Language selection

Integrated risk-based internal audit and evaluation plan 2016-21

Table of contents

  1. Executive Summary
  2. Planning Context
  3. Planning Approach
  4. Audit and Evaluation Plan Summary

1. Executive summary

1.1 Introduction

This document presents the Integrated Risk-Based Audit and Evaluation Plan (RBAEP) for the Office of the Commissioner Lobbying of Canada (OCL) for the five years (2016-17 to 2020-21). The objective of the RBAEP is to allocate resources to the areas of most significant risk and priority to OCL, as well as to align with the requirements of Treasury Board (TB) policies on internal audit and evaluation.

The Risk-Based approach focuses on the most significant areas to meet the organizational priorities, while balancing resources to ensure that they are efficiently and effectively utilized for assurance activities and provide the greatest benefit to OCL.

As an Agent of Parliament, OCL is independent from government and the oversight of the Treasury Board of Canada Secretariat (TBS). Consequently, OCL considers its internal oversight mechanisms (including internal audits and evaluations) of significant importance in helping ensure that adequate management practices are in place.

1.2 Proposed audits and evaluations

The audit and evaluation coverage proposed in the RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of budget constraint, and allows for one or two projects per year. The five-year plan takes into account alignment with organizational risks and priorities.

Year Audit Project Name Primary Entities Estimated Budget
2016-17 Evaluation of Outreach and Education Outreach and Education $60,000
2017-18 Follow-up Audit to the 2013 Audit of Lobbyists Registration System Registrations and Client Services $25,000
Evaluation of the Lobbyists Registration System $50,000
2018-19 Audit of Information Technology, Information Management and Security Internal Services $75,000
2019-20 Audit of Compliance and Enforcement Activities Reviews and Investigations $60,000
2020-21 Audit of Internal Services Internal Services $50,000

2. Planning context

2.1 Background

The Commissioner of Lobbying is the Agent of Parliament responsible for the administration of the Lobbying Act (the Act). The Act seeks to improve transparency and accountability regarding communications between lobbyists and federal public office holders, and increase the confidence of Canadians in the integrity of government decision-making. The authority of the Commissioner is derived from the Act, and the mandate is threefold:

  • Establish and maintain the Registry of Lobbyists, which contains and makes public the registration information disclosed by lobbyists;
  • Develop and implement educational programs to foster public awareness of the requirements of the Act; and
  • Undertake administrative reviews and investigations to ensure compliance with the Act and the Lobbyists’ Code of Conduct (the Code).

Under the Act, the Commissioner also has the authority to grant exemptions to former designated public office holders who are subject to a five-year prohibition on lobbying activities.

OCL works to achieve the following strategic outcome: Transparency and accountability in the lobbying of public office holders contribute to confidence in the integrity of government decision-making.

Three programs contribute to the achievement of the mandate and strategic outcome. These programs and their expected results are as follows:

  1. Education and Research
    • Lobbyists, their clients, public office holders, and the public are aware of the requirements of the Act.
  2. Registration of Lobbyists
    • Lobbyists can register in accordance with the requirements of the Lobbying Act.
    • Canadians have access to information about lobbying activities.
  3. Reviews and Investigations
    • Suspected, alleged or known breaches of the Lobbying Act and the Lobbyists’ Code of Conduct are reviewed or investigated, and appropriate measures taken to ensure compliance.
    • Exemptions from the five-year prohibition are granted or denied in a manner consistent with the purposes of the Lobbying Act.
    • Information contained in monthly communication reports submitted to the Office of the Commissioner of Lobbying is accurate and complete.

2.2 Government priorities

As one might expect, the priorities of the Government of Canada are quite broad and to a certain extent subject to some fluctuations in the context of the complex global environment. Fiscal Restraint, Blueprint 2020, and Deliverology are Government Priorities that touch the mandate of OCL.

Fiscal restraint

The current government has articulated a number of key priorities that are anticipated to require significant investment, while at the same time stating an intention to achieve a balanced budget by 2019 -2020 while continuing to reduce the debt-to-GDP ratio. In this context, it is reasonable to assume that the current climate of fiscal restraint will continue to be a reality for the foreseeable future.

Blueprint 2020

Blueprint 2020 sets out a vision of a world-class Public Service equipped to serve Canada and Canadians now and into the future. This is a Public Service recognized as having the best people working together with citizens, making smart use of new technologies and achieving the best possible outcomes with efficient, interconnected and nimble processes, structures and systems. The Public Service’s core objective is to improve the lives of our citizens and secure a strong future for our country.

The Blueprint 2020 vision sets out four guiding principles to help examine how work is done in the Federal Public Service:

  • An open and networked environment that engages citizens and partners for the public good.
    Together with…
  • A whole of government approach that enhances service delivery and value for money.
    Enabled by…
  • A modern workplace that makes smart use of new technologies to improve networking, access to data and customer service.
    And…
  • A capable, confident and high-performing workforce that embraces new ways of working and mobilizing the diversity of talent to serve the country’s evolving needs.

