Audit of the special administrative investigations function
(final report)
March 2, 2017
On this page
Executive summary
i. This engagement was included in the Department's 2014 to 2018 Risk-Based Audit and Evaluation Plan.
ii. Under the Treasury Board Secretariat Policy on Government Security, Section 6.1.8 deputy heads of all departments are responsible for "ensuring that when significant issues arise regarding policy compliance, allegations of misconduct, suspected criminal activity, security incidents, or workplace violence, they are investigated, acted on and reported to the appropriate law enforcement authority, national security agency or lead security agency."
iii. Within the Department, the authority to investigate allegations or provide advice to delegated managers is sub-delegated to the Departmental Oversight Branch and the Human Resources Branch.
iv. The focus of this report is on the special administrative investigations function,Footnote 1 administered by the Special Investigations and Internal Disclosure Directorate of the Departmental Oversight Branch. The Directorate conducts special administrative investigations into:
- Allegations of fraud
- Conflict of interest
- Breach of trust and unauthorized disclosure of information
- Misuse of public funds or assets
- Public Servants Disclosure Protection Act cases, as required
- Other serious offences in violation of Acts or Regulations of the Government of Canada that other departmental branches are not specifically sub-delegated to address
v. The audit objective was to assess whether the management controls and operational processes were in place to support quality and consistency in the delivery of the special administrative investigations.
vi. The Audit covered the Directorate's practices and activities for the period of April 2012 to December 2014. The following four areas were assessed as part of the Audit:
- Governance Framework for the special administrative investigations function
- Integrity of the special administrative investigations process
- Integrity in safeguarding of information
- Performance monitoring and reporting
vii. Overall, we found that the Governance Framework would benefit from enhancement, particularly in terms of updating the departmental governing policy, formally establishing a quality assurance function, taking an integrated approach to capacity building, and better management of operational procedures. Additionally, there are risks to the integrity of the process due to inconsistent management of operational risks and inconsistent application of procedures. There are also risks to the integrity of safeguarding the information. Finally, performance monitoring and reporting needs improvement.
viii. Subsequent to the completion of our Audit, we were informed by the Office of Primary Interest of specific actions that have been undertaken and/or are underway to address identified gaps and enhance the special administrative investigations function.
Management response
Management has had the opportunity to review the report, and agrees with the conclusions and recommendations found therein. Management also developed a Management Action Plan to address these recommendations.
Recommendations and management action plan
- Recommendation 1:
- The Assistant Deputy Minister of the Departmental Oversight Branch should strengthen the Governance Framework for the special administrative investigations function via:
- Implementation of a life-cycle process for the development, revision, maintenance, and approval of the policies and procedures
- Implementation of a formal quality assurance function that covers the complete lifecycle of the special administrative investigations process
- Implementation of an integrated approach to the human resource capacity building
- Management action plan 1.1:
- Life cycle of 2 years to be put in place to review the policies and procedures that guide the work of the Directorate (such as Departmental Policy 026 and Special Investigations and Internal Disclosure Directorate's Operational Guidelines for the Conduct of Investigations). Articulation of this will be in the Directorate's Operational Guidelines.
Additionally, as part of the life cycle process to manage procedures, the Directorate will address procedural gaps identified by the audit.
- Management action plan 1.2:
- A formal three stage quality assurance process has been developed and is to be implemented by April 1, 2017. The first stage will be prior to seeking a mandate for investigation from the Assistant Deputy Minister of Departmental Oversight Branch, in order to ensure that proper steps have taken and documented, and that the investigation is within the Special Investigations and Internal Disclosure Directorate's mandate. The second phase will be prior to final report being issued in order to ensure that the investigation is on track and the employee subject of investigation has an opportunity to review draft report. The third phase will be at the conclusion of investigation, which will be to ensure that liaison with Labour Relations of the Human Resources Branch is clearly outlined in file; a proper index is enclosed; and that the employee has been notified of investigation as directed in Treasury Board Secretariat's Handbook on Administrative Investigations into Misconduct.
- Management action plan 1.3:
- The Directorate will develop an integrated human resources plan in order to identify its needs with respect to expertise needed to meet its expanded mandate.
- Recommendation 2:
- The Assistant Deputy Minister of the Departmental Oversight Branch should ensure that operational risks are consistently managed and the operational procedures are consistently applied to strengthen the integrity of the special administrative investigations process.
- Management action plan 2.1:
- Implementation of Management Action Plan 1.2. above is expected to result in a more rigorous quality assurance process that will ensure that key steps in the special administrative process are followed and documented so that investigation risks are identified and mitigated.
- Recommendation 3:
- The Assistant Deputy Minister of the Departmental Oversight Branch should implement controls to ensure integrity in safeguarding of information related to the special administrative investigations function.
