2020 Spring Reports of the Auditor General of Canada to the Parliament of Canada

Report of the Auditor General of Canada to the Board of Directors of the Canadian Commercial Corporation—Special Examination—2019

Canadian Commercial Corporation—Report of the Auditor General of Canada—2019

Independent Auditor’s Report

This report reproduces the special examination report that the Office of the Auditor General of Canada issued to the Board of Directors of the Canadian Commercial Corporation on 19 March 2019. The Office has not performed follow-up audit work on the matters raised in this reproduced report.

Introduction

Background

1. The Canadian Commercial Corporation is a federal Crown corporation that connects Canadian exporters to global government procurement markets and foreign government buyers. The Corporation reports to Parliament through the Minister of International Trade Diversification.

2. As the Government of Canada’s international contracting agency, the Corporation facilitates government-to-government contracting. The Corporation also helps federal organizations procure goods and services so that the organizations can deliver their programs in other countries. The Corporation charges fees for its services with the exception of sales to the United States Department of Defense under the Canada–US Defence Production Sharing Agreement.

3. Historically, the Corporation’s operations focused on aerospace, defence, security, and infrastructure. In recent years, the Corporation successfully secured a few large defence contracts that yielded enough revenue to fund operations. The Government of Canada gradually phased out its budget appropriation, with the final $3.5 million appropriation received for the 2016–17 fiscal year (Exhibit 1). In its 2017–18 Statement of Priorities, the Minister of International Trade Diversification directed the Corporation to ensure that it remained fiscally sustainable.

Exhibit 1—The Corporation’s finances for the 2014–15 to 2017–18 fiscal years (in $ millions)

| Description | 2014–15 | 2015–16 | 2016–17 | 2017–18 |
| --- | --- | --- | --- | --- |
| Value of contracts | $2,440.8 | $2,844.5 | $2,627.0 | $2,387.8 |
| Fees charged | $22.8 | $28.6 | $25.3 | $23.1 |
| Net loss before parliamentary appropriation | ($5.9) | ($0.8) | ($3.3) | ($5.3) |
| Parliamentary appropriation | $14.2 | $8.9 | $3.5 | $0.0 |

Source: Canadian Commercial Corporation annual reports

4. The Corporation developed a diversification strategy in 2017 to address the risk of depending on a few significant contracts in one sector and to contribute to long-term fiscal sustainability. The strategy focused on industries that could leverage the Corporation’s value proposition—that is, the value that the Corporation provides to international buyers.

5. To support the strategy, the Corporation reorganized its business lines to focus on five sectors—aerospace, construction and infrastructure, clean technology, information and communications technology, and defence—under two business units:

The Corporation’s five priority regions include the United States, the Middle East, Latin America and the Caribbean, Asia, and Africa.

6. The Corporation is headquartered in Ottawa and employs approximately 135 people belonging to various disciplines, such as finance, procurement, project management, law, and international trade.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at the Canadian Commercial Corporation were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. Based on our assessment of risks, we selected systems and practices in the following areas:

The selected systems and practices and the criteria used to assess them are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Overall message

11. Overall, we found no significant deficiencies in the Canadian Commercial Corporation’s systems and practices. We found that the Corporation had well-managed systems and practices for both corporate management and operations; however, we noted areas that could be improved. These areas related to establishing systematic processes at the business unit level for planning operations and identifying risks. Furthermore, we found that the Corporation’s due diligence processes for transactions did not adequately consider human rights issues.

Corporate management practices

The Corporation had good corporate governance practices, but some improvements were needed

12. We found that the Corporation had good corporate governance practices. However, we found that the Corporation did not formally document planning processes and that business units did not prepare operational plans in the same way. We also found that business units did not identify and assess risks systematically.

13. Our analysis supporting this finding discusses the following topics:

14. The Corporation is governed by a Board of Directors, which consists of the Chairperson and nine directors. The Governor in Council appoints the Chairperson, while the Minister of International Trade Diversification appoints the nine directors with the approval of the Governor in Council. The Governor in Council also appoints the Corporation’s President and Chief Executive Officer. At the start of the period covered by the audit, all nine director positions had expired. By the end of the period, the Minister had appointed six directors, including three who were reappointed to their positions.