The mandate of OCL is to achieve transparency and accountability in the lobbying of public office holders and contribute to confidence in the integrity of government decision-making. The demand for accountability mechanisms and transparency is rising in Canada. This is consistent with a global trend of an increasing number of lobbyist offices and/or registration processes at all levels of government. One would expect a world-class Public Service to include mechanisms encompassed within OCL’s mandate and as such, OCL is quite relevant to the vision of Blue Print 2020.

Deliverology

Deliverology focuses on measuring a government’s progress on delivering on things that it announced it would. This approach to managing for results is a significant priority for the current government.

2.3 OCL Strategic outcome and operational priorities

In its 2016–2017 Report on Plans and Priorities (RPP), OCL identifies its strategic outcome as “Transparency and accountability in the lobbying of public office holders contribute to confidence in the integrity of government decision-making”

As outlined in the 2016-17 RPP, OCL’s operational priorities are as follows:

  • Modernize the Lobbyists Registration System (LRS) application.
  • Assess and enhance the effectiveness of the Outreach and Education program.
  • Refine compliance verification processes.
  • Implement the Information Management/Information Technology (IM/IT) strategy by migrating the rest of the OCL's IT infrastructure to the same service provider as for the LRS.

2.4 Key organizational risks

OCL undertook an exercise to update its corporate risk profile between May and July 2016 to identify, update and assess key risks. The risk profile serves as the foundation for effective risk mitigation and management, and informs corporate planning and decisions. The following seven risks were identified by management.

Functional Area Risk
Operational OCL may not be sufficiently proactive in raising awareness with those who could be non-compliant to the Act and/or the Code.
Governance The Commissioner, as Deputy Head, may not be able to effectively and efficiently operate OCL with available resources.
OCL may not be able to define and measure success against its mandate.
Human Resources OCL may not be able to attract and retain the right people with the appropriate mix of skills.
Information Management and Technology OCL’s current information systems may not be optimized to support ongoing operations.
OCL may not have access to expertise to continue appropriate maintenance of the LRS and other systems.
OCL corporate knowledge may not be effectively retained.

3. Planning approach

3.1 Key audit and evaluation requirements

There are a number of TB policies, and TBS directives and guidelines that establish the requirements and best practices for audit and evaluation planning in the federal government.

3.1.1. Treasury board policy on evaluation

In the Government of Canada, evaluation is the systematic collection and analysis of evidence on the outcomes of programs to make judgements about their relevance, performance and alternative ways to deliver them or to achieve the same results.

In accordance with Treasury Board Policy on Evaluation, federal institutions are required to prepare a rolling five-year evaluation plan, and to update the plan annually. According to the Treasury Board Directive on the Evaluation Function, evaluation plans must;

  1. align with and support the departmental Management, Resources and Results Structure;
  2. support the requirements of the Expenditure Management System, including strategic reviews;
  3. include all direct program spending, excluding grants and contributions;
  4. include all ongoing grant and contribution programs for which their department is responsible, as required under section 42.1 of the Financial Administration Act;
  5. include the administrative aspect of all major statutory spending;
  6. include programs that are set to terminate automatically after a specified period of time, if requested by the Secretary of the Treasury Board following consultation with the affected deputy head; and,
  7. include specific evaluations, if requested by the Secretary of the Treasury Board following consultation with the affected deputy head.

3.1.2 Internal audit and evaluation plan

Internal audits and evaluations provide independent, objective and substantiated conclusions on the effectiveness of risk management, control and governance processes. The focus is on all management systems, processes and practices, including the integrity of financial and non-financial information. Internal audit assurance services provide evidence-based opinions on the extent to which the system of internal controls is adequate and effective to support the following imperatives:

  • achievement of operational objectives;
  • safeguarding of assets;
  • economy and efficiency of operations;
  • reliability and integrity of financial and operational information; and
  • compliance with legislation, policies and procedures.

In accordance with TB policy, internal audit and evaluation plans must ensure coverage of areas of higher risk and significance. The internal audit and evaluation plan should also have the following characteristics:

  • be risk-based;
  • be reviewed by the audit committee;
  • be focused predominantly on the provision of assurance services;
  • have a multi-year horizon;
  • address risks and internal audits identified by the Comptroller General as part of government-wide coverage; and
  • support annual assurance reporting on the overall state of organizational risk management, control and governance processes.

3.2 Planning approach

The approach on which this plan is based complies with the Institute of Internal Auditors' International Professional Practices Framework. The RBAEP was developed using the approach outlined in the following figure.