- Management action plan 3.1:
- The security safeguard concerns related to the use of the Site-Secure application, which houses information related to the special administrative investigations, are expected to be addressed via implementation of the Management Action Plan on response to the recommendations of the 2015-712 Audit of the Corporate Security Investigative Function conducted by the Office of Audit and Evaluation. This Management Action Plan was approved at the Audit and Evaluation Committee meeting on January 23, 2017 and is to be implemented by January 31, 2018.
- Recommendation 4:
- The Assistant Deputy Minister of the Departmental Oversight Branch should implement appropriate service standards and should ensure active monitoring of performance against the service standards in order to support effective delivery of the special administrative investigations function.
- Management action plan 4.1:
- The Directorate's service standards will be modified to ensure that clarity exists around when an investigation starts and ends, as well as percentage of files to be completed within established standards (90 days for Tier 2 files, and 120 days for Tier 1 files). The Directorate will also review the service standards to ensure that appropriate service standards are in place for critical steps in the investigative process (for example, preliminary assessments) in order to support effective delivery of the special administrative investigations function.
Introduction
1. This engagement was included in the Department's 2014 to 2018 Risk-Based Audit and Evaluation Plan.
2. Federal public servants have a fundamental role to play in serving Canadians, their communities and the public interest under the direction of the elected government and in accordance with the law. Furthermore, Canadians expect their public institutions to function at the highest level of ethical standards.
3. The Department plays an important role in the daily operations of the Government of Canada as a common service provider for federal departments and agencies. It supports them in the achievement of their mandated objectives as their central purchasing agent, linguistic authority, real property manager, treasurer, accountant, integrity adviser, and pay and pension administrator. Given its size and importance, security and appropriate use of public money and/or property are essential to the effective management of the Department, as well as in enabling the Department to achieve its mission and support government priorities.
4. Under the Treasury Board Secretariat Policy on Government Security, "government security is the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence."
The responsibility for compliance and enforcement of the Policy includes the obligation to investigate reported allegations of misconduct. In this respect, Section 6.1.8 of the Policy mandates that deputy heads of all departments are responsible for "ensuring that when significant issues arise regarding policy compliance, allegations of misconduct, suspected criminal activity, security incidents, or workplace violence, they are investigated, acted on and reported to the appropriate law enforcement authority, national security agency or lead security agency."
5. Within the Department, the authority to investigate allegations or provide advice to delegated managers is sub-delegated to the Departmental Oversight Branch and the Human Resources Branch.
6. The focus of this report is on the special administrative investigations function,Footnote 1 which is part of the mandate of the Departmental Oversight Branch's Special Investigations and Internal Disclosure Directorate , formerly the Special Investigations Directorate (SID). Special Investigations and Internal Disclosure Directorate was created in June 2015 by merging the Special Investigations Directorate and the Internal Disclosure Office into one organization. Special Investigations and Internal Disclosure Directorate is led by the Director, Special Investigations and Internal Disclosure Directorate, who reports to the Assistant Deputy Minister, Departmental Oversight Branch.
7. In light of the above-noted organizational changes and for the purposes of this report, the unit responsible for special administrative investigations function will be referred to as the Directorate thereafter, as applicable.
8. The Directorate conducts special administrative investigations into:
- Allegations of fraud
- Conflict of interest
- Breach of trust and unauthorized disclosure of information
- Misuse of public funds or assets
- Public Servants Disclosure Protection Act cases, as required
- Other serious offences in violation of Acts or Regulations of the Government of Canada that other departmental branches are not specifically sub-delegated to address
9. From April 2012 to December 2014, the period covered by the Audit, the Directorate received 33 allegations related to special administrative investigations. At the time of this audit, the special administrative investigation business line of the Directorate consisted of two investigators.
Focus of the audit
10. The audit objective was to assess whether the management controls and operational processes were in place to support quality and consistency in the delivery of the special administrative investigations.
11. The audit scope period was from April 2012 to December 2014, which included the practices and activities for two complete fiscal years and more recent practices and activities. The following four areas were assessed as part of the Audit:
- Governance Framework for the special administrative investigations function
- Integrity of the special administrative investigations process
- Integrity in safeguarding of information
- Performance monitoring and reporting
12. More information on the audit objective, scope, approach and criteria can be found in the section "About the audit" at the end of the report.
Statement of conformance
13. The Audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
14. Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions against audit criteria, as they existed at the time. The findings and conclusions are only applicable to the entity examined and for the scope and time period covered by the Audit.
Observations
Governance framework for the special administrative investigations function
Authorities, accountabilities and roles and responsibilities for the function need to be updated
15. Well defined and established authorities, accountabilities, and roles and responsibilities are essential to increasing the prospects of an organization achieving its desired objectives. Authority is the right to direct and exact performance, responsibility is the obligation to perform, and accountability is the duty to report on performance.
16. We expected to find that authorities, accountabilities, and roles and responsibilities for the special administrative investigations function would be well defined, documented, and communicated. The Directorate would actively monitor changes in the policy environment and would be aware of specific key changes in policy instruments from which their authorities and general responsibilities are derived.
