Annual Report of the External Members of the Audit Committee 2016-2017

Audit and Evaluation Directorate

Message to the President of the Canadian Space Agency

On behalf of the external members of the Audit Committee (AC) of the Canadian Space Agency (CSA), it is our pleasure to present the annual report for the year 2016-2017. We consider it an honour to be part of the CSA Audit Committee. We would also like to add that our work was greatly facilitated by the CSA's President at each of our meetings.

The issues associated with the space sector in an international context and the strategic role the CSA plays for the Government of Canada as a whole gave us an appreciation of the complexity of the context in which the CSA must operate. The nature of its intervention with the other departments, industry, international partners and universities exposes it to numerous risks over which it has limited power, which represents a challenge.

It is our opinion, based on our review of last year's achievements, that the CSA successfully integrated all of the new elements of governance developed in the last few years into its current operations. The CSA made full use of its new governance framework to judiciously manage its investments in accordance with the Five-Year Investment Plan (2014-2015 to 2018-2019). We believe that the combination of these elements should allow the CSA to make better-informed investment and project management decisions.

We also believe that the space strategy and the addition of $80.9M in funding for the CSA, as announced in Budget 2017, are major elements that should reduce the uncertainty regarding long-term planning that has been hanging over the CSA in recent years. We nonetheless consider it too early at this time to properly assess the impact these elements will have on the risks associated with CSA long-term planning. The AC will therefore monitor them closely over the next few years.

This report was prepared in accordance with the requirements in section 6.6.1.2 of the Directive on Internal Auditing in the Government of Canada, which specifies that the report will:

• summarize the results of the committee's review of areas of responsibility;
• provide the independent members' assessment, and make recommendations as needed on the capacity, independence and performance of the internal audit (IA) function; and
• present fully and solely the views of the independent members.

We are available to discuss the content of this report with you at your convenience.

During 2016-2017, members of the Audit Committee (AC) had the opportunity to assess a number of documents covering all aspects of Canadian Space Agency (CSA) management, including audit reports, the values and ethics framework, risk management, governance, the management control framework, financial statements, the Departmental Performance Report (DPR) and the Departmental Results Plan (DRP) (formerly the Report on Plans and Priorities [RPP]).

Included in the following sections are the AC members' opinions and recommendations concerning the AC's main areas of responsibility, along with an overview of the actions taken by the CSA to reduce the risks identified in past audits.

Over the course of the three meetings and two teleconferences held in 2016-2017, the AC members and CSA senior management engaged in a direct, transparent and constructive dialog.

1. Audit committee members' comments and recommendations – Main areas of responsibility

External members provide the President of the CSA with independent advice and recommendations on the relevance, quality and results of the assurance provided about the Agency's risk management, control and governance framework and processes. In this respect, the members assessed the various documents presented to the AC, including the Risk-Based Audit Plan (RBAP) and the audit reports.

To support the President of the CSA, the AC provides, in a methodical, integrated and risk-oriented manner, an oversight of the principal areas of management, control and accounting, including report preparation, within the CSA. In their capacity as the President's strategic resource, the external members also provide such advice and recommendations as may be requested by the President on emerging priorities or operational concerns.

The AC's 2016-2017 Annual Report focuses on the roles and responsibilities that the Committee assumed in accordance with its Charter and annual calendar of activities.

i) Evaluation of the internal audit function

The CSA's organizational structure ensures the independence of the audit function, since audit staff report to the Chief Audit Executive (CAE), who reports directly to the President of the CSA. The Internal Audit Charter ensures that audit staff has free access to all information, files, employees and consultants as required, that there is no interference with their Internal Audit function, and that they are free to submit their conclusions to the President of the CSA, to the AC, and to the Comptroller General of Canada.