Risk-based audit and evaluation planning approach

  1. Identification of the Audit and Evaluation Universe
    • PAA aligned
    • Defines potential scope of internal audit and evaluation activity
    • Comprised of “auditable” or “evaluable” entities
  2. Environmental Scan of the Audit and Evaluation Universe
    • Strategic consultations with the Commissioner, senior management & Audit Committee Chair
    • Review of key documents (e.g., PAA, RPP, CRP)
    • Leveraging recent Corporate Risk Profile
  3. Prioritization of Audit and Evaluation
    • Context sensitive weighted criteria-based approach for each universe entity
    • Risk exposure – 40%
    • Importance – 60%
  4. Project Selection and Plan Development
    • Consider feasibility, previous audits, evaluations, other assessments
    • Consider available resources, timing, scope and objectives
    • Update annually

3.2.1 Identification of the audit and evaluation universe

The audit and evaluation universe defines the potential scope of proposed engagements and comprises individual “universe entities” that may be the subject of internal audit or evaluation activity. To ensure alignment between the focus of internal audit and evaluation projects with OCL’s operational structure, the universe entities were aligned with OCL’s program and internal services, as identified in the 2016-2017 Program Alignment Architecture (PAA).

The following table presents OCL’s audit and evaluation universe. A more detailed overview of each element is provided in Appendix C.

Strategic Outcome:
Transparency and accountability in the lobbying of public office holders contribute to confidence in the integrity of government decision-making.
Program Audit and Evaluation Universe Entities
1. Registry of Lobbyists Lobbyists Registration System (LRS) Maintenance & Registration Services
Client Advisory Services
2. Outreach and Education Outreach & Education
3. Compliance and Enforcement Administrative Reviews and Investigations of Alleged Non-Compliance
Exemption Reviews
Compliance Verification
4. Internal Services Human Resources Management Information Management Information Technology
Security Management Financial Management Contracting and Procurement

3.2.2 Environmental scan

An extensive environmental scan was conducted for the purposes of updating the OCL Corporate Risk Profile (CRP) in May/June 2016. This exercise represents a timely and accurate picture of OCL’s business conditions and risks as they stand as of July 2016. This formed the basis of the risk analysis that was conducted for each audit universe component.

Input was gained from the Audit Committee at the July 8, 2016 Audit Committee meeting identify organizational changes, key risks to which operations are exposed, and areas in which internal audit or evaluation could provide the most value in supporting the achievement of organizational objectives.

Follow-up conversations were held with the Director of Finance and Deputy Chief Finance Officer to review the initial risk analysis of each audit universe component. The full analysis and risk rankings were reviewed with the management team on August 10, 2016 to ensure that all risk considerations had been captured.

3.2.3 Prioritization of audit and evaluation entities

Relevant to OCL’s operations, overall prioritization of audit and evaluation entities included consideration of inherent risk, the risk that would be posed if no controls or mitigating factors were in place and residual risk, the risk that remained after controls were considered. Each entity of the audit universe was ranked using two criteria: risk exposure and importance. Each criterion was assessed and weighted based on the relative importance of three sub-elements, as follows:

Risk exposure

  • review of corporate risk profile and consultations;
  • degree and recentness of changes; and
  • complexity, dependencies and legislative requirements.

Importance

  • materiality (the entity’s budget: low = <$100,000; moderate = >$100,000 but <$400,000; high =>$400,000);
  • sensitivity and public profile; and
  • link to mandate

Taken together, these criteria were used to derive a total weighted priority score from which preliminary prioritization of the audit universe was generated. Then, recent audit coverage of the entity was considered before assigning it a requirement-for-audit rating. The outcome is a preliminary ranked list of audit priorities, details of which can be found in Appendix B.

3.2.4 Project selection and plan development

The project team selected audit and evaluation projects to be included in the five-year RBAEP. To this end, the highest audit priorities identified served as the starting point and provided the main but not only consideration for project selection. The team examined the top priority entities against a variety of constraints and opportunities, including the following:

  • budget for internal audit and evaluation resources over the five-year period;
  • feasibility of conducting an audit or evaluation;
  • other reviews providing oversight (i.e. evaluations, Office of the Auditor General [OAG] audits);
  • mandated audit projects (i.e. follow-ups, OAG and Public Service Commission obligations for horizontal audits);
  • management requests; and
  • Audit and Evaluation Committee and senior management direction

In finalizing the RBAEP, care was taken to ensure the audit and evaluation universe was appropriately covered.

4. Audit and evaluation plan summary

The audit and evaluation coverage proposed in the RBAEP strives to achieve an effective balance between a number of requirements and considerations in the context of budget constraint, and allows for carrying out one or two projects per year. The five-year plan takes into account the necessary alignment with organizational risks and priorities. An overview of the risk assessment of the OCL universe elements is presented in Appendix B.

