO’s Arrival and Departure Processes
Financial Management Yes Audit of Management and Use of Acquisition Cards; Review of Financial Forecasting
Management and Oversight    
Parliamentary Returns Yes Audit of Parliamentary Returns Process
Asset Management Services    
Access to Information and Privacy    
Prime Minister Advice and Support    
Governor-in Council Appointments of Senior Personnel    
Integration Across the Federal Government    
Low Priority Audit Entities   Planned Engagements
Operation of Cabinet Committees                                                                                                                                                                                                                    
Management of Senior Leaders    
Communication Services    
Orders-in-Council    
Support to Prime Minister and Portfolio Ministers’ Offices    
Support to Commissions of Inquiry    

In the following section 3.2 of this RBAP, each planned engagement is presented in a separate “Project Profile” table that outlines the engagement’s preliminary objective(s) and scope, information on the rationale for selection, and additional relevant information. The objective(s) and scope are considered preliminary because they are based on information gathered to date. Once an engagement is launched and more detailed information becomes known, the objective(s) and/or scope of that engagement may be refined to target audit and evaluation resources to the areas of highest risk or significance.

3.2 Project Profiles

2015-2016

Audit of Recordkeeping Transformation

Preliminary Objectives and Scope

  • The objectives of this audit are to provide assurance on the effective implementation of PCO’s Recordkeeping Transformation Strategy and on implementation of commitments made in response to the OCG’s 2011 Horizontal Audit of Recordkeeping.
  • The audit’s scope includes recordkeeping activities in the Department from July 2011, the date the Executive Committee approved the PCO Recordkeeping Transformation Strategy, to the start of the audit. Consistent with the nature of the Recordkeeping Transformation Strategy, the audit is department-wide in nature and includes operational and oversight controls used for the identification of information resources of business value, protection and risk mitigation, recordkeeping tools and methodologies, recordkeeping practices, and awareness and training. The audit includes a review of PCO’s self-assessment of compliance to the Directive on Recordkeeping which was submitted to TBS by the March 2015 deadline TBS had established to achieve compliance.
  • The audit is being conducted using a forward looking approach to maximize the opportunity to provide management with audit results that could support the implementation of recordkeeping transformation related initiatives that are either underway or are planned for the short term period following completion of the audit.
  • The audit will not include an assessment of compliance to the Access to Information Act or the related TB Policy on Access to Information.

Selection Rationale

  • The topic of risk as it relates to the management, handling, storage and/or use of information was discussed last year during several audit planning interviews.
  • Delivering on PCO’s mandate often requires that considerable volumes of information (some of which is sensitive in nature) is obtained, stored and used in the course of normal operations.
  • A number of gaps in compliance with the Directive on Recordkeeping were previously identified.
  • PCO was one of sixteen departments and agencies included in the 2011 OCG Horizontal Audit of Electronic Record Keeping in Large Departments and Agencies. The management action plan developed in response to recommendations from that horizontal OCG audit focussed heavily on the PCO Recordkeeping Transformation Strategy.
  • This audit is retained as approved in last year’s RBAP. As a project related to information management, this audit complements the 2015-16 Risk Assessment of PCO’s Personal Information Holdings and the 2016-17 Follow-up Audit of Information Technology Security.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q1 of 2015-2016
Internal Services - Information and Records Management

Plus: aspects that are department-wide
Operational Risk - IM Risk

Operational Risk - Legal/Compliance Risk
Six month level of effort from PCO project lead with a budget of $50K for contractor support Assurance Audit
Performance Measurement Strategy for the Central Innovation Hub

Preliminary Objectives and Scope

  • The objective of this engagement will be to develop a Performance Measurement Strategy for PCO’s new Central Innovation Hub (The Hub). A Performance Measurement Strategy is a results-based management tool used to guide the selection, development and ongoing use of performance measures. It will be used to support the evaluation of The Hub that is planned for completion in 2018-19 consistent with Treasury Board documentation about The Hub.
  • The Performance Measurement Strategy will include four essential components: a profile of the Central Innovation Hub, a logic model, a performance measurement strategy framework, and an evaluation strategy.
  • This Performance Measurement Strategy will be developed based on guidance from the Treasury Board Secretariat - Centre for Excellence in Evaluation as described in their “Supporting Effective Evaluations: A Guide to Developing Performance Measurement Strategies” publication. The team conducting this project will discuss the overall approach to the project with the TB Centre of Excellence in Evaluation during the early stages of the project’s planning process.

