2018 Spring Reports of the Auditor General of Canada to the Parliament of Canada Independent Auditor’s ReportReport of the Auditor General of Canada to the Board of Directors of Export Development Canada—Special Examination—2018
2018 Spring Reports of the Auditor General of Canada to the Parliament of CanadaReport of the Auditor General of Canada to the Board of Directors of Export Development Canada—Special Examination—2018
Independent Auditor’s Report
Table of Contents
- Introduction
- Findings, Recommendations, and Responses
- Conclusion
- Subsequent Event
- About the Audit
- List of Recommendations
- Exhibits:
- 1—Export Development Canada’s business activities
- 2—Corporate governance—key findings and assessment
- 3—Strategic planning and performance measurement and reporting—key findings and assessment
- 4—Simplified overview of Export Development Canada’s risk management framework
- 5—Risk management—key findings and assessment
- 6—Credit risk management for financing and insurance—key findings and assessment
- 7—Management of organizational transformations—key findings and assessment
This report reproduces the special examination report that the Office of the Auditor General of Canada issued to Export Development Canada on 21 February 2018. The Office has not performed follow-up audit work on the matters raised in this reproduced report.
Introduction
Background
1. Export Development Canada (the Corporation) was established in 1969 to help Canadian companies benefit from international business opportunities. It reports to the Minister of International Trade. Its purposes and powers are established by the Export Development Act and the Export Development Canada Exercise of Certain Powers Regulations.
2. The Corporation takes on risk to help Canadian exporters, mainly by providing insurance and financing. The insurance protects exporters against losses incurred as a result of exporting (for example, if a foreign customer defaults on payment). Financing is provided through loans, loan guarantees, and investments, which are given to foreign buyers to help them buy Canadian products or to Canadian companies to help them develop their business abroad. The Corporation also offers information and advice to Canadian exporters.
3. Export Development Canada has approximately 1,500 employees working in 37 locations (18 in Canada and 19 abroad). Exhibit 1 provides some details of its business activities and income.
Exhibit 1—Export Development Canada’s business activities
Details of business activities | 2014 | 2015 | 2016 |
---|---|---|---|
Number of clients served | 7,432 | 7,343 | 7,150 |
Total financing arrangements (loans, investments, and guarantees) ($ billions) |
21.6 | 25.4 | 28.1 |
Total insurance arrangements ($ billions) |
77.3 | 78.8 | 74.0 |
Total business facilitated ($ billions) |
99.9 | 104.2 | 102.0 |
Net financing and insurance income ($ billions) |
1.5 | 1.6 | 1.5 |
Net income ($ billions) |
1.1 | 0.9 | 1.1 |
Source: Export Development Canada’s 2014, 2015, and 2016 annual reports
4. The focus of the Corporation’s 2017–21 business strategy is to increase the number of Canadian companies that export and to support their diversification to new markets. The Corporation adjusts its business strategy to remain relevant to Canadian companies and explores new ways of addressing the challenges they face.
5. The Corporation is financially self-sustaining and does not receive government funding. To achieve its business objectives, it must price its products and services appropriately, manage its risks, and have the right people in place.
6. Since our last audit of the Corporation in 2009, it has begun carrying out several transformation initiatives. One of these is to transform its information technology systems to improve service delivery. Another is a multi-year transformation of its risk management practices to keep pace with evolving best practices in the financial services industry, informed by the review carried out by the Office of the Superintendent of Financial Institutions in 2014.
Focus of the audit
7. Our objective for this audit was to determine whether the systems and practices we selected for examination at Export Development Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.
8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, whether there was reasonable assurance there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.
9. Based on our assessment of risks, we selected systems and practices in the following areas:
- corporate management practices,
- risk management, and
- organizational transformation.
These systems and practices and the criteria used to assess them are found in the exhibits throughout the report.
10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.