It is expected that OCL will achieve coverage of its highest audit and evaluation priorities over the five-year planning horizon. When the feasibility or value of either conducting or continuing an audit or evaluation project is in question—due to factors such as major changes, new priorities, or lack of resources or subject-matter expertise—the Deputy Commissioner will bring this to the attention of the Audit and Evaluation Committee for formal consideration and approval.

To date, OCL has completed the following audits:

  • Audit of Registration and Client Services, OCL’s Lobbyists Registration System
  • Audit of staffing (Public Service Commission)
  • Audit of procurement and contracting
  • Audit of Internal Controls Over Financial Reporting For Selected Expenditures
  • Threat and risk assessment

The following table summarizes all audit and evaluation projects planned over the next five years. The table is organized according to the audit and evaluation universe. A more detailed overview of the audit and evaluation universe entities is presented in Appendix C.

Planned Internal Audit and Evaluation Projects – 2016-17 to 2020-21
Risk Universe Risk Assessment Timing
2016-17 2017-18 2018-19 2019-20 2020-21
1. Registry of Lobbyists
1.1 Lobbyist Registration System (LRS) Maintenance High

Follow-up Audit – 2013 Audit of Registration and Client Services, OCL’s Lobbyists Registration System

Evaluation of Lobbyist Registration System, Registration Process and Client Services

1.2 Client Advisory Services Moderate

Follow-up Audit – 2013 Audit of Registration and Client Services, OCL’s Lobbyists Registration System

Evaluation of Lobbyists Registration System, Registration Process and Client Services

2. Outreach and Education
2.1 Outreach and Education High Evaluation of Outreach and Education
3. Compliance and Enforcement
3.1 Administrative Reviews and Investigations of Alleged Non-Compliance High Audit of Compliance and Enforcement
3.2 Exemption Reviews Low Audit of Compliance and Enforcement
3.3 Compliance Verification Low Audit of Compliance and Enforcement
4. Internal Services
4.1 Human Resources Management Low Audit of Internal Services
4.2 Information Management Low Audit of Information Technology, Information Management and Security
4.3 Information Technology High Audit of Information Technology, Information Management and Security
4.4 Security Management Low Audit of Information Technology, Information Management and Security
4.5 Financial Management Low Audit of Internal Services
4.6 Contracting and Procurement Low Audit of Internal Services

Appendix A. Detailed audit and evaluation plan

A.1 Detailed internal audit and evaluation plan

The table below provides the scope, objective and rationale for each of the audit and evaluation projects proposed for 2016 to 2021. It should be noted that final scope, objectives and estimated budgets for the proposed audits/evaluations is subject to confirmation as part of the detailed planning phase of each of the respective projects.

Year Audit Project Name Primary Entity Estimated Budget Audit Scope, Objective and Rationale
2016-17 Evaluation of Outreach and Education Outreach and Education 60,000

Scope: Efforts to educate potential registrants about the Lobbying Act and Code requirements

Objective: To evaluate the effectiveness of the following:

  • Advisory letters sent to potential registrants to ensure that those at risk of non-compliance are made aware of the requirements of the Act and the Code.
  • Tracking in the case management system of the awareness (e.g. low/med/high) of the Act and Code of those interviewed related to reviews and investigations for non-compliance.
  • Efforts to integrate education and outreach efforts with ongoing registration and investigation activities.
  • Compliance Advisory Team activities to be proactive in performing analysis to identify groups to target education efforts, in order to reduce the instances of non-compliance.

Rationale: If OCL is not proactive in reaching groups that are not already registered but may be conducting lobbying activities, there may be a missed opportunity in terms of identifying non-compliant activities and therefore reduce the effectiveness of compliance efforts by the Office.

2017-18 Follow-up Audit – 2013 Audit of Registration and Client Services, OCL’s Lobbyist Registration System Lobbyists Registration System
Client Advisory Services
25,000

Scope: Services relating to registration, monthly communications reporting and employee training to handle general enquiries by lobbyists, media and general public including how to interpret the Act.

Objective: To follow-up on the implementation of recommendations of the 2013 audit of registration and client services and OCL’s Lobbyists Registration System to determine if the IT governance framework and management controls and practices around the Lobbyists Registration System are adequate to provide reliable and timely information taking into consideration significant enhancements being made to the LRS in 2016-17.

Rationale: The effective and efficient operation of the Lobbyists Registration System is integral to the success of OCL meeting its mandate of providing a transparent environment for lobbyists to register their activities. Human and financial resources (including IT funds) allocated to registration and the maintenance of the LRS are a substantial part of OCL’s overall budget.

2017-18 Evaluation of the Lobbyists Registration System, Registration Process and Client Services Lobbyists Registration System
Client Advisory Services
50,000

Scope: Services relating to registration, monthly communications reporting and employee training to handle general enquiries by lobbyists, media and general public including how to interpret the Act.

