Audit of the internal disclosure process (final report)

Executive summary

i. This engagement was initiated at the request of the Audit and Evaluation Committee in June 2015 as part of the Horizontal Audit of the Public Services and Procurement Canada Investigation Management Accountability Framework, to provide assurance on the effectiveness of the management controls and investigation practices within the Department.

ii. The Public Servant's Disclosure Protection Act came into force on April 15, 2007 following the adoption of the Federal Accountability Act, in December 2006. The goal of the Public Servant's Disclosure Protection Act is to encourage employees in the federal public sector to come forward if they have reason to believe that a wrongdoing in the workplace has taken place or is about to take place. The following activities are defined as wrongdoings under the act:

• a contravention of an act of Parliament or of the legislature of a province or of any regulations made under any such act
• a misuse of public funds or a public asset
• a gross mismanagement in the public sector
• an act or omission that creates substantial and specific danger to the life, health and safety of persons or to the environment, other than a danger that is inherent in the performance of the duties or functions of a public servant
• a serious breach of a code of conduct or
• knowingly directing or counseling a person to commit any of the wrongdoings as set out above

iii. The Deputy Minister of Public Services and Procurement Canada has designated the Assistant Deputy Minister, Departmental Oversight Branch, as the Senior Officer responsible for the implementation of the Public Servant's Disclosure Protection Act within Public Services and Procurement Canada.

iv. Under the Public Servant's Disclosure Protection Act, federal government employees have a choice of making a disclosure of wrongdoing to their supervisors, the Senior Officer designated by the Deputy Minister or the Public Service Integrity Commissioner. The act protects public servants who make a protected disclosure, in good faith or cooperate in an investigation into a disclosure, against reprisal. Moreover, the act requires the Deputy Minister to ensure the confidentiality of the information collected and to protect the identity of the persons involved in the disclosure - disclosers, witnesses and alleged wrongdoers.

v. In June 2015, the Office of Internal Disclosure and the Special Investigations Directorate were combined to become the Special Investigations and Internal Disclosure Directorate. In October 2015, responsibility for corporate security investigations, previously managed by the Corporate Security Directorate, was transferred to the Special Investigations and Internal Disclosure Directorate. These decisions were taken to create operational efficiencies and to better align investigative expertise with available resources. Currently there are three investigation business lines within the Special Investigations and Internal Disclosure Directorate - Internal Disclosure, Administrative Investigations and Procurement Reviews.

vi. The objective of this audit was to determine whether selected elements of the Management Accountability Framework were in place and functioning as intended to support the internal disclosure process. The audit scope period was from April 1, 2014 to March 31, 2016. Formal administrative investigations related to security incidents and special investigations conducted by the internal disclosure business line were excluded from the scope of this audit, as these investigative functions were assessed as part of the recently completed audits of the Public Services and Procurement Canada Special Investigations Directorate and the Audit of the Corporate Security Investigative Function.

vii. Overall, we found that management controls for the internal disclosure process were in place however opportunities for improvement exist. Increased rigour and managerial review of the investigators' initial assessment of disclosures and the strengthening of controls, particularly in the area of performance monitoring and reporting to stakeholders, will allow the internal disclosure business line to enhance the overall efficiency and quality of their investigation process.

Management response

Management has had the opportunity to review the report, and agrees with the conclusions and recommendations found therein.  Management also developed a Management Action Plan to address these recommendations.

Recommendations and management action plan

Recommendation 1:

The Assistant Deputy Minister of the Departmental Oversight Branch should develop detailed criteria to be used as part of the initial assessment and determination as to whether received disclosures met the threshold for investigation under the Public Servant's Disclosure Protection Act.

The Assistant Deputy Minister of the Departmental Oversight Branch should also ensure that investigator's initial assessments of disclosures are appropriately reviewed and approved prior to commencing a preliminary investigation.

Management action plan 1.1:

Treasury Board Secretariat guidelines as well as Public Sector Integrity Commissioner precedents on what is considered "serious wrongdoing" and "gross mismanagement" to be integrated into the Internal Disclosure procedures manual.