The IA function complies with all the requirements of the Policy on Internal Audit. During the past year, the audit function has pursued its oversight activities in keeping with its program of quality improvement and assurance and has ensured that the processes and procedures stipulated in its audit manual were followed throughout the execution of the audit projects.

a. Internal Audit Charter

The Internal Audit Charter provides an accountability framework that covers its mission, its authority and its responsibilities. The AC approved the latest update of the charter on June 21, 2016.

b. Availability of resources allocated to internal audit

During 2016-2017, the IA function was fully staffed by four full-time equivalents (FTEs) and the CAE. The AC members believe that these resources have the skills and knowledge needed to do the work.

c. Approval of the risk-based audit plan and progress monitoring

The CAE submitted the RBAP for the years 2016-2017 to 2018-2019 during the AC meeting held on June 21, 2016. Discussions were held concerning the risks associated with several elements of the audit universe. With respect to risk identification, it is important to note that the risks identified by the audit function for each of the elements of the audit universe were corroborated with the relevant department's management. After discussion, the members of the AC recommended to the President of the CSA that the RBAP be approved.

With respect to progress in implementing the RBAP, at each meeting of the AC, the CAE presents a table identifying each of the audit projects in the RBAP, as well as the degree of completion and the target dates for the various milestones of in-progress and upcoming audits.

At the end of the year, the Risk-Based Audit Plan completion rate was 79%, taking into account audit projects' advancement. Two out of the three audit reports were presented to the AC for approval during the fiscal year, as planned; the third will be presented in April 2017. While they would have preferred a greater number of audit reports, the AC members understand that with an audit function consisting of four auditors, three to four audit reports a year is what can be expected.

d. Monitoring and assessment of internal audit performance

The CSA's IA policies and procedures manual describes in detail the monitoring processes that are set out in the IA function's Quality Assurance and Continuous Improvement Program (QAP). This program has three levels:

• The first level consists of the direct supervision of the work of the internal auditor involving the phases of planning, execution and report writing.
• The second level is an independent examination of the audit files to evaluate the quality and relevance of the auditing work carried out, in accordance with the policies and standards of the Treasury Board (TB), the Institute of Internal Auditors (IIA) and the CSA.
• The third level consists of the inspection of professional practices, which takes place every five years, to determine whether the IA function practices comply with the standards of the IIA and the Government of Canada with respect to IA.

In the last year, only one audit project was assessed for compliance with QAP practices. This quality assurance program is based on the TB requirements and IIA standards for the execution of audit missions. This review was conducted by an external service provider. A report summarizing the consultants' opinion on the file's conformity with the standards, as well as opportunities for improvement, was submitted to the CAE in September 2016. The review revealed that overall, audit projects are carried out and managed meticulously and professionally and that the documentation on file is relevant.

However, a number of areas for improvement were identified in terms of planning (clarify the links between risks, the criteria, the audit procedures and the results observed) and execution (ensure that references to source documents are included in all final documents and carry out document reviews within appropriate time frames). It should be noted that the review report also states that the above recommendations were applied to the subsequent audit file, which was in progress during the review.

With regards to independent inspection of professional practices, the one conducted in 2012 had shown that the IA function generally complied with the international standards for professional practices of internal audit and the IIA Code of Ethics. A new professional practices inspection started in March 2017. The results of the inspection were shared at the April 2017 AC meeting.

It should be noted that in the last three years, the Internal Audit component has not been assessed in the Management Accountability Framework (MAF) for any government department. However, the Office of the Comptroller General (OCG) oversees departments' and agencies' activities through an internal audit capacity survey, which is carried out by the IA function and submitted to the OCG annually.

e. Review of the internal audit reports and related management action plans

During the 2016-2017 fiscal year, in addition to preparing documents related to the professional practices of the IA function and AC support activities, the CAE submitted the following reports:

• Audit Report on the sectors' contract award and contract management for AC review and approval; and
• Audit Report on travel, hospitality, conferences and event (THCE) expenditures for AC review and approval.

The audits covered in these reports were included in the RBAP. These audits focused primarily on management processes and the controls in place at the CSA.

The audit of the sectors' contract issuance and contract management shows that, generally speaking, contract agreements were established in accordance with the TB and CSA policies, laws and regulations, and that the related payments were authorized in accordance with delegated authorities and the Financial Administration Act (FAA). However, shortcomings that constitute minor risks were identified in terms of the contract award and administration process and proactive disclosure.

As for the audit THCE expenditure audit, it was determined that, overall, the monitoring and control mechanisms in place for such expenditures are appropriate and the expenditures incurred are in accordance with the Treasury Board Secretariat (TBS) directive on THCE expenditures, the National Joint Council travel directive and the FAA.

