Royal Canadian Mounted Police Departmental Audit Committee Annual Report – April 2013 through March 2014

Table of Contents

Message from the Committee Chair

As Chair of the Royal Canadian Mounted Police (RCMP) Departmental Audit Committee (DAC), I am pleased to present the Committee's Annual Report for fiscal year (FY) 2013/14.

During the period covered by this Report the Committee held five meetings. Mr. Alain Jolicoeur served as Chair for the first meeting of the fiscal year. Following Mr. Jolicoeur's resignation in June, Mr. Pierre Richard graciously accepted to serve as Chair for the meetings held in August and September. I had the honour of serving as Chair for the final two meetings of the year, and look forward to continuing to fulfill this role over the course of the next four years.

The Committee held constructive in-camera meetings with both the Commissioner and members of the Senior Executive Committee over the course of this past year. As the newly appointed DAC Chair, I will be meeting with each member of the Senior Executive Committee in order to improve my understanding of the mandate, priorities and challenges of their organizations and the RCMP as a whole. At the February 2014 meeting the Committee had the opportunity to meet with Divisional Commanding Officers and communicate to them our vision for the DAC and the role it can play in strengthening the RCMP. To ensure the Committee continues to provide meaningful support to the Commissioner and his Senior Management team through the provision of insightful and realistic advice designed to strengthen RCMP governance, risk management and internal controls, I will continue to build and foster relationships throughout the RCMP.

In accordance with the Treasury Board (TB) Directive on Internal Auditing in the Government of Canada, the Committee satisfactorily carried out each of its eight mandated responsibilities during FY 2013/14. One of our key activities this past year was our contribution to Internal Audit's external Practice Inspection. Committee members were interviewed as part of the Practice Inspection process, and our annual activities were reviewed to ensure conformance with policy. The Committee was pleased with the positive assessment received as set out in more detail later in this Report.

A key component of the DAC's responsibilities in the area of risk management is review of the Departmental Corporate Risk Profile (CRP). The 2014 CRP identifies four key risk areas for the RCMP: Strategy and Governance; Technology and Infrastructure; External Environment; and Human Resources. The Committee is in agreement with these areas of risk, and is pleased that the IA function has ensured that the Risk-Based Audit Plan has been developed in alignment with these risks, in particular as they relate to Human Resource Management and Information Technology.

Over the course of the reporting period, the RCMP continued with its efforts to implement their contribution to the Government's Deficit Reduction Action Plan (DRAP), as well as prepare for the coming into force of Bill C-42, the Enhancing Royal Canadian Mounted Police Accountability Act, which should have far reaching positive impacts on the culture and management of the RCMP. In this environment, it is critical that internal audit, and by extension the work of the DAC, be prepared to adapt to new and emerging risks. In this way, we can work together to ensure purposeful controls, tailored to the organizational risks, are in place, and to assess whether identified efficiencies and cost saving opportunities are being fully realized.

I would like to take this opportunity to thank those who supported the work of the DAC during the reporting period, including the Chief Audit and Evaluation Executive (CAEE), the Chief Financial and Administrative Officer (CFAO), the Director General Internal Audit, the Director Professional Practices and Administration, and their respective staff. Their ongoing dedication and professionalism is appreciated, and will be cornerstone to meeting the challenges which will arise in the coming years. I'd also like to thank the other members of the DAC for their warm welcome and sage advice.

William V. Baker, ICD.D
Chair, Departmental Audit Committee
Royal Canadian Mounted Police

List of Acronyms

Bill C-42
Proposed Legislation Bill C-42
CAEE
Chief Audit and Evaluation Executive
CFAO
Chief Financial Administration Officer
CRP
Corporate Risk Profile
DAC
Departmental Audit Committee
DRAP
Deficit Reduction Action Plan
DPR
Departmental Performance Report
DSP
Department Security Plan
FY
Fiscal Year
HR
Human Resources
IA
Internal Audit
IIA
Institute of Internal Auditors
MAF
Management Accountability Framework
MAP
Management Action Plan
OPC
Office of the Privacy Commissioner
OAG
Office of the Auditor General
OCG
Office of the Comptroller General
PIC
Policy on Internal Control
PSC
Public Service Commission
TB
Treasury Board
RBAP
Risk-Based Audit Plan
RCMP
Royal Canadian Mounted Police
RPP
Report on Plans and Priorities
SSC
Shared Services Canada

