Public Accounts Committee on Oct. 5th, 2017

Let me begin by saying that we absolutely agree that 34% is not an acceptable number.

As Mr. Kennedy said earlier this week, we take a risk-based approach to these things, so while it is mandatory, we are targeting those we feel need it the most.

With respect to the number, we have a fair number of transients and students, so if we take out those people who are with the agency for less than three months—because we have surge work during the summer, and other things—that number jumps to 59%. That's still not acceptable—we would agree—but it's higher.

With respect to our inspectors, virtually every inspector who has gone through our prep training before heading out into the field—so, 100% of those—have, after graduating probation, gone through values and ethics training, including the issue of fraud.

With respect to our 1,300 delegated managers who are responsible for signing, they have all had to, again, complete the delegation training, which includes a module on values and ethics.

When we look at some of the areas where we feel there is greatest risk, then I have a certain degree of confidence to share with the committee that we have a number significantly above the 34%. Again, as I said in my opening, that's still not acceptable. That's why, at the beginning of this fiscal year, we wrote into all of my executives' management contracts that mandatory means mandatory, and it is part of their performance objectives to make sure we achieve that.

We will be following up. We are approaching the six-month, mid-year review to give them feedback. We have a quarterly report that is shared with us at the management table to ensure that we are actually doing what we said we would do.

The final thing I would share with the committee in terms of confidence is that we take this very seriously, beyond just the mandatory training. Within the Canadian Food Inspection Agency we have an inspector general's office, whose role is to take a look at the work of inspectors to make sure that, when presented with this information, they take the same or consistent action. That's a way for us to see if somebody is taking action that looks a little different from what would be the norm. In the same way we would mine our procurement data for variabilities that would be flags that there is something a bit off, we look at what our inspectors are doing to make sure they are behaving in a consistent manner.

So, I certainly agree that 34% is not where we need to be. We'll be taking action to increase that number. However, we have been focusing on those areas that are at greater risk. We have also made it mandatory in terms of the performance agreements of our executives, and we will be following up with them to make sure this number is moving up significantly and quickly.

Thank you very much, Mr. Chair.

We too find this unacceptable, the numbers that we see in the report. I have to say I was surprised by what I saw. I didn't think it reflected the way we actually operate at PSPC.

I'd like to tell you a bit about what we do. Maybe that explains the numbers that we have.

The first thing is that in every letter of employment, the employee signs the letter, and agrees that they will abide by the code of values and ethics. They will look at the conflict of interest and let us know, and fill in the forms within 60 days of their appointment. They undertake the obligation to take the course of values and ethics through that. Now, I think part of the issue—and it goes back to data and collection of data—has been that this is how we verify that and collect that information.

The second thing we do is we focus a lot on the high-risk areas. For that, where the sense of reassurance for us is that no one will get their delegated authority without having taken that course. That was a bit of the check for us.

Again, I'm not sure that we have the appropriate tools to report some of this so what we did was launch, in April, a management system to actually track and help managers track that so we can report on the numbers, be able to track them in time, be able to be sure that we do as, Mr. Glover said, what we said we would do.

We've also introduced a new online ethics awareness tool. We've also introduced a new online course to identify and report fraud and wrongdoing. That was launched in May. I have to say that in preparing for this committee...I'm going to go back and see what areas we're actually going to make it mandatory. I think not leaving it as an option for some of the high-risk areas is going to be important. We're going to do that.

We also have conflict of interest training that was updated in the spring. We have introduced a number of measures since the report to build on what we were doing already. I think the tracking and making sure we have the tools to really ensure that we're doing what we said we would do, that we keep managers and executives aware of that, and we give them the tools to track that, is very important. We've put that in place.

The new system that we have in place is called ALTO. It is an online virtual tracking tool that allows us to follow the training of our employees in a virtual environment, which we didn't do before.

A lot of this was left to the managers to track and make sure employees took the training that they had to do. We're moving from that to really making sure that we have a centralized repository of who's doing what and when, so we can actually go in and make sure that people are doing it.

So, now we have the tools and we do have the capacity to do it.

Mr. Chair, if you'll allow me to say so, the comments of the honourable member really resonate with me. This is completely unacceptable. We have practices in place. At PSPC we manage more than 50,000 contracts a year. We have to have a rigorous framework and rigorous processes. If you'll allow me, I'd like to give you a sense of the things we have put in place.

There are obviously the codes of conduct. I said in my opening comments that we have codes of conduct not only for employees but for procurement officers. We also have something that I think is fairly unique: a departmental oversight branch. We have put under one branch the investigations, the good practices. We have an investigation capacity at PSPC to make sure that if we hear or receive complaints we have teams who can look into them, make recommendations, and take appropriate measures.