Selection Rationale

  • The Performance Measurement Strategy is important because it will allow management of The Hub and the Chief Audit and Evaluation Executive (CAEE) to ensure that sufficient and appropriate data are generated to effectively support management’s need for on-going performance information and a rigorous evaluation approach for the evaluation that is planned for completion in 2018-19.
  • As the first of two newly proposed projects about The Hub in this RBAP, the outputs of this Performance Measurement Strategy will directly support the 2017-18 Evaluation of the Central Innovation Hub which will be completed in 2018-19.
  • The Performance Measurement Strategy should be developed as early as possible to support key decisions about the program model, delivery approach, reporting requirements, and evaluation. The Performance Measurement Strategy will be developed to assist senior management and the Clerk to:
    • continuously monitor and assess Central Innovation Hub results;
    • make informed decisions and take appropriate, timely action with respect to The Hub;
    • provide effective and relevant departmental reporting; and
    • ensure that credible and reliable performance data are being collected to effectively support the planned evaluation of The Hub.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q2 of 2015-2016
Public Service Leadership & Direction - Business Transformation and Public Service Renewal
  • Transformation / Change Management Risk
  • Operational Risk - Process Risk
Three month level of effort from PCO project lead with a budget of $60K for contractor support Evaluation Planning
Review of Staffing Activities

Preliminary Objectives and Scope

  • The objective of the review will be to provide assurance on the degree that PCO staffing activities are consistent with the Public Service Commission’s (PSC) appointment framework.
  • The scope of the review will include an assessment of a sample of completed staffing actions conducted specifically for PCO against the requirements in the PSC appointment framework, including the appointment authorities delegated by the PSC to the Clerk under the Public Service Employment Act.

Selection Rationale

  • A review of PCO’s staffing activities was suggested by the ADM, CSB for inclusion in last year’s RBAP - a suggestion the CAEE fully supported. With PCO having completed an Audit of Recruitment Planning and Staffing in March 2011, approximately 5 years will have elapsed between this review and the earlier audit.
  • While human resourcing activities have been affected by many change factors over the intervening period, PCO continues to require processes which allow the department to obtain the most qualified, experienced and appropriate personnel in a timely manner.
  • Under the Public Service Employment Act, the PSC, as the entity responsible to ensure public service organizations meet accountability requirements and PSC expectations, instituted one such change when it developed an appointment framework to guide deputy heads in building staffing systems that meet their needs and respect legislative requirements and core values. The Staffing Management Accountability Framework, a key component of the appointment framework, was subsequently revised.
  • This project was approved in last year’s RBAP. Since then, the PSC announced its intention to conduct an organizational audit at PCO, the timing of which remains uncertain. PCO will coordinate its approach with the PSC as necessary to make the best use of available resources and avoid duplication of effort.
  • As a project related to human resource management, this review complements the 2016-17 Review of PCO’s Performance Management Framework for Employees and the 2016-17 Review of PCO’s Arrival and Departure Processes.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q3 of 2015-2016
Internal Services - Human Resources Management Operational Risk - Human Resources Risk

Operational Risk - Process Risk
Four month level of effort from PCO project lead with a budget of $30K for contractor support Assurance Review
Audit of the Management and Use of Acquisition Cards

Preliminary Objectives and Scope

  • The objective of the audit will be to provide assurance on the adequacy of PCO’s control framework for the management and use of acquisition cards.
  • The scope of the audit will include the framework of financial and management oversight controls in place at PCO for the effective management of PCO’s Acquisition Card Program including the alignment of PCO’s Policy on Acquisition Cards with the Treasury Board Directive on Acquisition Cards.