The members of the AC are satisfied with the reports and management action plans presented.

f. Advice provided to the Deputy Head on the recruitment and appointment of the Chief Audit Executive

The current CAE has held the position on an indeterminate basis since August 17, 2011. Consequently, during the past year, no advice has been given to the President of the CSA concerning the recruitment or appointment of the CAE.

ii) Follow-up on management action plans

During the June 2016 meeting, the March 31, 2016 Annual Report on the Follow-up of Management Action Plans was presented to members of the AC for their information. The report covered nine internal audit projects for which management action plans were being implemented. The report showed that the action plans for four of the nine projects were almost fully implemented.

This year, the compilation of actions completed for each management action plan showed a substantial increase in the implementation rate, compared to the previous year. In 2016-2017, management implemented 78% of actions scheduled for the year, compared to 27% in 2015-2016. In parallel, extensions were submitted to the AC for approval for 22% of actions scheduled for implementation during the year. In most cases, implementation of the actions had begun but could not be completed as scheduled.

Since 2014-2015, the managers responsible for the delayed implementation of certain management action plans have been invited to AC meetings to discuss the circumstances of those delays. In 2016-2017, AC members were updated on the progress of the implementation of action plans at each AC meeting, and they did not deem it necessary for managers to be invited to these meetings. Over the next year, AC members will continue to monitor this matter closely.

iii) Fovernance process

This year, the CSA was again able to effectively integrate into its daily operations all of the new elements of governance developed in recent years. The control process in place allows the CSA to make informed decisions, effectively report on their results and meet the expectations of the various stakeholders.

Over the past year, the CSA fully used the new elements of its governance, particularly the Integrated Investment Review Board (IIRB). This is where all investment proposals are submitted for approval, as well as the investment governance and monitoring framework, which is a five-phase model with precise decision points in each phase. This framework must be used for all CSA projects. It provides managers with all of the tools they need to properly document their project management. We believe that this combination of elements should help the CSA make better informed investment and project management decisions.

iv) Values and ethics

The values and ethics program is based on a range of activities that have been identified and set out in an integrated values and ethics plan. This past year, a new champion took charge of the Values and Ethics Committee. The committee met several times over the year. At these meetings, the committee reviewed and updated the committee's mandate and discussed the planning of future activities. In these discussions, they focused on the ethical aspect of the organizational culture since, as indicated by AC members last year, the values and ethics activities held in recent years had more to do with values than with ethics. These discussions will continue in 2017-2018 and an action plan will be developed and implemented.

With regard to maintaining a healthy and respectful workplace, the CSA held during the 2016-2017 fiscal year a number of mandatory training sessions for all employees on employment equity and harassment prevention and resolution and finished developing the remaining parts of its occupational health and safety program and published the Occupational Health, Security and Well-being Framework.

In general, AC members are satisfied with all the measures put in place to build a workplace that respects values and ethics. They have not yet had the opportunity to review the various facets of the framework, however. Over the next year, AC members would like to be updated on the degree of implementation of each facet of the Occupational Health, Safety and Well-being Framework. They also want to be updated on the content of the action plan to see if their suggestion from last year on including more ethics-based activities was taken into consideration.

v) Risk management

The Organizational Risk Profile (ORP) was not updated this year, so the AC members did not have the opportunity to speak with the people responsible for developing it. This will be updated in 2017-2018.

The discussions that began in 2016-2017 on the methodology used to establish the ORP will continue over the next year. The purpose of this reflection is to better balance risks and organizational priorities. Consultations on the subject with the various CSA sectors will take place over the next few months.

In light of the above, the AC members were unable to formulate an opinion this year on the current ORP. The AC members reiterated the suggestion they made last year that this is a good time to review the methodology used to establish the ORP to facilitate discussions on risks at the different CSA governance levels. These discussions will help identify the types and degrees of risks in a complex risk universe in which the context is constantly changing.

vi) Management control framework and reports

During the 2016-2017 fiscal year, the AC members had an opportunity to review and comment on the results of the 2015-2016 MAF assessment. The "internal audit" management element was not assessed from 2014-2015 to 2016-2017.

