Horizontal audit of the Public Services and Procurement Canada investigation management accountability framework (final report)


October 11, 2017


Background

1. Parliament has enacted several pieces of legislation (acts and regulations) for the Public Service of the Government of Canada related to managing allegations regarding misconduct. The legislation and related policy instruments identify processes and available recourses based on the nature of the allegation and the status of the individual raising the concern.

2. To this end, the 2009 Policy on Government Security, Section 6.1.8 mandates that deputy heads of all departments are responsible for ensuring that allegations of misconduct are investigated, acted on and reported.

3. At Public Services and Procurement Canada (PSPC), the Deputy Minister sub-delegates to the Departmental Oversight Branch and the Human Resources Branch specific authorities either to investigate or to provide advice to delegated managers. The Departmental Oversight Branch’s administrative investigations are conducted by the Special Investigations and Internal Disclosure Directorate and the Corporate Security Directorate. Within the Human Resources Branch, investigative responsibilities reside within the Labour Relations and Staffing Oversight sectors. Each of the PSPC branches with investigative responsibilities acts as an office of primary interest for allegations, reviews, and investigations in its respective area.

4. To increase the effectiveness and efficiency of their investigative functions and to promote values and ethics in the Department, it is critical to have a holistic approach to the management of fraud, security breaches, and wrongdoing.

5. As such, to provide the Deputy Minister with assurance that the organization was supporting her in discharging Section 6.1.8, audits of PSPC investigative and disciplinary functions were conducted. These audits examined operational processes and controls. Additionally, a directed request for this horizontal audit was made by the Departmental Audit and Evaluation Committee on June 12, 2015 to examine areas of the investigation management accountability framework that are considered to be overarching for all investigative functions.

About the audit

Objective

6. The audit objective was to assess whether the PSPC management accountability framework around the department’s investigative functions is appropriately designed to effectively manage investigations and support an ethical workplace.

Period covered by the audit

7. The Audit examined related practices and activities for the period from April 2013 to March 2016, which covered 3 fiscal years. However, to gain a more complete understanding of the subject matter of the audit, we also examined certain matters that extended beyond the end date of the audit scope.

8. The fieldwork for this audit was completed in July 2017.

Scope

9. The Office of Audit and Evaluation developed an investigation management accountability framework to note areas relevant to the establishment of effective investigative functions and to the promotion of values and ethics in the Department. The framework is referenced in Appendix A.

10. The focus of the audit included areas of the investigation management accountability framework that were considered to be overarching for all investigative functions, as well as most relevant and important in increasing the likelihood that the department meets its legislative obligations to investigate, act and report on allegations of employee misconduct.

11. The audit examined the following areas of the framework:

12. Elements of the framework that are attributed to specific investigative functions or steps in specific investigative processes were examined as part of the recent audits of PSPC investigative and disciplinary functions, as well as the Office of the Auditor General’s audit on managing the risk of fraud. See Appendix B. These elements of the framework included detective activities, departmental policies and information management.

13. Detailed audit criteria for this horizontal audit are presented in Appendix C.

Statement of conformance

14. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

15. Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions against audit criteria, as they existed at the time. The findings and conclusions are only applicable to the entity examined and for the scope and time period covered by the Audit.

Focus of the report

16. This report includes the key findings for the horizontal audit of the PSPC investigation management accountability framework. Since the initiation of this horizontal audit, efforts have been made by the management of the offices of primary interest to address audit findings that were communicated during the early examination phase of this audit. In recognition of the control gaps addressed, we report on the current state.

17. Some specific horizontal findings identified by this audit have previously been reported via recent audits of PSPC investigative and disciplinary functions, as well as the Office of the Auditor General’s audit on managing the risk of fraud. The progress in the implementation of management actions on the separate investigative function audits is yet to be ascertained. It will be done as part of the Office of Audit and Evaluation’s validation process to assess the implementation of the management action plan to address audit recommendations.

Audit observations

Governance and coordination structure

Governance and coordination structure is effective at managing horizontal risks. Record keeping practices should be improved.