17. We determined that the services provided by the Directorate in the area of special administrative investigations reflect government priorities, which are most notably stated in the Treasury Board Secretariat Policy on Government Security and Treasury Board Secretariat Directive on Loss of Money and Property.
18. We noted, however, that the Departmental Policy is outdated. Departmental Policy 026 - Audit and Ethics Branch Investigations was the main policy to note authorities, accountabilities, and roles and responsibilities and provide general guidance in managing the special administrative investigations function within the Department. Departmental Policy 026 has not been revised since 2000 and was not reflective of changes in the organizational structure and the policy environment. Thus:
- Departmental Policy 026 noted the Treasury Board Secretariat Policy on Losses of Money and Offences and Other Illegal Acts Against the Crown issued in 1995 as the principal policy upon which the authority for the special investigations function is based. However, this Treasury Board Secretariat Policy was rescinded and was replaced by the Directive on Losses of Money or Property in 2009
- The audit portion of Departmental Policy 026 was replaced by a separate Departmental Policy 096 Policy on Internal Audit in 2013
19. Subsequent to the completion of our audit, management advised that the Departmental Policy 026 was in the process of being updated.
The organizational structure supports the discharge of accountabilities
20. A clear and effective organizational structure is a key enabler to the fulfillment of an organization's authorities, responsibilities, and accountabilities. The clear delineation of responsibilities, delegated authorities, segregation of duties and lines of communication support the effective coordination between all parts of the organization and ensure that all parties within the organization are aware of, and comply with, their responsibilities.
21. We also expected to find a clear, effective, and established organizational structure supporting the authorities, accountabilities and responsibilities for the special administrative investigations function.
22. We found the current organizational structure supports the special administrative investigations functions.
23. The 2014 to 2015 Integrated Departmental Oversight Branch Business Plan identified capacity building and aligning resources with future activities as the planning highlight for the Directorate. As part of this commitment and as part of re-organization within Departmental Oversight Branch, in June 2015, the Special Investigation and Internal Disclosure Directorate was created by merging SID and the Internal Disclosure Office into one directorate. Special Investigations and Internal Disclosure Directorate is led by a director, who reports to the Assistant Deputy Minister, Departmental Oversight Branch. This new organizational structure allows for better coordination of investigative activities and a more effective use of the Public Services and Procurement Canada's investigative resources, as the Director of Special Investigations and Internal Disclosure Directorate has the discretion to use internal disclosure and special administrative investigations resources to meet the Department's most pressing priorities.
A formal quality assurance function needs to be established
24. Quality assurance is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that focuses on error prevention. This can be contrasted with quality control, which is focused on process output. Quality assurance comprises of administrative and procedural activities implemented in a process so that requirements and goals for a product, service or activity will be fulfilled. The International Organization for Standardization 9000 series of standards define quality assurance as "part of quality management focused on providing confidence that quality requirements will be fulfilled".
25. We expected that the Directorate has in place a formally established quality assurance function in support of its special administrative investigations process, which provides for quality assurance control. Additionally, strengthening of the quality assurance function for administrative investigations was identified as part of the 2014 to 2015 Plans and Priorities for the Departmental Oversight Branch Investigative Units. This was planned to be achieved by developing a rigorous quality assurance process and centralization of the quality assurance function to ensure consistency in investigative reports.
26. We noted that for most of the period selected for audit, from April 2012 to June 2014, the organization had in place a Quality Assurance Manager. This position, however, has not been formally established and identified in the organizational structure. As of June 2014, due to personnel departures and limited resources, the quality assurance role was assumed by the Director. This was not consistent with the Directorate's special administrative investigations process, which provides for a segregation of duties between the Director review and the quality assurance activities.
27. Should management continue to be committed to establishing a separate quality assurance function for investigative units, this function needs to be funded, formalized, implemented, and consistently applied within the investigative process.
The Directorate has identified its plans and priorities to support successful delivery of its operations
28. Plans and priorities provide direction on how to achieve the objectives of the organization and define the required resources to do so.
29. We expected to find that the Directorate has identified its plans and priorities to facilitate the achievement of its operational objectives and support adequate discharge of the Directorate's responsibilities.
30. We noted that the Directorate identified, documented, and communicated to senior management its plans and priorities for the time period selected for audit. However, the status of implementation was not systematically reported upon.
31. Although the Directorate is a small organization and is aware of its objectives and priorities, without active monitoring of implementation of plans and priorities, issues may not be addressed.
There was a lack of an integrated approach to human resources planning
32. In an organization with well-designed controls, employees have the skills necessary to support the achievement of their organizational objectives. The organization should, therefore, have human resources practices aimed at recruitment and retention of staff with the required skill set. Additionally, the organization should have controls in place to support the training and development of staff.