Objective: Examine the extent to which the Lobbyists Registration System, Registration Process and Client Services contribute to OCL’s strategic outcome - “Transparency and accountability in the lobbying of public office holders contribute to confidence in the integrity of government decision-making” with an emphasis on program performance. Evaluation criteria may include the following:

  • The extent to which program objectives were achieved
  • Results that are being achieved relevant to expected outcomes
  • Extent to which processes have been optimized to achieve expected outcomes
  • Extent to which mechanisms for allocating resources (financial, human and material) are appropriate

Rationale: Consistent with the current government priority on “deliverology”, this evaluation is line with a broader government agenda of managing for results.

2018-19 Audit of Information Technology, Information Management and Security Information Technology
Information Management
Security
75,000

Scope: Management practices related to information technology, information management and security.

Objective: To determine if OCL has an effective management control framework in place to govern the management of its IT and IM activities in alignment with corporate goals and applicable statutory requirements.

Rationale: OCL’s ability to manage IT resources and IT strategy has a direct impact on the LRS, which is the driver for registration activities that are integral to meeting the requirements of the Lobbying Act. IT is inherently subject to a significant degree of change and complexity.

Information management is integral to OCL’s capability to demonstrate due diligence in its investigations.

2019-20 Audit of Compliance and Enforcement

Administrative Reviews of Investigations of Alleged Non-Compliance

Exemption Reviews

Compliance Verification

60,000

Scope: Management practices related to administrative reviews of investigations of alleged non-compliance, exemption reviews, and compliance verification.

Objective: To provide assurance that OCL has established a comprehensive and effective control framework to enforce compliance with the Lobbying Act, taking into consideration the following:

Has a comprehensive framework of management controls for enforcement activities been established?

Are enforcement actions conducted consistently and in accordance with requirements of the Lobbying Act?

Are enforcement actions effective?

Rationale: Effective and consistent enforcement activities are in line with the Lobbying Act are integral to meeting OCL’s mandate.

2020-21 Audit of Internal Services

Human Resources Management

Financial Management

Contracting and Procurement

50,000

Scope: Management practices and assessment of controls related to Human Resources, Financial Management, and Contracting and Procurement

Objective: Assess that management practices of controls related to Human Resources, Financial Management, Contracting and Procurement are in line with the expectations of the Policy on Internal Control and adequately support OCL to achieve its mandate.

Rationale: The Policy on Internal Control requires that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including controls over financial reporting. Alignment with the expectations of the Policy can provide OCL management with assurance that Human Resources, Financial Management, and Contracting and Procurement are well managed.

A.2 Audit and evaluation resources

The following table sets out estimates by fiscal year of the resources needed to carry out the proposed audit and evaluation engagement. The actual resources allocated to each engagement may vary depending on the scope of the project.

OCL Audit and Evaluation Engagements 2016-17 2017-18 2018-19 2019-20 2020-21
Evaluation of Outreach and Education 60,000
Follow-up Audit – 2013 Audit of Registration and Client Services, OCL’s Lobbyists Registration System 25,000
Evaluation of Lobbyists Registration System, Registration Process and Client Services 50,000
Audit of Information Technology, Information Management and Security 75,000
Audit of Compliance and Enforcement 60,000
Audit of Internal Services 50,000

Appendix B. audit and evaluation prioritization

B-1 Prioritization criteria

The RBAEP targets higher risk areas; the following criteria are used to evaluate the overall risk of each component in the audit universe.

Risk Importance
Impact on Operations
50%
Materiality
20%
Complexity and Dependency
25%
Sensitivity
40%
Change
25%
Link to Mandate
40%
40% 60%
Risk (40%)
Linked to the results of the CRP exercise, these criteria evaluate the inherent risk of each audit universe component
Impact on Operations (50%)

Using the OCL impact risk scales, these criteria evaluate the impact of the audit universe component on the overall operations (i.e. impact on OCL objectives if there were issues in the audit universe area). In the case of OCL, those areas with the most pervasive impact on all areas of the organization were rated 10 and the remainder, having a direct impact to objectives have been rated 5 (2016 analysis)

1=Low
5=Moderate
10=High/Extreme
Complexity and Dependency (25%)

The higher the complexity and interdependence of an area, the more coordination required and higher the inherent risk. Areas that require a large degree of judgement in decision-making and/or specialized knowledge and infrastructure are more complex and inherently higher risk.

1=Low
5=Moderate
10=High/Extreme
Change (25%)

Impact of change includes the magnitude, history and timing of the change. Changes include legislation, regulations and internal policies, governance structure, personnel, funding, operational restructuring and new technology and systems.