15. Our recommendations in this area of examination appear at paragraphs 21, 22, and 26.

16. Analysis. We found that the Corporation had good practices in corporate governance (Exhibit 2).

Exhibit 2—Corporate governance—key findings and assessment

Systems and practices: Board independence

Criteria used: The Board functioned independently.

Key findings:

The Corporation’s by-laws, Policy Governance Framework, and Conflict of Interest Policy required directors to be independent of management.

Conflicts of interest were declared at Board meetings and through an annual written declaration.

The Board held regular meetings without management.

Assessment against the criteria: Met the criteria

Systems and practices: Providing strategic direction

Criteria used: The Board provided strategic direction.

Key findings:

The Board was active in setting the Corporation’s strategic direction.

The Corporation’s strategic objectives aligned with the Corporation’s mandate.

The Board was active in setting the President and Chief Executive Officer’s objectives.

Responsibilities for communications with stakeholders were defined.

Assessment against the criteria: Met the criteria

Systems and practices: Board appointments and competencies

Criteria used: The Board collectively had capacity and competencies to discharge its responsibilities.

Key findings:

The Board determined the skills and expertise it needed to be effective.

The Board periodically assessed whether its directors had the appropriate skills and knowledge to carry out their responsibilities.

Board members were provided orientation sessions and ongoing training.

The Board had access to outside expertise and used it when necessary to fill gaps in the Board’s skill and expertise profile.

The Board communicated with its Minister about Board appointments, renewals, and vacancies.

The appointment of six directors—including three reappointments—with staggered terms allowed a smooth transition between experienced Board members and new ones.

Assessment against the criteria: Met the criteria

Systems and practices: Board oversight

Criteria used: The Board carried out its oversight role over the Corporation.

Key findings:

The structure of the Board and committees reflected the nature and complexity of the organization.

Board members received the necessary information to challenge, direct, and make decisions.

The Corporation’s Internal Audit team conducted regular internal audits. The Director of Internal Audit met regularly with the Audit Committee without management present.

The Corporation reported the declaration requirements of its Code of Conduct and Business Ethics annually to the Board.

The Board evaluated its own performance annually and reported results transparently.

Assessment against the criteria: Met the criteria

Legend—Assessment against the criteria: Met the criteria; Met the criteria, with improvement needed; Did not meet the criteria

17. Analysis. The Corporation had good practices in performance measurement, monitoring, and reporting. However, it had several weaknesses in its strategic planning processes (Exhibit 3).

Exhibit 3—Strategic planning—key findings and assessment

Systems and practices: Strategic planning processes

Criteria used: The Corporation established a strategic plan and strategic objectives that were aligned with its mandate.

Key findings:

The Corporation considered its internal and external environments, and its competitive strengths and weaknesses, as part of its strategic planning processes.

The Corporation’s corporate plan aligned with the Corporation’s legal mandate and government priorities.

The Corporation used risk information in its strategic planning processes.

Management’s performance objectives aligned with the Corporation’s strategic objectives.

The Corporation communicated its strategic plan well throughout the organization.

Weaknesses:

The Corporation did not formally document its strategic and operational planning and performance measurement processes.

The Corporation’s business units did not take an integrated approach to operational planning.

The Minister did not approve the 2018–19 to 2022–23 corporate plan.

Assessment against the criteria: Met the criteria, with improvement needed

Systems and practices: Performance measurement

Criteria used: The Corporation established performance indicators in support of achieving strategic objectives.

Key findings:

The Corporation established performance measurements, including key performance indicators and targets, to assess ongoing progress in achieving strategic objectives.

Assessment against the criteria: Met the criteria

Systems and practices: Performance monitoring and reporting

Criteria used: The Corporation monitored and reported on progress in achieving its strategic objectives.

Key findings:

The Corporation assigned strategic objectives to business units and incorporated the objectives in the business units’ operational plans, along with the expected results.

The Corporation assessed performance against targets each quarter and reported this information to senior management and the Board.

The Corporation periodically discussed progress against strategic objectives and used performance information in decision making.

The Corporation reported the results of its performance measures in its corporate plan, which it updated annually.