33. We expected to find a holistic approach to the human resources capacity planning and building to support the Directorate's current and future resource and competency needs. Thus, we expected that competency and capacity requirements would be identified; human resource plans would be developed to secure the required resources; job descriptions and skills requirements would be linked to the mandate and the roles and responsibilities; and, training plans and/or programs would be developed and would link the mandate, roles and responsibilities, and skills requirements.
34. During our interviews,Footnote 2 human resources capacity was identified as one of the top challenges faced by the investigations function in the federal government. This is because there is a limited pool of individuals with expertise in administrative investigations. To address this issue, a common practice used by federal organizations is to choose administrative investigation professionals from law enforcement agencies, who are often engaged on a permanent basis to conduct administrative investigations. These individuals possess skills in criminal-type investigations and are provided with training and job shadowing opportunities to apply administrative investigation techniques.
35. We noted that the 2014 to 2015 Departmental Oversight Branch Integrated Business Plan identified transformational initiatives to build capacity and align resources with future activities as the Directorate's planning highlight. We noted that specific actions were taken to build and strengthen the Directorate's investigative capacity. For instance, the Directorate has hired former members of the Royal Canadian Mounted Police to be investigators. The Directorate also utilized forensic accountants from the Forensic Accounting Management Group in Departmental Oversight Branch. The Directorate's employees attended relevant training courses and seminars. New staff participated in job shadowing.
36. However, the Directorate lacked a holistic approach to the human resources capacity planning and building:
- The Directorate's Human Resources Plan has not been revised since 2011 to 2012 to provide analysis of current and future resource and competency needs and identify human resource strategies
- Job descriptions were developed; however, they were not updated for the Director's position and the Investigative Officer's position to reflect specific changes in the scope of responsibilities
- Based on comparative analysis, we established that competency requirements to staff the Director's position in 2012 did not align with the competency requirements for the equivalent positions in other organizations. As for the competency requirements to recruit investigators, they were comparable to those in other organizations. At the same time, based on audit interviews and consultations, there may be a need to revisit competency requirements for the administrative investigation professionals in the Department and the federal government overall to ensure that they possess the necessary experience, knowledge, and skills to discharge their responsibilities
- Specific training requirements for the special administrative investigations personnel were not formally identified and documented. Sound management practices were noted in other federal organizations, when investigative units had identified mandatory and recommended training for their investigators. Additionally, certain investigative units supported certification in the disciplines relevant to work (for example, Certificate in Access to Information and Protection of Privacy; and Certified Forensic Investigators Accreditation)
37. In the absence of a comprehensive approach to human resource planning, the Directorate may not acquire and secure the required competencies and capacity to provide quality and timely special administrative investigation services. It may also lead to additional recruitment pressures in a competitive field where expertise and experience are limited.
A life cycle process to manage procedures was not implemented
38. Operational policies, procedures and processes serve as the basis for actions to be carried out in a consistent and structured manner. Processes and procedures must be well developed and comply with the relevant policies and directives. Additionally, research, consultation and effective policy development result in sound and relevant policy direction and guidance that, in turn, provides the discipline, standards and structure within which, operational activities must take place.
39. We expected to find that special administrative investigations operational policies, procedures, and processes are developed, formally approved, and are current to support the discharge of roles and responsibilities for the special administrative investigations function. We also expected that there would have been an established process for the development, revision, maintenance, and approval of policies, procedures and processes for the special administrative investigations function.
40. There was no central agency policy and/or directives for the special administrative investigations function; but rather, functional guidance and advice in this area were noted in Treasury Board Secretariat's Handbook on Administrative Investigations into Misconduct. The Handbook lists general principles and offers best practices in the management of administrative investigation processes into misconduct. Thus, federal government organizations are expected to develop their own policies, directives, and/or guidelines to support stakeholders in fulfilling their responsibilities.
41. We found that the general process for the Public Services and Procurement Canada special administrative investigations function has been developed and documented. Additionally, the 2011 Directorate's Operational Guidelines for the Conduct of Investigations were in place to enhance stakeholders' understanding of the process and provide further guidance in carrying out special administrative investigations. The Guidelines include templates to assist the Directorate's staff in fulfilling their responsibilities, as well as to assist in carrying out investigations with consistency and procedural fairness.