As part of the Quality Assurance process implemented, to review disclosures in the first instance, justification to either proceed or not with an investigation will have to be articulated against the established criteria to ensure that the threshold set out in the Public Servant's Disclosure Protection Act is met.

The Director is fully briefed at all stages of a disclosure and investigation. The Senior Officer is in turn briefed on these matters on a bi-weekly basis by the Director.

Recommendation 2:

The Assistant Deputy Minister of the Departmental Oversight Branch should develop and implement formal quality control activities that cover the complete lifecycle of the internal disclosure process.

Management action plan 2.1:

The lifecycle of protected disclosures is as follows:

1. intake and assessment (Quality assurance form developed as indicated above)
2. preliminary Review which determines the validity and credibility of information provided by the discloser and which result in a recommendation to the Senior Officer with recommendations as to whether the matter should be fully investigated. Quality assurance process has been established for this stage of the disclosure
3. investigation and investigation report will be subject to a third Quality assurance process
4. post investigation requirements. Quality assurance form has been developed for this fourth stage

Recommendation 3:

The Assistant Deputy Minister of the Departmental Oversight Branch should 1) implement appropriate performance indicators and 2) develop and implement controls to ensure the accuracy and timeliness of information being reported to stakeholders.

Management action plan 3.1:

Service standards have recently been amended and approved by the Assistant Deputy Minister of Departmental Oversight Branch.

Special Investigations and Internal Disclosure directorate has developed a Comprehensive Report which tracks all investigations and their status. Priority is given to keeping this report updated and accurate.

In respect to general inquiries, only general enquiries as defined in the Treasury Board Secretariat yearly call letter will be placed in this category.  This definition is as follows, "General inquiries" refers to inquiries regarding procedures established under the act or possible wrongdoings, not including actual disclosures. Also, general inquiries are now being logged in a bulk file for each fiscal year in the Special Investigations and Internal Disclosure directorate comprehensive ledger.

Introduction

1. This engagement was initiated at the request of the Audit and Evaluation Committee in June 2015 as part of the Horizontal Audit of the Public Services and Procurement Canada Investigation Management Accountability Framework, to provide assurance on the effectiveness of the management controls and investigation practices within the Department. 

2. The Public Servant's Disclosure Protection Act came into force on April 15, 2007 following the adoption of the Federal Accountability Act, in December 2006. The goal of the Public Servant's Disclosure Protection Act is to encourage employees in the federal public sector to come forward if they have reason to believe that a wrongdoing in the workplace has taken place or is about to take place. The following activities are defined as wrongdoings under the act:

• a contravention of an act of Parliament or of the legislature of a province or of any regulations made under any such act
• a misuse of public funds or a public asset
• a gross mismanagement in the public sector
• an act or omission that creates substantial and specific danger to the life, health and safety of persons or to the environment, other than a danger that is inherent in the performance of the duties or functions of a public servant
• a serious breach of a code of conduct or
• knowingly directing or counseling a person to commit any of the wrongdoings as set out above

3. The Deputy Minister of Public Services and Procurement Canada has designated the Assistant Deputy Minister, Departmental Oversight Branch, as the Senior Officer responsible for the implementation of the Public Servant's Disclosure Protection Act within Public Services and Procurement Canada.

4. Under the Public Servant's Disclosure Protection Act, federal government employees have a choice of making a disclosure of wrongdoing to their supervisors, the Senior Officer designated by the Deputy Minister or the Public Service Integrity Commissioner. The act protects public servants who make a protected disclosure, in good faith or cooperate in an investigation into a disclosure, against reprisal. Moreover, the act requires the Deputy Minister to ensure the confidentiality of the information collected and to protect the identity of the persons involved in the disclosure - disclosers, witnesses and alleged wrongdoers.