We introduced, as you probably know, an integrity regime back in 2015. We're starting consultation to see whether we can improve it. Also, just recently—in April—we launched a fraud tip line. That was for us a completing of the circle. It's a partnership with the RCMP and the Competition Bureau. If anybody has a complaint and wants to be—

Internally, on a weekly basis now, we do the checks. I'll provide you the numbers; they have improved quite a bit since we started doing this on a weekly basis. We've improved the quality of the data, which is something the Auditor General had identified—

We've put a few measures in place to make sure we can track these things. Some of them were in place, but some of them have been improved since the report from the Auditor General.

We now have a documentation protocol to ensure consistency in contract hard copy files, allowing us to track better whether there are trends that should be preoccupying us.

We also have bolstered our procurement fraud risk sessions and have made sure that all procurement officers will have increased their awareness in order to be able to detect—because we're focusing on detecting—and then correct as needs be.

We also have launched guidelines on quality assurance—

When we detect them, we either do an audit or we verify or investigate, if we have any suspicion that there could have been fraud associated with them. If need be, we will take measures to ensure that the situation is corrected, if it's a problem of ignorance or lack of awareness. If we have any indication that there is actually mismanagement, we take the disciplinary measures that are required.

The procedures would be put in place, and the ultimate authority would be with the Department of Immigration. Functionally, however, on a day-to-day basis the head of mission has responsibility.

In one such case, we were doing a routine inspection of the mission. Misbehaviour was identified in the course of that, and on the spot we interrupted that individual's functional work and then immediately worked closely with IRCC to conduct the investigation and take the remedial action.

Not quite. The individual would be the employee of the immigration department, and therefore the ultimate action and so on would be enforced by immigration at headquarters, but in the post, the head of mission would take the appropriate action. The interaction between the two departments would be immediate so that we would be working together on it.

I agree that is the standard, and that is the practice that should be followed. We have now remedied that with information tools that will track that data so it is retrievable.

We use the Canada School of Public Service for the delivery of our basic core values and ethics training program, and they do have the information base, the data program that allows for that comprehensive tracking. We can download that for each employee as needed through that system. We're confident that in the future that information will be available, as it is now.

We didn't specifically define the term “in a timely manner”. Certainly, I think the results that we found indicate that the issue was more than just new hires who hadn't yet gotten around to taking the course.

I think that is always going to be the case. I think it would be very rare that an organization will get to 100%, because there will be new hires.

Again, I think some of the comments we've heard on this issue mean that there does need to be some reflection on the mandatory aspect of this training. We've heard some things like transient employees, student employees, and things like that. The departments have now said that the training is mandatory for everybody. If it doesn't need to apply to students or somebody else for whatever reason, then don't make it mandatory for them. On the other hand, maybe there should be some other type of program for the transient employees and the student employees.

I think the problem we ran into was that the departments had made this mandatory for every employee in the organization, no matter what. What we're hearing is that most of them are saying that they're actually applying it more on a risk basis, which could make someone ask why then it is mandatory for everybody. If it's only the ones who are the riskiest that this really applies to, then make it mandatory for them, and perhaps adopt some other approach for the rest.

We didn't actually determine the timeliness, but I think there are some fundamental changes the departments need to make, to make sure that the people who are getting the training get the training, and that they get it as quickly as they can. I think it will be up to them to define timeliness. In the end, I think it will come down to a judgment on the reasonableness of their definition of timeliness.

Mr. Chair, certainly we did find issues in the different practices in all of the organizations. None of them were doing them all 100%.

Oh, oh!

Thank you, Mr. Chair. I'll be very quick.

I have two points on this. I think there's an issue to be pursued here around the quality and sophistication of our data analytics. That's a cross-government issue that was touched upon on Tuesday. As the tools get more sophisticated, our data is not always as relevant or useful as we'd hope, due to inconsistencies. So it may not be inaccurate, but it may not be consistent. There's some sophistication related to our analytics that has to be improved.

The second piece is with regard to internal audits across the board, done by both my organization and the chief audit executives in each department. The most consistent finding in internal audits is poor documentation. There may not be a justification on file, or something may be missing. It doesn't mean the rule was broken; there's just a lack of evidence.

If I could sort of pull one finding that crosses all audits, we keep bumping into that one.

Thank you, Mr. Chair. Maybe I'll start, before I turn to Mr. Ferguson to let him finish off.

I don't want to put words in his mouth, but I would tell you, and this is pure opinion, that the data issue is not new. It's coming to the forefront more and more, because the data analytics tools are becoming more sophisticated—we want to make greater use of data. It's thus putting pressure on our data. The people who are collecting the data are often not the people using the data. We have a cultural issue, in the sense that the accuracy and the relevance of our data are becoming more and more important. We need to drive that cultural issue down to make sure we get accurate data.