42. However, we determined that processes should be further developed and/or established to enhance application of the administrative law principle of procedural fairnessFootnote 3. More specifically:
- We observed that there was no requirement to notify the individual(s) who is (are) subject to the investigation in writing (that is, via a formal letter of notification)Footnote 4. Neither was there a requirement to keep a record of such notification in the investigation file. The responsibility to inform rests with the employee's immediate manager upon advice from the Directorate and in consultations with the Labour Relations, Human Resources Branch. The Privacy Act is not specific as to the means to notify an individual under investigation. Article 5(2) of the Privacy Act states that
"a government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected"
. However, in our opinion, absence of a written notification creates a risk that an individual is not duly informed and the principle of procedural fairness is met - An interim investigation report was not required to be provided to the individual under investigation for validation and comments. Only the final investigation report that included conclusions was sent to the individual under investigation, who was allowed five days for rebuttal prior to the invoke of discipline as required. Since an investigation report's conclusions are not shared with the respondent(s) in a preliminary way, this creates a risk that during the disciplinary phase new information may arise, resulting in significant discrepancy between the final report and the end result after the disciplinary phase
- There was no specific notification process for the special administrative investigations unit to know if the investigation file could be closed and be accordingly destroyed at the set up destruction date; or whether the information in the file is still needed by its partners (that is, Human Resources Branch). We were advised that a discussion had been initiated at the Investigations Management Framework Committee regarding the need to develop a notification process to address this issue
43. We also noted that additional guidance was needed for specific key steps in the investigation process, including:
- Clarification for when a preliminary assessmentFootnote 5 concludes and an investigation commences to ensure conformance to the applicable legislation and to optimize the limited resources
- Confirmation of the quality assurance control points in the special administrative investigations process to ensure quality of outputs and consistency in performing these investigations
44. Departmental processes and procedures and their consistent application may be subject to scrutiny in court proceedings, where these processes and procedures are assessed for procedural fairness. To facilitate the establishment of sound and relevant processes and procedures for the special administrative investigations function, the Directorate should establish a process for the development, revision, maintenance, and approval of policies, procedures, and processes.
Integrity of special administrative investigations process
Management of operational risks could be enhanced
45. In an environment with well-designed controls, management and staff have a good understanding of the internal and external factors that may expose their strategic and operational objectives to risk. Accordingly, an organization's control framework must include formal, documented risk management practices to assist decision-making and permit the appropriate response to the residual risk exposure.
46. We expected to find that management would have a formalized process or an approach to identify and manage its operational risks to support the delivery of the special administrative investigations services.
47. We found that operational risks to the delivery of the special administrative investigations services were identified and documented and associated risk mitigation measures were embedded in the special administrative investigations process. For instance, the Directorate took a risk-based approach to investigations by performing preliminary assessments to determine the veracity and nature of allegations and information, and whether a further investigation is warranted. Additionally, the Assistant Deputy Minister, Departmental Oversight Branch was briefed weekly on the status of the preliminary assessments and investigations together with their associated risks.
48. However, we noted that, although specific risk mitigation measures were identified, they were not always consistently or adequately applied:
- Priority assessments:
- As per the Directorate's Operational Guidelines for the Conduct of Investigations, cases that warranted an investigation by the Directorate required completing a priority assessment, which was meant to determine the level of priority for the investigation, the need to engage partners and to identify risks associated to a particular investigation case. A Risk/Priority Matrix was developed by the Directorate to assist with priority assessment. However, the file review revealed priority assessments were either not formally performed or documented.
- Working with partners:
- Assessing the need to engage partnersFootnote 6 early in the process and working with the partners to address potential issues was identified as part of the Directorate's risk management process. For the period in scope for the audit, there was a lack of documented evidence that the Directorate consulted as expected with Labour Relations during specific investigations. Despite this, we noted that effective in the fall 2015, an internal control was introduced whereby the Departmental Oversight Branch and Human Resources Branch Coordination Committee was created. The Committee is expected to meet bi-weekly and includes Special Investigations and Internal Disclosure Directorate, the Corporate Security Services, and the Labour Relations. The Committee allows for early and continuous engagement of the above-noted stakeholders in the process and provides a forum to these stakeholders to discuss specific cases, identify case specific risks, and coordinate investigative activities.
- Legal advice:
- We expected that significant risks would be reviewed by the Legal Services Unit. However, the file review indicated that opportunity was not always taken to obtain a legal opinion. Failure to consult with Legal Services Unit could result in the Department being exposed to unanticipated legal risks.
- Quality assurance:
- There was a lack of documented evidence that quality assurance took place when expected to mitigate the risks associated with investigations and the quality of the Directorate's investigation reports. Failure to adequately execute supervisory review and quality assurance may result in inconsistencies in carrying out investigations. It may also expose the quality and timeliness of the Directorate's services and lead to lack of adherence to regulatory requirements and general administrative principles.
Operational procedures not consistently applied
49. The Directorate's Operational Guidelines for the Conduct of Investigations state that the general purpose of the Directorate's quality assurance is "to ensure that each investigation complies with these guidelines, as well as regulatory and legal requirements, and all reports issued are appropriate for the circumstances."
50. We expected to find that the Directorate's special administrative investigations processes would be consistently followed and adequate supervision and quality assurance of the investigative work would be in place.
51. We reviewed 100% of the Directorate's files closed during the period January 2013 and December 2014. In total, 18 files were reviewed, which included six cases that were investigated and 12 cases that were not investigated. For the six cases that were investigated: three were founded; two unfounded; and one inconclusive. These six cases included interviews of 18 employees.