Findings, Recommendations, and Responses
Corporate management practices
In corporate governance, there was a significant deficiency related to the appointment of Board directors and a weakness in Board oversight
Overall message
11. Overall, we found that Export Development Canada had a significant deficiency in corporate governance related to the appointment of Board directors. The appointment of directors is the responsibility of the Governor in CouncilDefinition i and is thus outside the Corporation’s control. At the time of the audit, 1 position was vacant, and 8 of the 12 current Board members, while continuing to serve, had terms that had expired, putting the continuity of the Board’s oversight at risk.
12. We also found that the Board’s ability to oversee risk management could be hindered because the Board did not receive all the information it needed to fully understand some of the Corporation’s risks.
13. We found that the Corporation had some good corporate governance practices in place, and that it had good strategic planning and performance measurement and reporting processes.
14. These findings matter because vacancies on the Board, uncertainty about the appointments or terms of its directors, and insufficient risk information could hinder the effectiveness of the Board’s oversight of the Corporation.
15. For additional information, see Subsequent Event at the end of the report.
16. Our analysis supporting this finding discusses the following topics:
17. The Export Development Act provides for a Board of 13 directors, including the President and Chief Executive Officer.
18. In our 2009 audit, we found that the Corporation had to improve its approach to performance reporting. As of 2017, the Corporation was implementing a new approach to strategic planning and performance measurement and reporting, which will continue into 2018.
19. Our recommendations in this area of examination appear at paragraphs 26, 31, and 32.
20. Corporate governance. There was a significant deficiency related to the appointments of members to the Corporation’s Board of Directors and a weakness in Board oversight. The Corporation had in place good corporate governance practices in other areas (Exhibit 2).
Exhibit 2—Corporate governance—key findings and assessment
Systems and practices | Criteria used | Key findings | Assessment against the criteria |
---|---|---|---|
Legend—Assessment against the criteria Met the criteria Met the criteria, with improvement needed Did not meet the criteria |
|||
Board independence |
The Board functioned independently. |
The Corporation had a Board Charter, a Conflict of Interest Policy, and a Code of Conduct Policy that required directors to be independent of management. Conflicts of interest were declared at Board meetings and through an annual declaration. The Board held regular in-camera meetings without management. |
|
Setting strategic direction |
The Board provided strategic direction. |
The Board was active in setting the Corporation’s strategic direction. The Board was active in setting the President and Chief Executive Officer’s objectives that were aligned with the strategic direction and in assessing the President and Chief Executive Officer’s performance against those objectives. |
|
Board oversight |
The Board carried out its oversight role over the Corporation. |
Board members received the necessary information to challenge, direct, and make decisions. Internal Audit conducted regular internal audits. The Chief Internal Auditor met in camera with the Audit Committee regularly. The Chief Compliance and Ethics Officer met in camera with the Audit Committee and the Risk Management Committee regularly. Weakness The Board did not receive from management complete risk management information, which could hinder effective oversight of the Corporation’s operational risk management function. |
|
Board appointments and competencies |
The Board collectively had capacity and competencies to discharge its responsibilities. |
The Board determined the skills and expertise it needed to be effective. The Board periodically assessed whether its directors had the appropriate skills and knowledge to carry out their responsibilities. Board members were provided orientation sessions and ongoing training. The Board had access to outside expertise and used it when necessary to fill gaps in its skill and expertise profile. The Board communicated with its Minister about Board appointments, renewals, and vacancies. Significant deficiency The terms of eight of the Corporation’s directors had expired, and one position was vacant. For additional information, see Subsequent Event at the end of the report. Weakness The compensation range for the President and Chief Executive Officer had fallen behind the ranges for the senior vice-presidents. |
21. Weakness—Board oversight. We found a weakness in the Board’s oversight of the Corporation in operational risk management. The Board’s ability to oversee this area was hindered because comprehensive reporting on operational risk management was not in place (see paragraph 42). Furthermore, certain other key elements of risk management reporting to the Board were not in place, such as reporting the Corporation’s overall position against its risk appetite statement or having aggregated risk limits across business lines (see paragraphs 34 to 49).
22. This weakness matters because Board oversight of risk management helps ensure that an organization remains aligned with its strategic objectives and manages its risks in line with its risk tolerances.