18. Since November 2015, efforts have been made to implement the PSPC governance and coordination structure for the investigation functions, which is comprised of the Investigations Management Framework Committee and the Disciplinary Council.

19. The existing governance and coordination structure is designed and functions as expected to:

20. Additionally, the Deputy Minister’s Executive Committee and the Audit and Evaluation Committee receive periodic updates on the ethics, the progress of organizational well-being and the work of the investigative units.

21. The Investigation Management Framework Committee and the Disciplinary Council had documented mandates that outline their membership, frequency of meetings and roles and responsibilities.

22. Record keeping requirements were not documented. Meeting agendas, records of policy-related items discussed, and records of attendance were not consistently kept for the Investigations Management Framework Committee for the audit scope period from April 2013 to March 2016. Consultations with the Treasury Board Secretariat and other federal government organizations indicated that it is a common practice not to keep detailed records of discussion, considering the sensitivity of subjects discussed and related privacy issues. However, high-level records that are general in nature are expected to be kept (for example: agendas, records of attendance, and general minutes of discussions).

23. The Departmental Security Committee’s mandate included responsibilities for the investigative function. However, there was no evidence that these roles have been exercised by the Committee.

Preventive activities—Authorities, accountabilities, and roles and responsibilities

A framework for accountabilities, authorities, and roles and responsibilities has been developed.

24. PSPC has developed the Investigations Management Framework to manage investigations of misconduct and disciplinary and corrective measures. This framework notes the key stakeholder’s authorities (legislative and policy drivers) and defines general roles and responsibilities of the PSPC organizations with investigative responsibilities. The roles and responsibilities are consistent with these organizations’ overall mandates.

25. Processes and protocols for information sharing and investigative assistance are in place to support PSPC investigative groups and their external partners in the discharge of their investigative responsibilities under applicable legislation and policies. This includes the following formal agreements and protocols:

26. Efforts have been made by the Chief Information Officer Branch to build IT forensic expertise in the Department. Like the rest of the federal government organizations, PSPC relies on Shared Services Canada for forensic services. However, there have been delays in the services provided by this department due to heavy demands from across the public service. To enhance electronic data searches, the Chief Information Officer Branch created a forensic laboratory, purchased forensic software and hardware tools, and provided specialized training to staff. Additionally, an IT Security Coordinator has been appointed within the IT Security Directorate to provide investigative support to all PSPC investigative authorities as well as external authorities.

Preventive activities—Risk management

Comprehensive department-wide risk management could be enhanced.

27. As reported by the Office of the Auditor General via the 2017 audit report on managing the risk of fraud, PSPC has a fraud risk management framework and has put in place controls to mitigate the most significant fraud risks. However, the Office of the Auditor General noted that there was a lack of consolidated effort in the identification and management of risks related to fraud in all areas of the Department.

28. In response to the Office of the Auditor General’s recommendations, fraud risk was included as one of the top five risks in the 2017 to 2019 Departmental Risk Profile, demonstrating the department’s consolidated effort for documenting fraud risk management activities. The Department has also made a commitment to perform a department-wide fraud risk assessment. Mapping of existing and future fraud risk management controls is being conducted through the 2017 to 2019 Departmental Risk Profile.

29. We also reviewed the 2016 to 2019 Departmental Security Plan and noted that the investigative units with security responsibilities were identified among the six PSPC organizations with key security roles. However, respective mitigation activities were not sufficiently linked to their operational responsibilities. The processes and controls around the development of the Departmental Security Plan are expected to be further examined as part of the risk assessment of the Departmental Security Program that is currently being performed by PSPC.

Preventive activities—Training, awareness and tools

Training and awareness programs exist; monitoring of effectiveness could be enhanced.

30. PSPC has in place training and awareness programs and mechanisms to communicate the standards of professional conduct, raise ethical consciousness, and prevent and/or reduce occurrences of fraud, wrongdoing and security breaches by providing information to help employees better understand how to detect, report, avoid, and mitigate such occurrences. Notably, these programs and mechanisms include:

31. Monitoring mechanisms were in place to measure the effectiveness of the Ethics Awareness Program and Security Awareness Programs. The Fraud Awareness Program has been recently established and does not yet have a measurement strategy to assess its effectiveness.