If I may offer advice to the committee on what to do, it would be to challenge the data that departments are collecting: is it relevant; is it accurate; how are you using it? Those are the three themes that have to come out.

Mr. Ferguson will likely tell you in a moment that we collect all sorts of data. The question is around how we use it and whether it's the right data. We probably collect more data than we need. For me the real issues are around how we use it.

I certainly agree with the committee's challenging the department whenever we are bringing forward issues around data and data quality. The way you just posed the question very clearly sends a message. The fact that the committee is very clear that anybody who is going to be appearing here can expect to get questions about data and that you will continue to challenge it is, I think, a strong message. You need to continue to do so and to continue to reiterate this.

As to what needs to be done to actually fix the problem, the way I keep looking at it—and I think I've said this before to this committee—is to determine whether, if I look at any organization preparing a set of financial statements, the data is good enough in quality.

The quality is there such that we can produce an audit opinion on the set of financial statements. That's because the culture and the environment have been built up to put controls in systems to make sure that what's going into the data is properly captured and recorded. It's my opinion that departments don't have that culture necessarily in all of the other program support systems.

Systems that don't feed into preparing a set of financial statements don't produce a lot of financial information, but they are important perhaps for managing who has taken training or for managing how long it took to resolve a declaration.

When you're dealing with those types of program support systems, which are equally important to making sure that people are getting their values and ethics training and so are a very fundamental issue, the same level of controls isn't applied to the data being entered and to making sure that the data can be used.

The system, then, knows how to make sure that quality data gets entered into a system. The system certainly does it to an acceptable degree to produce a set of financial statements, but it doesn't always do it for the other systems. That's what needs to change. The culture needs to broaden that control-of-data mindset from financial systems only to all their other systems.

Let me just add from the perspective of a department that the Auditor General said has a number of specific data practices on contract management are in the positive ledger.

I would say that program data—and I agree entirely with what Mr. Ferguson just said—has been developed in departments over many years, typically for each program. The kind of culture we've had in the past has neglected to build in the retrospective data analysis that would then allow program managers and auditors to seek what they seek, which is assurance.

It's the assurance, then—how did you know that the right things were happening?—that has been missing in our program data. Program data systems have been designed to run programs effectively but not to do that last piece, of providing auditors and program managers with assurance.

That's one of the things we've done with our new contract data tool, which asks the kinds of questions needed for monitoring on a comprehensive basis. We now have it implemented as of September—last month—to provide assurance. It is, though, an enormous task to go back over all of the program data systems, retool them, and add that last piece.

I have just one bit to add.

One thing we've done concretely—we were using analytical tools and seeing that the data was not good quality—is actually provide training to people who enter the data, so that they really understand what it's being used for. We saw a dramatic increase in the quality, and the results, and that the queries were appropriate ones. That's one thing that's been done that we're seeing success with and that we're going to continue.

Thank you, Mr. Chair.

No. We haven't done any follow-up work on this issue since then, so I think you're better off hearing from the deputies about what they've done since the audit came out.

I have a couple of thoughts on that. I think that the committee is raising a very important point. One of the things that we're seized with in our department is the fact that if we want to have continuity in being able to check whether or not things are being complied with, we need to work at the front end. We need to work on how data is tracked, and we also need to do after-the-fact checking.

To be specific about the tracking of allegations, since the report of the Auditor General, we have modified our allegation logs to make sure that we standardize how we capture the information. This is so that we can do the proper follow-up, to see and track some of the measures that we have put in place. If we have started an audit, a forensic audit, or an investigation of some sort, we can actually track until completion what happened to that allegation. They are recorded in the database, and we are capable of asking, on any given day, where we are on all the allegations that we have received.

We have now also included the status of any recommendation that may be coming out of those various ways of investigating those allegations. I'm also very seized with the fact that whatever comes out of these, even if they're unfounded, sometimes they can reveal the fact that some of our employees may not be properly trained.

We don't stop at saying that the allegation was founded or unfounded. We push it a little further and ask ourselves what we have learned from this. We want to know if there is an awareness that we need to extract in order to feed it back into the front end so that people understand, or so that we can actually correct whatever we see. Even if there is no mismanagement or reason for disciplinary measures, we try to extract the learning from every allegation. We do this to address the issue of transparency but also to correct the training that we're providing so that we mitigate errors as much as possible.

On some aspects of the procurement data, the Auditor General said that we were adopting a good practice. On the issue of the allegations of fraud, we have put in place a new case management tool that would satisfy the observation and the recommendation of the Auditor General, including migrating files that were not in that system into the system. Some of that work is completed and the rest of it is on track for completion by the end of the fiscal year.

I could both answer succinctly and go on at great length on this topic. I'm happy to do that with the committee if there's another round or colleagues want to pursue that further. There have been cases, and we've learned a lot.

