What we examined (see Focus of the audit)

This audit examined whether the systems and practices we selected for examination at the Canadian Air Transport Security Authority were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively. We selected systems and practices based on our assessment of risks in the following areas:

• Screening operations;
• Strategic planning, risk management, and performance measurement and reporting;
• Procurement and contracting management;
• Equipment management;
• Project management; and
• Corporate governance.

What we concluded

We concluded that, based on the criteria established, there is reasonable assurance that during the period covered by the examination there were no significant deficiencies in the Canadian Air Transport Security Authority’s systems and practices that we selected for examination. The Corporation has maintained these systems and practices in a manner that provides it with reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

What we found

Screening operations

Overall, we found that the Corporation had systems and practices in place to ensure that the delivery of screening services was effective, efficient, and consistent across Canada, and in the public interest. We also found that the Corporation had systems and practices to ensure that screening services met regulatory requirements. However, we noted weaknesses in relation to the communication of changes in screening procedures to screening officers and the oversight of screening officers’ training.

This is important because the delivery of screening services is at the heart of the Corporation’s mandate and is critical to aviation security in Canada.

• The Corporation developed and communicated screening procedures, but the communication of changes needed improvement

  Recommendation. The Corporation should revise its practices to ensure that changes to screening procedures are communicated to screening officers.

• Training, certification, and oversight programs were in place but certain components needed improvement

  Recommendation. The Corporation should

  • strengthen its oversight of the Recurrent Learning Program and on-the-job training components of the National Training and Certification Program for screening officers to ensure that each element of the programs is delivered and completed as required, and
  • put in place appropriate controls to ensure that the data included in the Learning Management System is accurate and complete.

• The Corporation monitored staffing levels of screening officers and potential screening contractors’ labour disruptions

  Recommendation. We made no recommendations in this area of examination.

• The Corporation worked collaboratively with its regulator, Transport Canada, and with other key stakeholders

  Recommendation. We made no recommendations in this area of examination.

Strategic planning, risk management, performance measurement and reporting

Overall, we found that the Corporation defined strategic directions to achieve its mandate, taking into account government priorities, identified risks, and the need to control and protect its assets and manage its resources economically and efficiently. However, we found areas for improvement. The Corporation did not complete branch plans as part of the 2014–15 fiscal year corporate planning process, its risk management practices needed improvement, and the framework around performance measurement was not documented.

This is important because strategic planning, risk management, and performance measurement assist the Corporation in achieving its legislated objectives and mandate. Performance measurement is also important for informed decision making and accountability reporting.

• The Corporation did not follow its business planning process, but had most elements in place to manage corporate risks

  Recommendation. The Corporation should

  • follow its branch planning process to prioritize projects and develop branch plans that include timing, accountability, and annual targets for key performance indicators within each branch;
  • determine and document its response for all residual risks identified in its Corporate Risk Profile, aligning actions with the Corporation’s risk tolerance;
  • conduct information technology (IT) Threat and Risk Assessments on all critical systems and maintain action plans for each assessment; and
  • update its Business Continuity Plan including a Business Impact Analysis and a Disaster Recovery Plan.

• The Corporation did not document its performance measurement framework

  Recommendation. The Corporation should document its performance measurement framework. This framework should describe

  • how performance indicators, measures, and targets were established, removed, or changed,
  • the sources of performance management data,
  • the systems used to collect performance data,
  • the frequency of and responsibilities for data collection, and
  • the timelines for achieving performance targets.

  The framework should also indicate when the Corporation should review the quality of performance information.

Procurement and contracting management

Overall, we found that the Corporation had systems and practices in place to exercise effective oversight and due diligence in the structuring, awarding, and approving of contracts, including a clear accountability framework. The Corporation also effectively administered contracts to ensure that third-party service providers complied with contract terms and conditions. We found that the Corporation could improve on some of its procurement and contracting practices.

This is important because the Corporation entered into various types of agreements every year and outsourced to third parties significant services such as screening and equipment maintenance.

• Procurement and contracting practices were in place, with some weaknesses

  Recommendation. The Corporation should ensure that its procurement and contracting policies and procedures are followed and that complete documentation is retained in the procurement files.

Equipment management

Overall, we found that the Corporation had systems and practices in place to effectively and efficiently manage its screening equipment. The Corporation planned for the replacement of its screening equipment, performed operational testing on screening equipment, and monitored the maintenance it outsourced to third parties.

This is important because the Corporation’s screening equipment is critical to delivering its mandate to conduct effective, efficient, and consistent screening that is in the public interest while complying with regulatory requirements set by Transport Canada.

• The Corporation operationally tested and maintained its screening equipment and planned for its replacement

  Recommendation. We made no recommendations in this area of examination.

Project management

Overall, we found that the Corporation had systems and practices in place to plan, organize, and control resources to accomplish project objectives and outcomes. However, while the Corporation established project management processes, they were not always followed, and guidance and a methodology on how to carry out projects were not developed. In addition, project management roles and responsibilities were clear, but the oversight of projects needed strengthening in some areas.

This is important because successfully implementing projects often requires rigorous management, a coordinated effort, and significant resources. In particular, joint projects with airport authorities to integrate the Corporation’s screening equipment are typically complex and often cost millions of dollars.

• There were weaknesses in project management systems and practices

  Recommendation. The Corporation should develop a project management methodology and provide guidance on how to carry out project management activities. It should follow its project management processes and strengthen the oversight of projects in three areas: managing risk, reporting on the status of projects, and monitoring project outcomes.

Corporate governance

Overall, we found that the Corporation had in place key elements of a well-performing governance framework that meets the expectations of best practices in board stewardship, shareholder relations, and communications with the public. However, we found that there was room for improvement in some areas.

This is important because good governance helps ensure that the Corporation can fulfill its mandate and meet the statutory objectives outlined in the Financial Administration Act.

• The Corporation had in place key elements of good governance, but there was room for improvement in some areas

  Recommendation. The Corporation should identify key positions below the executive level, including regional management and other management positions, and include them in its succession plan.

Entity Responses to Recommendations

The audited entities agree with our recommendations, and have responded (see List of Recommendations).

Related Information

Report of the	Auditor General of Canada
Type of product	Special Examination
Topics	Air Crown Corporations Safety and Security Transportation
Audited entities	Canadian Air Transport Security Authority
Completion date	14 May 2015
Tabling date	1 June 2015
Related audits	Chapter 2—National Security in Canada—The 2001 Anti-Terrorism Initiative—Air Transportation Security, Marine Security, and Emergency Preparedness, 2005 April Report of the Auditor General of Canada

For more information

Media Relations
Tel.: 1-888-761-5953
E-mail: infomedia@oag-bvg.gc.ca

Twitter: OAG_BVG