32. Mandatory training was identified to assist managers and employees to discharge their responsibilities with respect to professional standards.

33. Improvements are being made to promote training and awareness effectiveness in the area of fraud. The concept of fraud is not specifically covered in the mandatory training for all PSPC employees. With regard to fraud training, a risk-based approach was initiated by the Department. Mandatory training on fraud is provided to procurement officers in the Acquisition Branch, as this occupational group is at higher risk of being exposed to fraudulent practices. Efforts to ensure that employees in high-risk positions are aware of their obligations with respect to conflicts of interest, values and ethics, and fraud and wrongdoing are to be continued as part of the implementation of the management action plan in response to the recommendations of the Office of the Auditor General’s audit of managing the risk of fraud. As for the fraud training to all employees, in April 2017 an online elective course on how to identify and report fraud was developed and is in the process of being rolled-out.

34. As already reported by the Office of the Auditor General via the audit on managing the risk of fraud, monitoring of employees’ successful completion of training by managers is not efficient. Human Resources Branch is currently developing reporting tools in the new learning management system, ALTO, which was implemented in April 2017. The new reporting tools are expected to be available in 2018 to assist managers in monitoring training compliance. PSPC-wide statistics on the rate of completion of the mandatory training are not readily available. Compliance with mandatory training requirements is tracked only for select courses. According to the Learning Management Directorate, compliance with the requirement to complete mandatory training is unknown, but it is considered to be low.

35. There are currently no policy requirements or criteria for re-training. A mandatory course is expected to be taken once over the course of an employee’s employment. A customary practice at PSPC is to offer additional training in the areas where significant changes take place.

36. There has been progress in raising awareness in the areas of wrongdoing, fraud and security incidents as well as increased confidence in disclosure mechanisms. The level of disclosure within PSPC was comparable with the level of disclosure throughout the federal government. The number of reported security incidents has increased from 122 in the fiscal year 2012 to 2013 to 175 in the fiscal year 2015 to 2016. The total losses due to security violations have remained fairly stable at approximately $40,000 per year. An increasing share of employees, from 72% in 2008 to 77% in 2014, indicated that they know where to go if they face an ethics issue. Federal government averages saw the rate change from 67% to 73% in the same timeframe. In 2014, 39% of PSPC employees felt they could make a complaint without fear of reprisal; 40% of the federal government answered the same for this measure. This represented a 2% improvement for both PSPC and the federal government since the 2011 survey.

Corrective actions—Application of discipline and corrective actions

Discipline and corrective actions are administered in accordance with requirements.

37. The PSPC Discipline Guidelines are in place to support the consistent application of disciplinary measures in similar circumstances. The Guidelines include the disciplinary measure matrix, which notes five groups of disciplinary measures corresponding to the severity of misconduct. The matrix provides examples of types of misconduct and a range of disciplinary measures that could be applied in accordance with the misconduct.

38. Disciplinary measures were being rendered with respect to the Discipline Guidelines and management consulted Labour Relations to support consistency of discipline application across the Department. We reviewed a sample of 54 disciplinary files for which disciplinary decisions were made during the scope period from April 1, 2013 to March 31, 2016. This sample represented approximately 32% of the population. Based on our review, in 50 of the 54 files reviewed, the disciplinary decisions fell within the range outlined in the discipline measure matrix. In 2 cases, although the discipline decisions did not fall within the range as per the discipline measure matrix, there were sufficient justifications for the exceptions. In the remaining 2 cases, the discipline measure applied was at a lesser degree than directed. Labour Relations met its due diligence to recommend an appropriate level of discipline and documented its recommendations, which suggested a more strict application of discipline.

