Common menu bar links
ARCHIVED - Audit of Emergency Preparedness
Internal Audit Report
This page has been archived.
Archived Content
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
October 2008
Table of Contents
- Executive Summary
- Introduction
- Audit Opinion
- Findings, Recommendations and Management Action Plan
- Appendix A — Roles and Responsibilities
- Appendix B — Lines of Enquiry and Audit Criteria
- Appendix C — List of Acronyms
Executive Summary
Background
Emergency preparedness (EP) is defined as the measures or plans in place to protect employees, safeguard assets and assure the continued delivery of critical services in the event of a natural or man-made disaster.
The Treasury Board of Canada Secretariat issued the Government Security Policy in 2002 that prescribes the application of safeguards to reduce the risk of injury to employees, to protect assets and to ensure the continued delivery of critical services. Departments are essentially required to appoint a departmental security officer (DSO), conduct ongoing threat and risk assessments, establish a business continuity planning program for the continued availability of critical services and assets, develop procedures for reporting and investigating security incidents, and actively monitor their security program.
The Emergency Management Act enacted in June 2007 now places responsibility on the Minister of Public Safety to exercise leadership relating to emergency management in Canada by coordinating with government institutions and in cooperation with the provinces and other entities. It also mandates all federal departments and agencies to develop programs to deal with unforeseen and potentially disastrous events.
At the Canada Border Services Agency (CBSA), the Emergency Preparedness and Security Committee (EPSC) oversees EP issues. The Comptrollership and Operations branches have primary responsibility for the EP portfolio. In addition, the Innovation, Science and Technology Branch provides the required protection and support of mission critical information technology systems in a crisis situation.
Objective and Scope
The objective of the audit was to assess whether the Agency has a management and organizational structure in place to effectively deliver the EP program. More specifically, the audit involved the following:
- Reviewing the strategic directions and operational objectives of the EP program; and
- Verifying that the organizational structure is clearly defined, resourced and communicated at all levels in terms of EP.
The audit scope also included a review of EP activities in the Atlantic, Greater Toronto Area and Pacific regions. The audit excluded a review of the CBSA’s business continuity plans or business resumption plans because these were at various stages of development and implementation and they will be subject to a future audit.
The audit was conducted during the period of April 2007 to February 2008 and included a review of governance and strategic direction as well as accountability in EP, which are two of the elements in the Management Accountability Framework.
Statement of Assurance
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.
Audit Opinion
The audit found that the Agency has a management and organizational structure in place for the EP program. Improvements to the planning and monitoring functions would strengthen the overall EP management framework at the Agency.
Main Observations
The Agency has a management and organizational structure in place for the EP program and it has been widely communicated. The EPSC has been established to oversee EP activities and the Comptrollership and Operations branches have been given the mandate to manage the EP portfolio. The roles and responsibilities of each of the branches are generally understood. Although a temporary situation during the restructuring in the Comptrollership Branch, the level of one co-chair representative could affect the EPSC’s ability to carry out its oversight responsibilities. Currently, there is no overall strategic plan for EP and operational work plans exist for only some branches and regions. Approved budgets do not specify the amounts for EP and monitoring the progress of EP activities and resource use is limited.
Introduction
Background
Emergency preparedness (EP) is defined as the measures or plans in place to protect employees, safeguard assets and assure the continued delivery of critical services in the event of a natural disaster (such as a flood, earthquake, windstorm or infectious disease outbreak) or a man-made disaster (such as a hazardous materials spill, bomb threat, terrorist incident or blackout).
In 2002, the Treasury Board of Canada Secretariat issued the Government Security Policy (GSP), which prescribes the application of safeguards to reduce the risk of injury to employees, to protect assets and to ensure the continued delivery of critical services. Departments are mandated to appoint a departmental security officer (DSO), who is required to establish and direct a security program, as well as conduct ongoing threat and risk assessments for the organization. Further, the DSO must establish a business continuity planning program for the continued availability of critical services and assets, develop procedures for reporting and investigating security incidents, and actively monitor the organization’s security program.
The Government of Canada released its Securing an Open Society: Canada’s National Security Policy in 2004. The policy is a strategic framework and action plan designed to ensure that Canada is prepared for and can respond to current and future threats.
The Emergency Management Act was enacted in June 2007 and replaced the previous Emergency Preparedness Act (1985). It places responsibility on the Minister of Public Safety to exercise overall leadership relating to emergency management in Canada by coordinating with various government departments and institutions as well as seeking cooperation with the provinces and other entities to provide a unified and effective response. The Act also mandates all federal departments and agencies to develop programs to deal with unforeseen and potentially disastrous events, including measures for prevention and mitigation, response preparedness and recovery, as well as protection of critical infrastructure.
At the Canada Border Services Agency (CBSA), the Comptrollership and Operations branches have primary responsibility for the EP portfolio. Further details on specific roles and responsibilities are noted in Appendix A. The Innovation, Science and Technology Branch provides the required protection and support of mission critical information technology (IT) systems in a crisis situation.
Since the inception of the CBSA in 2003, there have not been any EP-related internal audits conducted at the Agency. However, a number of audits were undertaken at one of the CBSA’s legacy organizations. In February 2003, an audit of IT in the Pacific region found that threat and risk assessments required updating and business resumption plans needed to be tested. In March 2003, an audit of security in the Southern Ontario region found that there was a need to clarify security roles and responsibilities, better manage business continuity plans, provide approved training and determine whether customs equipment (i.e. radios) require upgrading. In December 2004, an audit of IT continuity planning found that the IT continuity plans for national applications and IT infrastructure for one of the CBSA’s legacy organizations remain to be fully implemented and tested.
The EP audit was identified in the CBSA Internal Audit Directorate Risk-Based Multi-Year Audit Plan and was approved by the Audit Committee in June 2006.
Risk Assessment
The preliminary risk assessment of EP completed during the planning phase identified the following key risks:
- EP strategic direction, operational plans and objectives may not be clearly defined, communicated or aligned with the EP mandate.
- The approved EP framework/organizational structure, roles and responsibilities may not be clearly defined.
- Managers and employees at CBSA Headquarters (HQ) and in the regions may not have the EP training, knowledge or skills to do their jobs adequately and effectively.
- The funding may not be sufficient to ensure capacity in staffing qualified EP employees.
The risk assessment also identified three other areas: threat and risk assessments, business continuity plans and pandemic plans. However, those areas are currently in various stages of development at the Agency.
Audit Objective and Scope
The objective of the audit was to assess whether the Agency has a management and organizational structure in place to effectively deliver the EP program. More specifically, the audit involved the following:
- Reviewing the strategic directions and operational objectives of the EP program; and
- Verifying that the organizational structure is clearly defined, resourced and communicated at all levels in terms of EP.
The audit scope was limited to a review of the governance and strategic directions and accountability for EP. These are two of the ten elements in the Management Accountability Framework (MAF). Essentially, the governance and strategic directions ensure that the essential conditions for the EP management framework are in place for providing effective strategic direction support to the President and senior management, and for ensuring the effective delivery of EP results. In addition, accountabilities and delegations should be clearly assigned and consistent with resources.
The audit was conducted at HQ and directly involved the Comptrollership and Operations branches. In addition, the audit included a review of EP in the Atlantic, Greater Toronto Area (GTA) and Pacific regions. The audit excluded a review of the CBSA’s business continuity plans or business resumption plans because those were at various stages of development and implementation and they will be subject to an audit at a later date.
Approach and Methodology
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.
The planning phase consisted of interviews and consultations with the auditee, and a review of EP information, documents and reports. This phase resulted in the development of an audit program and associated tools to complete this audit.
The examination phase of the audit consisted of the following:
- Interviews with management and staff at HQ and in the selected regions (Atlantic, GTA and Pacific) to confirm that the mandate, strategies, procedures, roles and responsibilities pertaining to EP have been clearly established and communicated.
- A review of the strategic direction, organizational structure, roles, responsibilities and work plans for EP to validate that those functions and activities have been clearly identified and defined.
- A review of completed questionnaires and supporting documentation from the Atlantic, GTA and Pacific regions to confirm that regional employees have the necessary skills, training and tools for achieving EP plans.
Audit Criteria
The audit used the elements in the MAF and in control models, such as those recommended in the Canadian Institute of Chartered Accountants’ Criteria of Control (CoCo) and by the Committee of Sponsoring Organizations (COSO), to select the lines of enquiry and develop the necessary audit criteria. The lines of enquiry and audit criteria are set out in Appendix B.
Audit Opinion
The audit found that the Agency has a management and organizational structure in place for the EP program. Improvements to the planning and monitoring functions would strengthen overall EP management framework at the Agency.
Findings, Recommendations and Management Action Plan
The CBSA has a management and organizational structure in place for the EP program, which has been communicated widely. The Emergency Preparedness and Security Committee (EPSC) has been established to oversee EP activities, and the Comptrollership and Operations branches have been given the mandate to manage the EP portfolio and oversee EP issues. While the roles and responsibilities of each of the branches are generally understood, the chairmanship of the EPSC has not been updated. Currently, there is no overall strategic plan for EP and operational work plans exist for only some branches and regions. Approved budgets do not specify the amounts for EP and monitoring the progress of EP activities and resource use is limited.
Governance and Strategic Direction
The Agency is making progress on its EP activities. The EPSC exists to provide oversight and direction on delivering the EP mandate, which is primarily handled by the Comptrollership and Operations branches. Strategic direction for the EP portfolio management, including delivering on the EPSC’s responsibilities, as stated under its terms of reference, is not clearly defined.
Mandate
The CBSA derives its EP mandate from the Government Security Policy (GSP), which stipulates that the DSO is responsible for establishing and directing a security program that includes protecting employees and overseeing security in an emergency and increased threat situation. In addition, the Emergency Management Act of June 2007, and its predecessor the Emergency Preparedness Act (1985), obliges federal government departments and agencies to have an effective emergency management plan in place to ensure continuity of operations.
With the enactment of the new Emergency Management Act in 2007, the Minister of Public Safety now has a leadership role in emergency management in Canada.
The CBSA’s Security Volume [1] specifies that the DSO has the responsibility to ensure that an emergency management program is established for the Agency, as mandated by the GSP and to coordinate, support and monitor all emergency management efforts at the CBSA. The Volume further notes that the EPSC is the executive authority on emergency management at the CBSA. In addition, branches, regions and local offices are responsible for developing emergency management plans in accordance with standards defined by the DSO.
The Comptrollership and Operations branches primarily manage the EP portfolio at the Agency to support the CBSA’s strategic objective of helping to safeguard national security. Operationally this means the Comptrollership Branch is responsible for the EP policy and for coordinating business continuity plans and corporate security. The Operations Branch is responsible for managing EP and crisis management in a way that is consistent with Agency policies and guidelines and in collaboration with the Comptrollership and other branches.
In November 2007, the Comptrollership and Operations branches created a “responsibility agreement” that establishes their respective roles and responsibilities; it is consistent with the Security Volume chapter on emergency management in the Comptrollership Manual (see Appendix A for a summary of the key functions of these branches).
Oversight of emergency preparedness
For effective governance of EP, an oversight body should exist to establish EP objectives and monitor results.
The audit reviewed the oversight function for EP and found that the EPSC had been established to oversee and provide guidance on all aspects of EP and security. The EPSC is a sub-committee of the Executive Management Committee (EMC) and it meets every quarter. Initially, the EPSC was chaired by the Vice-President of the Operations Branch. Effective September 2007, the EPSC has been co-chaired by the Director General (DG) of the Corporate Administration and Security Directorate (Comptrollership Branch) and the DG of the Programs and Operational Services Directorate (Operations Branch), who are also accountable for the specific security and EP functions respectively at the Agency. Because of temporary changes in the Comptrollership Branch, the co-chair position for that branch is now represented at the director level rather than at the DG level. This may affect the oversight responsibilities of the EPSC.
The responsibilities of the EPSC are outlined in its terms of reference. They include overall governance, prevention and preparedness (e.g. business continuity planning) and response and recovery. A review of the terms of reference concluded that it was adequate and had no deficiencies except that the committee structure needed to be updated.
A review of the EPSC’s meeting agendas and records of decision found that the committee has not yet exercised all of its responsibilities. For example, the ESPC had not discussed the strategic direction for EP. As a result, there may be risks that are not adequately addressed in the Agency’s EP program.
Recommendation:
1. The vice-presidents of the Comptrollership and Operations branches should confirm the co-chairs of the Emergency Preparedness and Security Committee and update its terms of reference.
| Management Action Plan | Completion Date |
|---|---|
| The representatives will be those director-general-level individuals under whose responsibilities fall the emergency management and corporate security files. | The review and update of the terms of reference for the Emergency Preparedness and Security Committee will be completed by March 2009. |
Strategic direction and operational plans
Organizations should set a strategic direction for EP priorities and these priorities should be elaborated in operational work plans with key milestones and target completion dates.
Among the EPSC’s governance responsibilities is providing strategic direction for EP. Through interviews with management and a review of the EPSC records of decision, the audit confirmed that no formal EP strategic direction document existed. Without this direction, there could be challenges in allocating resources to EP priorities and gaps may not receive the appropriate attention.
As part of effective management practices, coordinated work plans should be established for EP activities. Work plans should provide feasible time frames and allocated resources to achieve results. These plans should be reviewed periodically to determine continued relevance and progress.
The audit found that the Operations Branch has work plans aimed at achieving its EP objectives. Activity reports were generated every month that provided the status of EP activities. It was noted that the operational work plans could be strengthened if they included key milestones and target completion dates. The audit noted that the Comptrollership Branch and two of the three regions did not have documented EP work plans.
Without coordinated work plans, it is difficult to determine if EP priorities are being addressed effectively across the Agency and whether the EP resources are being allocated in a structured and strategic manner.
Recommendations:
2. The Comptrollership and Operations branches, through the co-chairs of the Emergency Preparedness and Security Committee, should develop a strategic direction for emergency preparedness and obtain the endorsement of the Executive Management Committee.
| Management Action Plan | Completion Date |
|---|---|
| The Comptrollership and Operations branches will collaborate on developing a strategic direction for emergency preparedness. This direction will align with the review and update of the Emergency Preparedness and Security Committee’s terms of reference and will be presented to the CBSA’s Executive Management Committee for approval. | March 2009 |
3. The Comptrollership and Operations branches, in collaboration with other branches, should establish coordinated operational work plans based on the approved strategic direction that include key milestones and target completion dates.
| Management Action Plan | Completion Date |
|---|---|
| Coordinated operational work plans will be established for the 2009–2010 fiscal year and beyond, based on the approved strategic direction for emergency preparedness. | June 2010 |
Communication
Open and effective communication channels are critical for EP.
The audit reviewed the EP communications products and noted that EP activities are effectively communicated to Agency staff. The Comptrollership Branch forwards EP directives, bulletins and/or communiqués out to the branches and the regions for information as and when necessary. Besides internal communications, the Operations Branch communicates internally to the regions and is also in communication with external stakeholders involved in EP collaborative initiatives.
The DSO, as the Agency representative, participates in the government-wide DSO committee. This committee, with representatives from other departments and agencies, discusses national security issues and reviews and refines Treasury Board policy related to security. The DSO briefs the EPSC on an ongoing basis and senior management on any issues.
The Operations Branch participates in numerous interdepartmental committees related to EP, including a federal emergency planning group and the Interdepartmental Exercise Coordinating Committee. The branch also co-chairs a DG working group on border management with Public Safety Canada. In addition, the Vice-President of the Operations Branch represents the CBSA on an interdepartmental emergency management committee of assistant deputy ministers.
The Operations Branch holds monthly teleconference calls with the CBSA regions to communicate objectives and hot issues and to obtain regional feedback on EP activities. No minutes or records of decision on the results of those teleconferences were available. In addition, a conference is held semi-annually between HQ and the regional emergency management coordinators to provide the latest EP updates and issues. The most recent conference was held in Ottawa in May 2008. The Operations Branch also forwarded bulletins and/or communiqués pertaining to EP news and activities to the regions and HQ branches. Additionally, the Emergency Preparedness, All Hazards Approach manual was released recently by the Operations Branch and is now posted on the CBSA intranet. The manual covers all chemical, biological, radiological, nuclear and explosive threats, as well as threats to the food supply, and to public health and safety.
Furthermore, there is ongoing communication between the Comptrollership and Operations branches regarding significant events (e.g. threats or emergency incidents at CBSA).
Accountability
There is an EP organizational structure for both the Comptrollership and Operations branches. Work descriptions are current and reflect the job tasks required by EP staff. Collaborative work with other agencies is ongoing and could be enhanced through formal arrangements. The use of EP resources was not being monitored throughout the Agency.
Organizational structure
To carry out EP activities, a key control is that an organization should have a structure in place where roles and responsibilities are clearly established and widely communicated.
The audit noted that the Comptrollership Branch had an approved organization in place for EP, which was current and posted on the CBSA intranet. Reporting to the DSO is the Manager of Business Continuity and Security Policy and an EP officer tasked with monitoring EP activities. This later position was not staffed at the time of the audit. Work descriptions exist and are current for both positions.
The Operations Branch has a unit responsible for EP activities that develops, negotiates and implements emergency and disaster recovery plans for CBSA operations. Its organizational chart had been widely communicated across the CBSA and in the regions. At the regional level, the audit noted that the regions did not have EP as part of their approved organizational structure. However, the position of a regional emergency management coordinator had been staffed and the work description for the position was in the process of being developed.
Resource management
To manage resources effectively, a budget for EP activities should be planned and resource use should be monitored.
The audit reviewed the budgets for both the Comptrollership and Operations branches for EP activities and noted that the branches had approved budgets. In the case of the Comptrollership Branch, its EP budget was consolidated with security operations so there was no specific amount for EP activities.
With respect to monitoring resource use, the audit found that the Pacific Region uses an internal order number to capture EP expenditures. For the other organizational units, resource use is not tracked. Of particular note, each region is funded for an emergency management coordinator. Interviews in the three selected regions indicated that coordinators’ time use varied between 10 percent and 75 percent on EP activities.
Without capturing actual resource use for EP activities, the Agency is unable to roll up EP expenditures for planning and reporting purposes.
Recommendation:
4. The Comptrollership Branch should explore the use of internal order numbers to budget, manage and report on the Agency’s resources and activities.
| Management Action Plan | Completion Date |
|---|---|
| Meetings have been scheduled by the Comptrollership Branch to begin exploring the possibility of creating internal order numbers in order to budget, manage and report on the Agency’s resources and activities. A communications plan will be developed to instruct regional operations on the use of the new order numbers. | March 2009 |
Collaborative initiatives with external stakeholders
In February 2008, Public Safety Canada developed and issued the Federal Emergency Response Plan (FERP) to provide general guidance to federal departments and agencies. The processes and mechanisms outlined in the FERP aim to facilitate an integrated Government of Canada response in an emergency. While the FERP is the core plan for coordinating the overall federal response to emergencies where an integrated Government of Canada response is required, individual departments and agencies are expected, for the most part, to manage emergencies with event-specific plans based on their own circumstances and authorities.
The Operations Branch works in coordination with other stakeholders and partners from a number of other government departments to reach agreement on the CBSA’s roles and responsibilities related to public security contingency plans. In addition, the regions, under the direction of and supported by the Operations Branch, are involved in tabletop exercises with external stakeholders where the participants’ respective roles and responsibilities are clarified.
The Operations Branch also works with the United States on plans to keep the shared border open in the event of an emergency. A business resumption communication and coordination plan has been developed with U.S. Customs and Border Protection (CBP).
Other than an agreement with U.S. CBP, the CBSA has not formalized its arrangements with other stakeholders and partners with regard to their respective roles and responsibilities in mitigating and/or addressing an emergency should one arise. This could result in tasks being neglected during an emergency because of a misunderstanding of the respective roles of the participants.
In the case of first responders, such as local fire departments or ambulances, there is no requirement for formal arrangements as first responders take charge of emergency situations once they are on the scene.
Recommendation:
5. The Operations Branch, in collaboration with the Comptrollership and other branches, should formalize the CBSA’s roles and responsibilities with external stakeholders for emergency preparedness activities.
| Management Action Plan | Completion Date |
|---|---|
Work to fulfill this recommendation is ongoing. The Operations Branch is working with Public Safety Canada to finalize and operationalize its responsibilities in regard to emergency support function 13 under the Federal Emergency Response Plan (FERP), and it is currently implementing a comprehensive exercise plan to identify the CBSA’s participation in interdepartmental emergency preparedness and security exercises. This work with Public Safety Canada ensures that all departments and agencies understand their respective roles and responsibilities when there is a need to invoke any of the emergency support functions. |
Ongoing |
| The most recent information received by Public Safety Canada indicates that the annexes to the FERP, including the emergency support functions, are due for a full review. Part of this review will involve bilateral meetings with each agency responsible for the emergency support functions, including the CBSA, to outline and update interdepartmental emergency roles and responsibilities. The CBSA’s completion dates associated with this audit recommendation are directly dependent on Public Safety Canada’s work to validate these annexes. | December 2008 |
Appendix A — Roles and Responsibilities
Emergency Management Act (2007)
|
Government Security Policy (2002)* Departments are required to undertake the following:
|
Federal departments/agencies |
|
| Comptrollership Branch
Responsible for developing and coordinating policy and guidelines in terms of emergency management measures, which include the following:
|
Operations Branch
Responsible for developing, negotiating and implementing emergency and disaster recovery plans for CBSA operations (based on policy guidelines developed by the Comptrollership Branch):
|
Joint Responsibilities
|
|
* Policy currently under review by the Treasury Board Secretariat.
** Business continuity plans are still being developed by CBSA.
Appendix B - Lines of Enquiry and Audit Criteria
| Lines of Enquiry | Audit Criteria |
|---|---|
Governance and strategic direction |
|
| Accountability |
|
Appendix C — List of Acronyms
| BCP | Business Continuity Plans |
| CBSA | Canada Border Services Agency |
| DG | director general |
| DSO | departmental security officer |
| EMC | Executive Management Committee |
| EP | emergency preparedness |
| EPSC | Emergency Preparedness and Security Committee |
| FERP | Federal Emergency Response Plan |
| GSP | Government Security Policy |
| GTA | Greater Toronto Area |
| HQ | Headquarters |
| MAF | Management Accountability Framework |
| U.S. CBP | U.S. Customs and Border Protection |
Notes
- Comptrollership Manual, Security Volume – Chapter 2: Emergency Management. [Return to text]