Thank you for the question.

In our case this would mostly concern procurement, since that is the high-risk sector; employees must of course have a security rating, but we must also provide training so that employees have adequate guidance and have all of the tools they need to do their work.

If fraud is alleged, there is a mechanism that triggers an investigation. Depending on the allegation, an employee can be moved quickly. There are all sorts of consequences of that sort. You can be certain of one thing, and that is that we would never let an employee who has been accused of fraud work on anything having to do with procurement.

What's interesting is that only 4% of complaints having to do with procurement turn out to have a basis in fact, but 30 % of complaints trigger recommendations from our investigation sector. We are improving things in this regard, and we are taking advantage of the opportunity to improve our processes.

Maybe I'll start, Mr. Chair, and others obviously may wish to chime in.

The way the government works, there is a policy in procurement that outlines the rules—a Treasury Board policy. PSPC would then have additional guidance that impacts contracting roles.

As a manager, if you wish to put a contract in place, you are typically dealing with a contracting expert. They're the people who would ensure that the policies are complied with, etc. You then have internal audit, who can take a look at whatever contract they like, and the same goes for the Office of the Auditor General: they are free to pick whatever they want to pick to do audits.

The additional piece that you'll see in the public sector is transparency. There is a great deal of disclosure that goes around our contracts. You will thus see sole-source contracts, etc., disclosed on a quarterly basis. My experience is that this transparency piece is as effective a control as all the others put together, because realizing that this is going to be public makes people stop and think.

Don't, therefore, lose sight of that transparency piece. I would tell you that it's probably the biggest difference between the government and the private sector.

I'll start on the audit piece and maybe let Deputy Lemay talk about the whistle-blowing piece.

In my experience under audits, I would say that 99.9% is lack of awareness and improper documentation, sloppy paperwork. Rarely do we bump into fraud issues on the contracting piece.

That, however, is just routine audit. On the whistle-blowing front....

I could add that of the complaints we get—this is what I was saying earlier—4% to 5% are founded complaints, but again, 30% we learn from.

I just want to clarify what our role is. When there are those types of allegations, people can bring them to the the Integrity Commissioner, PSIC. They can bring those forward. Our role is to investigate when people have complaints about how PSIC handled one of the allegations. If somebody brings an allegation forward to the Public Sector Integrity Commissioner and feels that organization didn't handle the allegation the right way, they can come to us, and then we can look at how PSIC did it.

Right now, we can't investigate if there's a member of the public saying that PSIC didn't handle an investigation the right way, and we can't investigate certain cases of reprisal within PSIC, so it does not give us a broader mandate in terms of all government departments. It gives us a broader mandate in terms of our role to investigate PSIC if there are complaints about PSIC.

Certainly, it is expanding PSIC's role in terms of investigations.

We get cards and letters all the time about issues within government, and we always take those into account in our planning for the types of programs we want to audit.

We don't have any obligation to investigate each and every one of those. We just take that as information to use in our audit planning, so if there are complaints about how government departments are operating, that tends to go through.... People can do that. There are a lot of ways they can do it. They can do it within the departments themselves, or they can avail themselves of the legislation that allows them to go through the Integrity Commissioner.

What we do with all of them is to look into them to gather enough information for us to understand whether it's something for which we already have an audit plan—so we could include that—whether we feel it is something that is telling us there is an area we should audit, or whether it is telling us there is something we should pass on to the internal audit group of the department.

We look at every one of those to determine what the appropriate course of action is, which could be that we decide to do an audit on the program that the individual has complained about.

Thank you very much for your question.

In 2014 we conducted a risk assessment of the entire department, and we update that on a continuous basis. This was done in 2016, and the data we collect by consulting all of our employees help us to determine in which sectors there is a greater risk of fraud.

We do this in partnership with a private firm that helps us. In 2014, for instance, we hired Deloitte, who helped us to conduct not a survey, but meetings with our employees.

That allowed us to collect all of the information and to establish that from one region to the next, including our headquarters, it was this or that type of situation that constituted the greatest risk for the department. During the last update after the 2016 budget, we saw that it was important to take a look at construction contracts, because there had been large investments in infrastructure. We then systematically and proactively identified all of the employees who worked in that area and provided them with specific training on fraud in construction. After preparing a training program, we added a part to our mandatory training so that it covered that aspect as well.

And so our objective is to proactively identify, together with our internal audit committee, which sectors need particular attention with regard to ...

No. We do it systematically, and regularly. We are about to do a complete update and redo the evaluation conducted in 2014. In 2016, we only did an update.

We are currently in the planning phase to redo that risk assessment, and we intend to make this cyclical, that is to say to do it every two or three years, precisely in order to ensure that we identify the risks and respond. We don't stop there, but we redo assessments in order to see whether new fraud risks emerge so that we can deal with them proactively.