39. Additionally, we reviewed 20 grievances related to discipline for the period April 1, 2013 to March 31, 2016 to determine if there were specific breaches in disciplinary procedure, or if there was indication that disciplinary decisions were significantly overturned. We did not identify any grievances related to management or human resources breaching elements of the Treasury Board Secretariat, Public Service Commission or Collective Agreement disciplinary requirements. For the four disciplinary grievances that resulted in a reduction of quantum of discipline, the initial discipline decisions fell within the range outlined in the discipline measure matrix.

Monitoring and reporting

Senior management is regularly informed of investigation activities.

40. The Treasury Board Secretariat’s role for the administrative investigation functions is to provide advice and guidance. With the exception of founded disclosures under the Public Servants Disclosure Protection Act, which are required to be reported within 60 days of the conclusion of the investigation, the Treasury Board Secretariat does not provide oversight over the investigation functions in the federal government. Nor is there an established Treasury Board Secretariat framework for the monitoring and assessment of the performance related to administrative investigation functions. The monitoring and reporting processes by which the work of the investigative functions is assessed are at the discretion of the deputy head. With regard to corporate staffing, the Public Service Commission is mandated to oversee the integrity of the staffing system, which includes the staffing investigation function.

41. Management oversight was performed by the Assistant Deputy Minister, Departmental Oversight Branch and the Assistant Deputy Minister, Human Resources Branch. The Assistant Deputy Minister, Departmental Oversight Branch was briefed bi-weekly on the status of the preliminary assessments and investigations and was provided with the statistics on security sweeps. Additionally, in February 2017, the Assistant Deputy Minister, Departmental Oversight Branch appointed a Special Advisor to counsel on major horizontal initiatives aimed at enhancing the Department’s capacity in the fields of investigations and corporate security and improving the Department’s ability to efficiently detect fraud, collusion and corruption in its contracts and real property agreements. The Assistant Deputy Minister, Human Resources Branch was briefed on a monthly basis. A risk matrix was used to prioritize the cases reported.

42. There were processes in place to inform the Deputy Minister of significant issues related to the investigative functions and management of security incidents, fraud and wrongdoing in the Department. We were advised that the Assistant Deputy Minister, Departmental Oversight Branch and Assistant Deputy Minister, Human Resources Branch informed the Deputy Minister of significant issues as necessary. Additionally, the Corporate Security Directorate, Departmental Oversight Branch makes recommendations to the Deputy Minister regarding revocation of security clearance. The revocations at secret level and above have to be signed by the Deputy Minister.

43. The PSPC organizations with investigative responsibilities systematically reported to senior management on activities undertaken by investigative groups. This includes progress in terms of establishment of values and ethics in the Department, statistical data pertaining to their functions, performance information, and their current plans and priorities.

Efforts to improve performance measurement and information management are underway. Trend analysis could be improved.

44. As a result of the recent associated audits related to the specific investigative processes, management actions are underway to improve overall monitoring and reporting on performance at key milestones throughout the investigative processes. These management actions also entail the integrity of the information being reported.

45. In terms of availability and accessibility of case-related information, we noted that the PSPC investigative units have in place systems to capture key case-related information from the initiation of the case to the conclusion of the investigation. The disciplinary and corrective action data are not tracked in the existing PSPC investigation systems. Human Resources Branch uses separate systems for tracking active high-profile cases. The disciplinary data is tracked in MyGCHR.

46. The existing systems are not fully integrated to allow for easy tracking of the information from beginning to end so that “close-the-loop” reporting can be made. There was no common identifier to easily match the investigative information with the respective discipline information. Plans are in place to improve case tracking between the completion of the investigation phase and the disciplinary process phase led by management with support and advice from the Labour Relations Directorate.

47. A good practice was noted in having a single case management system or using an available off-the-shelf investigation system (which would include a disciplinary module), in order to support monitoring, trend analysis and “close-the-loop” reporting. However, we recognize the limitations associated with such a case management system, as it may not serve the needs of all investigative units in the Department and may require significant modifications. Additionally, tracking disciplinary data in an investigation system(s) in addition to MyGCHR would be a duplication of effort.

48. Although the Department collected investigative statistics, there was no ongoing analysis performed to assess the investigative environment, and to identify emerging trends and common themes related to investigative functions. Departmental risk management processes could benefit from such trend analysis.