Selection Rationale

  • The management and use of acquisitions cards at PCO has not been the subject of any prior internal audit or review attention.
  • The use of acquisition cards has a degree of inherent risk of fraud associated with it. Auditing the control framework over the use of acquisition cards would be a fundamental audit supporting any fraud prevention program or activities at PCO.
  • This Audit of Acquisition Cards was suggested by the ADM, CSB during last year’s audit planning interviews - a suggestion the CAEE fully supported - the audit was included in last year’s approved RBAP. The audit was discussed with the ADM, CSB during this year’s audit planning interviews at which time the ADM confirmed her ongoing support for retaining this audit in this year’s RBAP.
  • As a project related to financial management, this audit complements the 2017-18 Audit of Integrated Risk Management and the 2017-18 Review of Financial Forecasting.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q3 of 2015-2016
Internal Services -

Primary: Financial Management

Secondary: Asset Management Services
Fraud Risk

Operational Risk - Process Risk

Financial Risk - Financial Management Risk
Four month level of effort from PCO project lead with a budget of $20K for contractor support Assurance Audit
Risk Assessment of PCO's Personal Information Holdings

Preliminary Objectives and Scope

  • The objectives of the risk assessment will be to:
    • Identify the risks associated with the protection and management of personal information under PCO’s control;
    • Assess the relative significance of the risks in terms of the likelihood of each risk occurring and its impact, should it occur; and
    • Determine, on a preliminary basis, whether management's assertions about controls are likely to prevent or mitigate the occurrence of the risks of greatest concern.
  • The scope of this risk assessment will be department wide in nature. It will identify and document PCO’s personal information holdings, including where these holdings exist, and will provide information on the practices PCO is using to manage these holdings. The scope will include consideration of the Personal Information Banks contained in Info Source, which describes categories of personal information collected by PCO including how that information is to be handled, used, retained, and disposed of. As this is a risk assessment, limited testing of controls over the management of these holdings is contemplated.
  • Results from the risk assessment will be used to inform management decision making and next year’s annual audit planning process.

Selection Rationale

  • Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act (the Act). The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust in government.
  • Questions about the extent to which PCO has holdings of personal information and how these are managed have been raised during this and last year’s audit planning interviews. The Act and the associated Privacy Regulations will form the backdrop for this risk assessment as they provide the legal framework for the creation, collection, retention, use, disclosure, accuracy and disposition of personal information in the administration of programs and activities by government institutions.
  • The risk to PCO’s reputation from possible ineffective information management practices is considered high.
  • As a project newly proposed in this RBAP related to information management, this Risk Assessment complements the 2015-16 Audit of Recordkeeping Transformation.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q4 of 2015-2016
Department-Wide Reputation/Public Opinion Risk - Reputational Risk

IM/IT Risk - Information Management Risk

Operational Risk - Process Risk
Three month level of effort from PCO project lead with no budget for contractor support Risk Assessment

2016-2017

Follow-up Audit of Information Technology Security

Preliminary Objectives and Scope

  • The objectives of this audit will be: (i) to provide assurance on PCO’s adherence to relevant Treasury Board polices; (ii) to provide assurance on the adequacy of PCO’s control framework to manage IT security elements in support of the department’s business requirements while coordinating IT security related requirements with SSC; and (iii) to follow-up on the implementation of management action plans established in response to applicable audit recommendations from the 2009 PCO Audit of IT Security and the 2014 PCO Audit of Information Technology Management7.
  • The scope of the audit will include PCO’s IT security function and its mechanisms to coordinate IT security related roles, responsibilities and activities with SSC, but not PCO’s role as a Lead Security Agency under TB’s Policy on Government Security. The OCG is completing its 2014-15 Horizontal Audit on IT Security during which PCO’s Lead Security Agency role was considered.

Selection Rationale

  • IT security remains an area of high risk for PCO and for the government as a whole. Roles and responsibilities for IT security are shared and must be coordinated between SSC and its client departments (including PCO). As SSC continues to evolve, so do the roles and responsibilities for IT security and mechanisms for interdepartmental coordination. This degree of change is accompanied by increasing risk and a need for ongoing risk management attention.
  • [*]
  • This audit was approved in last year’s RBAP. PCO’s CAEE discussed the project again during this year’s annual audit planning interview with the CAEE at SSC who suggested this audit either be conducted in 2015-16 or be deferred to 2018-19. PCO’s CAEE reported this to the PCO DAC in April 2015 at which time DAC members and participants agreed based on prevailing circumstances at PCO that the best time to conduct this audit is in 2016-17.
  • As a project related to information management and information technology, this follow-up audit complements the 2015-16 Risk Assessment of PCO’s Personal Information Holdings, the 2015-16 Audit of Recordkeeping Transformation, and in some respects the 2017-18 Audit of PCO Planning for Continuity of Constitutional Government.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q1 of 2016-2017
Internal Services - Information Technology Operational Risks
  • IT Risk
  • Hazard / Security Risk
Six month level of effort from PCO project lead with a budget of $100K for contractor support Assurance Audit
Review of PCO's Performance Management Framework for Employees