Recently, as deputy minister, with my more experienced colleagues, I designed a fraud management action plan. It rests on three pillars: first, prevention through training. We already discussed that here.

The second is monitoring and detection.

Finally, we adopted a more coherent approach within the department as to corrective measures, and the disciplinary measures to be taken when necessary.

This is comprehensive. It has involved all of the relevant organizations within the ministry, including our inspectorate general, our internal audit, finance, and human resources, which are the main delivery points we have.

Yes, it is, absolutely. From the first day, I personally conveyed our concern regarding fraud prevention to our chefs de mission, before they deployed.

Sometimes the involvement of the heads of mission...some of these practices, I think are almost at the level of human judgment and intuition, which even the Auditor General and his team, with respect, are probably not able to detect. They are things like the heads of mission knowing where the storage room is in the mission and what's inside, as opposed to thinking that is the responsibility of somebody else. Also, just being aware of the behaviours of locally engaged staff, so they notice when someone's lifestyle is inconsistent with their income from the mission. Then working with the management and consular officer to keep an eye on the areas of greatest risk and when there is doubt, they call home. I've been explicit with them to call home, call finance, call HR, ask for help, and not just try to figure it out on their own.

In response to some lessons learned, and trying to knit together some of the other questions, for the part of it around data, we realized we needed to centralize the controls. We had too many systems. We now have one system for procurement. We have a vice-president of the corporate management branch, who looks at all contracts, and a procurement person to see if they're splitting. You talked about the company name. We've moved to a business number that's across all governments, so we're taking steps like that to be able to do it.

With respect to our front-line staff, people will recall Sheila Weatherill's report. With regard to regulatory capture, our inspectors in high-risk locations are now rotated. They don't say there for extended periods of time. So there are a number of very specific lessons learned that have driven real changes in what we do and how we do it, and in our policies.

Thank you for your question.

There are two parts to my answer.

First, certain organizations are responsible for helping the departments protect Canadians' data.

They're not at this table, so I don't want to answer on their behalf in terms of the protocol to properly protect data and systems. The more relevant piece for me is this.

We carried out an internal audit.

This was related to IT security, and it was across government. We had some findings that we have shared with departments and the other organizations to really reinforce best practices about patching your software and things like that. Those were the key findings of the audit—across government and best practices in terms of protecting data. That has been shared with all departments. That's really all I can add on this question for now.

We have a plan in place regarding cybersecurity in our department. I can give you an example.

It's popular now to use USB keys on computers to share files. We insist that that type of technology be encrypted, which makes it impossible to use without a code. Now it is practically impossible for anyone to share files without a very secure system. We put this type of measure in place, and we will be bringing in other measures over the next few months.

I would simply add that we co-operate with Shared Services Canada, where they have protocols, which allowed us to greatly improve our internal practices and security.

Thank you for your question.

In paragraph 1.3 of the audit report, we mention that “there is no reliable estimate of the monetary effect of fraud on the Government of Canada”.

We simply presented the issues that are in the report, those that existed at the time the report was prepared. And so it is impossible for me to tell you if the situation has changed.

Thank you for your question.

As the member said, given the size of the Government of Canada, there will certainly be fraud.

That said, the third volume of the Public Accounts of Canada contains information on the loss of public funds.

That table is the losses that we are aware of. The bigger question is whether there are losses that we're not aware of. That's an impossible question to answer.

What I would tell you is that over the years we have shifted the balance between prevention and detection. In the past, we spent a lot more time auditing, detecting fraud after the fact. We have shifted with a new policy on internal control; I'm going to say it was about five years ago. Departments have to do an ongoing assessment of their internal controls, which includes risk of fraud.

I think one of the questions in this audit is whether that link to fraud and internal controls is explicit enough, or do we have more to do from a policy perspective? That's one of the questions that this audit has us thinking about.

No, it's actually a policy that Treasury Board issues. It tasks each department with doing an annual assessment of their internal control environment, on an ongoing basis.

They have to disclose what they've done to monitor the internal control environment. That includes audits, but more importantly preventative measures. They're on the hook, then, to also take action on any known weaknesses. There are known weaknesses. The internal control environment is not perfect.

That, to me, is the biggest shift we've seen, that disclosure and that focus on internal controls.

The take-away for me on this is whether we have done enough to ensure that in that internal control assessment we've put enough emphasis on fraud as being part of it.

Thank you for your question.

I am happy to inform you that we are going to put in place the necessary system to collect all of the data to ensure that all of our measures are up to date and coordinated. We increased the number of people who manage the allegations in order to be able to give an answer faster. The turnaround to provide an answer is about 40 days, which is shorter than in the past.

