Evidence of meeting #59 for Public Accounts in the 41st Parliament, 2nd session. (The original version is on Parliament’s site, as are the minutes.) The winning word was policy.
A recording is available from Parliament.
NDP
Malcolm Allen NDP Welland, ON
Ms. Cheng, you were looking at this over a period of time up until 2014. You were looking at whether these were to be updated by 2012. I think I read in your report that you said about half were in 2012. Is that correct?
Assistant Auditor General, Office of the Auditor General of Canada
Yes, that is correct.
I'm just trying to look up the period under examination. Usually it's at the back here....
Assistant Auditor General, Office of the Auditor General of Canada
Right.
At the time when we completed the audit, we found that about half of them had approved plans. This has to go back to the start of the requirement, really. The policy on government security was approved in 2009. Further to that, there was a directive that required departments and agencies to prepare these kinds of plans.
Really, this is a tool to help them put all their risk postures together so that they can understand what they're faced with, from the physical side to the financial side, as well as the cyber, to ensure that they have a comprehensive view, and to ensure that they have a plan to address the different exposures they think they might have. This helps them put it all together so that they know what they have and they can manage accordingly.
The policy and the directive were in place in 2009. Recognizing that it was a significant exercise, departments and agencies were given time to pull together the plan. That's why the plan was not required before June 2012.
In the report, we note that Treasury Board Secretariat actually did some follow-up as well along the way, trying to see if they were coming along. They were not particularly fast in terms of completing the plans. At the end of the audit timing, we saw that about half of them had completed plans.
Now, because we didn't look at the practices, or didn't look at the state of the unfinished plans, we don't know how mature they are. Treasury Board Secretariat probably has more up-to-date information and perhaps can help us with that.
NDP
Malcolm Allen NDP Welland, ON
I think that's where the 64% that's been signed off comes from. We've gone from 50% to 64%, it would seem, from what should have been 100% in 2012. I guess we're moving along by millimetres. I would be hard pressed to say that we're inching along, because that would be too fast. There's incremental movement, albeit it's too slow.
There's ample evidence from last year—not in the report, I must admit—of cyber breaches in some of the departments that, Ms. Cheng, you actually looked at in this audit. I agree with my good friend and colleague Mr. Woodworth that it's not just about cyber breaches, but clearly that's the most egregious part when it comes to the protection of data that's confidential.
Last year, we clearly saw that at Transport Canada. It's one of the departments that's actually in this audit and that is talked about.
Mr. Scott-Douglas, do you know whether Transport Canada is actually finished its particular piece? Has it gotten to the end? Is it one of the 64% that signed off?
I see a nod of the head, so....
Assistant Secretary, Priorities and Planning, Treasury Board Secretariat
Yes, it's non-verbal communication.
Assistant Secretary, Priorities and Planning, Treasury Board Secretariat
It stands in the category of a large department and agency. Its department security plan has been signed off by its deputy head, yes.
NDP
Malcolm Allen NDP Welland, ON
Thank you.
As we look at the security pieces, one of the things I find troubling, to be truthful, is the speed at which we move along, Mr. Scott-Douglas. I recognize, sir, that you're not responsible for writing these for all these departments. They report to you as to whether they've done them or not. I understand that. It would be nice to have the departments here to understand why exactly they're so slow. Clearly, when it's of such critical importance and the Treasury Board Secretariat puts a great emphasis on it.... You have a person responsible for making sure that we have things secure. Why are things so slow when there's a real sense that it needs to be done, that it's very important that it be done?
From 2012 to 2015 we've literally gone up 14%. That's not quite true; it's only 14% more than that. If you actually break it down, it's less, about a 7% increase. Do you have any sense, sir, of why it is that slow?
Assistant Secretary, Priorities and Planning, Treasury Board Secretariat
No. It's a very good question, Mr. Allen.
The Treasury Board Secretariat is concerned as well about movement. We've been working with departments consistently. Nancy indicated that there's been consistent follow-up, and we've taken a number of other measures to try and support departments and agencies in this. We have worked on it. Guidelines came out to support departments in working through their security plans. In addition to that, seminars have been held. Recently, a security seminar was held to move that forward. There are workshops. We've developed enhanced templates.
I might just indicate in parentheses here, and it's actually a feature theme of the Auditor General's report, that we've been paying particular attention to move small departments and agencies along and support their capacities to write this kind of report. That's a feature we're going to continue to press, not just in departments' security plans, but in other reporting requirements as well. There would be some tailoring and some adjustments to try to support them.
NDP
The Chair NDP David Christopherson
Okay, thank you. The time has expired.
Mr. Albas, you have the floor, sir.
Conservative
Dan Albas Conservative Okanagan—Coquihalla, BC
I want to thank all of our witnesses for the work they do for our great country.
I'll start my line of questioning with Mr. Scott-Douglas.