5. In June 2015, the Office of Internal Disclosure and the Special Investigations Directorate were combined to become the Special Investigations and Internal Disclosure Directorate. In October 2015, responsibility for corporate security investigations, previously managed by the Corporate Security Directorate, was transferred to the Special Investigations and Internal Disclosure Directorate. These decisions were taken to create operational efficiencies and to better align investigative expertise with available resources. Currently there are three investigation business lines within the Special Investigations and Internal Disclosure Directorate - Internal Disclosure, Administrative Investigations and Procurement Reviews.

6. The internal disclosure business line has primary responsibility for accepting, triaging, and responding to Public Servant's Disclosure Protection Act inquiries and disclosures, assessing disclosures to determine whether a formal investigation is required or if the matter would be more appropriately resolved by another internal investigative body such as Labour Relations. All investigators within the Special Investigations and Internal Disclosure Directorate, with the exception of procurement review analysts, can be assigned to an internal disclosure file as well as a traditional administrative investigation, as needed. 

7. The internal disclosure business line also coordinates with the Public Sector Integrity Commissioner and the Office of the Chief Human Resources Officer at Treasury Board Secretariat and is required to annually report incidences of disclosures to Treasury Board Secretariat. During the 2015 to 2016 fiscal year, the internal disclosure business line reported 45 disclosures. Of these 45 disclosures, 22 were received during 2015 to 2016 and 23 were carried over from the previous fiscal year. During 2015 to 2016, 22 disclosures were acted upon, 11 were not and 12 were carried over to the 2016 to 2017 fiscal year.

8. At the time of this audit, the internal disclosure business line consisted of two investigators and had an operating budget of $250,000, with salary dollars accounting for roughly 88% of the budget.

Focus of the audit

9. The focus of this audit was to determine whether selected elements of the Management Accountability Framework are in place and functioning as intended to support the internal disclosure process^{Footnote 1}. The audit scope period was from April 1, 2014 to March 31, 2016. Formal administrative investigations related to security incidents and special investigations conducted by the internal disclosure business line were excluded from the scope of this audit as these investigative functions were assessed as part of the recently completed audits of the Public Services and Procurement Canada Special Investigations Directorate and the Corporate Security Investigative Function.

10. More information on the audit objective, scope, approach and criteria can be found in the section "About the Audit" at the end of the report.

Statement of conformance

11. The Audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

12. Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The findings and conclusion are only applicable to the entity examined and for the scope and time period covered by the audit.

Integrity of the internal disclosure process

Processes and procedures governing the management of internal disclosure investigations are in place and consistent with the Public Servant's Disclosure Protection Act

13. Confidence in public institutions is enhanced by establishing effective procedures for the disclosure of wrongdoings and for protecting public servants who disclose wrongdoing. The Public Servant's Disclosure Protection Act requires Senior Officers to establish internal procedures to manage disclosures made under the act. Establishing procedures creates a standard against which to compare and supports consistency of investigation practices.

14. We expected to find established processes and procedures in place for conducting internal disclosure investigations and that these processes and procedures would be aligned with the requirements of the Public Servant's Disclosure Protection Act, as well as, supporting Treasury Board of Canada Secretariat and departmental policy instruments.

15. We found that the internal disclosure business line had established standard operating procedures which define expectations and procedural steps to be followed in an internal disclosure investigation. The Internal Disclosure Procedures Manual (the Manual) explains the principles of the Public Servant's Disclosure Protection Act, roles and responsibilities of the Senior Officer and provides functional direction and guidance to investigators on how investigations should be conducted. The Manual also outlines each of the procedural steps to be taken by investigators from the intake of a disclosure of wrongdoing, conducting an assessment, and/or an (preliminary) investigation, to reporting and communicating the outcome of the disclosure. Overall, we found the Manual to be clear and detailed.

16. We conducted a comparative review of the internal disclosure procedures manual against the Public Servant's Disclosure Protection Act, and applicable Treasury Board Secretariat and departmental policy instruments, such as the departmental Policy on Public Servants Disclosure Protection and found the Manual to be consistent with the requirements defined in these policy instruments.