1. Context

Strengthening the role and independence of governance bodies, including audit committees, has been a cornerstone of recent corporate governance reforms in the private and public sectors both in Canada and internationally. To strengthen the independence, objectivity and effectiveness of the internal audit (IA) function across government, the Treasury Board (TB) Policy on Internal Audit–first introduced in April 2006 and revised effective April 1, 2012–requires that each large federal department and agency establish an independent audit committee that includes a majority of members from outside the federal public service. Accordingly, in September 2009, TB established the RCMP Departmental Audit Committee (hereafter referred to as the Committee) and approved three external candidates as Chair and members. Since the Committee's establishment there has been only one change in its membership, with Mr. William Baker replacing Mr. Alain Jolicoeur as Chair, effective November 2013.

The Directive on Internal Auditing in the Government of Canada requires that:

The independent members of the audit committee shall submit an annual report to the deputy head that will:

  • Summarize the results of the committee's reviews of areas of responsibility;
  • Provide the independent members' assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit function; and
  • Express views in the annual report that shall be entirely and exclusively those of the independent members, notwithstanding any assistance given by departmental officials in the preparation of the annual report.

This Annual Report, the fourth prepared by the Committee, covers the period from April 2013 to March 2014. It has been developed in consideration of the TB Practice Guide on Departmental Audit Committee Annual Reports, as well as the Committee's Charter.

2. Role of the Departmental Audit Committee

The Committee provides independent oversight of the RCMP's control and accountability processes, and reinforces the independence of internal audit. The Committee reviews and recommends for the Commissioner's approval, audit reports and their associated management action plans, as well as multi-year risk-based audit plans. Other oversight responsibilities of the Committee include review of key areas and processes such as values and ethics, risk management, management control, and accountability reporting.

As a strategic resource, the Committee provides advice and recommendations to the Commissioner on specific emerging priorities, concerns, risks, opportunities, management and/or accountability reporting. In this way the Committee is able to support the Commissioner in his role as RCMP Accounting Officer. The Commissioner is also able to call upon the Committee to provide advice on sensitive or critical issues.

3. Summary of Committee Activities

The Committee held five committee meetings during the period covered by this report, four in-person and one via teleconference. Committee meetings were typically two days in duration and included the review and recommended approval of audit reports, as well as presentations and discussions on the other areas over which the Committee exercises oversight responsibilities. An in camera session with the CAEE was held at each of the in-person Committee meetings held during FY 2013/14.

In addition to addressing the requirements associated with their core mandate, the Committee was also able to provide the Commissioner with advice on existing and emerging issues and challenges.

This section of the report summarizes the key activities carried out by the Committee in each of its eight core areas of responsibility:

  1. Internal Audit Function;
  2. Management Action Plan Follow-Up;
  3. External Assurance Providers;
  4. Financial Statements and Public Accounts;
  5. Accountability Reporting;
  6. Values & Ethics;
  7. Risk Management; and
  8. Management Control Framework.

3.1 Internal Audit Function Responsibilities

The Committee must fulfill a number of responsibilities related to the RCMP's IA function each year, including:

  • Review of the IA Charter;
  • Review and recommend for approval the multi-year Risk-Based Audit Plan (RBAP);
  • Review use of IA resources and progress in achieving the RBAP;
  • Receive and recommend for approval IA reports and corresponding management action plans; and
  • Review the CAEE annual report.

When required, the Committee is also expected to provide advice on the recruitment and appointment of the RCMP's Chief Audit Executive, and on the sufficiency of resources dedicated to the IA function.

IA Charter. The Committee revisits the IA Charter on a periodic basis in order to ensure that it remains consistent with policy and guidelines. The current Charter, which came into effect in early 2013, was reviewed by the Committee at the meeting held in February 2014. It was determined that no changes were necessary.