After reviewing the MAF 2015-2016 results, the AC members concluded that the CSA is performing well overall. Best practices were identified for, among others, record keeping (information management), information technology (IT) risk management for the CSA's mission critical applications, reliable financial reporting, and succession planning. However, some opportunities for improvement were suggested, including increasing the use of performance information in proposals to Cabinet and improving representation rates and hiring employment equity groups so that they equal or exceed their respective workforce availability (WFA).

In addition to the MAF results, the AC members were also exposed to various components of the CSA's management control framework throughout the year at presentations of audit reports, current procedures for preparing quarterly financial statements and other departmental reports, or during presentations given to inform AC members of the CSA's activities.

Lastly, since the implementation of Treasury Board's Policy on Internal Control (PIC), Finance has prepared an annual summary of internal control assessments. This summary outlines tests done on various internal controls throughout the year and recommendations to address any deficiencies observed, followed by an action plan to correct such deficiencies. This summary of the internal control assessments was submitted to the AC members for information and discussion in August 2016. In light of the information presented in the summary, the AC members noted the progress made on the implementation of the PIC in the last few years. As well, this summary of control assessments is an element that is essential to the AC members' confidence in the data presented in the regularly reviewed quarterly and annual financial statements.

vii) External assurance providers

No horizontal internal audits were carried out with the Office of the Comptroller General this year. As for other external assurance providers, the Office of the Auditor General (OAG) interviewed a few key individuals of the CSA, as it does every year, to determine whether more in-depth audit work would be carried out within the CSA this year. Following its preliminary review, the OAG decided not to proceed with audit work at the CSA in 2016-2017.

viii) Financial statements and public accounts reporting

During the year, members of the AC examined and commented on the CSA's financial statements, the Annual Statement of Management Responsibility Including Internal Control Over Financial Reporting, the Statement's Annex, the quarterly financial reports and future-oriented financial statements that accompanied the DRP (formerly the RPP), and the public accounts.

With respect to the review of financial statements, the Annual Statement of Management Responsibility and the Annex thereto, AC members' comments were considered in the final version. AC members found that the financial statements complied with current accounting standards and that, to the best of the members' knowledge, the statements contained no inaccuracies or significant omissions.

The AC members recommended to the President of the CSA and the Chief Financial Officer (CFO) that the financial statements and the Annex to the Statement of Management Responsibility be approved with a few minor proposed changes.

With regard to the quarterly financial statements, the AC members noted that they were fully compliant and did not contain any inaccuracies or significant omissions. The quality of these reports has improved over time. This year, once again, the AC members had only a few comments on the reports to improve their content or correct minor errors.

With regard to future-oriented reports accompanying the 2017-2018 DRP, the AC members found that they were fully compliant. However, they said they had trouble seeing the purpose of including future-oriented reports in the DRP.

Finally, the AC members were given an opportunity to review the 2015-2016 public accounts and discuss them with the individuals who had produced them. They concluded that there were far fewer changes, compared with the previous year. No specific comments were made.

In conclusion, the members of the AC found that the financial statements and reports reviewed were of very high quality. They found no inaccuracies or significant omissions.

ix) Accountability (Departemental Performance Report and Report on Plans and Priorities)

During the fiscal year, the AC members reviewed and provided comments on the RPP and the DRP.

a. Departmental Results Plan (previously Report on Plans and Priorities)

The CSA's preliminary version of the 2017-2018 DRP was submitted to the AC on December 19, 2016. Unlike in previous years, AC members were given a reasonable amount of time to comment on the DRP. The individuals responsible for preparing the DRP were aware that the audit committee had been given a very short amount of time to comment on it in previous years, and therefore made a concerted effort to provide a draft of the report for discussion in time for the December 2016 meeting. The AC members were grateful for this effort. The principal changes between the DRP (new model) and the RPP (old model) were presented. A discussion followed the presentation, including some specific questions about the performance indicators in the DRP. After the AC members had commented on the report, the individuals responsible for preparing the DRP agreed to change it to incorporate the suggestions. The AC members did not find any significant inaccuracies or omissions in the 2017-2018 DRP.

b. Departmental Performance Report

AC members reviewed the CSA's 2015-2016 Departmental Performance Report (DPR), and their comments were submitted during a teleconference on August 8, 2016, to those responsible for drafting the report.