17. The internal disclosure business line has developed and uses a number of tools and templates to further complement the Manual, such as generic templates for reports, interview preambles and letters to be sent to disclosers and alleged wrongdoers. The development of these tools further supports efficiency and rigour in the conduct of internal disclosure investigations.

18. We noted that absent from the Manual was reference to providing the alleged wrongdoer with a copy of the draft or final investigation report. Although not a legislative or policy requirement, the absence of this procedural step appears to conflict with the concepts of natural justice and procedural fairness which affords individuals the opportunity to know and respond to the evidence that has been gathered against them. While the Public Servant's Disclosure Protection Act does not guarantee an individual the right to be heard, it does, in keeping with procedural fairness, require that all reasonable measures be taken to give the alleged wrongdoer a full and ample opportunity to respond to allegations against them.

19. The internal disclosure business line has recently developed new guidance which appears to address this gap, formalizing the practice of providing the alleged wrongdoer with a copy of the draft investigation report and an opportunity to comment. As of November 2016, when the examination phase of this audit concluded, this guidance had yet to be incorporated into the Manual.

Procedures were adequately implemented however practices for assessing disclosures could be strengthened

20. The consistent application of internal disclosure investigation procedures supports the integrity of the internal disclosure process, ensuring that all employees are treated equitably and given appropriate recourse to due process. We expected established processes and procedures to be consistently applied to ensure compliance with applicable legislation and policies and to support the reliability of the investigation process.

Conducting investigations

21. We reviewed a sample of 10 Public Servant's Disclosure Protection Act files, from a population of 20, covering the audit scope period. Testing criteria were developed based on procedural steps identified in the Manual. Overall, our review indicated that files were administered in a manner consistent with the Manual. For example, all reports, (preliminary and investigation) were appropriately prepared and signed-off by the Senior Officer; alleged wrongdoers were made aware of the investigation; all interviewees were informed of their rights and obligations prior to interviews commencing; and all reports contained evidence that the discloser was informed of the investigation results.

Assessing disclosures

22. For only two of the 10 files in our sample, was there evidence of managerial review and sign-off by the Director of the Special Investigations and Internal Disclosure Directorate or by the Senior Officer as to whether they concurred with the investigators' assessment that the received disclosure(s) should be investigated under the Public Servant's Disclosure Protection Act, rejected or referred to another internal investigative group, such as Staffing Oversight or Special Investigations.

This procedural step is imperative, as the Public Servant's Disclosure Protection Act is intended to address serious forms of wrongdoing that, because of their scale and nature, have the potential to adversely affect public confidence in the integrity of the federal public sector.

We assessed that three of the 10 files reviewed did not clearly meet the Public Servant's Disclosure Protection Act definition of wrongdoing. Two of these files pertained to an undisclosed conflict of interest in a staffing action and the third was related to abuse of tele-work privileges. We noted that the preliminary investigation for the conflict of interest files took 116 business days to complete while the tele-work case took 78 business days. We assessed that a considerable amount of work had been performed for files that were ultimately determined as not meeting the threshold for wrongdoing under the Public Servant's Disclosure Protection Act.

23. During the examination phase of this audit, we met with management at the Office of the Public Sector Integrity Commissioner to discuss how departments could better assess and determine whether an allegation meets the threshold for investigation under the Public Servant's Disclosure Protection Act. Through this discussion, the importance of developing detailed criteria, as well as, the need for the Senior Officer to actively engage pertinent departmental stakeholders, such as legal services, was discussed.  

24. The internal disclosure business line has not developed their own detailed criteria with thresholds such as materiality or position of alleged wrongdoer. Furthermore, files reviewed lacked evidence that the internal disclosure business line regularly engaged Legal Services to obtain their input in assessing disclosures.  However, the business line references two factors developed by the Public Sector Integrity Commissioner (serious misconduct and gross mismanagement), as well as, the Public Services and Procurement Canada disciplinary grid developed by the Labour Relations directorate.