Risk-Based Audit Plan. Committee members were briefed on the process to develop and update the RBAP at the meeting held in February 2014. The Draft 2014/15 RBAP was then tabled at the meeting held in March 2014. The Committee recommended that, after incorporating suggested adjustments, the draft RBAP be forwarded to the Commissioner for his approval.

Use of IA Resources. Progress against the 2013/14 RBAP was reported to the Committee at each meeting, as was the status of ongoing audit projects and IA professional practice activities. In instances where audit work had to be postponed, re-scoped or added to the RBAP, the Committee was provided with appropriate rationale. The Committee was also kept apprised of special projects undertaken by both IA personnel and the Professional Practices group. These briefings and updates provided us with information on how IA resources are utilized. The DAC was informed that IA was on track to achieve its performance targets for 2013/14 with respect to RBAP completion. A key activity of IA and the Professional Practices group this past fiscal year was the conduct of an externally validated Practice Inspection. With respect to use of IA resources, the Committee agrees with the Practice Inspection Final Report conclusion that the IA activity is professional, progressive and well-structured.

Internal Audit Reports. The Committee reviewed and recommended for the Commissioner's approval the following seven audit and audit-related reports during the FY 2013/14:

  • Preliminary Survey of Information Technology General Controls (Tabled June 2013) Approval Date: July 18, 2013
  • Audit of Selected Monitoring and Oversight Activities (Tabled June 2013) Approval Date: November 8, 2013
  • Audit of Long Term Sick Leave (Tabled September 2013) Approval Date: November 7, 2013
  • Follow-up to the Operational Communications Centres Audit (Tabled September 2013) Approval Date: November 8, 2013
  • Review of Management of Real Property (Tabled February 2014) Approval Date: March 13, 2014
  • Audit of the Destruction of Hard-Copy Records Pertaining to the Transitional Provisions in the Ending the Long-Gun Registry Act (Tabled March 2014). Approval Date: April 11, 2014
  • Preliminary Survey of Overtime (Tabled March 2014). Approval Date: April 9, 2014

Consistent with the TB Directive on Internal Auditing in the Government of Canada, audit reports reviewed by the Committee included a management response, which indicated client concurrence with the findings and recommendations of the report. In order to provide sufficient time for the client to develop a fulsome approach to addressing the recommendations included in the reports, a detailed management action plan (MAP) was often presented for Committee review at a subsequent meeting.

CAEE Annual Report. The DAC reviewed and was satisfied with the FY 2012/13 CAEE Annual Report, which was tabled at the June 2013 meeting. The Report outlines the contribution the IA group makes to the RCMP through the provision of constructive, relevant and actionable recommendations, and highlights improvements to RCMP risk management, governance and control processes and practices as a result of IA work. In addition, the Report also illustrates the progress IA has made to strengthen its quality assurance processes in preparation for the external Practice Inspection, and in monitoring productivity to ensure timely completion of projects. We will be reviewing the FY 2013/14 CAEE Annual Report at our June 2014 Committee meeting.

3.2 Management Action Plan Follow-up

The Committee monitors on a semi-annual basis the implementation progress of the MAPs developed to address internal audit recommendations. The Committee recommends closure of those MAPs which responsible senior managers report to be completed, and may approve requested extensions to target completion dates. In addition, the Committee also provides advice to the Commissioner on the effectiveness of arrangements in place to monitor and follow-up on MAPs. During FY 2013/14 we were kept apprised of the implementation status of 42 MAPs associated with 15 audit or audit-related projects. Of these 42 MAPs, we recommended the closure/completion of 11.

In instances where senior managers requested extensions to target completion dates, the Committee asked that management explain the requirement for an extension, and provide information on any challenges to implementing the proposed actions in a timely manner. We remain somewhat concerned with the number of amendments to MAP target completion dates. In some cases, initial target dates may not have been realistic, especially in instances where external factors needed to be taken into consideration in their determination. Additional information regarding the rationale for target dates and extensions has been requested for future MAP implementation status updates, and this will be an area of continued oversight in the future.