High 1=No major changes done/ anticipated
5= Some significant changes
10=Very significant changes
In the OCL environment Complexity and Dependency and Change have been weighted equally (50%) with Impact on Operations (50%), reflecting the need for audits and evaluations to be focused on areas that would greatly impact operations. Operations are directly linked to the mandate of the Office. Higher degrees of complexity and change further increase the overall risk and elevate the profile of areas, especially those integral to operations.
Importance (60%)
OCL is in the public eye and highly visible in the media; accordingly, these criteria are given a slightly higher weighting than the risk component.
Materiality (20%)i
This criteria looks at a costing model for spending in a component of the audit universe; in other words, all expenses and salary of personnel working in the area to meet objectives are allocated to the overall spending value.
1=<$100,000
5=>$100,000 and <$400,000
10=> $400,000
Sensitivity (40%) External and internal factors and activities influencing an organization’s policy and management agenda, including public visibility, political influence, social influence, media scrutiny and impact on stakeholders. 1=Low
5=Moderate
10=High
Link to Mandate (40%) All activities linked directly to OCL’s strategic outcome are inherently higher risk, since they are critical to fulfilling the organization’s mandate. In the case of OCL, the activities directly describing the three-fold mandate have been rated a 10 (plus information technology, which is embedded in each of these); all other areas have been deemed to be linked to the mandate (with no elements having no direct link). 1= No direct link to mandate
5=Linked, but not directly, to mandate
10=Linked directly to mandate
In the OCL environment Materiality has been less heavily weighted than Sensitivity and Link to Mandate, which are equally weighted, as funding/spending is focused on salaries for personnel; the risk of deficiencies in funding are more directly linked to OCL’s performance of its mandate and its perception in the public eye.

All criteria are based on an equidistant three (3) point scale allocated 1,5,10 points based on the descriptions noted above.

When determining audit priority ratings for each entity, the following scale is used:

  • Low: <6
  • Moderate: 6 to <8
  • High: > or equal to 8

Taken together, these criteria were used to derive a total weighted priority score from which preliminary prioritization of the audit universe was generated. Then, recent audit coverage of the entity was considered before assigning it a requirement-for-audit rating. The outcome is a preliminary ranked list of audit priorities, details of which can be found in Appendix B.

In developing the plan, each universe entity was assessed in relation to the extent of coverage provided and the perceived value of the information gained by management to contribute to the enhanced effectiveness and efficiency of OCL operations.

B.2 Prioritization of internal audit projects

The following table provides a complete analysis of risk exposure, importance and recent audit coverage for each activity included in the audit universe. This analysis ensures that the RBAEP focuses on high-risk areas and areas of concern for management.

2016–2021 Audit Prioritization Proposed 2016–2021 Audits and Evaluations
Audit Requirement Rating and Rationale
1. Registry of Lobbyists
1.1 Lobbyists Registration System (LRS) Maintenance

Audit Requirement Rating: High

Overall risk assessment is high because the effective and efficient operation of the Lobbying Registration System is integral to the success of OCL meeting its mandate of providing a transparent environment for lobbyists to register their activities. Human and financial resources (including IT funds) allocated to registration and the maintenance of the LRS are a substantial part of OCL’s overall budget.

Follow-up Audit – 2013 Audit of Registration and Client Services, OCL’s Lobbyists Registration System

Evaluation of Lobbyists Registration System, Registration Process and Client Services

1.2 Client Advisory Services

Audit Requirement Rating: Moderate

Overall risk is moderate because the Registration directorate is client facing and the first point of contact for most external queries; however, the most sensitive and complex queries generally fall under the LRS and Registration. While the remaining client advisory services are directly linked to maintaining OCL’s mandate, more efforts are directed towards registration.

Follow-up Audit – 2013 Audit of Registration and Client Services, OCL’s Lobbyists Registration System

Evaluation of Lobbyists Registration System, Registration Process and Client Services

2. Outreach and Education
2.1 Outreach and Education

Audit Requirement Rating: High

Outreach and Education activities represent one of the three OCL mandate areas. This area is highly visible to the public; while outcomes of outreach efforts generally do not affect OCL policy and compliance activities, the public response to external communications has an impact on reputational risk.

Evaluation of Outreach and Education
3. Compliance and Enforcement
3.1 Administrative Reviews and Investigations of Alleged Non-Compliance

Audit Requirement Rating: High

Overall risk is high because investigations and reviews are the main source of assurance of compliance with the Act and a pillar in fulfilling OCL’s mandate. The degree of change is moderate, as there have been infrequent changes to the Act and the Code, but there have been changes to the case management system used to document investigations. Complexity of interpretations of the Act can lead to higher risk. The risk to overall operations is moderate, as investigations could be suspended in the short-term and OCL would still meet their objectives; however, in the long-term outcomes in this area are required in order to demonstrate relevance.