25. Strengthening the initial assessment process through developing assessment criteria, greater managerial oversight and enhanced engagement with departmental stakeholders, such as Legal Services, would ensure that the Senior Officer is effectively utilizing internal disclosure resources on investigations that truly fall within their mandate.

Preventing reprisals

26. The Public Servant's Disclosure Protection Act prohibits reprisal against a public servant or former public servant who has made a protected disclosure or has cooperated in an investigation into a disclosure. Examples of reprisals include disciplinary measures, demotions, terminations and any other measures that adversely affect the employment or working conditions of the public servant. Employees who feel that they are the subject of reprisal may file a complaint with the Office of the Public Sector Integrity Commissioner or can raise the matter with their supervisor or Senior Officer. All formal investigations related to reprisals can only be investigated by the Public Sector Integrity Commissioner. Since 2012, there has only been one case where the internal disclosure business line has had to coordinate with Public Sector Integrity Commissioner with respect to the investigation of a reprisal.

27. The Senior Officer, with support from the Special Investigations and Internal Disclosure Directorate, is responsible for communication and outreach regarding reprisal recourse related to protected disclosers under the Public Servant's Disclosure Protection Act. The Senior Officer must provide disclosers and witnesses with information about the reprisal process and try to prevent potential situations of reprisal from occurring. These responsibilities include having discussions with disclosers and witnesses about their rights, as well as, engaging management in the branch of concern. In our interviews, internal disclosure investigators stated that involved employees were made aware of the reprisal recourse process verbally, at initial contact, and then again by a disposition letter, informing the discloser of the investigation outcome.

28. Through file testing, we saw evidence that the letter of disposition was sent to all disclosers and that these letters included information about reprisal recourse, as well as contact information for the Office of the Public Sector Integrity Commissioner.  Due to the confidentiality provisions of the act, we were not in a position to validate the extent to which information about reprisal recourse was shared with employees and their level of comfort in using this mechanism.

29. We reviewed the 2016 departmental Pulse Check survey results - an annual survey sent to all Public Services and Procurement Canada employees to obtain their opinions on issues such as workforce empowerment, harassment/discrimination and employee engagement, and noted that one of the survey questions pertained to employees' willingness to initiate a formal recourse process without fear of reprisal. The results indicate that 42% responded that they felt free to do so. A further review of the Department's communication and outreach strategy around reprisal recourse will be conducted as part of the Horizontal Audit of the Public Services and Procurement Canada Investigation Management Accountability Framework.

A quality assurance strategy has been developed and is in the process of being implemented

30. The implementation of quality assurance activities provides management with a level of assurance that file administration is aligned with operational procedures. We expected the internal disclosure business line to conduct quality assurance activities to help ensure the quality, consistency and efficiency of its internal disclosure investigations.

31. In the files we assessed, there was limited evidence that formal quality assurance or control activities were performed. However, there was evidence that peer reviews were conducted, a practice which supports quality and compliance with the Manual. [As of November 2016, when the examination phase of this audit concluded, the internal disclosure business line was in the process of implementing a formal quality assurance strategy.]

Integrity in the safeguarding of information

Internal disclosure files are appropriately safeguarded in accordance with Treasury Board Secretariat requirements

32. The Public Servant's Disclosure Protection Act states that the Senior Officer must establish procedures to ensure the confidentiality of information collected in relation to disclosures of wrongdoing.

Safeguarding the confidentiality of information collected is essential to the Public Servant's Disclosure Protection Act, as public servants who disclose must be confident that their anonymity will be respected.

33. We expected internal disclosure information to be secured in accordance with the confidentiality provisions of the act, as well as, Treasury Board Secretariat and departmental information management requirements. We expected that these requirements would be met for both physical (paper) and electronic information holdings.

34. Information about internal disclosure files are kept in paper files and in two different information technology applications, GCDOCS^{Footnote 2} and Site-Secure^{Footnote 3}. The business line also maintains excel worksheets to support the tracking of disclosures and general inquiries they receive about the internal disclosure process.