IA also continues to monitor the status of MAPs developed to address external audit recommendations. As with the MAPs developed to address IA recommendations, reporting on the MAPs developed to respond to external assurance provider recommendations takes place on a semi-annual basis. The most recent external audit MAP follow-up report was tabled at the Committee meeting held in February 2014. This report included follow-up on MAPs related to five Office of the Auditor General (OAG) audits, and one audit by the Office of the Privacy Commissioner (OPC). The DAC will continue to monitor implementation of these MAPs.

3.3 External Assurance Providers

The Committee received several briefings on completed, active and planned audit work by the OAG, the OPC and the Public Service Commission (PSC). On two occasions during the reporting period, the OAG components of these briefings were delivered by personnel from the Auditor General's Office. Committee members were advised on ongoing OAG audits that involve the RCMP, including Preventing Illegal Entry into Canada (tabled in Parliament Fall 2013), First Nations Policing Program (tabled Spring 2014), Procuring Relocation Services (tabled Spring 2014) and Public Sector Pension Plans (tabled Spring 2014). The CAEE and external audit liaison staff provided updates on the work being undertaken by the OPC and the PSC.

The Senior Director of Policy and Professional Practices at the Office of the Comptroller General (OCG) attended the June 2013 meeting. He provided us with an overview of the recent updates to the Treasury Board Internal Audit Policy suite, as well as the proposed horizontal audits to be led by the OCG. While the RCMP indicated an interest in participating in one of the OCG's horizontal audits planned for 2013/14, the organization was not subsequently included within the audit's scope. The 2014/15 RBAP once again highlights RCMP IA's interest in participating in OCG-led horizontal audits and it is expected that the RCMP will be included in the scope of the Horizontal Audit of Information Technology Security in Large and Small Departments.

DAC has requested that visits from the OAG and the OCG be included as regular agenda items, as a minimum, on an annual basis, as these are important avenues to situate our work in the broader Government of Canada context.

3.4 Financial Statements and Public Accounts Reporting

As part of each DAC meeting, members had the opportunity to meet in-camera with the RCMP's CFAO. In addition, each meeting included review of in-year financial reports. The DAC held a teleconference with the CFAO and the Director General Corporate Accounting, Policy and Controls in August 2013 in order to review the RCMP's unaudited Financial Statements as at March 31, 2013, as well as significant accounting estimates and judgments. In a letter to the Commissioner dated August 23, 2013, given that no material misstatements or omissions came to our attention, we recommended that he approve the RCMP's FY 2012/13 Financial Statements.

In addition, briefings were provided to the Committee to keep us apprised of the RCMP's progress in implementing the Deficit Reduction Action Plan (DRAP), as well as the Policy on Internal Controls.

3.5 Accountability Reporting

The Committee reviewed the 2012/13 Departmental Performance Report (DPR), which was presented at the February 2014 meeting. Review of the 2014/15 Report on Plans and Priorities (RPP) took place at the March 2014 meeting. The Committee once again highlighted the importance of ensuring these documents place appropriate emphasis on the various activities the Force is mandated to carry out, and that associated performance measures and targets are appropriate. It is our view that there has been significant improvement in the quality and readability of both the DPR and RPP during our tenure, and that the further refinements planned for the next iteration of each document will further enhance their usefulness.

The results of the 2012/13 Management Accountability Framework (MAF) assessment were presented to the Committee at the meeting held in June 2013. The Strategic Policy and Planning Directorate gave members an overview of the results for each of the six core areas assessed in 2012/13, while the OCG Senior Director of Policy and Professional Practices provided additional details regarding the RCMP's results in Area of Management 5 - Internal Audit.

3.6 Values and Ethics

Values and ethics received significant attention from the Committee during 2013/14. At the meeting held in September 2013, the leader of the Legislative Reform Initiative Team delivered an update on Bill C-42, Enhancing the Royal Canadian Mounted Police Accountability Act. This Act, which received Royal Assent in June 2013, is expected to have far reaching impacts on the RCMP in the areas of conduct and HR management. The March DAC meeting included a presentation from the RCMP's Professional Integrity Officer, on the changes that will come about as a result of the Act. The focus of the presentation was on how the coming into force of the Act will impact areas such as conduct, harassment, grievances & appeals, and dismissals.