We are confident. There is a continuous improvement process. We are putting the system in place and making sure that it functions as expected and that we have the necessary human resources to manage the fraud allegations.

I no longer know which point I wanted to speak to.

Let's talk about conflicts of interest, since that is the topic of your question.

In his report, the Auditor General indicated that Public Services and Procurement Canada had good measures to deal with conflicts of interest. In the letter we give to employees, we ask them to complete a form within 60 days. Afterwards, we assess the conflict, we return the letter to the employee, and we send a copy to the manager.

However, one thing was missing in our system. We had all of the information, but we did not record the decision we made. We shared the decision with the employee and the manager, but it was not entered in our log. So we added that column to make sure that we closed the loop.

There are two other points I'd like to go back to.

First, you asked a question about the internal process. One very important thing changed and that is how we determine the risk profile. It often used to be done according to an ascending process from bottom to top. We changed our approach and now things come from upper management and the employees. As you can see in our risk profile this year, fraud was detected. This is very interesting for us.

There is one last thing I wanted to say. Indeed, internal controls are very important. However, as deputy minister, I believe it is really very important that we give as many opportunities as possible to employees so that they can let us know if something is not right. Consequently, it is very important to create a culture where people and entrepreneurs will feel that they can disclose things and know that we will follow up.

And so we have a multitude of possible entry points. The challenge is that if we do our work well, our numbers are going to increase.

Regarding procurement, for instance, we went into further detail. At each step of the process, we have different groups and committees that identify the risks, determine what we are going to do, and what measures we will put in place.

Absolutely.

Absolutely. However, as several of my colleagues said, we are all very aware of the need to deliver the message continually. We don't just do it once, twice, or three times; we do it constantly.

I can give you the example of the integrity regime. We improved it, in fact. Now we have all of the versions of company names in our data base.

We are learning and we will continue to learn. Audits like the Auditor General's help us to do that.

I would add a brief comment to what my colleague just said. We cannot neglect our internal audit structure either.

Given our large contributions program and the fact that we have a series of partners with whom we transfer a lot of money, the audit process is very systematic. Every year, our audit plan includes one component from our internal control mechanisms, which is audited by our internal audit committee. We make corrections on the basis of the results.

As for fraud allegations, we put in place an audit list. When our auditors start an audit, one element leads them to auditing that aspect as well. I don't want you to get the impression that we work in a strictly linear way, as systematic work also goes on under the radar.

I can tell you quite honestly that my internal audit committee is top-notch. I take their recommendations into account very seriously. The dialogue is very intense, but since these people come from outside, they can help us to see things we can't see from the inside.

I wanted to give you that assurance.

There are two things on this.

The first point, concerning the role of Treasury Board, is that it's first of all a policy function. I think you have been given a sense of the varying risks that each deputy's department faces in terms of fraud. Mr. Shugart's risks are very different from the ones faced by Marie Lemay, if you compare a foreign consulate to procurement. When you're looking at policy, you're doing things that are government-wide.

Personally, I think we have the right policy. The question I have in my own head is, have we done enough to ensure that departments' chief financial officers are aware of all the tools out there to help them in assessing fraud risk? What's great about fraud is that it's not unique to the public sector. There is all sorts of guidance out there already on how to do fraud risk assessment.

We'll wait for the committee's report, but one of the questions for us—we're raising awareness now—is whether there is more we can do to formalize some of the tools and practices that are out there.

The other point I would make, in terms of follow-ups—and Madame Laurendeau touched on it—is that internal audit work in this area is important. In addition to the work the AG has done, over the past four years there have been about eight internal audits that have looked at fraud in one capacity or another—either risk management, conflict of interest, or specific to fraud. Every internal audit department in the Government of Canada does follow-ups on the recommendations, so they know the status. Just as the AG follows up on their recommendations and this committee does as well, internal auditors do the same thing. That's an important mechanism, in terms of tracking any previous recommendations.

I was just expressing sympathy with your task, Chair; I wasn't asking to speak.

Oh, oh!

I think it is very much definitional. It's a matter of deciding what is mandatory, and then mandatory is mandatory. If a department says that something is mandatory, that's going to attract auditors. We take their word that it's something that has to be in place.

If there is an area in which something doesn't need to be mandatory, then just say it isn't mandatory; don't make it mandatory in that part of the organization.

Probably in this case, if we accept that there's always going to be turnover and ask how we get to 100%, the question can be better dealt with by a clear definition. For instance, a definition could require that within so many days of being hired, it is mandatory for a person in a given position to take a certain type of course.

The problem we have right now and when we do the audit is that when we see that something is mandatory, we go in at a point in time. If somebody has just been hired the day before, it's probably not reasonable to expect that they will have followed their values and ethics training by that day. When we do the audit, we pick a point in time, and there is no definition, really, of what “mandatory” means.