Monitoring of actions to address systemic issues could be improved.

49. There is no independent verification function to assess the effectiveness of the management actions to correct control weaknesses identified in the course of investigations and/or to ensure that these management actions are adequately implemented. Per departmental policy (026) on Departmental Oversight Branch Investigations, paragraph 5.5.10., the Assistant Deputy Minister, Departmental Oversight Branch should verify and monitor the implementation of government procedures to prevent recurrence of losses.

50. We noted that investigation reports included recommendations to address systemic issues. We were advised that the current process is that these recommendations are agreed to by the Assistant Deputy Minister or Regional Director General, who are accountable for the development and implementation of the respective management actions. We confirmed with the Departmental Oversight Branch management that independent verification of implementation of the management action plans is not performed.

Conclusion

51. Overall, we found that efforts have been made and management actions are underway to put in place the elements of the PSPC investigative management accountability framework examined by this audit. A few opportunities for improvement were identified pertaining to record keeping practices of the Investigation Management Framework Committee, measuring of the effectiveness of the Fraud Awareness Program, performing trend analysis and monitoring of implementation of corrective actions to address systemic issues.

Management response

Management has had the opportunity to review the report, and agrees with the conclusions and recommendations found therein. Management also developed a management action plan to address these recommendations.

Recommendations and management action plan

Recommendation 1:
The Assistant Deputy Minister, Policy and Planning and Security Branch in conjunction with the Assistant Deputy Minister, Human Resources Branch should ensure that the record keeping requirements are established and documented for the Investigation Management Framework Committee and the respective records are appropriately kept.
Management action plan 1.1:
The Policy, Planning, and Security Branch will modify the Investigation Management Framework Committee terms of reference to specify record keeping requirements related to decisions/issues raised during meetings of the Committee.
Recommendation 2:
The Assistant Deputy Minister, Policy and Planning and Security Branch in conjunction with the Assistant Deputy Minister, Integrity Regime (formerly the Departmental Oversight Branch) should consider developing a strategy to measure the effectiveness of the Fraud Awareness Program as part of the development of the overall Fraud Risk Management Framework for the Department.
Management action plan 2.1:
During the fiscal year 2017 to 2018, the Policy, Planning, and Security Branch and the Integrity Regime, established an Anti-Fraud, Detection and Prevention Unit, which has the responsibility to undertake a department-wide fraud risk assessment. The Fraud Awareness Program will be part of this assessment. This assessment will focus on contracting activities in the fiscal year 2017 to 2018, real property activities in the fiscal year 2018 to 2019, and all remaining business lines in the fiscal year 2019 to 2020.
Management action plan 2.2:
The Special Investigations and Internal Disclosure Directorate (SIID) created an on-line fraud awareness course in the fiscal year 2016 to 2017. SIID will monitor and report on the percentage of employees per branch/region who complete the on-line fraud course. Additionally, integrity surveys will be conducted to measure environmental and behavioral trends. SIID will also use data from its comprehensive report to further analyze effectiveness of the Fraud Awareness Program.
Recommendation 3:
The Assistant Deputy Minister, Policy and Planning and Security Branch in conjunction with the Assistant Deputy Minister, Integrity Regime should consider: (1) performing ongoing trend analysis for investigative functions; and (2) establishing a system for monitoring the implementation of management actions relating to systemic issues identified as a result of investigations.
Management action plan 3.1:
The Policy, Planning, and Security Branch will conduct an analysis of the statistical data available via comprehensive report to identify trends related to investigations. The Policy, Planning, and Security Branch in conjunction with the Integrity Regime will establish and maintain a framework to monitor whether systemic issues identified as a result of investigations are implemented.

Appendix A—Investigation management accountability framework

Governance and coordination


Figure A depicts the Public Services and Procurement Canada investigation management accountability framework, which was developed by the audit team to note key areas and controls relevant to the establishment of effective investigative functions and to the promotion of values and ethics in the Department. The areas and controls consist of those that are overarching all investigative functions and steps in the investigation processes, and those that can be attributed to a specific investigative function or a step in a specific investigative process. These areas and controls of the framework are discussed below.