Another important presentation related to values and ethics was given at the March 2014 DAC meeting. The topic was the implementation of the Gender and Respect Action Plan, which was developed in response to the 2012 Gender-Based Assessment completed by the RCMP Evaluation group. This Action Plan is founded on two central themes–culture, and the composition of the RCMP–and includes 37 action items related to areas such as addressing harassment, and creating respectful workplaces. Committee members recognize the importance of the Action Plan to the RCMP, and are encouraged by the progress made to date in its implementation.

As part of a Practice Inspection of the RCMP's IA function (discussed further at section 5 of this report), IA was assessed for its conformance with the IIA's–the international professional association for internal auditors–Code of Ethics. At the February 2014 meeting the DAC was informed that the IA function does generally conform to the IIA's Code of Ethics.

In-camera sessions with the Commissioner and Senior Executive Committee members frequently involved discussions of organizational values and ethics.

3.7 Risk Management

Over the course of 2013/14, the Committee received several briefings and presentations outlining mechanisms for dealing with operational risk. The meeting held in June 2013 included a presentation and discussion on the draft Departmental Security Plan (DSP), and the advice of Committee members was sought to ensure the plan was appropriately risk-based.

The September 2013 meeting included a presentation on the Federal Policing - Major Projects Prioritization Model. This model is intended to create a sound and defendable process for determining investigative priorities, thereby reducing the risks associated with major case management. The March 2014 meeting included a further briefing on Federal Re-engineering. As part of this briefing the Committee was advised that re-engineering efforts are aimed at breaking down organizational silos and creating a more nimble and responsive workforce, thereby mitigating certain operational risks.

A key component of the DAC's requirement to examine risk management each year is review of the RCMP's Corporate Risk Profile (CRP). As such, at the meeting held in February 2014 the Committee was briefed on the methodology used to revise the RCMP's CRP. This revised CRP identifies four key risk areas for the RCMP: Strategy and Governance; Technology and Infrastructure; External Environment; and Human Resources. The Committee is in agreement with the four risks identified, and is pleased to see them reflected in the 2014/15 RBAP.

The Committee's views on risk management within the RCMP can be found at Section 4.2 below.

3.8 Management Control Framework

Status reports regarding the RCMP's audit readiness and implementation of the Treasury Board's Policy on Internal Controls (PIC) were provided at the Committee meetings held in June 2013 and March 2014. As part of the August 2013 teleconference to review the unaudited 2012/13 Financial Statements, members also had a discussion regarding the detailed action plan developed to strengthen controls relating to accounts receivable.

An update on the Departmental Staffing Accountability Report was provided to the Committee in March 2014. As part of this update members were advised that all conditions placed on the RCMP as a result of the findings of a recent PSC audit of staffing have been successfully met by the RCMP and thus removed. As a result of the removal of PSC conditions, the Committee was advised that staffing reports to the PSC are now only required on an annual basis.

In addition to various briefings and presentations in areas related to internal controls, many of the audit reports tabled to the Committee in 2013/14 contained an assessment of the control framework in place within the subject area covered by the audit.

The Committee's view on internal controls, including the implementation of PIC, is discussed in detail at section 4.3.

3.9 Other Activities

In an effort to help facilitate our understanding of RCMP priorities and challenges, Committee meetings were designed not only to ensure our activities related to our eight core areas of responsibility were addressed, but also to make certain that members had the opportunity to meet and discuss issues with various RCMP Senior Executive Committee members. These discussions provided Committee members with valuable insight into issues currently of relevance to the RCMP. A site visit to C Division Headquarters in Montreal, Quebec, took place in September 2013, providing the Committee with first-hand experience of some of the day-to-day challenges facing the organization. In recognition of the synergy that exists between audit and evaluation, the Committee also received several presentations on the activities of the RCMP Evaluation group. Discussions with senior executives, site visits, and presentations on Evaluation activities helped to give Committee members a more holistic understanding of the RCMP mandate and challenges, thereby allowing us to provide increased oversight and improved advice in areas of priority to the Force.

