Thank you for the question.
Mr. Chair, the essence of our strategy was to ask departments to do a risk-based evaluation of internal controls. Departments are huge organizations, and controls are many and varied. There are many financial activities and many systems and processes involved. It's not in fact a simple matter to document and evaluate all of these. It does take time to do it thoroughly.
First and foremost, we wanted departments to think about which areas of their operations represented perhaps the most important and the most high-risk activities. We asked them to concentrate their efforts on evaluating risks first in those areas and to then implement appropriate controls.
At the same time, departments are busy with other things. When it comes to the plans to, say, remediate any deficiencies that are noted, we had to also allow for the fact that departments needed to place those demands in the context of other demands and decisions that the accounting officer had to make.
That being said, we are monitoring to get a sense that progress is steady, but we didn't feel it was appropriate to put in place fixed timelines.