52. The summary of the file review results is presented in the Table below.
Procedure to be completed | Compliance Results |
---|---|
Investigation Plan Prepared | 2/6 |
Investigation Plan Approved | 1/6 |
Consent Forms Completed | 5/18 |
Employee subject to investigation notified | 2/3 |
Quality Control by Assistant Deputy Minister, Departmental Oversight Branch | 6/6 |
Procedure to be completed | Compliance Results |
---|---|
General Occurrence Report completed | 12/12 |
General Occurrence Report Signed by Director | 8/12 |
53. The file review indicated that the Directorate's Operational Guidelines for the Conduct of Investigations were not consistently followed. The file review also noted that approved templates were not used to ensure that key steps are executed in a consistent manner and are documented. Justification or rationale was not documented, when key steps were not performed. Further, in some instances we also observed that regulatory requirements were not respected and the administrative law principles of delegation of authority, procedural fairness and privacy considerations were not appropriately applied.
Integrity in safeguarding of information
Gaps in the Directorate's information management practices need to be addressed
54. The availability of quality and timely information supports the delivery of efficient and effective services, while meeting operational responsibilities, and legal obligations and accountabilities. The collection and retention of investigation-related information, data and documentation in a designated system can assist with tracking key statistics and critical activities throughout the investigation process and allows for easy access to up-to-date information.
55. We expected that security safeguards would be in place for the records and information handled by the Directorate. We further expected that information management systems would be used effectively to manage records and information. Lastly we expected that requirements for information management retention and disposition would be defined and documented.
56. We found that as per the requirements of the 2014 Department's Guide on Transport, Transmittal, Storage and Destruction of Protected and Classified Information, security safeguards were in place for the Protected B information that the Directorate handled for the period audited from April 2012 to December 2014.
- The Directorate was located in a Security Zone, where access was limited to personnel who worked there and properly escorted visitors
- We were advised that the Directorate uses a separate local area network (LAN) within the Department to store information and records electronically. The safeguards of the LAN allowed it to store information up to Protected B level. Until April 2015, the Directorate used the Lotus Notes system, housed on this LAN, for tracking key file information. The Directorate also used encryption for transmittal of information by email
57. However, we noted gaps in information and records management. The information in the Lotus Notes was not complete and was not consistently tracked for investigation files. For nine out of 18 files reviewed, there were missing open date or closed date (three did not note a specific start date entered; six did not note a specific closed date).
58. Additionally, the Directorate did not use the Lotus Notes system to its full capacity to track pertinent information (that is preliminary assessments, requests for investigation, investigation reports) and/or working papers. Detailed working papers were kept as hard copies.
59. Management was aware of the information management gaps and initiated actions to address them.
- Effective April 2015, the Directorate started systematically tracking key file information and statistical information pertaining to special administrative investigations in an Excel spreadsheet. The new Excel system allows for the generation of specific types of statistics and performance information for the purposes of monitoring and reporting. However, we noted that specific key information was not tracked in the system (that is, the date of the receipt of a complaint, the closing date of an investigation file)
- Office of Primary Interest advised that, effective April 2016, the Directorate employs the Site-Secure application to electronically maintain detailed working papers and records pertaining to special administrative investigations. The Audit did not test the security safeguards and use of the Site-Secure application. However, several security safeguard concerns related to the department's use of the Site-Secure application were identified and will be reported via the 2015-712 Audit of the Corporate Security Investigative Function conducted by the Office of Audit and Evaluation
- In June 2015, the Directorate created an Analyst Officer position whose main responsibility is information and records management
60. With regards to retention and disposition of records, we noted that a formal information retention and disposition schedule was not established for the special administrative investigations function. However, the Directorate consulted with records management prior to the destruction of records.
61. We reviewed the 2015 Disposal Agreement between the Directorate and the Records Management, which provided for the two year retention period and authorized the destruction of the records thereafter. We noted that the retention and destruction period was determined based on the Multi-Institutional Disposition Authority 98/001, relating to common administrative records. Based on our review, the definition pertained to the corporate security investigations records. While it was believed to be the most relevant definition, it may not be appropriate for special administrative investigations records and may affect an individual's rights pursuant to the Privacy Act and/or to the Access to Information Act.
62. We have also noted that as of February 2015, the Department has in place a Departmental Retention and Disposition Schedule, which was approved by the Acting Chief Information Officer and which determines the retention and disposal period for the departmental information resources of business value,Footnote 7 including the special administrative investigations function. This audit did not assess the processes around the development and communication of the Schedule.Footnote 8
Performance monitoring and reporting
Monitoring and reporting on performance could be improved
63. Relevant and reliable information on organizational performance must be gathered for transparent and timely reporting and decision-making. Organizational performance must be actively monitored to explain performance variances, determine trends, and adjust processes, controls, and service standards accordingly.