The September meeting included a discussion with the Executive Director Public Affairs. He relayed to the Committee the progress being made in National Communication Services to enhance communication strategies for both internal and external audiences. A further briefing by the Executive Director Public Affairs at the meeting in March 2014 made the Committee aware of a new communications initiative about to be launched called "One RCMP, One Voice". This initiative will harmonize communications from the Commissioner with the messages being delivered by Commanders.

4. Assessment of Governance, Risk Management and Control

4.1 Assessment of Governance

Over the course of our tenure, the Committee has observed significant improvement to the RCMP governance model. Leadership and communication play fundamental roles in governance, and in both of these areas DAC members have observed positive change. The Committee is also of the view that the longer-term measures recently put in place, including the implementation of Bill C-42, restructuring of Federal Policing, and various communication strategies, will help to increase managers' accountability but will require effective monitoring and performance reporting.

Last year we noted that creating an optimal structure for an organization as large and diverse as the RCMP is challenging, and that the organization's governance structure could benefit from some fine tuning and adjustments to ensure, for example, that central policy is observed in all districts and regions. Thanks in large part to the numerous reform initiatives now underway within the RCMP, over the past year we have observed that improvements are being made in this important area. Efforts to harmonize the organizational structure, at both the national and provincial levels, and to streamline major sectors such as Federal Policing, are supported by the Committee. The restructuring of Federal Policing is of particular note, as it is our view that this initiative will better enable the organization to put resources–both people and dollars–where they are needed most. The Committee recognizes that on-going effort is required if intended outcomes are to be achieved, and encourages regular monitoring of progress to ensure efforts remain on track.

The Committee understands that the decentralized nature of the RCMP's policing operations poses particular challenges for the organization. For example, the Force provides policing services at the federal, provincial and municipal levels and, as a result, must deal with issues and challenges unique to each level of government. Additionally, as a result of the organization's large span of control, the Committee recognizes that the connection between the Commissioner, his Senior Executive Committee, and front-line members must be a continued area of focus. To address this, we have been advised that new communication tools are being developed to promote the concept of "One RCMP, One Voice".

One of the biggest challenges currently facing the RCMP is the impending coming into force of Bill C-42. Bill C-42 is broad in scope and complexity, requiring significant organizational effort to ensure the obligations associated with it are successfully applied. Over the past year we received a number of briefings on Bill C-42 and the work being done to ensure successful implementation. The Committee is satisfied with the work carried out to date with respect to Bill C-42, but we are cognizant that risks still remain, and that these will require close attention.

While the implementation of Bill C-42 and the restructuring of Federal Policing are the two most significant drivers of the changes to RCMP governance, the Committee recognizes that they are not the only ones. Recent initiatives such as the pay consolidation project, as well as the creation of Shared Services Canada (SSC), have also had an impact. As articulated in IA's Preliminary Survey of IT General Controls, roles, responsibilities, and accountabilities have not yet been fully clarified between the RCMP and SSC. Further consolidation of support services may be implemented in the near future in order to achieve government-wide efficiencies. As such, the changing governance structures relating to support services needs to be closely monitored to ensure they do not result in new risks.

The RCMP is at a critical organizational juncture. Given the number of change initiatives and restructuring efforts now underway, it is crucial that associated risks be appropriately managed in the months and years ahead. Ultimately, the RCMP requires a governance structure that will ensure the delivery of good police services, and keep the country secure. Since the establishment of an independent DAC four years ago, we have witnessed firsthand changing structures and personnel. While understanding that it is difficult to reconcile all the drivers impacting the organization, the Committee is satisfied with the RCMP's governance structure and the changes that are being made to it. While not yet optimal, this structure is both effective and sustainable. The Committee is of the view that with appropriate governance in place within the organization, issues related to risk management and controls will be more easily addressed.

4.2 Assessment of Risk Management

Overall, risk management is well advanced within the RCMP, especially within the policing environment. Operational risks in particular are constantly monitored and managed appropriately. At the strategic level, we have been briefed on the draft CRP and are satisfied with the process followed to develop it. We agree with the four areas identified as highest risk–Resource Alignment; Management of Information Technology; Changing Threat Environment; and Management Practices (HR). Based on the information presented to us over the past year, as well as in the years previous, we are of the opinion that human resource management remains a significant area of risk for the organization. As such, we are pleased to see it reflected on the CRP and that the 2014/15 RBAP places emphasis on this area. Information Technology risks also remain at the forefront and are particularly challenging for the organization to address during this period of restraint. This area will continue to require focused attention to ensure secure, reliable and affordable IT services are available to personnel.