23. Significant deficiency—Board appointments and competencies. Out of 12 directors (excluding the President and Chief Executive Officer), the Chairperson’s position was vacant and the terms of 8 other directors had expired. (In accordance with the Financial Administration Act, these directors continue to serve until their replacements are appointed.) In addition, the President and Chief Executive Officer’s term will expire in February 2019, and the Corporation may face challenges in attracting a qualified individual for this position (see paragraph 28).
24. The Corporation identified expiration dates of the terms of Board directors, as well as the skills and competencies needed to fill these positions. To initiate an appointment process, the Corporation communicated this information to its Minister in advance of the terms’ expiration. However, its actions did not result in timely appointments or reappointments to the Board of Directors. As these appointments are made by the Governor in Council, this was beyond the Corporation’s control.
25. This significant deficiency matters because if many director positions were filled by new appointments at about the same time, it could compromise continuity in the Board’s oversight. It could also undermine the Corporation’s ability to carry out its significant transformation initiatives and achieve its new strategic objectives.
26. Recommendation. The Corporation should continue to engage with its responsible Minister to help ensure that appropriate appointments to its Board of Directors are made in a timely and staggered manner.
The Corporation’s response. Agreed. The Corporation will continue to engage with our responsible Minister to request that appointments be made in a timely manner—and be staggered as to the number of Directors appointed in any one year—to ensure Board continuity and appropriate governance.
27. For additional information, see Subsequent Event at the end of the report.
28. Weakness—Board appointments and competencies. We found that the President and Chief Executive Officer’s compensation range—set by the Governor in Council and based on salary ranges established in 2012—had fallen behind the Senior Vice President’s compensation ranges, which were established by the Board of Directors based on market standards.
29. This weakness matters because this discrepancy could hinder the Corporation’s ability to attract qualified individuals to the President and Chief Executive Officer position, further putting at risk continuity in the oversight of the Corporation.
30. We also found that the Corporation did not publicly disclose executive compensation—in its annual report, for example. Compensation represents one of the Corporation’s largest operational expenditures. In addition, given the importance of appropriate compensation in attracting individuals with the proper qualifications, and the Corporation’s issue with the level of compensation of the President and Chief Executive Officer, disclosing executive compensation or salary structures would promote transparency, as it does elsewhere in government and in the financial services industry. It would also contribute to a better understanding by stakeholders at large of salary structures and inherent issues.
31. Recommendation. The Corporation should continue to engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation.
The Corporation’s response. Agreed. The Corporation is very concerned that the total compensation structure of the President and Chief Executive Officer position is significantly below market as confirmed by a chief executive officer compensation benchmarking study conducted on behalf of the Board of Directors by external compensation consultants in August 2017. The Corporation will continue to engage with our responsible Minister and the Privy Council Office to request a review of the total compensation structure of the President and Chief Executive Officer position with the objective of ensuring that the Corporation continues to have the ability to attract, engage, and retain qualified candidates for this position going forward. This is particularly important and pressing, given that the current President and Chief Executive Officer’s term expires in early 2019.
32. Recommendation. The Corporation should consider disclosing its compensation framework as well as total compensation for senior management—for example, in its annual report—in line with government and financial services industry practices.
The Corporation’s response. Agreed. The Corporation is continuously improving disclosure and transparency in external reporting. A review of compensation related to annual report content will be conducted relative to industry peers and best practices over the course of 2018.
33. Strategic planning and performance measurement and reporting. The Corporation had good strategic planning and performance measurement and reporting processes (Exhibit 3).
Exhibit 3—Strategic planning and performance measurement and reporting—key findings and assessment
Risk management
A significant deficiency in the Corporation’s risk management practices was due to a number of weaknesses
Overall message
34. Overall, we found weaknesses in how the Corporation managed risk and in how the Corporation managed credit risk. Combined, these weaknesses amounted to a significant deficiency. The Corporation did not keep up with evolving industry practices in risk management. At the time of our audit, it did not have operational and strategic risk management frameworks in place, and it was developing and implementing credit risk management policies that were aligned with its risk appetite statement.