At the top of this figure is the area of “governance and coordination”. The objective for this area is defined as “to lead, oversee, coordinate, and communicate the Department’s approach to ensure effective investigation functions and promotion of values and ethics.” “Governance and coordination” overarches the 3 areas of internal controls underneath, being “prevention”, “detection” and “corrective actions”.

The objective of prevention is defined as “to reduce the risk of fraud, security breaches, and wrongdoing through the use of prevention measures.” The prevention controls include:

The objective of detection is defined as “to detect questionable activities and transactions in the Department that lead or could potentially lead to fraud, security breaches, and wrongdoing.” The detection controls include:

The objective of corrective actions is “to take action(s) when questionable activities and transactions occur in the Department.” The corrective actions controls include:

At the bottom of figure A is the area of “monitoring and reporting”, which goes across the aforementioned 3 types of internal controls. “Monitoring and reporting” then feeds back to “governance and coordination”.

Additionally, on the left side of the figure, there are 3 areas that cross cut the independent parties or interests implicated by this framework. The area of “government legislative and policy requirements” is cross cutting to the “governance and coordination” area and the internal controls. The area of “departmental policy instruments” is cross cutting to the internal controls. “Information management” is cross cutting to the internal controls and the monitoring and reporting element.

Appendix B—Recent audits in relevant areas

Five audits have recently been conducted in areas relevant to the Public Services and Procurement Canada’s investigation management accountability framework. These audits are as follows:

  1. Public Services and Procurement Canada’s audit of the special administrative investigations function. The period covered by the audit was from April 2012 to December 2014. The audit report was dated March 2, 2017.
  2. Public Services and Procurement Canada’s audit of the investigation and discipline function in the Human Resources Branch. The period covered by the audit was from April 2013 to March 2016. The audit report was dated March 2, 2017.
  3. Public Services and Procurement Canada’s audit of the corporate security investigative function. The period covered by the audit was from April 1, 2015 to November 30, 2016. The audit report was dated June 29, 2017.
  4. Public Services and Procurement Canada’s audit of the internal disclosure process. The period covered by the audit was from April 1, 2014 to March 31, 2016. The audit report was dated March 2, 2017.
  5. The Office of the Auditor General’s audit on managing the risk of fraud. The period covered by the audit was from April 1, 2013 to October 31, 2016. The audit report was dated March 6, 2017.

Appendix C—Audit criteria

The following audit criteria were used for this audit:

  1. Governance and Coordination Structure: An effective governance and coordination structure for the PSPC investigative function has been established and functions as intended to ensure that PSPC meets its legislative obligations to investigate, act and report on allegations of employee misconduct.
  2. Preventive Activities—Authorities, Accountabilities and General Roles and Responsibilities: Authorities, accountabilities and general responsibilities related to PSPC investigations function are clearly defined, documented, and established to support the organization in fulfilling its legislative obligations to investigate, act and report on allegations of employee misconduct.
  3. Preventive Activities—Risk Management: Risks are systematically identified and managed to ensure the continued integrity of PSPC employees and successful delivery of investigative services.
  4. Preventive Activities—Training, Awareness and Tools: Employees have received the training and tools to discharge their responsibilities with respect to professional conduct, namely through the Treasury Board Secretariat’s (TBS) Values and Ethics Code for the Public Sector, the PSPC Code of Conduct, and disclosure mechanisms.
  5. Corrective Activities—Application of Discipline and Corrective Actions: Disciplinary measures are administered, when required, in consultation with Labour Relations (LR) to promote consistent application and integrity within PSPC; and management actions are implemented to correct internal control weaknesses.
  6. Monitoring and Reporting: Appropriate performance measures and reporting standards are developed and implemented to assess and report on the effectiveness of the Department’s investigative services. Investigative activities, results and discipline are recorded in a system that supports monitoring, trend analysis and “close-the-loop” for reporting.