While sound risk management is practiced in many areas of the organization, risk mitigation approaches remain less than optimal in some areas. Internal audit work, for example, has shown that risk is not always managed well in certain areas of administration, where risk-adverse rather than risk-smart approaches have been adopted. Audits have demonstrated that some areas would benefit from the adoption of more risk appropriate controls. Through the implementation of recommendations to enhance monitoring approaches we have seen some improvement in this area over the reporting period.

4.3 Assessment of Controls

Based on the various briefings we have received over the past year, as well as the discussions held as part of our in camera sessions with the CFAO, we remain comfortable with the progress being made to ensure RCMP compliance with the PIC. The updates provided on the PIC Action Plan, developed to address high and medium-risk control weaknesses, were thorough, and highlighted how far internal controls have advanced in the years since the current DAC was established. The Committee is satisfied with the work done to date in many areas, and the monitoring that is taking place to ensure the Action Plan remains on track and completed in a timely manner. The one area of concern for the Committee relates to IT controls. While the action items associated with IT controls are progressing as expected, we feel additional attention in this area is warranted given its importance to the organization and the security implications associated with IT.

Broadly speaking, internal controls within the RCMP are sound, and there has been noteworthy progress in recent years in this important area. Nevertheless, we recognize the work done by internal audit to identify areas where controls should be strengthened and monitoring and oversight activities improved. The Committee is encouraged by the actions taken to date.

Resource constraints will continue to challenge the organization to ensure that all controls are purposeful and cost-effective, and may make it difficult to rectify some deficiencies in the short term, in particular where controls require system development or modification. Notwithstanding these challenges, we are satisfied that the MAPs developed in response to identified control weaknesses will provide risk-mitigating improvements.

5. Assessment of the Capacity and Performance of the IA Function

Over the past few years, the Committee has observed significant improvement in the performance of the RCMP's IA function. In 2011, the OAG issued a report examining the extent to which the Government acted upon commitments made in response to their 2004 Audit of Internal Audit. This report included a quality assessment of the internal audit activity in six departments, including the RCMP. The RCMP only attained a "partially conforms" rating on this assessment. To address areas of weakness, the IA group implemented a number of process and practice changes designed to improve the function and bring it into line with expectations, keeping the Committee informed of these changes as part of each DAC meeting. To confirm if improvements achieved the outcomes intended, the IA function conducted a self-assessment to determine where the group stands with respect to conformance to policy and standards. The results of this self-assessment were then passed to an external consultant for validation. The external validator confirmed that:

  • RCMP and its internal audit activity generally conform with the requirements of the Treasury Board Policy on Internal Audit Suite, as well as the Internal Auditing Standards for the Government of Canada; and
  • The internal audit activity is in general conformance with the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) and the Code of Ethics.

The Committee was briefed by the consultant on the results of the Practice Inspection in early 2014, and we had a productive discussion on the four recommendations for further enhancements put forward by the consultant, which are based on best practices. The Committee is pleased that the external validation noted the strong working relationship we have with the CAE.

IA reports add significant value to the organization, and the recommendations contained therein are having a positive impact on the efficiency and effectiveness of RCMP activities. The RCMP's MAF results for Internal Audit support this observation as, in both the current and previous two MAF assessments, Internal Audit has received a rating of Acceptable, which as of 2013/14 is the highest possible rating. Further, OCG Senior Director of Policy and Professional Practices told the Committee that RCMP's IA group is engaged and professional, a view that is shared by this Committee. At a recent briefing, personnel from the OAG commented that their organization has a good working relationship with the RCMP, both in terms of the support provided by the IA group, as well as with the groups being audited. More importantly, discussions with RCMP Senior Management, including the Commissioner, have reinforced our belief that the IA function is seen to provide value to the organization, and is making a worthwhile contribution to improving management practices and processes.

