Evidence of meeting #69 for Public Accounts in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Paul Glover  President, Canadian Food Inspection Agency
Marie Lemay  Deputy Minister, Department of Public Works and Government Services
Hélène Laurendeau  Deputy Minister, Department of Indian Affairs and Northern Development
Ian Shugart  Deputy Minister of Foreign Affairs, Department of Foreign Affairs, Trade and Development
Michael Ferguson  Auditor General of Canada, Office of the Auditor General
Bill Matthews  Comptroller General of Canada, Treasury Board Secretariat
Simon Kennedy  Deputy Minister, Department of Health

9:40 a.m.

Liberal

Paul Lefebvre Liberal Sudbury, ON

Fine.

9:40 a.m.

Deputy Minister, Department of Indian Affairs and Northern Development

Hélène Laurendeau

That allowed us to collect all of the information and to establish that from one region to the next, including our headquarters, it was this or that type of situation that constituted the greatest risk for the department. During the last update after the 2016 budget, we saw that it was important to take a look at construction contracts, because there had been large investments in infrastructure. We then systematically and proactively identified all of the employees who worked in that area and provided them with specific training on fraud in construction. After preparing a training program, we added a part to our mandatory training so that it covered that aspect as well.

And so our objective is to proactively identify, together with our internal audit committee, which sectors need particular attention with regard to ...

9:40 a.m.

Liberal

Paul Lefebvre Liberal Sudbury, ON

Excellent. I really appreciate your answer.

In addition, do you have someone who is responsible for these internal follow-ups? Otherwise, this is done on an ad hoc basis, once a year for instance?

9:40 a.m.

Deputy Minister, Department of Indian Affairs and Northern Development

Hélène Laurendeau

No. We do it systematically, and regularly. We are about to do a complete update and redo the evaluation conducted in 2014. In 2016, we only did an update.

We are currently in the planning phase to redo that risk assessment, and we intend to make this cyclical, that is to say to do it every two or three years, precisely in order to ensure that we identify the risks and respond. We don't stop there, but we redo assessments in order to see whether new fraud risks emerge so that we can deal with them proactively.

9:40 a.m.

Liberal

Paul Lefebvre Liberal Sudbury, ON

Thank you very much.

Mr. Shugart, I'd like to follow up briefly on my colleague's question about lessons learned.

Regarding internal audits, you said that you had taken certain measures and learned lessons from them. Could you briefly explain what you meant by that?

9:40 a.m.

Deputy Minister of Foreign Affairs, Department of Foreign Affairs, Trade and Development

Ian Shugart

Recently, as deputy minister, with my more experienced colleagues, I designed a fraud management action plan. It rests on three pillars: first, prevention through training. We already discussed that here.

The second is monitoring and detection.

Finally, we adopted a more coherent approach within the department as to corrective measures, and the disciplinary measures to be taken when necessary.

This is comprehensive. It has involved all of the relevant organizations within the ministry, including our inspectorate general, our internal audit, finance, and human resources, which are the main delivery points we have.

9:40 a.m.

Liberal

Paul Lefebvre Liberal Sudbury, ON

I will put the same question to you as to Ms. Laurendeau. Is that approach systematic?

9:40 a.m.

Deputy Minister of Foreign Affairs, Department of Foreign Affairs, Trade and Development

Ian Shugart

Yes, it is, absolutely. From the first day, I personally conveyed our concern regarding fraud prevention to our chefs de mission, before they deployed.

Sometimes the involvement of the heads of mission...some of these practices, I think are almost at the level of human judgment and intuition, which even the Auditor General and his team, with respect, are probably not able to detect. They are things like the heads of mission knowing where the storage room is in the mission and what's inside, as opposed to thinking that is the responsibility of somebody else. Also, just being aware of the behaviours of locally engaged staff, so they notice when someone's lifestyle is inconsistent with their income from the mission. Then working with the management and consular officer to keep an eye on the areas of greatest risk and when there is doubt, they call home. I've been explicit with them to call home, call finance, call HR, ask for help, and not just try to figure it out on their own.

9:40 a.m.

Conservative

The Chair Conservative Kevin Sorenson

I'll let Mr. Glover answer. He had signified that he wanted to make a very brief comment.

October 5th, 2017 / 9:45 a.m.

President, Canadian Food Inspection Agency

Paul Glover

In response to some lessons learned, and trying to knit together some of the other questions, for the part of it around data, we realized we needed to centralize the controls. We had too many systems. We now have one system for procurement. We have a vice-president of the corporate management branch, who looks at all contracts, and a procurement person to see if they're splitting. You talked about the company name. We've moved to a business number that's across all governments, so we're taking steps like that to be able to do it.

With respect to our front-line staff, people will recall Sheila Weatherill's report. With regard to regulatory capture, our inspectors in high-risk locations are now rotated. They don't say there for extended periods of time. So there are a number of very specific lessons learned that have driven real changes in what we do and how we do it, and in our policies.

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

Thank you, Mr. Glover.

We'll now move to Ms. Boucher, please.

9:45 a.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Thank you.

What you are saying seems very interesting. A lot of questions come to mind, but one in particular stays with me.

We all follow the news and read the papers, and we are all aware that certain countries are the victims of cyberfraud. Within the departments you represent, how do you ensure that Canadian data is completely protected? Cyberfraud is not a marginal concern.

I heard all of the witnesses, but no one spoke to this. And so I am raising the question, because this worries me considerably. We hear more and more about cyberfraud, in news reports on television. I would like to know how you make sure that our Canadian data is entirely secure? Are there any mechanisms in place to prevent that kind of fraud?

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

We figured it out, sorry.

9:45 a.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

I will put the question to everyone. Does each department have mechanisms in place to protect us against cyberfraud? It is understood that the risk exists.

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

Mr. Matthews.

9:45 a.m.

Comptroller General of Canada, Treasury Board Secretariat

Bill Matthews

Thank you for your question.

There are two parts to my answer.

First, certain organizations are responsible for helping the departments protect Canadians' data.

They're not at this table, so I don't want to answer on their behalf in terms of the protocol to properly protect data and systems. The more relevant piece for me is this.

We carried out an internal audit.

This was related to IT security, and it was across government. We had some findings that we have shared with departments and the other organizations to really reinforce best practices about patching your software and things like that. Those were the key findings of the audit—across government and best practices in terms of protecting data. That has been shared with all departments. That's really all I can add on this question for now.

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

Was there anyone else on cyber?

Mr. Kennedy.

9:45 a.m.

Simon Kennedy Deputy Minister, Department of Health

We have a plan in place regarding cybersecurity in our department. I can give you an example.

It's popular now to use USB keys on computers to share files. We insist that that type of technology be encrypted, which makes it impossible to use without a code. Now it is practically impossible for anyone to share files without a very secure system. We put this type of measure in place, and we will be bringing in other measures over the next few months.

9:45 a.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Thank you.

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

Mr. Shugart.

9:45 a.m.

Deputy Minister of Foreign Affairs, Department of Foreign Affairs, Trade and Development

Ian Shugart

I would simply add that we co-operate with Shared Services Canada, where they have protocols, which allowed us to greatly improve our internal practices and security.

9:45 a.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Okay.

Thank you very much.

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

Thank you. You have another minute if you want it.

9:45 a.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

No thank you.

9:45 a.m.

Conservative

The Chair Conservative Kevin Sorenson

Mr. Massé.