35. Some of the weaknesses in risk management were not new—we reported on the Corporation’s operational risk management practices in our 2009 special examination. These weaknesses will persist until the Corporation addresses them in its risk management transformation project, which is expected to be completed in 2019.
36. This finding matters because the Corporation’s business was to assume the risk of others, and it operated in an environment of changing risk. Keeping risk management practices in line with evolving industry practices would help manage these risks effectively. At the time of our audit, the Corporation had a risk management transformation project under way to update its practices.
37. Our analysis supporting this finding discusses the following topics:
38. According to the Corporation’s risk management framework, it should consider the following risks:
- Strategic risks including external environment risks (such as the economy, political changes, and global developments) and those associated with the strategic direction of the Corporation.
- Operational risks including those in the areas of human resources (attraction, retention, development, and deployment); information management and technology; governance; legal and compliance; security; and the Corporation’s ability to innovate and transform.
- Financial risks including market risks (those associated with changing cash flows due to interest rates or foreign exchange rates), credit risks (those associated with the failure of an obligor to honour its financial commitments), and liquidity risk (the risk that the Corporation would be unable to meet its financial commitments).
39. Financial institutions establish a risk appetite statement as part of their risk management practices. This statement describes the amount and type of risk an organization accepts before it must implement risk mitigation measures to reduce risk. An organization’s overall tolerance for losses is broken down into limits and targets, which are assigned to the different business areas of the organization. Examples can include obligor, country, and industry limits for financing and insurance transactions. Once the limits and targets are established, the organization must regularly measure and monitor its position against them to ensure that its overall risk appetite is not exceeded and that corrective action is taken when appropriate. Exhibit 4 provides a simplified overview of the Corporation’s intended risk management approach.
Exhibit 4—Simplified overview of Export Development Canada’s risk management framework
Exhibit 4—text version
This chart shows a simplified overview of Export Development Canada’s enterprise risk management framework (including an overall risk appetite statement). The framework lists particular actions by the Corporation for managing three types of risk—strategic, operational, and financial.
Strategic risk management framework
- State the risk appetite in this area.
- Set risk tolerances and limits for each strategic risk.
Operational risk management framework
- State the risk appetite in this area (for example, information technology and human resources).
- Set risk tolerances and limits for each operational risk.
Financial risk management framework
- State the risk appetite for each business line (for example, lending and insurance).
- Set risk tolerances and limits for each business line.
Each of the three risk management frameworks includes supporting policies, guidelines, and procedures.
40. In our 2009 audit, we noted that the Corporation had not yet developed an operational risk management policy.
41. Our recommendations in this area of examination appear at paragraphs 44, 45, 46, and 49.
42. Risk management. We found that Export Development Canada had a framework to describe how it should manage risk across the Corporation. However, in some cases, it did not have comprehensive policies that implemented the framework. Where it did have policies, it had not yet implemented all of them (Exhibit 5).
Exhibit 5—Risk management—key findings and assessment
43. Weaknesses—Risk management. We found a number of weaknesses in the Corporation’s overall management of risk, including the lack of strategic and operational risk management frameworks. Although the Corporation had a significant project under way to renew its risk management framework and practices, we assessed the systems and practices in place at the time of our examination.
-
Weakness—Risk management framework. The Corporation had an overall risk management framework in place, but did not have frameworks for strategic and operational risk management modules. In 2004, it identified the need to strengthen its operational risk management and reiterated this in its response to our 2009 special examination. However, it had still not implemented a comprehensive policy framework for operational risk management.
This weakness matters because the lack of policy frameworks for strategic and operational risk management meant that the Corporation did not have a comprehensive approach to how those risks should be managed. This situation could expose it to unidentified and unmitigated risks.
-
Weakness—Risk appetite statement. The Corporation had a risk appetite statement for its strategic, operational, and financial risks. However, it did not have targets and policies for strategic and operational risk that were aligned with the risk appetite statement. Such targets and policies would guide day-to-day decision making in these areas.
This weakness matters because without these targets and policies, the Corporation could not ensure that its decision making was aligned with its risk appetite statement and risk tolerances.