Preliminary Objectives and Scope

  • The objective of the review will be to provide assurance on the extent to which PCO has established an effective control framework for meeting the department’s obligations under Treasury Board’s 2014 Directive on Performance Management as it relates to non-Ex level PCO employees.
  • The scope of the review will include the control framework established to manage non-Ex level employee performance at PCO under the 2014 Directive, including management oversight of the PCO Performance Management Program.

Selection Rationale

  • The TB Directive on Performance Management which came into effect April 1, 2014 promotes a commitment to sustaining a culture of high performance in the public service. This dovetails well with the vision underlying Destination 2020. To the extent that the TB Directive represents a new and higher standard for the development and monitoring of performance objectives for all PCO employees, proactively providing assurance to the Clerk in 2016-17 on the extent to which PCO has an effective performance management framework in place and is meeting its obligations under the new Directive as they relate to non-Ex level employees is seen as both relevant and timely.
  • This project was approved in last year’s RBAP. As a project related to human resource management, this review complements the 2015-16 Review of Staffing Activities and the 2016-17 Review of PCO’s Arrival and Departure Processes.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q1 of 2016-2017
Internal Services - Human Resources Management Operational Risk - Process Risk Four month level of effort from PCO project lead with a budget of $20K for contractor support Assurance Review
Review of PCO's Arrival and Departure Processes

Preliminary Objectives and Scope

  • The objective of the review will be to provide assurance on the adequacy of PCO’s arrival and departure controls and activities and the degree to which they respect the responsibilities, guidelines and procedures outlined in the department’s Policy for Arrival and Departure of Personnel.
  • The scope of the review will include an assessment of a sample of arriving personnel files and a sample of departing personnel files against the requirements outlined in the Department’s Policy for Arrival and Departure of Personnel, including the return of departmental assets.

Selection Rationale

  • PCO is not generally considered to be a large department, but for its size, PCO can at times experience significant staff turnover. This adds to the rationale for reviewing the department’s arrival and departure activities.
  • After this review was suggested by the ADM, CSB during last year’s audit planning interviews - a suggestion the CAEE fully supported - the review was included in last year’s approved RBAP. The review was discussed again with the ADM, CSB during this year’s audit planning interviews at which time the ADM confirmed her ongoing support for retaining this audit in this year’s RBAP.
  • As a project related to human resource management, this review complements the 2015-16 Review of Staffing Activities and the 2016-17 Review of PCO’s Performance Management Framework for Employees.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q3 of 2016-2017
Internal Services - various including:
  • Human Resources Management
  • Asset Management Services
  • Security and Emergency Management
Operational Risk - Process Risk

IM/IT Risk - IM Risk

Fraud Risk - Fraud
Four month level of effort from PCO project lead with no budget for contractor support Assurance Review
Review of the Adjusted Process for Reviewing Cabinet Confidence Information for Exclusion from Disclosure

Preliminary Objectives and Scope

  • The objectives of the review will be to assess and provide assurance on the effectiveness and efficiency of the adjusted procedures for the review of documents for application of s.69 of the Access to Information Act and s. 70 of the Privacy Act.
  • The scope of the review will include application of the procedures and consultation provisions established for the review of potential Cabinet confidence information for exclusion from disclosure in PCO and in other government institutions. The period of coverage will be from when the adjusted procedures were introduced to the time of the review. The review will not challenge determinations made by legal Counsel as to what is, or is not, a Cabinet confidence.
  • The methodology will include working with officials in PCO and in select other government departments (OGDs) who apply the procedures established for (a) reviewing Cabinet confidence information for exclusion from disclosure and for (b) consulting the Office of the Counsel to the Clerk of PCO, as appropriate. The CAEE will select the OGDs for inclusion in the review in consultation with PCO management and Counsel.