I think that if there is a clear message that a given type of training is mandatory for people in given positions and that mandatory means mandatory within a certain time frame—you have to follow the training in x number of days—then you have something for which the expectation is clear, reasonable, and measurable.

I would just say that frankly we do this to ourselves as deputy heads—we set the policies for our own organizations. One thing we've realized is that we have to be smarter in our way of delivering our mandatory training. At CFIA, we have about eight modules that are all mandatory. Rather than run eight different courses, we're looking at how we do orientations for new employees, and we put all of those eight modules into one learning so that we can do it all at once.

The same is true when we promote somebody to the managerial level: there are a number of mandatory courses there. Rather than deal with them as separate courses, we're trying to put them together—working with the Canada School, as Deputy Shugart said—to be smarter about the way we deliver them.

With respect to the risk-based comment that I made, I want to underscore that we do that when we're trying to catch up. Rather than “blunt force” treat everybody as equal, when we realize we haven't been where we need to be we prioritize who is trained first.

I would say that we would look at some of those transient workers and say that there probably is a risk and that they should have training around fraud. It's just that when we look at whether we want to spend some time, while we're catching up, training somebody who is only going to be with us a few months rather than an employee who is indeterminate and there for the long term, we choose.

Once we're caught up, we will behave far more rationally. Mandatory will be mandatory, moving forward.

Along the same lines, Mr. Chair, I think we are a little blunt when we say mandatory. The mandatory training, government-wide, comes from Treasury Board policies typically. Maybe we need to look at some of the wording when we say mandatory—make it within a certain timeline, as the Auditor General suggested, or maybe just make it a little less blunt.

Within each department, if a deputy decides that something is mandatory for their department, that's their decision. But when you're bumping into the issues government-wide, it's typically a Treasury Board policy.

I'll be very brief. The only thing I would add is that in our case, what we are making sure is that when we learn from things that come from audit or a fraud investigation we target the people who absolutely need to have the most detailed knowledge. We do the mandatory training for everybody, because everybody should have a basis, but there are some common job categories for which we really target. That's what we did with the construction fraud. We wanted to make sure we were avoiding the risk of finding out at the end that people didn't know what they should be watching for.

That's all I wish to offer.

Oh, oh!

Yes, it was simply that fraud risk is something that every organization faces, whether it's in the federal government, other governments, or in the private sector. When we did this, we wanted to see what a diverse group of organizations were doing, because they all face the same risk. Even though their businesses are different and even though the types of risks they face may be different, they all should be very aware of what their fraud risks are. We wanted to make sure we weren't looking at a bunch of departments that were all the same.

That's exactly the issue. When we do a policy, it has to be at a government-wide level.

One thing we'll wrestle with when this committee produces its report and makes its recommendations is what we need to do, if anything, to adjust our guidance. I would tell you that my instinct right now is that the policy is probably at the right level, because of various risks that are so different from department to department. There may, however, be some things we can do from a guidance perspective to help out deputies, chief financial officers, and internal auditors in properly framing the risks related to fraud as they fit underneath our internal control policy.

Thank you, Mr. Chair, for the member's question.

We have completed it. Compared with the previous 185 days, as the Auditor General found, we're now operating at just 41 days. The system is in place, and we've seen a marked improvement. We'll continue to make efforts to further improve that response time.

We have completed part of it. The migration of the case files is complete, and the rest is on track, in our opinion.

Yes. It is completed.

I want to take the opportunity to thank you for pointing these things out. I apologize for not giving it in the right format. We'll do better next time.

We believe we are well on track to be doing this. We are working very closely with our bargaining agents.

I will say that as a regulatory agency too, we are using this opportunity not just to look at our own internal risk of fraud; a lot of the work that our inspectors do is to find inappropriate behaviour on the regulated parties. We are working collaboratively to deal with both of those issues.

We feel we are well on track to be reviewing our suite of training and to be able to deliver it as per the work plan.

We believe that with respect to those recommendations and actions we're on track.

In response to the audit, we are now doing our monitoring every week. As we're getting the analytics better, we realize how important the data quality really is. You can get a lot of small inaccuracies, but then people are not focusing their time on the really important issues that are surfacing. Providing training to people who are actually entering data into those databases reduced the number of false positives. This has been helpful because it allows people to focus on the real things and single out what doesn't look good and then put it through the system for verification and identification.

I'm glad to have the opportunity to talk about this, because this is an area where we felt we made some significant progress. From our perspective, we thought that we needed to look at it from different entry points as opposed to being completely linear. We increased the training, but we also did a lot of heavy lifting to make sure that our files were recorded in a standardized way. Through that standardization, we can all capture the same data and compare what we see. We can extract data and examine any funny trends coming out of that. We've done a lot of work in cleaning up our files and training employees to maintain the filing system the same way from coast to coast to coast so that we can do a proper analysis. That was a big piece of work.