-
Weakness—Risk identification and assessment. Senior management identified risks and presented them to the Board for validation. However, the Corporation did not systematically gather risk information from its business units to identify risks and use them to inform the risk response plans.
Also, while the Corporation had a number of policies and activities in place to address security threats and their targets, it lacked an inventory and classification of key assets such as information assets or critical systems.
This weakness matters because without processes for identifying and assessing risks in all business units, unanticipated risks may occur or risk response plans may not adequately mitigate risks. Also, without an inventory of key assets, it was difficult to link threats to specific assets. This means that threats could go undetected and unmitigated, exposing the Corporation to reputational and financial losses.
-
Weakness—Risk monitoring and reporting. We found that while the Corporation’s risk reporting included some operational risk management information, it was not comprehensive. For example, it did not include an assessment of the risk response plans’ effectiveness or of how risks were trending.
This weakness matters because without complete operational risk information, the Corporation may be exposed to risks that were not identified or mitigated within its risk appetite statement.
44. Recommendation. The Corporation should complete its risk management transformation project as planned, including the following activities:
- developing and implementing policies to support its risk management framework in each of the three risk modules (strategic, operational, and financial);
- completing its risk appetite statement by developing the remaining supporting policies, training, and risk limits; and
- implementing risk identification and control assessment processes within all business units.
The Corporation’s response. Agreed. The Corporation notes that work on its enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015. Notwithstanding that a more comprehensive policy framework and approach to manage risk will be addressed by the Project, the Corporation has in place and has periodically updated policies addressing certain operational risks, including information technology, human resources, corporate security and compliance and ethics, among others.
45. Recommendation. The Corporation should ensure that risk reporting includes comprehensive information about operational risk management.
The Corporation’s response. Agreed. The Corporation had developed work plans to enhance risk reporting to include comprehensive information about operational risk management as part of the risk management transformation project (the Project), referred to in the response to the recommendation in paragraph 44. Completion of the Project will address the elements noted within the recommendation. Completion dates for the various work streams of the Project range from the first quarter of 2018 to the last quarter of 2019, as prioritized on a risk basis.
46. Recommendation. The Corporation should develop an inventory and classification of key assets (including information and critical systems) and monitor and mitigate threats against these assets.
The Corporation’s response. Agreed. Although the Corporation has an inventory of technology assets and physical assets, it does not have a comprehensive inventory and classification of information assets. The Corporation will develop and maintain an inventory and classification of all key assets by 30 September 2018 and will monitor and mitigate threats against these assets. The 2018 biannual Enterprise Threat Risk Assessment will use this inventory to complete its internal and external threat risk assessment by 31 December 2018.
47. Credit risk management for financing and insurance. Given the nature of its business, the Corporation is exposed to significant financial risk. We found that it had not yet fully implemented all of its renewed credit risk management systems and practices that were aligned with its updated risk appetite statement (Exhibit 6).
Exhibit 6—Credit risk management for financing and insurance—key findings and assessment
48. Weaknesses—Credit risk management for financing and insurance. We found a number of weaknesses in how the Corporation managed its credit risk for financing and insurance.
-
Weakness—Credit risk appetite. As part of its updated financial risk management framework, the Corporation developed for the first time a risk appetite statement to guide its business lines in decision making. However, it had not updated its credit risk policies, procedures, and limits to fully align them with the risk appetite statement. The Corporation was operating under its existing financial risk management framework, which predated the risk appetite statement. It aimed to complete the updates to the credit risk policies and procedures by June 2018. Also, while the Corporation measured its exposure to credit risk at the business line level, we found that the limits for credit risk were not combined across all business lines.
This weakness matters because credit risk policies, procedures, and limits that are aligned with the risk appetite statement must be in place for each business line to ensure that transactions do not exceed the expressed risk appetite. Also, not having limits for credit risk combined across business lines prevented the Corporation from comparing its combined risk exposure with its risk appetite statement.
