Internal Audit : Framework for the Management of Compliance Presentation at FMI meeting Sept. 2014

The Framework for the Management of Compliance - along with the Foundation Framework for Treasury Board Policies and the Framework for the Management of Risk - is one of the key architectural elements of the Treasury Board suite of policies. Core responsibilities of the Deputy head within a department include ensuring compliance with legal and Treasury Board policy requirements. Generally performed through an attestation exercise, with oversight and monitoring & reporting. Background 2

Compliance: Executive committee sets expectation and effort (tone) Engage functional community (performance/compensation) Review inventory of ‘TBS and internal’ policies – Relevance, requirements, accountabilities, current monitoring & reporting, consequences of non-compliance, gaps analysis – Develop risk assessment process/tool – Conduct risk assessment of all policies and rank Monitor and report (risk-based approach) (ADM level statements) Feedback mechanism (audit) Non-compliance: Review instances of non-compliance Risk rate the consequences (tone) Develop monitoring approach Report all non-compliance and measures taken to address 3 EX: Framework for Management of Compliance

In 2012, CIC launched an exercise through which functional authorities could attest to their compliance to policy suites, acts, and regulatory requirements. To initiate this, an analysis was performed to determine which Treasury Board policies apply to CIC, and accountabilities by functional area were assigned. An annual compliance attestation exercise has been established to inform the Department’s management of compliance. The self-assessments requested as part of the compliance attestation exercise were not formally challenged or based on risk. Performance requirements against compliance are not formalised. Issues related to non-compliance are addressed on an ad hoc basis. With the completion of this first exercise to assess compliance, CIC has initiated activities to formally assign accountability for Treasury Board policy domains, but a comprehensive framework for oversight, monitoring or reporting on compliance has not been established. 4 Summary of Findings

1.CIC should develop a risk-based oversight framework for monitoring compliance to TB policies. This should include: – accountability for development and implementation of the framework; – risk-ranking and risk tolerance for Treasury Board policies; – accountability for individual policy compliance (including shared when relevant); – documentation requirements to support compliance assessments; – monitoring of activities; and – reporting requirements including pre-determined frequency of reporting. 2.CIC should develop and implement measures to identify and report on non-compliance and the adequacy of the actions taken in a situation of non-compliance with Treasury Board policy requirements. 5 Recommendations

TB Framework for the Management of Compliance TB Foundation Framework for Treasury Board Policies Cadre stratégique sur la gestion de la conformité du CT Cadre principal des politiques du CT 6 References

The objective of the audit was to provide assurance to senior management that effective practices are in place within CIC for the management of compliance with Treasury Board policy requirements. In order to limit the scope, the audit did not include legislative requirements specific to CIC or a subset of government departments, but rather focused on government-wide policy requirements issued by Treasury Board. The audit examined activities from June 1, 2012 to August 31, It also reviewed documents from related to central and independent agency reporting requirements and Policy Suite Renewal, a departmental exercise launched in to simplify and reduce the number of CIC Frameworks, Policies and tools. The audit criteria developed for this audit are included below. Annex: Audit Objective, Scope and Procedures 7

The audit sought evidence that: Governance: – An oversight regime exists to ensure all relevant Treasury Board policy requirements are respected in line with Treasury Board policy expectations. Risk Management: – CIC policies and procedures and monitoring practices over Treasury Board policy requirements have been designed with consideration of risk. Internal Controls: – Approval processes, procedures and control systems of CIC are in line with Treasury Board policy requirements. Annex: Areas of Engagement 8

Governance 1 – An analysis has been done to determine policies relevant to CIC and an appropriate framework of oversight has been determined based on risk. 2 – For policies relevant to CIC, accountability has been assigned and performance management includes compliance considerations. 3 – The results of monitoring of Treasury Board policy compliance are reliable, risk-based and are reported to those with an oversight responsibility, and action is taken when appropriate. 4 – CIC has measures in place to ensure that non-compliance and the nature of the consequences and their severity are commensurate with the nature of the non-compliance. Risk Management 5 – CIC policies and procedures are commensurate with the associated risk of non-compliance with Treasury Board policy. 6 – Policies and procedures foster an organizational environment conducive to innovation and informed risk-taking. Internal Controls 7 – Departmental frameworks for internal controls and management practices are designed to be efficient, transparent, understood and supported in CIC, and, where applicable, are in line with Treasury Board policy requirements. 8 – Employees are trained and have access to learning opportunities and relevant information to increase their awareness and knowledge of applicable Treasury Board policy requirements. 9 Annex : Audit Criteria