Assessment against the criteria: Met the criteria

Legend—Assessment against the criteria: Met the criteria; Met the criteria, with improvement needed; Did not meet the criteria

18. Weaknesses—Strategic planning processes. We found that the Corporation did not formally document its strategic planning processes to ensure consistent application year over year and across business units. Our findings are consistent with those of the Corporation’s internal audit. We also observed that the Corporation’s business units did not prepare operational plans in the same way—and that those plans did not always consider interdependencies between business units.

19. We also found that the Minister of International Trade Diversification did not approve the Corporation’s 2018–19 to 2022–23 corporate plan. The Corporation originally submitted the draft plan in January 2018, and the Minister returned it requesting amendments to reflect the cancellation of a significant contract. The Corporation resubmitted the plan in August 2018, but it remained unapproved at the end of the period covered by the audit. The Corporation attempted to engage the Minister to secure approval of the plan. Government approval of corporate plans is a process outside the Corporation’s control.

20. These weaknesses matter because inconsistent strategic planning processes may not provide the level of detail required to support the Corporation in achieving its strategic objectives. Furthermore, corporate plans outline a five-year strategic and financial direction. Many of the Corporation’s transactions span several years and require long-term planning. The lack of an approved corporate plan limits the ability of the Corporation to assure its suppliers and the foreign governments it works with that it can carry out its contracts to their conclusion.

21. Recommendation. The Corporation should document its strategic planning processes and link them to operational planning. The Corporation should also ensure that its strategic planning processes are consistently applied and integrated across the organization.

The Corporation’s response. Agreed. The Corporation will document its strategic planning processes and provide better linkages to operational planning. The Corporation will continue to strengthen its business plans through increased guidance while also focusing on integration and interdependencies between the respective plans. The Corporation will continue to evolve its business planning process and include regular touch points throughout the year to ensure accountability for deliverables identified within the plans. The strategic process documentation and related improvements will be completed by 30 September 2019.

22. Recommendation. The Corporation should continue to work with the government to ensure that its 2019–20 to 2023–24 corporate plan is approved.

The Corporation’s response. Agreed. The Corporation notes that government stakeholder consultations take place regularly and that the status of the corporate plan is frequently discussed. The Corporation will continue these discussions and work toward having the 2019–20 to 2023–24 corporate plan formally approved.

23. Analysis. We found that the Corporation had good risk management practices. However, we found a weakness in the Corporation’s risk identification and assessment (Exhibit 4).

Exhibit 4—Corporate risk management—key findings and assessment

Systems and practices: Risk identification and assessment

Criteria used: The Corporation identified and assessed risks to achieving strategic objectives.

Key findings:

The Corporation developed an enterprise risk management framework and a suite of policies to help identify and assess risks.

The Corporation identified and assessed its main risks across the strategic, operational, and transactional categories.

Risk assessments included potential impact, severity, and likelihood.

The enterprise risk management framework described the Board’s and management’s risk management responsibilities.

Weakness:

The Corporation did not consistently identify and assess risks at the business unit level.

Assessment against the criteria: Met the criteria, with improvement needed

Systems and practices: Risk mitigation

Criteria used: The Corporation defined and implemented risk mitigation measures.

Key findings:

The Corporation identified its most significant risks and assigned them to risk owners at the executive level.

Risk owners prepared risk response plans for each of the significant risks identified.

Assessment against the criteria: Met the criteria

Systems and practices: Risk monitoring and reporting

Criteria used: The Corporation monitored and reported on the implementation of risk mitigation measures.

Key findings:

The Corporation monitored and reported on risk mitigation activities through a quarterly risk report, which was provided to the Audit Committee.

The Corporation’s Annual Risk Management Report identified risk management activities that were planned and undertaken. The report included an assessment of risk based on impact and likelihood.

Assessment against the criteria: Met the criteria

Systems and practices: Business continuity plans and information technology (IT) security

Criteria used: The Corporation had information systems that were available and accessible when needed, and would resist attacks and recover from failures.

Key findings:

The Corporation had a Business Continuity Plan and an IT Disaster Recovery Plan. The Corporation regularly tested the plans and developed action plans to address areas requiring improvement.

The Corporation performed a vulnerability assessment of its IT systems and addressed critical vulnerabilities.