-
Weakness—Credit risk identification and measurement. Consistent with industry practice, the Corporation relied on financial and risk models in making credit decisions. These models are used to measure and manage risk by computing lender credit risk ratings, to determine values of loans, and to calculate potential gains and losses. Industry practice includes regular tests of models to ensure that they are reliable. The Corporation recently developed a Model Risk Management Policy for its models and established a team to manage its model risk. However, it did not have supporting guidelines and standards in place for this, and had not yet subjected its models to validation.
Model validation was expected to take place over the course of several years, and a plan was being developed to prioritize high-impact models to be subjected to validation first.
This weakness matters because models that have not been subjected to validation could produce unreliable information for decision making, which could expose the Corporation to unexpected losses.
49. Recommendation. The Corporation should complete its risk management transformation project as planned, with prompt consideration of the following items:
- aligning credit risk policies and procedures with its risk appetite statement;
- implementing the Model Risk Management Policy by completing guidelines and standards, and ensuring that models are subjected to validation according to plan, with higher-impact models being prioritized; and
- developing risk limits that combine risk exposures across all business lines.
The Corporation’s response. Agreed. The Corporation notes that work on our enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015.
Regarding the element of the recommendation pertaining to model risk management, a Model Risk Management team is now established and reports directly to the Chief Risk Officer. To support the recently approved Model Risk Management Policy, all related guidelines and procedures are now complete. Also, an enterprise-wide model inventory and a plan to validate high-impact models are now substantially complete.
Organizational transformation
The Corporation was managing its organizational transformations well, but improvement was needed in oversight
Overall message
50. Overall, we found that Export Development Canada was doing well in managing its two major transformation initiatives—the transformation of its risk management framework and of its credit insurance systems. However, the Board and senior management did not have consolidated reporting of how the initiatives had an impact on the Corporation as a whole.
51. This finding matters because without consolidated reporting of the initiatives’ impacts, senior management and Board members may not understand the collective effects of these impacts and may not prioritize efforts and resources where needed.
52. Our analysis supporting this finding discusses the following topic:
53. The Corporation is renewing its risk management framework and developing a new service delivery model for credit insurance. These are both significant initiatives.
54. Our recommendation in this area of examination appears at paragraph 58.
55. Management of organizational transformations. The Corporation had systems and practices in place to oversee and report on its transformation initiatives. However, it did not have consolidated reporting on these initiatives and their overall impact on the Corporation (Exhibit 7).
Exhibit 7—Management of organizational transformations—key findings and assessment
56. Weakness—Transformation program and project oversight. We found that management reported to the Board on the progress of its two transformation initiatives separately. This meant that neither the Corporation nor the Board had consolidated reporting of these initiatives and how they had an impact on the Corporation as a whole.
57. This weakness matters because without this reporting, it was difficult for senior management and Board members to understand the collective risks and impacts the initiatives were having on the Corporation. The Board could not oversee effective prioritization of initiatives, or that conflicts or resourcing issues (for example, where many initiatives affected one area at the same time) were identified and addressed in a timely manner.
58. Recommendation. The Corporation should implement reporting that enables it to understand and monitor the consolidated impacts of its transformation initiatives.
The Corporation’s response. Agreed. Although the overall impact of the corporate transformation projects has been reflected at the specific initiative level and is understood by the Board members, the Corporation will develop enhanced reporting to management and the Board, which will enable better understanding and monitoring of the consolidated impacts of significant transformation initiatives. This reporting will be implemented by the end of the first quarter of 2018.
Conclusion
59. In our opinion, based on the criteria established, there were significant deficiencies in the Corporation’s Board appointment process and in its risk management processes, but there was reasonable assurance that there were no significant deficiencies in the other systems and practices that we examined. We concluded that, except for these significant deficiencies, the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.
Subsequent Event
60. The corporate governance section of this report discusses the significant deficiency that we found in the board appointments for Export Development Canada’s Board of Directors. In November 2017, 9 of the 12 Board members’ terms had expired, and the Chairperson’s position was vacant.
61. On 28 November 2017, the Minister of International Trade announced the appointment of a new Chairperson to the Board of Directors. This new appointment will contribute to the Corporation’s oversight.