Selection Rationale

  • Until 2013-14, per the TBS Policy on Access to Information, all government institutions had to consult PCO Counsel about the review of potential Cabinet confidence information for exclusion from disclosure pursuant to s.69 of the ATI Act and to s.70 of the Privacy Act on behalf of the Clerk as custodian of the Cabinet confidences of all Prime Ministers, past and present. This Policy was changed in 2013-14 resulting in Justice legal counsel in client departments and agencies being given the authority to make exclusion decisions without having to consult PCO.
  • Under s.2.1.4 of the TBS ATI Manual, the Clerk is responsible for ensuring the integrity of the Cabinet process and the stewardship of the documents that support this process. As custodian of Cabinet confidences, the Clerk is responsible for policies on the administration of these confidences and for the ultimate determination of what constitutes such confidences, and must be consulted in a manner consistent with the guidance set out in Chapter 13 of the TBS Manual.
  • Under s.8.2 of the TBS Policy on ATI, the Clerk is responsible for policies on administration of Cabinet confidences and determines what information constitutes a Cabinet confidence. Under s.6.2.7 of the Policy, Deputy Heads must consult their departmental legal counsel, per established procedures, before excluding Cabinet confidences from disclosure.
  • Under s.13.4.5 b) of the TBS ATI Manual regarding procedures to follow in the review of records subject to subsection 69(1) of the ATI Act, if there is any doubt within a department whether a record is a Cabinet confidence in cases involving complex fact situations or when there is a disagreement between the department’s legal counsel and ATIP Office about the nature of the information, or when documents contain discussion papers, that department’s legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council.
  • This project was approved in last year’s RBAP. The merit of providing assurance on the adjusted Cabinet confidences review process was discussed and supported during this and last year’s audit planning interviews.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q3 of 2016-2017
Advice and Support to Cabinet and Cabinet Committees - Cabinet Papers and Confidences Operational Risk - Process Risk

Strategic Risk - Transformation / Change Management Risk
Six month level of effort from PCO project lead with no budget for contractor support Assurance Review
Audit of the Parliamentary Returns Process

Preliminary Objectives and Scope

  • The objective of the audit will be to provide assurance on the adequacy of PCO’s control framework over, and the processes used to manage and coordinate, parliamentary returns.
  • The scope of the audit will include the management controls, processes and procedures that apply to the processing of Parliamentary returns, including those outlined in PCO’s Guide to Producing Parliamentary Returns. The audit will consider the extent to which the current process is capitalizing on the benefits of modern technologies.

Selection Rationale

  • In 2004, the Office of the Auditor General examined the Process for Responding to Parliamentary Order Paper Questions. In 2008, PCO conducted its Follow-up Audit of the Process for Responding to Parliamentary Order Paper Questions. These audits led to the creation of the Guide to Producing Parliamentary Returns and the Glossary of Terms for Parliamentary Returns. No further audit attention has been applied in this area since 2008.
  • Last year’s audit planning interviews indicated a significant rise in the number of Parliamentary Returns had occurred. Given the potential sensitivity associated with processing parliamentary returns, this increases strategic, processing and reputational risk for PCO.
  • Modern technologies and their ability to improve PCO processes continue to advance, yet it has already been 7 years since this area was last audited, and it would be 9 years between audits if this audit is conducted when planned.
  • This audit was approved in last year’s RBAP to start in Q1 of 2015-16. Audit planning interviews this year confirmed ongoing support for this audit. However developments affecting the delivery of other audit projects have resulted in a proposed rescheduling of the start of this audit to the latter part of 2016-17. This was discussed with management who concurred with the proposed rescheduling of the project.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q4 of 2016-2017
Advice and Support to the Prime Minister and Portfolio Ministers - Parliamentary Returns Strategic Risk - risk to achieving PCO's mandate

Operational Risk - Process Risk

Reputational Risk
Six month level of effort from PCO project lead with a budget of $30K for contractor support Assurance Audit

2017-2018

Audit of Integrated Risk Management

Preliminary Objectives and Scope

  • The objective of the audit will be to provide assurance on the effectiveness of PCO’s approach to Integrated Risk Management and the degree to which it is consistent with applicable Treasury Board (TB) authorities.
  • The scope of the audit will focus on PCO’s Integrated Risk Management Framework including PCO systems, processes and practices used in the identification, mitigation and reporting of risks in the PCO Risk Profile.