Assessment against the criteria: Met the criteria

Legend—Assessment against the criteria: Met the criteria; Met the criteria, with improvement needed; Did not meet the criteria

24. Weakness—Risk identification and assessment. The Corporation’s process for identifying and assessing corporate risks included 14 risks across three categories: strategic, operational, and transactional. However, we found that the Corporation did not have formal processes for systematically collecting risk information at the business unit level. This meant that the process for identifying and assessing risk at the business unit level was not systematic.

25. This weakness matters because without a formal process of collecting risk information from business units, the Corporation might not identify, assess, mitigate, and monitor certain risks.

26. Recommendation. The Corporation’s process for identifying risks should ensure that risk information is collected at the business unit level.

The Corporation’s response. Agreed. The Corporation will provide additional guidance on risk identification and assessment to business units as part of its business plan process. Additional focus on the business plans at the Risk and Opportunities Committee will also be established. These improvements will be completed by 30 September 2019.

Management of business development and contracting

27. Through contracts with foreign government buyers, the Corporation guarantees delivery of a Canadian exporter’s goods or services. The Corporation also holds a contract with the Canadian exporter, which requires the exporter to fulfill its contract with the foreign government buyer. As a result, the Corporation assumes and mitigates risks, such as financial or political, for the Canadian exporter and the foreign government buyer. Before concluding these contracts, the Corporation assesses the risks to the transaction, which include

28. The Corporation’s transactions can involve exports of controlled goods, such as some military or dual-use goods or technology. Such controlled goods are subject to the Export and Import Permits Act, which requires that an export permit be issued by Global Affairs Canada before the goods can be exported. Once a contract has been signed, the exporter submits an application for an export permit to the Export Controls Operations Division of Global Affairs Canada, for a review of the facts of the export to ensure consistency with Canada’s foreign and defence policies. On the basis of this review, the Minister of Foreign Affairs decides whether to grant an export permit in a particular set of circumstances. The Corporation is not involved in the decision as to whether the export of a controlled good or service can proceed, but assesses the risk associated with the export permit approval as part of the due diligence process.

The Corporation had good business development practices, but there were weaknesses in its contracting processes

29. We found that improvements were needed in the Corporation’s due diligence processes related to managing risk in its contracts. In particular, the Corporation did not adequately consider risks related to human rights in its contracting processes. We also found weaknesses in the Corporation’s monitoring systems that track contract costs.

30. Our analysis supporting this finding discusses the following topic:

31. Our recommendations in this area of examination appear at paragraphs 35 and 38.

32. Analysis. We found that the Corporation had good business development practices. However, we found weaknesses in the Corporation’s contract management and performance monitoring and reporting processes (Exhibit 5).

Exhibit 5—Business development and contracting—key findings and assessment

Systems and practices: Business development

Criteria used: Business development practices ensured increased access to foreign markets for exporters and were in line with the Corporation’s objectives and goals.

Key findings:

The Corporation prepared a business development strategy focused on growth, diversification, and new business sectors (clean technology, information and communications technology, and infrastructure sectors).

The Corporation had appropriately considered the capacity and resourcing requirements for business development growth.

The Corporation established mechanisms to communicate the business development strategy to employees and stakeholders.

The Corporation had a well-defined management framework for business development. The framework’s requirements were designed to ensure that business development activities and outcomes complied with the Corporation’s legislative mandate and contributed to the Corporation’s strategic and operational objectives.

Assessment against the criteria: Met the criteria

Systems and practices: Contract management

Criteria used: Contract management practices ensured efficient and effective contracting services, which were in line with the Corporation’s objectives and goals.

Key findings:

The Corporation had a well-defined suite of policies for contract management, including policies for assigning responsibilities for project monitoring, reporting, and issue resolution.

The Corporation established mechanisms for internal and external communications for contract delivery.

The Corporation had a due diligence process for its transactions that considered business integrity issues and technical, managerial, and financial risks associated with proposed transactions.

Weakness:

At the time of our audit, the Corporation did not have a formal process to identify and mitigate the risks related to human rights when doing business with foreign governments.

Assessment against the criteria: Met the criteria, with improvement needed

Systems and practices: Performance monitoring and reporting

Criteria used: The Corporation monitored and reported on its operational results.

Key findings:

The Board and senior management received timely reporting on the business development strategy’s implementation, operational performance, and the status of contracts under management.

The Corporation had systems and practices to implement, monitor, and revise contract management plans.

Weakness:

The Corporation did not have a monitoring system that tracked actual fees charged on a contract to compare those costs with the estimated pricing.

Assessment against the criteria: Met the criteria, with improvement needed

Legend—Assessment against the criteria: Met the criteria; Met the criteria, with improvement needed; Did not meet the criteria

33. Weakness—Contract management. We reviewed the Corporation’s due diligence processes to assess whether the risks posed by potential contracts were well identified, assessed, and considered before a transaction was approved. In the transactions we examined, we found that the Corporation assessed certain areas of suppliers’ due diligence, such as business integrity (corruption and bribery risks) and suppliers’ technical, managerial, and financial risks associated with a proposed transaction. However, we found that the Corporation did not have a formal process for reviewing human rights issues that related to the transactions. At the time of our audit, the Corporation was implementing due diligence processes to address these issues.

34. This weakness matters because the Corporation has committed to the highest ethical standards in business dealings both in Canada and abroad. Entering into transactions associated with human rights concerns exposes the Corporation to reputational risks and to transactional risks if human rights issues prevent Global Affairs Canada from issuing an export permit.

35. Recommendation. The Corporation should establish and implement due diligence processes for human rights risks. These processes should properly assess and mitigate risks, both as the contract is prepared and for its duration. The Corporation should consult with external partners, such as Global Affairs Canada, as part of these due diligence processes, where relevant.

The Corporation’s response. Agreed. The Corporation is revising its ongoing risk assessment and transactional due diligence to ensure that human rights, transparency, and responsible business conduct (RBC) are core guiding principles. The review will result in modifications to the Corporation’s policy suite to include improved policies and systematic procedures that will constitute an “Enhanced RBC Framework” intended for implementation by June 2019. The framework will assess and develop risk mitigation strategies with respect to human rights risks in the Corporation’s transactions. The Corporation recently established a Human Rights Committee to conduct due diligence reviews for human rights concerns. The Corporation will continue to consult with officials at Global Affairs Canada in its human rights assessments and ensure that human rights risks are reviewed at the outset and throughout a transaction. These improvements will be completed by 30 November 2019.

36. Weakness—Performance monitoring and reporting. The Corporation did not have monitoring systems and practices in place for project costs. As a result, the Corporation was unable to track actual costs incurred on a contract to compare those costs with the estimated pricing, nor could the Corporation be assured that fees charged on contracts covered all related costs.

37. This weakness matters because these systems and practices are needed to validate and inform the pricing for the Corporation’s services and to help the Corporation achieve long-term financial sustainability. The Corporation cannot assess whether its fees on individual contracts contribute to fiscal sustainability without adequate monitoring information related to fees and profit on contracts.

38. Recommendation. The Corporation should develop and implement monitoring systems and practices that will provide information on contract fees and profit to inform decisions around contract pricing and the Corporation’s fee structure.

The Corporation’s response. Agreed. The Corporation will review options on monitoring systems and practices that could strengthen information gathering on contract costs to better inform decision making around the Corporation’s fee structure. The selected options will be implemented by 31 December 2019.

Conclusion

39. In our opinion, based on the criteria established, there was reasonable assurance there were no significant deficiencies in the Canadian Commercial Corporation’s systems and practices that we examined. We concluded that the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

About the Audit

This independent assurance report was prepared by the Office of the Auditor General of Canada on the Canadian Commercial Corporation. Our responsibility was to express

Under section 131 of the Financial Administration Act (FAA), the Canadian Commercial Corporation is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that

In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.

All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.

The Office applies Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

In conducting the audit work, we have complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.

In accordance with our regular audit process, we obtained the following from the Corporation’s management:

Audit objective

The objective of this audit was to determine whether the systems and practices we selected for examination at the Canadian Commercial Corporation were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

Scope and approach

We examined the Canadian Commercial Corporation. The scope of the special examination was based on our assessment of the risks the Corporation faces that could affect its ability to meet the requirements set out by the Financial Administration Act.

As part of our examination, we interviewed Board members, senior management, and other individuals throughout the Corporation to gain insights into its systems and practices. We selected and tested sample items, such as transactions, process control activities, risk mitigation strategies, contracts, projects, and reporting, to determine whether systems and practices were in place and functioned as intended.

The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.

In carrying out the special examination, we did not rely on any internal audits.

Sources of criteria

The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.

Corporate governance

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Performance Management Program for Chief Executive Officers of Crown Corporations—Guidelines, Privy Council Office, 2016

Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014

Strategic planning

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

Recommended Practice Guideline 3, Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Corporate risk management

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

Corporate Social Responsibility: An Implementation Guide for Business, International Institute for Sustainable Development, 2007

Business development and contracting

Control Objectives for Information and related Technology (COBIT) 5 Framework—EDM02 (Ensure Benefits Delivery), Information Systems Audit and Control Association (ISACA)

Plan-Do-Check-Act management model adapted from the Deming Cycle

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute Inc., 2008

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Period covered by the audit

The special examination covered the period between 17 January 2018 and 23 November 2018. This is the period to which the audit conclusion applies.

Date of the report

We obtained sufficient and appropriate audit evidence on which to base our conclusion on 12 December 2018, in Ottawa, Canada.

Audit team

Principal: Lissa Lamarche
Director: Laurie Girard

Daniel Spagnolo

List of Recommendations

The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.

Corporate management practices

Recommendation Response

21. The Corporation should document its strategic planning processes and link them to operational planning. The Corporation should also ensure that its strategic planning processes are consistently applied and integrated across the organization. (17 to 20)

The Corporation’s response. Agreed. The Corporation will document its strategic planning processes and provide better linkages to operational planning. The Corporation will continue to strengthen its business plans through increased guidance while also focusing on integration and interdependencies between the respective plans. The Corporation will continue to evolve its business planning process and include regular touch points throughout the year to ensure accountability for deliverables identified within the plans. The strategic process documentation and related improvements will be completed by 30 September 2019.

22. The Corporation should continue to work with the government to ensure that its 2019–20 to 2023–24 corporate plan is approved. (17 to 20)

The Corporation’s response. Agreed. The Corporation notes that government stakeholder consultations take place regularly and that the status of the corporate plan is frequently discussed. The Corporation will continue these discussions and work toward having the 2019–20 to 2023–24 corporate plan formally approved.

26. The Corporation’s process for identifying risks should ensure that risk information is collected at the business unit level. (23 to 25)

The Corporation’s response. Agreed. The Corporation will provide additional guidance on risk identification and assessment to business units as part of its business plan process. Additional focus on the business plans at the Risk and Opportunities Committee will also be established. These improvements will be completed by 30 September 2019.

Management of business development and contracting

Recommendation Response

35. The Corporation should establish and implement due diligence processes for human rights risks. These processes should properly assess and mitigate risks, both as the contract is prepared and for its duration. The Corporation should consult with external partners, such as Global Affairs Canada, as part of these due diligence processes, where relevant. (32 to 34)

The Corporation’s response. Agreed. The Corporation is revising its ongoing risk assessment and transactional due diligence to ensure that human rights, transparency, and responsible business conduct (RBC) are core guiding principles. The review will result in modifications to the Corporation’s policy suite to include improved policies and systematic procedures that will constitute an “Enhanced RBC Framework” intended for implementation by June 2019. The framework will assess and develop risk mitigation strategies with respect to human rights risks in the Corporation’s transactions. The Corporation recently established a Human Rights Committee to conduct due diligence reviews for human rights concerns. The Corporation will continue to consult with officials at Global Affairs Canada in its human rights assessments and ensure that human rights risks are reviewed at the outset and throughout a transaction. These improvements will be completed by 30 November 2019.

38. The Corporation should develop and implement monitoring systems and practices that will provide information on contract fees and profit to inform decisions around contract pricing and the Corporation’s fee structure. (32, 36 to 37)

The Corporation’s response. Agreed. The Corporation will review options on monitoring systems and practices that could strengthen information gathering on contract costs to better inform decision making around the Corporation’s fee structure. The selected options will be implemented by 31 December 2019.