Generally, AC members were satisfied with the document. They found it was easy to read but not necessarily more convincing than last year's. Last year, AC members said that it was difficult to distinguish which elements were the most strategic for the CSA. According to the AC members, this year's formatting is better because, among other reasons, it had less repetition and is more strategic.

More specifically, the AC members asked several questions and provided a number of comments to improve the presentation and content of the DPR. Once again this year, several performance indicators drew the AC members' attention because the results were significantly higher than those targeted. The AC members suggest revising certain indicators and choosing targets carefully.

After the teleconference, those responsible for drafting the DPR agreed that they would verify some of the information and make changes to the document as needed. In conclusion, the AC members did not find any significant inaccuracies or omissions in the 2017-2018 DPR.

2. Audit committee's evaluation, membership and activities

i. Audit Committee evaluation

This year, the external members of the AC did not conduct a self-assessment of the Committee's operations since the committee meeting that usually takes place in March took place on April 11, 2017. The self-assessment took place during the April meeting. It was the last self-assessment for the three departing AC members.

ii. Audit committee membership

a) Members

The audit committee consists of four members, the President of the CSA and three external members, one of whom acts as AC Chair. The AC, the first meeting of which took place in February 2010, recently completed its seventh year of operation.

In 2016-2017, the AC consisted of the following members:

• Sylvain Laporte, President of the CSA;
• Alain Jolicoeur, external member, Chair of the Audit Committee (appointed until October 2016);
• Marie Bernard-Meunier, external member of the Audit Committee (appointed until May 2017);
• Gérard Caron, external member of the Audit Committee (appointed until May 2017); and
• Aline Girard, external member of the Audit Committee (appointed in November 2016 for a four-year mandate).

The AC complies with the Directive on Internal Audit in the Government of Canada, in particular, section 6.4 concerning the composition of the AC.

The members were chosen following a rigorous selection process that sought individuals having a suitable combination of experience, knowledge and competence whose synergy would enable them to carry out their functions efficiently and serve as a significant strategic resource for the President of the CSA.

b) Conflict of Interest

During the year, the external members carried out their duties with impartiality and in compliance with the "Conflict of Interest and Ethical Conduct Code for Audit Committee Members Appointed by the Treasury Board", included in Part III of the Treasury Board's Terms and Conditions of Appointment for Audit Committee Members, to which the external members of the AC are subject, as stipulated in each member's appointment order.

c) Meeting participants

During the year, the CAE and CFO participated in the three meetings and one teleconference held in 2016-2017.

Several representatives from all sectors of the CSA, as well as all audit team members, also attended one or more of the meetings held throughout the year.

No external assurance providers were present at the meetings this year. However, the Comptroller General of Canada and the Audit and Finance Assistant Comptroller General attended the AC meeting of June 21, 2016.

iii. Audit committee activities

a) Audit Committee's roles and responsibilities, operations and charter

At the meeting held on June 21, 2016, the AC approved its annual plan, which set out the number of AC meetings to be held and for each meeting, the types of activities on which the AC would focus its attention. Three of the four scheduled meetings were held on June 21, October 6, and December 19, 2016, respectively. The fourth meeting took place on April 11, 2017. In addition to these meeting, there were two teleconferences.

The AC's duties and responsibilities, as well as the activities it is expected to carry out, are described in the Audit Committee Charter. Minor changes were made to the Charter during the past year. The AC approved the updated Charter on June 21, 2016.

During 2016-2017, the cost of the activities of the AC amounted to $38,578, broken down as follows:

• Per diems: $35,620
• Travel expenses: $2,106
• Hospitality expenses: $852
• Training expenses: $0

b) In-camera meetings

During the year, the AC held in-camera meetings with the CAE, the CFO, and the President of the CSA after each of the AC meetings. These meetings promoted an open discussion with AC members and allowed the external AC members to obtain more detailed information about certain issues.

c) Approach taken for the drafting of the annual report

This annual report was prepared by the CAE. However, the information contained herein is based on discussions with AC members that took place during the year. The information contained in the final report represents entirely and exclusively the views of the external AC members.