64. Currently, there are no industry or Treasury Board Secretariat standards in place for the administrative investigations function. Treasury Board Secretariat's role is to provide advice and guidance. There is no oversight by Treasury Board Secretariat or an established framework for the monitoring and overall assessment of the performance related to special administrative investigations in the federal government. Hence, greater reliance is put on the departmental performance monitoring.
65. We expected that management would have developed appropriate service standardsFootnote 9 and performance measures to assess and report on the effectiveness of special administrative investigations function. We further expected, the service standards would be linked to operational performance targets, which are designed to assist management to assess operations against overall organizational objectives. Finally, we expected, the Directorate's performance monitoring to be conducted on a regular basis and reported.
66. The Directorate has established a single service standard for the Directorate's administrative investigations that is 90 business days to prepare an investigation report. The performance target for achieving this standard has been set at 80 percent. We confirmed with management that the period of time to prepare a report is the period from the formal initiation of an investigation, when the request for an investigation is approved by the Assistant Deputy Minister, Departmental Oversight Branch to the date of the approval of an Investigation Report by Assistant Deputy Minister, Departmental Oversight Branch. However, the definition of what the start and the end dates are was not formally established or documented to ensure consistent interpretation and application.
67. The Directorate's performance informationFootnote 10 function was reported quarterly to senior management via the Departmental Oversight Branch Scorecard.
68. The file review indicated that the service standard level of 90 days was not attainable in most cases. For five special administrative investigation files assessed, on average, it took 123 working days to complete an investigation report.Footnote 11 For one of these files the report was prepared within 90 days, and for the rest the 90 day service level was exceeded. Additionally, there was a lack of sufficient justification or rationale on file to explain the variances.
69. We also noted that service standards were not established for specific critical steps in the investigative process. For instance, there was no standard to perform preliminary assessments, which may have an impact on the quality of the services provided. The time taken by the Directorate to perform preliminary assessments was significantly higher than the 20-30 day service standard in the organizations selected for consultations and comparative analysis. Based on the results of the file review, on average, the Directorate's completion time to conduct preliminary assessments was 62 days for investigative files and 134 for non-investigated files.Footnote 12
70. Without active monitoring and analysis of operational performance, the Department may not be able to assess the effectiveness of performance of the special administrative investigations function, identify areas for improvement, address control and process weaknesses, and adjust service standards and performance measurements, as required.
Conclusion
71. Ensuring that management controls and operational processes for the special administrative investigations function are in place and function as intended provides management with a level of assurance that these investigations are being conducted appropriately.
72. Overall, we found that the Governance Framework would benefit from enhancement, particularly in terms of updating the departmental governing policy, formally establishing a quality assurance function, taking an integrated approach to capacity building, and better management of operational procedures. Additionally, there are risks to the integrity of the process due to inconsistent management of operational risks and inconsistent application of procedures. There are also risks to the integrity of safeguarding the information. Finally, performance monitoring and reporting needs improvement. Improvements in these areas will enhance the consistency and quality of the special administrative investigations.
Management response
Management has had the opportunity to review the report, and agrees with the conclusions and recommendations found therein. Management also developed a Management Action Plan to address these recommendations.
Recommendations and management action plan
- Recommendation 1:
- The Assistant Deputy Minister of the Departmental Oversight Branch should strengthen the Governance Framework for the special administrative investigations function via:
- Implementation of a life-cycle process for the development, revision, maintenance, and approval of the policies and procedures
- Implementation of a formal quality assurance function that covers the complete lifecycle of the special administrative investigations process
- Implementation of an integrated approach to the human resource capacity building
- Management action plan 1.1:
- Life cycle of 2 years to be put in place to review the policies and procedures that guide the work of the Directorate (such as Departmental Policy 026 and Special Investigations and Internal Disclosure Directorate's Operational Guidelines for the Conduct of Investigations). Articulation of this will be in the Directorate's Operational Guidelines.
Additionally, as part of the life cycle process to manage procedures, the Directorate will address procedural gaps identified by the audit.
- Management action plan 1.2:
- A formal three stage quality assurance process has been developed and is to be implemented by April 1, 2017. The first stage will be prior to seeking a mandate for investigation from the Assistant Deputy Minister of Departmental Oversight Branch, in order to ensure that proper steps have taken and documented, and that the investigation is within the Special Investigations and Internal Disclosure Directorate's mandate. The second phase will be prior to final report being issued in order to ensure that the investigation is on track and the employee subject of investigation has an opportunity to review draft report. The third phase will be at the conclusion of investigation, which will be to ensure that liaison with Labour Relations of the Human Resources Branch is clearly outlined in file; a proper index is enclosed; and that the employee has been notified of investigation as directed in Treasury Board Secretariat's Handbook on Administrative Investigations into Misconduct.
- Management action plan 1.3:
- The Directorate will develop an integrated human resources plan in order to identify its needs with respect to expertise needed to meet its expanded mandate.