Selection Rationale

  • Risk management is an essential element of an effective public administration framework. To mitigate against possible losses and capitalize on opportunities, decision-makers must be aware of existing and emerging risks in a timely manner.
  • Treasury Board has issued several authority instruments for the effective management of risks including the TB Framework for the Management of Risk and the TB Guide to Integrated Risk Management. These instruments, which will form part of the backdrop for this audit, outline a principles-based approach to risk management that reaffirms the Deputy Head responsibility for effective management of their organization, including risk management. These instruments, which are further supported by TB’s Guide to Corporate Risk Profiles, a Guide to Risk Taxonomies and a Risk Management Capability Model, describe expectations for an effective risk management practice in a government department.
  • PCO is continuing to evolve its approach to risk management. As recently reported to PCO’s Audit Committee, Finance and Corporate Planning Division is updating the PCO Risk Profile and has recently improved the Risk Profile development process by integrating collection of risk information into the data gathering exercise of the Integrated Business Planning Process. Other changes include expanding the range of consultations on potential risks to include all PCO branches and secretariats, including directorates within Corporate Services Branch.
  • Risk management was included as a component of PCO’s 2011 Audit of Accounting Officer Responsibilities, Including Risk Management. However, an audit solely focussed on integrated risk management at PCO has not been conducted. Such an audit would, especially in light of changes to the integrated risk management process which have occurred since 2011, provide assurance on the extent to which PCO’s integrated risk management activities are consistent with TB authorities.
  • As a project related to (among other things) financial management, this audit complements the 2015-16 Audit of the Management and Use of Acquisition Cards and the 2017-18 Review of Financial Forecasting.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q1 of 2017-2018
Finance and Corporate Planning Division - Corporate Services Operational Risk - Process Risk Six month level of effort from PCO project lead with a budget of $40K for contractor support Assurance Audit
Audit of PCO Planning for Continuity of Constitutional Government

Preliminary Objectives and Scope

  • The objective of the audit will be to assess the effectiveness of the governance structure established and controls put in place to support PCO’s roles and responsibilities in planning for the continued operation of the Executive Branch of the Government of Canada following a catastrophic disruption.
  • The scope of the audit will include PCO’s roles and responsibilities for continuity of constitutional government, including mechanisms to coordinate relevant requirements with Public Safety Canada.

Selection Rationale

  • Continuity of constitutional government (CCG) is the process of establishing plans and procedures for allowing the three branches of the constitutional Government of Canada, namely the executive, legislative and judicial branches, to continue operations in case of an emergency or catastrophic disruption. While Public Safety Canada bears statutory responsibility for CCG under Section 4.1 of the Emergency Management Act, in the event of a catastrophic disruption, PCO needs to be prepared and able to interface with Public Safety Canada to coordinate all aspects of CCG implementation.
  • PCO has conducted two internal audits of business continuity (2011 and a follow-up in 2014); however, CCG was excluded from the scope of these past audits.
  • In the event of a catastrophic disruption, PCO’s ability to meet its core mandate; i.e.: provide advice and support to the Prime Minister and portfolio Ministers and provide advice and support to Cabinet and Cabinet committees will be dependent on the effective functioning of established CCG plans and arrangements.
  • Aspects of the Audit of IT Security proposed elsewhere in this RBAP will complement this audit of PCO Planning for CCG.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q2 of 2017-2018
Internal Services - Security and Emergency Management Strategic Risk - risk to achieving PCO’s mandate

Hazard / Security Risk
Six month level of effort from PCO project lead with a budget of $60K for contractor support Assurance Audit
Review of Financial Forecasting

Preliminary Objectives and Scope

  • The objective of the review will be to provide assurance on whether PCO is forecasting financial information appropriately to inform management decision making.
  • The scope of the review will include those financial forecasting processes and activities in place to inform management decision-making. It will include an assessment of the extent to which PCO is compliant with relevant TB policies and other authorities in place during the fiscal year preceding the year in which this review is undertaken.