While the Committee feels that the IA function is resourced sufficiently to meet policy requirements, it is challenged to expand upon the services which it delivers given current resource levels. The Committee knows that there is significant pressure on the IA function to ensure that resources address first and foremost those areas of greatest risk and/or significance to the RCMP, but recognizes that, given the relatively small size of the IA function, audit scheduling must be determined, in part, by the availability of appropriate resources. Scheduling must also take into consideration any need for IA to address certain time sensitive audit requirements imposed by central agencies such as the Treasury Board. As a result, we accept that not all audit work identified as higher priority will be conducted in the immediate term. To help mitigate resource constraints the Committee has been advised that contracted resources will be engaged when appropriate. We are currently satisfied with the efforts underway within IA to ensure that expected results are attained.

One of the innovative ways in which the IA function is leveraging resources is through expanded use of data analytics. At a recent briefing to the Committee, the CAE advised us that additional personnel resources would be dedicated to data analytics in FY 2014/15. The CAE noted that the use of data analytics will help the IA function operate more efficiently by allowing for a greater amount of audit coverage, and more timely project completion. The Committee supports the use of data analytics and looks forward to further briefings on progress in this regard, but we do advise that a horizontal, integrated approach be pursued. The Committee would like to see some of the results of data analytics considered in the development of the 2015/16 version of the RBAP.

While the IA function faces some challenges moving forward, the Committee is of the opinion that IA will continue to deliver significant value to the RCMP. Based on reactions from auditees attending DAC meetings, it is apparent to the Committee that audit clients respect the work done by IA. The high demand for limited audit resources also illustrates to us that the work of IA is sought after throughout the RCMP.

Given the positive results of the Practice Inspection, the IA function's solid reputation within the RCMP for providing value-added service, and in recognition of the efforts now underway to mitigate risks and challenges, the Committee has no significant recommendations for improvements at this time for the IA function.

6. Conclusion

Many positive changes occurred within the RCMP and the IA function during FY 2013/14. Efforts to implement deficit reducing initiatives, adjust to new fiscal realities, address ongoing cultural issues, and prepare for the coming into force of Bill C-42 have been the focus of much attention. Given the scope of change underway within the RCMP, and the number of initiatives associated with it, we stress the importance of significant management attention being paid to each of these initiatives in order for them to achieve expected outcomes.

While the past few years have been difficult from an organizational reputation perspective, it is our opinion that significant positive steps are being taken with respect to improving organizational culture, and we have found morale to be high among the RCMP personnel we've encountered, whether they are Regular Members, Civilian Members, or Public Servants. Further, based on presentations provided to us this past year, and the discussions that stemmed from them, leadership and employees seem engaged, optimistic, and feel like an adequate support network is in place. Committee members are encouraged by the sense of pride in the organization and where it is going displayed by employees. For this positive change to be sustained, however, the Committee notes that it is important for it to be embedded within the structures of the organization.

Internal audit continues to contribute in a meaningful way to the RCMP, helping to identify areas of weakness and to develop recommendations aimed at strengthening governance, risk management and internal control processes. The achievement of a generally conforms rating from an externally validated Practice Inspection illustrates that the work undertaken by the IA function in recent year to improve their operations have been successfully implemented and sustained.

We remain satisfied with the plans in place to improve management controls, in particular with respect to preparing controls-based auditable financial statements. Focus must be maintained to ensure successful implementation of these plans. In the period since our last annual report, there has been continued improvement with respect to management controls, but, in light of the impending coming into force of Bill C-42, some work remains to be done in areas such as human resource management.

Looking ahead to FY 2014/15, we will continue to focus attention on risk management, and the integrity of financial controls, as well as provide oversight, advice and support to the RCMP's IA function. We will also continue to support the work being undertaken on financial and management controls, including audit readiness planning. As always, we will remain available to provide independent advice to the Commissioner on issues related to our core areas of responsibility, as well as on other matters when requested.

William V. Baker, ICD.D.
Chair

John Curran, CPA, CA
Member

Pierre Richard, Q.C., ICD.D.
Member

Date modified: