2019 Spring Reports of the Auditor General of Canada to the Parliament of Canada
Report of the Joint Auditors to the Board of Directors of the Business Development Bank of Canada—Special Examination—2018
Independent Auditors’ Report
Table of Contents
- Introduction
- Findings, Recommendations, and Responses
- Conclusion
- About the Audit
- List of Recommendations
- Exhibits:
- 1—The Business Development Bank of Canada’s main business activities
- 2—Corporate governance—key findings and assessment
- 3—Strategic planning, and performance measurement and reporting—key findings and assessment
- 4—Corporate risk management—key findings and assessment
- 5—Management of financing—key findings and assessment
- 6—Management of venture capital and other investments—key findings and assessment
- 7—Management of advisory services—key findings and assessment
This report reproduces the special examination report that the joint auditors issued to the Business Development Bank of Canada on 3 December 2018. The Office has not performed follow-up audit work on the matters raised in this reproduced report.
Introduction
Background
1. The Business Development Bank of Canada was established in 1974 to support Canadian entrepreneurship. The Corporation focuses particularly on small and medium-sized businesses. It reports to Parliament through the Minister of Small Business and Export Promotion.
2. The Corporation is a financially self-sustaining federal Crown corporation serving more than 56,000 entrepreneurs of small and medium-sized businesses. It has three main types of business activities:
- financing services, which consist mainly of various lending solutions;
- investment services (including venture capital and other investments), which provide debt and equity solutions; and
- advisory services, which help entrepreneurs grow and develop their business.
Exhibit 1 provides some details of the Corporation’s business activities and income.
Exhibit 1—The Business Development Bank of Canada’s main business activities
Business activity details (value in millions of dollars) | 2016 | 2017 | 2018 |
---|---|---|---|
Total financing committed to clients | 23,818 | 26,711 | 28,532 |
Total investment services committed to clients | 1,995 | 2,184 | 2,460 |
Revenues from advisory services | 17 | 20 | 20 |
Consolidated net income | 538 | 465 | 818 |
Source: The Business Development Bank of Canada’s 2018 Annual Report
3. In response to the Government of Canada’s request to increase investments in clean technology (cleantech), the Corporation launched its Cleantech Scale Up Initiative in December 2017. The initiative provides support to promising clean technology firms. It has a budget of $700 million, including contributions of $600 million from the government and $100 million from the Corporation between 2018 and 2022.
4. In 2015, the Office of the Superintendent of Financial Institutions completed a review of the Corporation and made a number of recommendations. The Corporation responded by developing a multi-year action plan and has been carrying it out. The plan deals mainly with governance and risk management policies and practices. The Corporation expects to fully implement the action plan by 31 March 2019.
5. In recent years, the Corporation has also undertaken change initiatives to enhance its service delivery, particularly through the use of new technologies.
6. To fulfill its mandate and successfully implement changes, the Corporation depends largely on the quality of its human resources, its ability to attract and retain skilled and experienced personnel, and its career development programs for employees.
Focus of the audit
7. Our objective for this audit was to determine whether the systems and practices we selected for examination at the Business Development Bank of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.
8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.
9. Based on our assessment of risks, we selected systems and practices in the following areas:
- corporate management practices, and
- management of operations.
The selected systems and practices and the criteria used to assess them are found in the exhibits throughout the report.
10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.
Findings, Recommendations, and Responses
Overall message
11. Overall, we found no significant deficiencies in the Corporation’s systems and practices. We found that the Corporation had systems and practices in place to deliver financing, investment, and advisory services to small and medium-sized businesses. We noted, however, that the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions. We also found that the Corporation was working to address the recommendations in the 2015 review conducted by the Office of the Superintendent of Financial Institutions. The recommendations concerned the Corporation’s risk management practices, including in the areas of validating financial and risk models and managing information technology risks.
Corporate management practices
12. The Corporation is governed by a Board of Directors composed of 13 members. The Board is supported by the following six committees:
- Audit Committee,
- Governance/Nominating Committee,
- Board Risk Committee,
- Board Investment Committee,
- Clean Technology Special Committee, and
- Human Resources Committee.
13. Strategic planning is an ongoing corporate responsibility, essential for setting long-term and short-term objectives, and for identifying key risks and indicators of the results to be achieved. In Budget 2017, the Government of Canada allocated $600 million of new funding for the Corporation’s Cleantech Scale Up Initiative, which the Corporation needed to integrate into its most recent planning exercise. This funding was in addition to the $100 million provided by the Corporation.
14. Risk management systems and practices are essential for the Corporation to ensure its sustainability and to fulfill its mandate. A strong corporate risk function should play a challenge role for the business lines and contribute to robust risk management and decision making. Good risk management practices support the achievement of the Corporation’s objectives. The Corporation is exposed to strategic, reputational, and credit risks, as well as various types of operational and other financial risks. Operational risk management includes addressing technology risks—for example, business continuity planning, planning for management of disruptive events, and measures to ensure information technology (IT) security.
15. Financial institutions establish a risk appetite statement as part of their risk management practices. This statement describes the amount and type of risk an organization accepts before it must implement measures to mitigate or reduce risk. An organization’s overall tolerance for losses is broken down into thresholds and limits, which are assigned to the different business areas of the organization. The types of risk include strategic risk, operational risk, and risks related to business activities (for example, risks related to the Corporation’s lending and venture capital investing). Once the thresholds and limits are established, the organization must regularly measure and monitor its position against them to ensure that its overall risk appetite is not exceeded and that corrective action is taken when appropriate.
Compensation for the President and Chief Executive Officer was lower than the compensation for some senior executive positions, and the Corporation had weaknesses in its management of risk
16. We found that the Corporation had good corporate governance, strategic planning, and performance measurement and reporting practices. However, we found that the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions of the Corporation. We also found weaknesses in the way the Corporation managed risk: It had not yet completed the validation of its financial and risk models, and it did not have a formal risk management plan in place for IT.
17. Our analysis supporting this finding discusses the following topics:
- Corporate governance
- Strategic planning, and performance measurement and reporting
- Corporate risk management
18. Our recommendations in this area of examination appear at paragraphs 23, 24, 29, and 32.
19. Analysis. We found that the Corporation had good corporate governance practices in place. However, the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions (Exhibit 2).
Exhibit 2—Corporate governance—key findings and assessment
20. Weakness—Board appointments and competencies. We found that the total compensation range for the President and Chief Executive Officer had fallen behind the total compensation ranges for some of the senior executive positions. The Governor in Council sets the total compensation range for the President and Chief Executive Officer, on the basis of salary ranges established in 2012. The Board of Directors established the total compensation ranges for senior executive positions, on the basis of market standards.
21. This weakness matters because the discrepancy could limit the Corporation’s ability to attract and retain qualified individuals to the President and Chief Executive Officer position, putting at risk the management of the Corporation.
22. We also found that the Corporation did not publicly disclose executive compensation—for example, in its annual report. Compensation is one of the Corporation’s largest operational expenditures. Disclosing executive compensation or salary structures would promote transparency and be in accordance with the practice in government and the financial industry. Disclosure would also help stakeholders better understand salary structures and issues related to them.
23. Recommendation. The Corporation should engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation.
The Corporation’s response. Agreed. The Corporation will review this issue and engage with the responsible Minister and the Privy Council Office as appropriate. The objective will be to ensure the ability to attract and retain qualified individuals for the President and Chief Executive Officer position.
24. Recommendation. The Corporation should consider disclosing its compensation framework as well as total compensation for senior executive positions (for example, in its annual report), to be in line with the practice in government and the financial industry.
The Corporation’s response. Agreed. The Corporation will conduct a review of the annual disclosures of both the compensation framework and the total compensation for senior executive positions.
25. Analysis. We found that the Corporation had good strategic planning practices and good performance measurement and reporting practices (Exhibit 3).
Exhibit 3—Strategic planning, and performance measurement and reporting—key findings and assessment
26. Analysis. During our examination, the Corporation was working to update its risk management policies and practices to address the recommendations of the Office of the Superintendent of Financial Institutions. We found weaknesses in the validation of financial and risk mitigation models and in IT risk management (Exhibit 4).
Exhibit 4—Corporate risk management—key findings and assessment
27. Weakness—Risk mitigation. We found that, in accordance with industry practice, the Corporation relied on financial and risk models when making decisions. It used these models to measure and manage risk by calculating borrowers’ credit ratings. It also used the models to determine the values of loans and to calculate potential losses and establish capital reserves. Models are supposed to be subjected to regular validation, during which they are verified to ensure that they are reliable. The Corporation had recently approved a Model Risk Corporate Directive, including an inventory of models used. It had begun validation as scheduled under the directive. However, the Corporation had not yet completed validation of all of its financial and risk models.
28. This weakness matters because models that have not been subjected to validation could have the unintended effect of producing unreliable information for decision making. This could expose the Corporation to unexpected losses or a shortage of capital.
29. Recommendation. The Corporation should proceed with model validation in accordance with its Model Risk Corporate Directive.
The Corporation’s response. Agreed. As noted in this audit report, the Corporation has in place a Model Risk Corporate Directive. The directive includes an inventory of all the Corporation’s models, a model risk rating assessment process (based on complexity and materiality criteria), and a model validation schedule (based on the aforementioned risk rating). Validations of the applicable models are ongoing, and the Corporation is on track to complete these validations according to the schedule within the directive.
30. Weakness—Business continuity, disruptive events management plan, recovery plan, resiliency plan, and IT security. We found that the Corporation did not yet have a formal IT risk management plan with the risk mitigation measures that focused on the most critical systems, processes, and data, and that ensured security, business resumption, or continuity.
31. This weakness matters because without a formal IT risk management plan, strategies to protect, recover, or resume operations might not be tailored to the importance or relative risk of the key systems, processes, and data concerned. The strategies might therefore not be effective in mitigating IT business continuity or security risks within the Corporation’s expressed risk appetite. This situation could expose the Corporation to operational and financial loss.
32. Recommendation. The Corporation should implement a formal IT risk management plan that lists and assesses all IT processes, systems, and data, and identifies required risk mitigation activities.
The Corporation’s response. Agreed. After the period covered by the audit, the Corporation finalized and approved an IT Risk Management Corporate Directive, which includes an IT Risk Management Framework to address the points raised by this audit. The directive was reviewed by the Audit Committee and the Board Risk Committee. The Corporation is committed to implementing the directive and components of the framework. The Corporation currently has in place a number of documented processes and controls to ensure the mitigation of IT risk.
Management of operations
33. Financing services. Lending to businesses is the largest part of the Corporation’s loan portfolio. Its Financing business line provides term loans and specialized solutions designed to support business creation and business growth, market development and expansion, investment in business growth, the acquisition and modernization of facilities and equipment, and business ownership transition.
34. For one segment of its lending to businesses, the Corporation has begun using new technological and online interfaces to offer clients faster and more convenient access to services. The Corporation plans to broaden use of these new technologies to other segments of its commercial lending as their effectiveness is proven.
35. Investment services (venture capital and other investments). Through its Venture Capital business line and other investment activities, the Corporation offers entrepreneurs various debt and equity solutions. Its investment services offer significant support to Canadian entrepreneurs of small and medium-sized businesses.
36. In 2017, the government mandated the Corporation to play a larger role in supporting clean technology companies. In December 2017, the Corporation responded by launching its Cleantech Scale Up Initiative. During the period covered by the audit, the Corporation was in the process of formalizing the initiative’s governance framework, internal controls, and procedures. The initiative had begun to deploy funds and develop its portfolio. It will rely on good governance and management practices to ensure that its operations help achieve the Corporation’s mandate while remaining within its stated risk appetite. During implementation of these practices, the Board has been involved in reviewing and approving investments under the initiative and has received detailed information on activities.
37. Advisory services. The Corporation’s Advisory Services business line helps entrepreneurs grow and develop their business. Although the business line does not currently generate net income, it provides valuable support to entrepreneurs. In recent years, to enhance its services, the Corporation segmented its clientele by size and tailored its advisory offerings to each segment. Further, the Financing business line’s account managers are becoming more involved in managing client relationships as well as the advisory services offered and delivered.
The Corporation had good practices for managing its operations
38. We found that the Corporation had good practices for managing its operations.
39. Our analysis supporting this finding discusses the following topics:
- Management of financing
- Management of venture capital and other investments
- Management of advisory services
40. We made no recommendations in this area of examination.
41. Analysis. We found that the Corporation had good practices in place to manage its financing services (Exhibit 5).
Exhibit 5—Management of financing—key findings and assessment
42. Analysis. We found that the Corporation had good practices in place to manage its venture capital and other investments (Exhibit 6).
Exhibit 6—Management of venture capital and other investments—key findings and assessment
43. Analysis. We found that the Corporation had good practices in place to manage its advisory services (Exhibit 7).
Exhibit 7—Management of advisory services—key findings and assessment
Conclusion
44. In our opinion, based on the criteria established, there was reasonable assurance that there were no significant deficiencies in the Business Development Bank of Canada’s systems and practices that we examined. We concluded that the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.
About the Audit
This independent assurance report was prepared by the Office of the Auditor General of Canada (the Office) and Deloitte Limited Liability Partnership (LLP) on the Business Development Bank of Canada. Our responsibility was to express
- an opinion on whether there is reasonable assurance that during the period covered by the audit, there were no significant deficiencies in the Corporation’s systems and practices that we selected for examination; and
- a conclusion about whether the Corporation complied in all significant respects with the applicable criteria.
Under section 131 of the Financial Administration Act (FAA), the Business Development Bank of Canada is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that
- its assets are safeguarded and controlled;
- its financial, human, and physical resources are managed economically and efficiently; and
- its operations are carried out effectively.
In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.
All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.
The Office and Deloitte LLP apply Canadian Standard on Quality Control 1 and, accordingly, each maintain a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.
In conducting the audit work, we have complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.
In accordance with our regular audit process, we obtained the following from the Corporation’s management:
- confirmation of management’s responsibility for the subject under audit;
- acknowledgement of the suitability of the criteria used in the audit;
- confirmation that all known information that has been requested, or that could affect the findings or audit conclusion, has been provided; and
- confirmation that the audit report is factually accurate.
Audit objective
The objective of this audit was to determine whether the systems and practices we selected for examination at the Business Development Bank of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.
Scope and approach
Our audit work examined the Business Development Bank of Canada. The scope of the special examination was based on our assessment of the risks the Corporation faces that could affect its ability to meet the requirements set out by the Financial Administration Act.
In performing our work, we reviewed key documents related to the systems and practices selected for examination. We interviewed members of the Board of Directors, senior management, and other employees of the Corporation. We also tested the systems and practices in place to obtain the required level of audit assurance.
The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.
In carrying out the special examination, we did not rely on any internal audits. We did, however, consider the findings of a review conducted by the Office of the Superintendent of Financial Institutions in 2015.
Sources of criteria
The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.
Corporate governance
Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Performance Management Program for Chief Executive Officers of Crown Corporations—Guidelines, Privy Council Office, 2016
Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014
Strategic planning, and performance measurement and reporting
Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
Recommended Practice Guideline 3, Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Corporate risk management
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
Control Objectives for Information and related Technology (COBIT) 5 Framework—APO13 (Manage Security), BAI10 (Manage Configuration), DSS05 (Manage Security Services), MEA03 (Monitor, Evaluate and Assess Compliance with External Requirements), Information Systems Audit and Control Association (ISACA)
Management of financing
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute Inc., 2008
COBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), ISACA
Plan-Do-Check-Act management model adapted from the Deming Cycle
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
Policy on Learning, Training, and Development, Treasury Board, 2006
Ultimate HR Manual, Human Resource Professionals Association and Commerce Clearing House (CCH)
Management of venture capital and other investments
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute Inc., 2008
COBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), ISACA
Plan-Do-Check-Act management model adapted from the Deming Cycle
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA
20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board of Canada, 1996
Management of advisory services
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute Inc., 2008
COBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), ISACA
Plan-Do-Check-Act management model adapted from the Deming Cycle
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA
Policy on Learning, Training, and Development, Treasury Board, 2006
Ultimate HR Manual, Human Resource Professionals Association and CCH
Period covered by the audit
The special examination covered the period between 25 September 2017 and 23 July 2018. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of this period.
Date of the report
We obtained sufficient and appropriate audit evidence on which to base our conclusion on 25 October 2018 in Ottawa and Montréal, Canada.
Audit team
Office of the Auditor General of Canada:
Principal: Lissa Lamarche
Director: Patrick Polan
Geneviève Hivon
Kim Villeneuve
Deloitte LLP:
Partners: Umberto Delucilla and Normand Favreau
Managers: Mariama Zhouri and Julie Retik
List of Recommendations
The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.
Recommendation | Response |
---|---|
23. The Corporation should engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation. (20 to 22) | The Corporation’s response. Agreed. The Corporation will review this issue and engage with the responsible Minister and the Privy Council Office as appropriate. The objective will be to ensure the ability to attract and retain qualified individuals for the President and Chief Executive Officer position. |
24. The Corporation should consider disclosing its compensation framework as well as total compensation for senior executive positions (for example, in its annual report), to be in line with the practice in government and the financial industry. (20 to 22) | The Corporation’s response. Agreed. The Corporation will conduct a review of the annual disclosures of both the compensation framework and the total compensation for senior executive positions. |
29. The Corporation should proceed with model validation in accordance with its Model Risk Corporate Directive. (27 to 28) | The Corporation’s response. Agreed. As noted in this audit report, the Corporation has in place a Model Risk Corporate Directive. The directive includes an inventory of all the Corporation’s models, a model risk rating assessment process (based on complexity and materiality criteria), and a model validation schedule (based on the aforementioned risk rating). Validations of the applicable models are ongoing, and the Corporation is on track to complete these validations according to the schedule within the directive. |
32. The Corporation should implement a formal IT risk management plan that lists and assesses all IT processes, systems, and data, and identifies required risk mitigation activities. (30 to 31) | The Corporation’s response. Agreed. After the period covered by the audit, the Corporation finalized and approved an IT Risk Management Corporate Directive, which includes an IT Risk Management Framework to address the points raised by this audit. The directive was reviewed by the Audit Committee and the Board Risk Committee. The Corporation is committed to implementing the directive and components of the framework. The Corporation currently has in place a number of documented processes and controls to ensure the mitigation of IT risk. |