Selection Rationale

  • The federal government is expected to manage public funds well by effectively planning, budgeting and making decisions on the allocation, reallocation and use of financial resources based on reliable information and sound analysis of that information. In this context, PCO must be able to demonstrate its financial forecasting processes and activities are compliant with requirements and that they support management decision-making.
  • This project was suggested by the CAEE as a project in last year’s RBAP. It was discussed at PCO’s Executive and Audit Committees. Although the project was not retained in last year’s approved RBAP, the CAEE obtained Executive Committee’s concurrence the project would be brought forward for consideration in this year’s RBAP. It was discussed with the ADM-CSB during this year’s planning interviews at which time it was agreed the review would be proposed in this year’s RBAP.
  • PCO was not one of the departments which participated in the OCG Horizontal Audit of Financial Forecasting in Large and Small Departments that was reported on in June 2014. However, using the Lines of Inquiry from the OCG’s audit as criteria, PCO’s Finance function conducted a self-assessment and reported the results to Audit Committee.
  • As a project related to financial management, this review complements the 2015-16 Audit of the Management and Use of Acquisition Cards and the 2017-18 Audit of Integrated Risk Management.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q3 of 2017-2018
Internal Services -Financial Management - Financial Planning and Forecasting Financial Risk - Financial Management Risk Four month level of effort from PCO project lead with a budget of $30K for contractor support Assurance Review
Evaluation of the Central Innovation Hub

Preliminary Objectives and Scope

  • The objective of this evaluation will be to assess the relevance and performance (effectiveness, efficiency and economy) of the Central Innovation Hub (The Hub). The evaluation will provide information on the results of The Hub that could inform a possible request to Treasury Board to access earmarked ongoing funding.
  • The evaluation will cover The Hub’s activities and performance from its launch to the time of the evaluation. The work will be guided by the evaluation strategy developed as part of the 2015-16 “Performance Measurement Strategy for the Central Innovation Hub” project proposed earlier in this RBAP.

Selection Rationale

  • In May 2014, the Clerk’s Destination 2020 report announced several initiatives intended to respond to challenges, modernize the public service and strengthen its capacity to develop innovative, effective solutions, including establishing the Central Innovation Hub.
  • The Hub has been established to support departments and agencies in adopting new and emerging approaches to policy and program challenges to provide a greater range of effective policy options to government.
  • The Hub expects to carry out three key sets of activities:
    • first, the Hub will act as a central resource, providing easy access to a common set of information on best practices and new tools, approaches and techniques;
    • second, the Hub will function as a connector and convenor, establishing networks and partnerships between departmental project leads and key resources across the public service, as well as linkages to academics and external experts that can support departmental work; and
    • third, the Hub will be a direct innovation driver - members of the Hub will work with interested departments to identify initiatives with potential for system-wide benefit, will assist them as they test and implement new tools and approaches, and will assess and document the results in order to draw on lessons learned in real time and transmit them across departments.
  • The evaluation will provide an evidence-based, neutral assessment of progress toward expected outcomes (including immediate, intermediate and ultimate outcomes) with reference to performance targets and program reach and design.
  • As the second of two newly proposed projects about The Hub in this RBAP, this Evaluation will build on the outputs of the 2015-16 Performance Measurement Strategy for the Central Innovation Hub. The results of this evaluation will inform any request to access earmarked ongoing funding for The Hub beyond 2018-19.
Alignment with PCO Audit Universe Alignment to Risk Factors Expected Project Cost Project Type
Expected Start: Q3 of 2017-2018
Public Service Leadership & Direction - Business Transformation and Public Service Renewal
  • Transformation / Change Management Risk
  • Process Risk
Six month level of effort from PCO project lead with a budget of $60K for contractor support Evaluation

Appendix A - Risk Factors

Operational Risks

Risk Description Potential Risk Events
Human Resource Risk Risk associated with acquiring and consistently maintaining a sufficient and representative workforce with the appropriate experience, competencies and skill-mix.
  • Insufficient human resource capacity
  • Reduced ability to attract and maintain necessary human resources
  • Experience lacking in critical areas
  • Misalignment of skills to job requirements
  • Low retention rate
Legal/Compliance Risk Risk of violation of laws, regulations and international treaties / agreements and non-compliance with government policies.
  • Legal liability that may result from violations
  • Increased or unsustainable litigation
  • Increased Treasury Board Secretariat oversight and specific consequences as described in various TB Policies
Process Risk Risk from business processes, management practices, and supporting policies and procedures that are not well-designed, are inefficient or ineffective, or are not well documented, clearly communicated or implemented.
  • Non-compliant or inconsistent delivery of products
  • Inefficient operations
  • Diminished confidentiality