Mr. Scott-Douglas, first of all, within this report there's a lot of conversation around investment plans. Is that a relatively new feature of reporting requirements? Maybe you could explain, first of all, what an investment plan is and how that helps departments plan out their future needs.
Assistant Secretary, Priorities and Planning, Treasury Board Secretariat
We'd be happy to do that. It falls within Bill Matthews' office as comptroller general. I think Bill would be happy to walk you through that, Mr. Albas.
Bill Matthews Comptroller General of Canada, Treasury Board Secretariat
Mr. Chair, the investment planning policy that exists now has been around since about 2007. I would stress, though, that it was implemented in chunks. There were about three major steps we had along way. Full compliance has been in place for a number of years. What we're looking for there is for departments to cost out their planned major investments and share them with the Treasury Board. That includes all aspects of planned investments, including life cycle costs. This is planned as opposed to possible. What it really does is it drives home the importance of a planning document in the department.
The value of this policy is really threefold. One is you get a plan at the end that the Treasury Board Secretariat can monitor. Two, from my perspective, in the departments the value is to put them through a planning process, to make sure you have governance, the right priorities and investments, and things like that. Three, if you have a plan, it means that you are subject to a little less oversight from the Treasury Board itself. If you don't have a plan in place, it means that every time you're doing a project of over a million dollars, you come into Treasury Board for some oversight. If there's a plan in place, it actually makes us more efficient as well.
Conservative
Dan Albas Conservative Okanagan—Coquihalla, BC
Okay. I got the initial impression from the report that this was to help departments be able to plan over a longer period of time, but you add that there's a governance component as well. Could you explain that a little further?
Comptroller General of Canada, Treasury Board Secretariat
Sure. There are a couple of things. Number one, the plan is five years in length, but it is supposed to be refreshed every three years, because plans do change. It is a five-year planning horizon. That's important because as part of the governance process, you want a longer-term view of the investment plans. The governance piece makes sure both from the departmental perspective and from an oversight perspective at the centre that we understand what the priorities of the department are, where they are making investments, and whether they are able to afford the investments they are making.
Conservative
Dan Albas Conservative Okanagan—Coquihalla, BC
More than half the organizations surveyed by the Office of the Auditor General commented that departmental investment plans had a low level of usefulness. That's in paragraph 2.79. As departmental investment plans are intended for internal decision-making, how do you think these plans can be improved so they are more useful to the departments and meet the recommendations of the Auditor General?
Comptroller General of Canada, Treasury Board Secretariat
That was a really interesting piece of the report from the Office of the Auditor General.
What we found in some follow-up, because frankly I was a little surprised by that finding, is that larger departments find them more useful than small departments. That makes perfect sense because large departments have bigger investments than small departments. If there's something going forward, maybe we have to look at lightening the requirements on smaller organizations even more, but the large investment-type departments find it more useful than the small.
The second bit is that the process itself is valuable. Making sure you've actually gone through a department-wide process to land on the priorities is a useful process in itself. As the report also mentions, TBS does make extensive use of the information in doing our own work, so it is used.
Conservative
Dan Albas Conservative Okanagan—Coquihalla, BC
Mr. Scott-Douglas, you mentioned in your opening comments that you are looking at efforts, particularly on how to rightsize the reporting requirements to the organization that will be doing the reporting.
Is that kind of hand-in-glove with what Mr. Matthews is describing as far as the process for investment plans is concerned?
Assistant Secretary, Priorities and Planning, Treasury Board Secretariat
Yes, indeed.
I think, as I mentioned, a core principle of the foundation framework is ensuring that issue of proportionality, that you tailor not just the reporting requirements but all requirements to the risk and to the factors within departments. We're very much building that into the policy feed reset that we're undertaking that is mentioned in the chapter. All of the Treasury Board policies, that is the some 70 policies that currently exist, are being looked at through that lens. An important component of that is the particular challenges that small departments and agencies might have, particularly around capacity to do some of this reporting. In many cases you have one person wearing eight hats, so you have to adjust things accordingly.
NDP
The Chair NDP David Christopherson
Madam Cheng wanted an opportunity to comment also.
Please go ahead.
Assistant Auditor General, Office of the Auditor General of Canada
Thank you, Mr. Chair.
It's just to maybe help explain a point about the investment plan.
I think with respect to what we saw, you'll see in paragraph 2.26 the help needs to be given more to the smaller departments and agencies. What we found from our survey was that about half of the organizations found they could use more help in terms of getting more clarity on completeness, and guidance on completing those investment plans. Maybe that's part of the reason why those plans weren't as completed, as well as maybe they find it less useful because they don't fully understand what was asked of them in pulling that information together.
Conservative
Dan Albas Conservative Okanagan—Coquihalla, BC
This goes back to what I said earlier, that the workshops, the templates, the more interaction you have with these small departments is a good thing. Therefore, moving forward this will help those smaller organizations to be able to report in a more efficient way. Is that correct?
Assistant Secretary, Priorities and Planning, Treasury Board Secretariat
That's right.