About the Audit
This independent assurance report was prepared by the Office of the Auditor General of Canada on Export Development Canada. Our responsibility was to express
- an opinion on whether there is reasonable assurance that during the period covered by the audit, there were no significant deficiencies in the Corporation’s systems and practices that we selected for examination; and
- a conclusion about whether the Corporation complied in all significant respects with the applicable criteria.
Under section 131 of the Financial Administration Act (FAA), Export Development Canada is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that
- its assets are safeguarded and controlled;
- its financial, human, and physical resources are managed economically and efficiently; and
- its operations are carried out effectively.
In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.
All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.
The Office applies Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.
In conducting the audit work, we have complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.
In accordance with our regular audit process, we obtained the following from the Corporation’s management:
- confirmation of management’s responsibility for the subject under audit;
- acknowledgement of the suitability of the criteria used in the audit;
- confirmation that all known information that has been requested, or that could affect the findings or audit conclusion, has been provided; and
- confirmation that the audit report is factually accurate.
Audit objective
The objective of this audit was to determine whether the systems and practices we selected for examination at Export Development Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.
Scope and approach
Our audit work examined Export Development Canada. The scope of the special examination was based on our assessment of the risks the Corporation faces that could affect its ability to meet the requirements set out by the Financial Administration Act.
As part of our examination, we interviewed Board members, senior management, and other individuals throughout the Corporation to gain insights into its systems and practices. We selected and tested samples of items, such as transactions, process control activities, risk mitigation strategies, projects, and reporting, to determine whether systems and practices were in place and functioned as intended.
The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.
In carrying out the special examination, we did not rely on any internal audits. We did, however, consider the findings of a review conducted by the Office of the Superintendent of Financial Institutions in 2014–2015.
Sources of criteria
The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.
Corporate governance
Organisation for Economic Co-operation and DevelopmentOECD Guidelines on Corporate Governance of State-Owned Enterprises, Organisation for Economic Co-operation and Development, 2015
20 Questions Directors Should Ask about Crown Corporation Governance, Canadian Institute of Chartered Accountants, 2007
Review of the Governance Framework for Canada’s Crown Corporations—Report to Parliament, Treasury Board Secretariat, 2005
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Corporate Governance in Crown Corporations and Other Public Enterprises: Guidelines, Department of Finance and Treasury Board, 1996
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014
Strategic planning and performance measurement and reporting
OECD Guidelines on Corporate Governance of State-Owned Enterprises, Organisation for Economic Co-operation and Development, 2015
20 Questions Directors Should Ask about Crown Corporation Governance, Canadian Institute of Chartered Accountants, 2007
Review of the Governance Framework for Canada’s Crown Corporations—Report to Parliament, Treasury Board Secretariat, 2005
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
Recommended Practice Guideline: Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Risk management
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Review of the Governance Framework for Canada’s Crown Corporations—Report to Parliament, Treasury Board Secretariat, 2005
20 Questions Directors Should Ask about Strategy, Chartered Professional Accountants of Canada, 2012
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Framework for the Management of Risk, Treasury Board Secretariat, 2010
Enterprise Risk Management—Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2004
Credit risk management for financing and insurance
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Framework for the Management of Risk, Treasury Board Secretariat, 2010
Enterprise Risk Management—Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2004
Corporate Governance Guideline, Office of the Superintendent of Financial Institutions, January 2013
Operational Risk Management Guideline, Office of the Superintendent of Financial Institutions, June 2016
Organizational transformation
Project Management Body of Knowledge (PMBOK) Guide, fourth edition, Project Management Institute IncorporatedInc., 2008
Policy on the Management of Projects, Treasury Board, 2013
Standard for Project Complexity and Risk, Treasury Board Secretariat, 2013
8-Step Process for Leading Change, doctorDr. John Kotter, 2012
Period covered by the audit
The special examination covered the period between 1 August 2016 and 30 June 2017. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of the special examination. We also noted a subsequent event on 28 November 2017.
Date of the report
We obtained sufficient and appropriate audit evidence on which to base our conclusion on 8 January 2018, in Ottawa, Canada.