Audit of Compliance and Enforcement
3.2 Exemption Reviews

Audit Requirement Rating: Low

Overall risk is low, as exemption reviews are a part of ensuring compliance with the Act (five-year prohibition terms) yet media’s main focus is towards investigations. Exemption reviews experience little change from year to year in their execution with spikes in requests generally only happening after a change in Government.

Audit of Compliance and Enforcement
3.3 Compliance Verification

Audit Requirement Rating: Low

Overall risk is low. Approximately half of OCL’s review and investigation files are opened internally, which requires the Investigation Directorate to be aware of ongoing lobbying activities from their monitoring of the external environment and media publications; however, the processes by which these are executed remain static and have relatively low complexity. The Investigation Directorate’s time is focused on investigations and exemption reviews, with an ongoing but more limited time spent on compliance verifications.

Audit of Compliance and Enforcement
4. Internal Services
4.1 Human Resources Management

Audit Requirement Rating: Low

Overall risk is low; the management of human resources is indirectly linked to the mandate but has a high impact on operations, especially for OCL as a small agency. An MOU is in place with PSPC (formerly PWGSC) for human resources management services and the funds expended on these are not material. Sensitivity of HR management is moderate. The degree of change is moderate in light of recent changes to federal government HR policy, creating an increase in questions and push back from the HR service provider.

Audit of Internal Services
4.2 Information Management

Audit Requirement Rating: Low

Overall risk is low; while it is not directly linked to the OCL mandate and has a low amount of resources directed towards it, information management affects the ability of the office to demonstrate due diligence in its investigations (and ensure privacy) and therefore has a moderate impact on operations. With trends towards digitization and SharePoint about to be implemented, there is some degree of change. Considerations for securing information collected and used by OCL is reflected under “Security Management.”

Note: Despite this area ranking as low, there is some residual concern that information management will be a challenge going forward. OCL’s newly created IM Strategy will require attention and resources going forward.

Audit of Information Technology, Information Management and Security
4.3 Information Technology

Audit Requirement Rating: High

Overall inherent risk is high, as OCL’s ability to manage IT resources and strategy has a direct impact on the LRS, which is the driver for registration activities. IT has an inherently high risk due to a large degree of change and complexity; complexity and change for OCL specifically is high due to the maintenance and development of LRS as an in-house software solution. There is an IT component to all program areas and therefore it is directly linked to achieving the overall mandate.

Audit of Information Technology, Information Management and Security
4.4 Security Management

Audit Requirement Rating: Low

Overall risk is low; while the security of information makes this a highly sensitive area, it is moderately complex and experiences low degrees of change (a new policy for security exists for the GC).

Audit of Information Technology, Information Management and Security
4.5 Financial Management

Audit Requirement Rating: Low

Overall risk is low based on moderate degree of complexity and sensitivity; however, a relatively low amount of resources is directed to this function. Moderate impact on operations (and reputation) if financial reporting is missing or inaccurate. There are some changes ongoing with the implementation of the new SAP system.

Audit of Internal Services
4.6 Contracting and Procurement

Audit Requirement Rating: Low

Overall rating of low; procurement practices have a moderate degree of complexity and inherently have a moderate degree of sensitivity due to scrutiny. OCL has in place contracts with independent consultants that maintain and develop the LRS, which is an integral component of OCL operations, although immaterial resources are directed towards the contracting and management of these.

Audit of Internal Services

i Materiality is the term used to describe the significance of financial statement information to decision makers. An item of information, or aggregate of items, is material if it is probable that its omission or misstatement would influence or change a decision. Materiality is a matter of judgement in the particular circumstances.

Appendix C. audit and evaluation universe

C.1 OCL audit and evaluation universe

The audit and evaluation universe defines the potential scope of internal audit and evaluation activity and comprises individual “auditable and evaluable entities” that may be subjected to audit and/or evaluation activity. This table sets out OCL’s audit and evaluation universe, and includes a description of each of the entities.

Strategic Outcome: Transparency and accountability in the lobbying of public office holders contribute to confidence in the integrity of government decision-making
1. Registry of Lobbyists
Lobbyists Registration System (LRS) Maintenance

The Lobbying Act recognizes that lobbying the federal government is a legitimate activity, but it must be done transparently. The Lobbyists Registration System (LRS) maintained by the OCL allows individuals who are paid to lobby public office holders to disclose their lobbying activities. The OCL reviews all lobbyists’ registrations for completeness and makes them accessible to the public through an online registry, thereby ensuring transparency of lobbying activities. The performance of this program is measured by specific indicators, such as the percentage of registrations that are processed within established service standards.

For purposes of this risk analysis, updates to the LRS database for IT maintenance and upgrades are considered under “Information Technology”; however, changes and maintenance to the LRS as a result of business needs and requirements (e.g. to enhance end-user usability and/or reflect a change in the Act) is included under this audit universe component. This audit universe component also includes the salaries and efforts of the Registration directorate towards answering queries related to the registration of lobbyists.