- Recommendation 2:
- The Assistant Deputy Minister of the Departmental Oversight Branch should ensure that operational risks are consistently managed and the operational procedures are consistently applied to strengthen the integrity of the special administrative investigations process.
- Management action plan 2.1:
- Implementation of Management Action Plan 1.2 above is expected to result in a more rigorous quality assurance process that will ensure that key steps in the special administrative process are followed and documented so that investigation risks are identified and mitigated.
- Recommendation 3:
- The Assistant Deputy Minister of the Departmental Oversight Branch should implement controls to ensure integrity in safeguarding of information related to the special administrative investigations function.
- Management action plan 3.1:
- The security safeguard concerns related to the use of the Site-Secure application, which houses information related to the special administrative investigations, are expected to be addressed via implementation of the Management Action Plan on response to the recommendations of the 2015-712 Audit of the Corporate Security Investigative Function conducted by the Office of Audit and Evaluation. This Management Action Plan was approved at the Audit and Evaluation Committee meeting on January 23, 2017 and is to be implemented by January 31, 2018.
- Recommendation 4:
- The Assistant Deputy Minister of the Departmental Oversight Branch should implement appropriate service standards and should ensure active monitoring of performance against the service standards in order to support effective delivery of the special administrative investigations function.
- Management action plan 4.1:
- The Directorate's service standards will be modified to ensure that clarity exists around when an investigation starts and ends, as well as percentage of files to be completed within established standards (90 days for Tier 2 files, and 120 days for Tier 1 files). The Directorate will also review the service standards to ensure that appropriate service standards are in place for critical steps in the investigative process (for example, preliminary assessments) in order to support effective delivery of the special administrative investigations function.
About the audit
Authority
The authority for the conduct of this engagement comes from the Department's 2014 to 2018 Risk-Based Audit and Evaluation Plan, which was approved by the Deputy Minister.
Objective
The audit objective was to assess whether the management controls and operational processes in place to support quality and consistency in the delivery of special administrative investigations.
Scope and approach
The focus of the Audit was on the departmental special administrative investigations function. This function is administered by the Special Investigations and Internal Disclosure Directorate, formerly the Special Investigations Directorate. Special Investigations and Internal Disclosure Directorate was created in June 2015 by merging the Special Investigations Directorate and the Internal Disclosure Office into one organization.
The audit scope period was from April 2012 to December 2014, which included the practices and activities for two complete fiscal years and more recent practices and activities. The Audit focused on the four areas below that were considered to be relevant and important to the special administrative investigations function, based on the risk assessment:
- Governance Framework for the special administrative investigations function
- Integrity of the special administrative investigations process
- Integrity in safeguarding of information
- Performance monitoring and reporting
The Audit was not designed to assess whether or not fraud and wrongdoing has occurred.
This audit reports on the findings specific to the special administrative investigation function only, as opposed to those findings that are more general in nature and cut across all Public Services and Procurement Canada investigative functions. The latter findings will be noted and reported on as part of the Horizontal Audit of the Public Services and Procurement Canada Investigative Management Accountability Framework that is currently being conducted.
This audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.
Criteria
The criteria for this audit were chosen based on the results of the risk assessment performed during the audit planning and survey phase. The criteria were developed by referencing the 2011 Office of Comptroller General's Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors.
The criteria were as follows:
Lines of enquiry | Audit criteria |
---|---|
Governance framework | 1.1 Authorities, accountabilities and general responsibilities related to the Directorate's special administrative investigations function are clearly defined, documented, and established to support the organization in fulfilling its obligations under the 2009 Policy on Government Security to investigate, act and report on allegations of employee misconduct. |
1.2 Operational policies, procedures and processes are established, documented, and are adequately maintained to support the discharge of the Directorate's responsibilities for the Public Services and Procurement Canada special administrative investigations function. | |
1.3 The Directorate's planning processes aimed at the achievement of operational objectives and commitments, consider risk information, current and future resource and competency needs in support of the special administrative investigations function. | |
Integrity of special administrative investigations process | 2.1 The Directorate has in place a process or an approach to identify and manage risks that may preclude from successfully delivering special administrative investigations. |
2.2 Processes and controls are implemented to provide assurance on the quality and consistency in the performing of special administrative investigations. | |
Integrity in safeguarding of information | 3.1 The Directorate's records and information are maintained in accordance with generally accepted government information management requirements; and organized and handled to support the special administrative investigations function. |
Performance monitoring and reporting | 4.1 The Directorate has appropriate service standards and performance measures to assess and report on the effectiveness of special administrative investigations function. |
Audit work completed
Audit fieldwork for this audit was substantially completed in November 2015.
Audit team
The Audit was conducted by members of the Office of Audit and Evaluation and an audit consultant, overseen by the Director of Continuous Auditing and Advisory Services and under the overall direction of the Chief Audit and Evaluation Executive.
The Audit was reviewed by the quality assessment function of the Office of Audit and Evaluation.
- Date modified:
- 2017-06-16