IM/IT Risks

IT Risk Risk arising from inadequate IT infrastructure, technological and other capital assets.
  • Business delivery compromised by inadequate support from existing systems infrastructure or technology, including total system failure
  • System security breaches
  • System virus penetration
  • Diminished data integrity
IM Risk Risk associated with loss or failure to manage information, including intellectual property, organizational or operational information, and personal information of citizens.
  • Slow response time, repeated mistakes, slow competency development

Financial Risks

Financial Management Risk Risk that expenditures are inappropriate and / or that internal or external financial reports are based on inappropriate policies or include material misstatement or omit material facts making them misleading.
  • Expenditures not properly authorized or recorded
  • Budget misalignment
  • Program opportunities lost
  • Citizens / stakeholders misled

Fraud Risks

Fraud Risk from intentional misrepresentation by an employee or a third-party for the purpose of personal gain.
  • Intentional circumventions of policies / procedures for personal gain
  • Unauthorized disclosure or corruption of personal or other significant information with the intention of gain

Strategic Risks8

Political / Economic Risk Risk that a change of government, bureaucracy, political or policy direction, and economic changes may negatively affect the achievement of established objectives.
  • Loss of momentum or business progress
  • Removal of funding for ongoing operations or new initiatives
Transformation / Change Management Risk Risk associated with the inability to initiate, manage or sustain significant organizational change initiatives - encompasses both cultural and process dimensions of change management.
  • Failure to advance towards new goals, i.e. project management risk
  • Poor adaptability to new business strategies or processes and erratic business delivery
  • Reduced engagement of staff or public in change initiatives, i.e. engagement risk
Environmental Risk Risks outside the scope of government’s control that impact priorities.
  • Significant domestic events
  • Significant world events

Reputation/Public Opinion Risks

Reputation / Public Opinion Risk Risk of loss of reputation or change of public opinion that either directly or indirectly influences negatively the execution of the organization’s mandate.
  • Reduced credibility and influence
  • Lack of public support for major initiatives
Third Party Risk Risk that actions (or inactions) taken by partners or suppliers may negatively affect the achievement of objectives - can include other stakeholder government departments.
  • Non-compliance with legislation, regulations or policy
  • Non-delivery from third parties
  • Quality of products sub-standard

Hazard/Security Risk

Hazard / Security Risk Risk from all types of natural, chemical, biological, nuclear or other hazards, including unintentional human actions or resulting from pre-meditated activities.
  • Injury or loss of life
  • Property damages
  • Compromised business continuity
  • Information breaches

Endnotes

  1. The PCO Internal Audit Charter is reviewed periodically to ensure it remains current and compliant with the Treasury Board Policy on Internal Audit and with applicable professional auditing standards.
  2. The launch of the Audit of Internal Control Over Financial Reporting was delayed to respect a request from management.
  3. Business Transformation and Public Service Renewal includes PCO’s new Central Innovation Hub.
  4. Not to be confused with the Deputy Minister Committee of Senior Officials, also known as COSO.
  5. This Review of Staffing Activities was approved in last year’s RBAP. The Public Service Commission then informed PCO they have planned an organizational audit at PCO in 2015-16, but that this audit may be deferred to fall 2016. As such, the conduct/timing of the Review of Staffing Activities is to be confirmed.
  6. All internal audit functions must be subjected to a Practice Inspection every 5 years and Audit Committee must be made aware of activities that will consume internal audit resources. PCO’s next Practice Inspection is to be completed in 2018-19. This project is included here to inform on the work to be done by internal audit resources starting in 2017-18 in preparation for completing the next Practice Inspection in 2018-19. However, as this project is internal to the Audit and Evaluation Division, it is not included in the “Planned Engagements After Priority Ranking of the Audit Universe” table on page 10 of this RBAP.
  7. The audit report from the 2014 Audit of Information Technology has been accepted by PCO’s Audit Committee - management is finalizing their Management Action Plan to respond to the audit’s recommendations.
  8. These include risks to the policy and legislative agenda, and risk to achieving the mandate of the organization.