Client Advisory Services

The Registration Directorate is generally the first point of contact for lobbyists using the LRS and for the general public making enquiries and/or performing searches on the LRS. They provide client services to aid lobbyists in registering and reporting on the LRS, as well as answer queries to all those wishing to find information in the LRS.

For purposes of this risk analysis, the efforts of the Registration Directorate in answering queries related to registration are reflected in Lobbyists Registration System and all other front-line queries are reflected in this audit universe component.

2. Outreach and Education
Outreach and Education

The Lobbying Act provides the Commissioner of Lobbying with a mandate to develop and implement educational programs to ensure that lobbying activities at the federal level are conducted in an ethical and transparent manner, in compliance with the requirements of the Act. Education and Research includes the development and implementation of an outreach strategy to educate lobbyists, their clients, public office holders and the public about registration requirements under the Act.

For purposes of the Multi-Year Audit and Evaluation Plan, Communications and Media Relations functions are included under Outreach and Education.

3. Compliance and Enforcement
Administrative Reviews and Investigations of Non-Compliance OCL conducts monitoring and compliance verification activities to ensure that registrable lobbying activity is properly reported, and information provided by lobbyists is thorough, accurate and complete. Suspected and alleged non-compliance with the Lobbying Act and the Lobbyists' Code of Conduct is reviewed and, where appropriate, formal investigations are undertaken to ensure that lobbying activities are ethical and transparent. The Commissioner reports findings and conclusions in Reports on Investigation submitted for tabling in Parliament.
Exemption Reviews

The Lobbing Act prescribes a five-year prohibition on lobbying for former designated public office holders. The prohibition is intended to prevent former high-level federal decision-makers from using advantages and personal connections derived from their government positions for lobbying purposes. The Act also provides the authority to exempt individuals from the prohibition, when such exemptions are not contrary to the purposes of the Act.

A process to review applications for exemption was developed and implemented to ensure that the Commissioner is provided with sufficient information regarding whether to grant an exemption or not. The Act sets out circumstances or factors that may be considered when determining whether an exemption should be granted.

Compliance Verification

The Investigations Directorate performs a number of compliance verification activities to proactively ensure compliance with the Act and Code. It monitors media and publications for lobbying activities, and then cross-references these to entries in the Lobbying Registration System; discrepancies are reviewed and decisions are made whether to conduct more thorough reviews. Compliance analysis are also undertaken to review sectors of the economy that may be engaged in activity requiring registration.

Assessments are conducted of individuals who have been previously found in breach of the Act or Code, to ensure they have been brought into compliance. A sampling of monthly communication reports is verified to ensure they contain accurate and complete information, and that registrants have not omitted any reports. Information contained in registrations submitted to the Commissioner may also be audited for accuracy.

4. Internal services
Internal services are groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. These activities and services are management and oversight; human resources; financial management; information management and technology; communications; access to information and privacy; and contracting and acquisition services. Internal services include only those activities and resources that apply across an organization and not to those provided specifically to a program.
Human Resources Management

OCL has an overall Human Resources Strategy for attracting and retaining staff and management and ensuring that they have the skill set required to allow them to perform their duties effectively and efficiently. OCL facilitates the provision of information to external HR related service providers.

A number of HR related functions, such as payroll and HR advisory services are outsourced, but included here for purposes of the risk analysis.

For purposes of this risk analysis, salaries are attributed to the area of influence and reflected in the materiality and risk ratings for the related business audit universe component.

Information Management Information management includes the methods by which OCL organizes their physical and electronic files, with consideration given to appropriate access and privacy. The consideration of and processes to respond to ATIP requests are included in this area.
Information Technology Information technology refers to the overarching IT strategy for all OCL hardware and software, the resources to implement this strategy, and all related OCL hardware software. Most notably, the Lobbyists Registration System (LRS), Case Management System (CMS), CCM Enterprise (correspondence tracker) and Segnet (segregated network). Included in this area is the maintenance and development of the LRS and also the MOU spending to OPC related to the LRS.
Security Management OCL is responsible for ensuring the security of information collected, as well as the personal security of its employees and the facilities in which they operate.
Financial Management Financial Management services internal to OCL include budgeting, forecasting, preparation of financial statements, quarterly reviews. Financial planning and reporting include a wide range of activities such as resources and process management, budget planning and management, salary management, funding decisions, and resource allocations. There is a financial planning and budgeting component of the RPP and DPR.
Contracting and Procurement OCL manages the parts of the contracting process that requires judgement and knowledge of the work being contracted, such as evaluations of tender bids and approving the related invoices. Payment (transactional) services are outsourced to The Canadian Human Rights Commission (CHRC), who perform s33 reviews and release payments. CHRC also provides advice on creating contracts and standing offers.
Report a problem on this page
Please select all that apply:
Date modified: