Thanks, Mr. Chair.
I'll try to pick up where I left off. We were talking about the internal audit process.
It seems to me, on a simplistic level, anyway, that a risk-based audit process would look at areas where it's more likely that you're going to see things going wrong. It would focus attention on those areas as opposed to spending attention on areas of lower probability or lower consequence. Now, in this case, it seems like the internal audit process totally missed something that's really bad. According to the Auditor General in her scathing report, this is really bad stuff. Then, when you did a joint review as ordered by the Prime Minister, you found that indeed it was really bad.
The internal process missed all this stuff because it was looking elsewhere. How is the internal risk-based audit process going to change so that you don't continue to miss big stuff based on your assessment of the risk?