35. We observed, through on-site observations and information technology application walkthroughs, that paper and electronic files in GCDOCS^{Footnote 2} were appropriately safeguarded as per Treasury Board Secretariat and departmental requirements. Paper files were locked in Royal Canadian Mounted Police approved cabinets located in a secure area and information technology application permissions were in place and appropriate for information stored in GCDOCS^{Footnote 2}.

Significant risks were identified with the expanded use of Site-Secure^{Footnote 3}

36. Based on our information technology application walk-through of two internal disclosure files, it appears that Site-Secure^{Footnote 3} currently contains very limited information about internal disclosure investigations. However, we have identified several significant operational risks associated with the business line's possible expanded use of this system, such as privacy breaches, unauthorized use, loss of data and inappropriate disclosure of information.

All audit observations, and subsequent recommendations, related to Site-Secure^{Footnote 3} are discussed in the Audit of the Corporate Security Investigative Function.

Performance monitoring and reporting

Existing performance indicators were not consistently met and some have yet to be developed

37. Performance indicators are established to assist management and employees in achieving the Department's commitment to continual improvement and service excellence. We expected that appropriate performance indicators would be developed and in place, and that management would consider performance results to inform decision-making.

38. During the audit scope period, the internal disclosure business line had one performance indicator in place, to complete 80% of internal disclosure investigations within 90 days. This calculation was based on the number of days between the Senior Officer approval of the investigation mandate (plan for proceeding with the investigation) and their sign-off of the final investigation report. Based on performance information provided to Public Services and Procurement Canada management, the business line has had difficulty meeting this performance indicator, with only 45% of their investigations having been completed within 90 days during the 2014 to 2015 fiscal year. However, we noted that for the three files we reviewed, as part of our testing sample, the average time taken was 94 business days, with the range being 81 to 107 days. This suggests that there is not a significant discrepancy (that is number of days) between the established indicator and the business line's actual performance.

39. Interviewees stated that, in the past, meeting established service standards had been difficult given a number of internal and external factors which contributed to process delays, such as resourcing constraints within the investigation unit and awaiting information from involved employees and departmental stakeholders.

40. We found that there were no performance indicators to assess the timeliness between the internal disclosure business line's receipt of the disclosure and the Senior Officer's review and approval of the preliminary investigation of the disclosure (decision to proceed with a formal investigation). Based on the results of our file review, we assessed that this procedural step took an average of 140 business days to complete. Also, there were no performance indicators in place to measure the timeliness of informing disclosers about the outcome of the investigation. We assessed an average of 142 business days between the Senior Officer's approval of the final investigation report and the discloser being informed of the outcome of the investigation.

41. The absence of performance information at key milestones of the investigation process limits the internal disclosure business line from assessing the overall efficiency and timeliness of its investigations, from start to finish. Under the Public Servant's Disclosure Protection Act, there is an expectation that that the Senior Officer will address disclosures in an efficient and timely manner. If this expectation is not met, employees may be unwilling to come forward and/or unreasonable delays may create prejudice towards the alleged wrongdoer.

Performance indicators have been revised and are in the process of being implemented

42. We were informed that performance indicators for investigations had recently been revised to better reflect the complexity and risks associated with the disclosure. As of November 2016, when the examination phase of this audit concluded, the internal disclosure business line was in the process of implementing their new performance measurement strategy.

Public Servant's Disclosure Protection Act and Treasury Board Secretariat reporting requirements were not always met

43. Reporting is one of the principal means through which departments are able to fulfill their commitment to the public service value of transparency. Reporting also allows departments to demonstrate compliance with legislation and policy, allowing for appropriate monitoring and oversight. We expected the internal disclosure business line to meet reporting requirements established under the Public Servant's Disclosure Protection Act and by Treasury Board Secretariat, and that the information being reported would be complete, accurate and timely.