The second piece of work was our tracking form, our audit standpoint. People go and check similar things so that we can pick up the things that are not adequate.

The last thing we're working on—and it's not quite completed—is using software analytics to help us speed up and find anomalies in our electronic file. This will allow us to recognize these anomalies, delve a little deeper, find the problems, and spot the trends. I'm confident that we're going to progress significantly in this area in the coming months.

Thank you for the opportunity to mention what we've done.

To answer this question, maybe I could harken back to comments from the Auditor General and those of my colleague, Ian Shugart, around the culture and financial reporting, and the way that program managers can be oriented. That's very relevant for my organization.

Health Canada has far-flung operations, including very small operations in northern Ontario and northern Manitoba, and all over the country. Historically, when it came to procurement, it was a much more decentralized model. You had procurement for various kinds of goods and services taking place at different locations across the country.

The impression I have as deputy minister is that when you look at the needs in the delivery of health care services, for example, they're very different depending on the region. Medical transport procurement and the needs are going to look a lot different in northern Ontario and northern Manitoba than they would, say, in a more developed area like maybe outside of Halifax, Nova Scotia. It's not really surprising in some respects, when you hear some of the concerns around how come the names of companies differ slightly and so on. Well, it's because a lot of this is being done by local people using local systems. It all kind of gets rolled up, and when you roll it up you may not get the consistency you want.

In the last two to three years, we have transitioned to a different procurement system. We basically have a single kind of backbone that handles IT and the management of the contracts. It's much more centralized, so it's going through a single pipe. It's all on a single system, and it's much easier, as a result of that, to do data analytics than it was in the old days when we were having to roll up spreadsheets and so on from all across the country.

If I could take the example that the Auditor General gave of accounting, I think a very big difference, culturally, is that with the people we have doing financial management across the country, their primary purpose is to actually give a picture of the financial situation in the department. They're all working off SAP, a common IT backbone. They're all working to very, very standardized rules. As a result, it's a lot easier to get a very good picture of what's going on and to analyze it. I don't think historically that has been the case.

On program delivery, where the people are more focused on delivering the program, the data is important—I wouldn't suggest it's not—but it wasn't really the business that they were in. They were in the business of delivering medical care to people.

I think one of the good things about IT—it has its challenges—is that with the systems we have now, at least in procurement, it's going to be a lot easier for us to do data mining and look for things like contract splitting. Only in the last two to three years, have we had that capability.

Mr. Chair, maybe this is bumping up against the one that's in my technical understanding. I think, for us, it's less that it's all being bought in Ottawa—and I'm not quite sure that's the case—but it's more that the change we've made has forced a measure of standardization. It's a common process.

We still have people who are identifying needs and making procurement decisions for the west or for the east—

It's kind of centralized. The forms they're using, the fields, and the system and kinds of the process they follow are the same.

I don't want to give the impression that we're all running it out of—

Very briefly, Mr. Chair, in response to the questions, as my colleagues have said, we've put a lot of emphasis on prevention, on training, to make sure that people understand their responsibilities.

As Deputy Kennedy said, we've gone to one system. We realized that there were too many, so we have one system. We have a centre of expertise that looks at this to make sure the fields are populated correctly. If we feel there's contract splitting, they don't allow the procurement person to go to that next step.

The oversight is centralized. What's decentralized is that managers are encouraged to manage, to make their own procurement needs. But we've standardized the system. We have a central sort of challenge function that is helping us make sure the data is there that we need, that it's standardized. Then they're the ones who are tasked with doing the data mining to make sure things are working the way they should.

We're also borrowing, as the auditor said, from the financial sector, to look at control frameworks, the stress test, how we do our data mining, what we should be looking for, and working with our departmental audit committee in that same respect.

Risk management is the management of uncertainty. That's what risk is. The member is absolutely right; things will happen. You look for the anomalies. These standardized systems—the use of dashboards in, say, project management—are becoming more pervasive in departments. They are very useful tools; they flag things that seem wrong.

I agree with you entirely, that's what you watch for. It's certainly how I spend a lot of my time.

Thank you, Mr. Chair.

Maybe we'll just take a glimpse into the future of audit. We've been doing some work over the years with standard audit language, to highlight anomalies that are worth looking into. This is an area that is exploding from an artificial intelligence perspective. Frankly, if you look five years out, you will see this type of analytics applied to almost every transaction, to highlight the risky ones.

We are doing a pilot. We have one brave chief audit executive who has agreed to do a pilot using one of these more advanced artificial intelligence tools on their organization, to be able to say how it works. It is going to change the nature of how we audit. Some of the lessons we learn can, I think, be applied to looking at program data as well.

Thank you.