Audit team
Principal: Lissa Lamarche
Project Leader: Daniel Spagnolo
Project Leader: Geneviève Hivon
List of Recommendations
The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.
Corporate management practices
Recommendation | Response |
---|---|
26. The Corporation should continue to engage with its responsible Minister to help ensure that appropriate appointments to its Board of Directors are made in a timely and staggered manner. (21 to 25) |
The Corporation’s response. Agreed. The Corporation will continue to engage with our responsible Minister to request that appointments be made in a timely manner—and be staggered as to the number of Directors appointed in any one year—to ensure Board continuity and appropriate governance. |
31. The Corporation should continue to engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation. (28 to 30) |
The Corporation’s response. Agreed. The Corporation is very concerned that the total compensation structure of the President and Chief Executive Officer position is significantly below market as confirmed by a chief executive officer compensation benchmarking study conducted on behalf of the Board of Directors by external compensation consultants in August 2017. The Corporation will continue to engage with our responsible Minister and the Privy Council Office to request a review of the total compensation structure of the President and Chief Executive Officer position with the objective of ensuring that the Corporation continues to have the ability to attract, engage, and retain qualified candidates for this position going forward. This is particularly important and pressing, given that the current President and Chief Executive Officer’s term expires in early 2019. |
32. The Corporation should consider disclosing its compensation framework as well as total compensation for senior management—for example, in its annual report—in line with government and financial services industry practices. (28 to 30) |
The Corporation’s response. Agreed. The Corporation is continuously improving disclosure and transparency in external reporting. A review of compensation related to annual report content will be conducted relative to industry peers and best practices over the course of 2018. |
Risk management
Recommendation | Response |
---|---|
44. The Corporation should complete its risk management transformation project as planned, including the following activities:
|
The Corporation’s response. Agreed. The Corporation notes that work on its enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015. Notwithstanding that a more comprehensive policy framework and approach to manage risk will be addressed by the Project, the Corporation has in place and has periodically updated policies addressing certain operational risks, including information technology, human resources, corporate security and compliance and ethics, among others. |
45. The Corporation should ensure that risk reporting includes comprehensive information about operational risk management. (43) |
The Corporation’s response. Agreed. The Corporation had developed work plans to enhance risk reporting to include comprehensive information about operational risk management as part of the risk management transformation project (the Project), referred to in the response to the recommendation in paragraph 44. Completion of the Project will address the elements noted within the recommendation. Completion dates for the various work streams of the Project range from the first quarter of 2018 to the last quarter of 2019, as prioritized on a risk basis. |
46. The Corporation should develop an inventory and classification of key assets (including information and critical systems) and monitor and mitigate threats against these assets. (43) |
The Corporation’s response. Agreed. Although the Corporation has an inventory of technology assets and physical assets, it does not have a comprehensive inventory and classification of information assets. The Corporation will develop and maintain an inventory and classification of all key assets by 30 September 2018 and will monitor and mitigate threats against these assets. The 2018 biannual Enterprise Threat Risk Assessment will use this inventory to complete its internal and external threat risk assessment by 31 December 2018. |
49. The Corporation should complete its risk management transformation project as planned, with prompt consideration of the following items:
|
The Corporation’s response. Agreed. The Corporation notes that work on our enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015. Regarding the element of the recommendation pertaining to model risk management, a Model Risk Management team is now established and reports directly to the Chief Risk Officer. To support the recently approved Model Risk Management Policy, all related guidelines and procedures are now complete. Also, an enterprise-wide model inventory and a plan to validate high-impact models are now substantially complete. |
Organizational transformation
Recommendation | Response |
---|---|
58. The Corporation should implement reporting that enables it to understand and monitor the consolidated impacts of its transformation initiatives. (56 to 57) |
The Corporation’s response. Agreed. Although the overall impact of the corporate transformation projects has been reflected at the specific initiative level and is understood by the Board members, the Corporation will develop enhanced reporting to management and the Board, which will enable better understanding and monitoring of the consolidated impacts of significant transformation initiatives. This reporting will be implemented by the end of the first quarter of 2018. |