Founded Investigations under the Public Servant's Disclosure Protection Act

44. The Public Servant's Disclosure Protection Act requires the Senior Officer to promptly provide public access to information about a founded wrongdoing. Treasury Board Secretariat asks that this information be posted on the Department's website within 60 days of the conclusion of the investigation and in situations where this cannot be met; the Department must provide a rationale explaining the delay. The act also requires the Senior Officer to, when posting information about founded investigations, describe the wrongdoing and corrective actions taken by the Department.

45. As part of our file testing, we reviewed one founded investigation and noted that information about the investigation was posted roughly eight months after the conclusion of the investigation report. As well, the Public Services and Procurement Canada website did not include any details about the corrective measures taken by the Department.

46. Internal processes, such as the need for founded investigations to be presented at the Department's disciplinary council (committee that reviews and provides feedback on proposed employee disciplinary measures), and the absence of a formal process for obtaining information from Labour Relations and/or involved managers about corrective actions, have contributed to the internal disclosure business line being unable to meet Public Servant's Disclosure Protection Act reporting requirements.

General inquiries

47. Treasury Board Secretariat also requires departments to report all general inquiries they receive related to the Public Servant's Disclosure Protection Act and defines general inquiries as those regarding procedures established under the act or possible wrongdoing, not to actual disclosures.

48. We observed that multiple channels exist for the intake of general inquiries - in person, phone and email. To ensure that all inquiries are being received, responded to, recorded and appropriately reported to Treasury Board Secretariat, we expected there to be some rigour around the strategy for tracking inquiries.

49. As part of our file testing we reviewed five inquiries, from a population of eight, covering the audit scope period. In one instance, there was no physical file for the logged inquiry, reducing our file sample to four. Of the four files assessed, only two met the definition of an inquiry as defined by Treasury Board Secretariat. For the other two inquiries, individuals were reporting specific allegations of wrongdoing where internal disclosure investigators either completed an initial assessment of the allegation or referred the matter to another internal investigative unit.

50. In the absence of a defined strategy for tracking general inquiries, and supporting quality controls, ensuring the completeness and accuracy of information being reported to Treasury Board Secretariat is challenging. The observed conditions have resulted in the internal disclosure business line being unable to fulfill this Treasury Board Secretariat reporting obligation.

Conclusion

51. Public servants have an obligation to come forward if they are aware that serious wrongdoing has taken place, or is about to occur, however, disclosing acts of wrongdoing takes moral strength and courage. Individuals who do come forward must be treated with respect and have confidence about the integrity of the process. How disclosers, witnesses and alleged wrongdoers are treated directly impacts the credibility of the Public Services and Procurement Canada internal disclosure investigation process. Ensuring that strong controls are in place provides management with a level of assurance that investigations are being conducted appropriately.

52. Overall, we found that management controls for the internal disclosure process were in place. A few control weaknesses were identified pertaining to processes and procedures, as well as, performance monitoring and reporting. Improvements in these areas will enhance the efficiency and quality of the internal disclosure investigation process.

53. We noted the need for increased rigour and managerial review of the investigators' initial assessment of disclosures; which will provide the Senior Officer with greater assurance that internal disclosure resources are being appropriately and efficiently utilized. Further, strengthening controls, particularly in the area of performance monitoring and reporting to stakeholders, will improve the quality and accuracy of the internal disclosure process.

Management response

Management has had the opportunity to review the report, and agrees with the conclusions and recommendations found therein.  Management also developed a Management Action Plan to address these recommendations.

Recommendations and management action plan

Recommendation 1:

The Assistant Deputy Minister of the Departmental Oversight Branch should develop detailed criteria to be used as part of the initial assessment and determination as to whether received disclosures met the threshold for investigation under the Public Servant's Disclosure Protection Act.

The Assistant Deputy Minister of the Departmental Oversight Branch should also ensure that investigator's initial assessments of disclosures are appropriately reviewed and approved prior to commencing a preliminary investigation.

Management action plan 1.1:

Treasury Board Secretariat guidelines as well as Public Sector Integrity Commissioner precedents on what is considered "serious wrongdoing" and "gross mismanagement" to be integrated into the Internal Disclosure procedures manual.

As part of the Quality Assurance process implemented, to review disclosures in the first instance, justification to either proceed or not with an investigation will have to be articulated against the established criteria to ensure that the threshold set out in the Public Servant's Disclosure Protection Act is met.

The Director is fully briefed at all stages of a disclosure and investigation. The Senior Officer is in turn briefed on these matters on a bi-weekly basis by the Director.

Recommendation 2:

The Assistant Deputy Minister of the Departmental Oversight Branch should develop and implement formal quality control activities that cover the complete lifecycle of the internal disclosure process.

Management action plan 2.1:

The lifecycle of protected disclosures is as follows:

1. intake and assessment (Quality assurance form developed as indicated above)
2. preliminary Review which determines the validity and credibility of information provided by the discloser and which result in a recommendation to the Senior Officer with recommendations as to whether the matter should be fully investigated. Quality assurance process has been established for this stage of the disclosure
3. investigation and investigation report will be subject to a third Quality assurance process
4. post investigation requirements. Quality assurance form has been developed for this fourth stage

Recommendation 3:

The Assistant Deputy Minister of the Departmental Oversight Branch should 1) implement appropriate performance indicators and 2) develop and implement controls to ensure the accuracy and timeliness of information being reported to stakeholders.

Management action plan 3.1:

Service standards have recently been amended and approved by the Assistant Deputy Minister of Departmental Oversight Branch.

Special Investigations and Internal Disclosure directorate has developed a Comprehensive Report which tracks all investigations and their status. Priority is given to keeping this report updated and accurate.

In respect to general inquiries, only general enquiries as defined in the Treasury Board Secretariat yearly call letter will be placed in this category.  This definition is as follows, "General inquiries" refers to inquiries regarding procedures established under the act or possible wrongdoings, not including actual disclosures. Also, general inquiries are now being logged in a bulk file for each fiscal year in the Special Investigations and Internal Disclosure directorate comprehensive ledger.

About the audit

Authority

This engagement was initiated at the request of the Audit and Evaluation Committee in June 2015 as part of the Horizontal Audit of the Public Services and Procurement Canada Investigation Management Accountability Framework; to provide broader assurance on the effectiveness of the management controls and investigation practices within the Department.

Objective

To determine whether selected elements of the Management Accountability Framework are in place and functioning as intended to support the internal disclosure process.

Scope and approach

The audit focused on elements of the Management Accountability Framework that are considered to be relevant and important related to the internal disclosure process, based on the risk assessment. Specifically the audit assessed:

• Processes and Procedures
• Information Management
• Performance Monitoring and Reporting

The audit scope period was from April 1, 2014 to March 31, 2016. Formal administrative investigations related to security incidents and special investigations conducted by the internal disclosure business line have been excluded from the scope of this audit.

This audit was conducted in accordance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Criteria

The criteria used to assess the internal disclosure process were based on a risk assessment and focused on elements of the Management Accountability Framework that are considered to be relevant and important as they relate to the role played by the internal disclosure business line to support the conduct of internal disclosure investigations.

Specifically the audit examined:

• Processes and Procedures: Processes and procedures related to the internal disclosure process are sufficient, appropriate and consistently applied to ensure compliance with applicable policies and legislation
• Information Management: Internal disclosure records are maintained in accordance with applicable information management policies and procedures
• Performance Monitoring and Reporting: A monitoring approach is in place which allows the internal disclosure business line to assess and report performance against planned results and to adjust course as required

Audit work completed

Audit work for this engagement was conducted between September 2016 and November 2016.

Audit team

The Audit was conducted by members of the Office of Audit and Evaluation, overseen by the Director Continuous Auditing and Advisory Services and under the overall direction of the Chief Audit and Evaluation Executive.

The Audit was reviewed by the quality assessment function of the Office of Audit and Evaluation.