2022 Reports 1 to 4 of the Auditor General of Canada to the Parliament of Canada

Report of the Auditor General of Canada to the Board of Directors of Farm Credit Canada—Special Examination—2021

Independent Auditor’s Report

Audit Summary

We found no significant deficiencies in the corporate management practices and management of operations of Farm Credit Canada during the period covered by the audit. However, we found some weaknesses—specifically, in the board’s self‑assessment of its performance, in board oversight, and in information technology. Nonetheless, the corporation generally maintained reasonable systems and practices for accomplishing its mandate.

Introduction

Background

1. Farm Credit Canada (the corporation) is a Crown corporation that operates under the Farm Credit Canada Act.

2. The corporation’s mandate is to “enhance rural Canada” by providing specialized and personalized business and financial services and products to farming operations. The corporation’s customers comprise family farms and small and medium‑sized businesses related to farming. Farmers make up 84% of the corporation’s customers, while 16% are suppliers and processors.

3. Additionally, the corporation received letters from the Minister of Agriculture and Agri‑Food asking it to deliver on priorities, such as

4. The corporation offers loans, provides software and learning programs, and shares knowledge (such as ideas, advice, and resources) to help customers and others involved in the agriculture and agri‑food industry make sound decisions.

5. Farm Credit Canada is a financially self‑sustaining federal Crown corporation. It operates out of 100 offices located primarily in rural communities and has more than 2,100 employees. The corporation’s head office is in Regina. The corporation has a loan portfolio of more than $41 billion, as of March 2021. The corporation’s employee base and its loan portfolio have grown significantly since our last special examination of the corporation in 2012 (Exhibit 1).

Exhibit 1—The corporation’s growth since 2012

| Year | Portfolio (in billions of dollars) | Total assets (in billions of dollars) | Total borrowings (in billions of dollars) | Approximate number of employees |
| --- | --- | --- | --- | --- |
| 2012 | 23.2 | 23.8 | 20.3 | 1,500 |
| 2013 | 25.1 | 25.9 | 22.0 | 1,600 |
| 2014 | 26.2 | 27.3 | 22.8 | 1,700 |
| 2015 | 27.3 | 28.7 | 23.4 | 1,700 |
| 2016 | 28.7 | 30.0 | 24.3 | 1,700 |
| 2017 | 31.2 | 33.0 | 26.9 | 1,800 |
| 2018 | 34.0 | 35.3 | 28.9 | 1,800 |
| 2019 | 36.2 | 37.6 | 30.7 | 1,900 |
| 2020 | 38.6 | 41.4 | 33.6 | 2,000 |
| 2021 | 41.5 | 43.9 | 35.3 | 2,100 |

Source: Farm Credit Canada’s annual reports

6. On 23 March 2020, the corporation received an additional $500 million capital contribution from the Government of Canada to allow for more lending and risk exposure to support the industry during the coronavirus disease (COVID‑19) pandemic. This allowed the corporation to offer its customers more flexibility—for example, through longer repayment requirements, reduced interest rates and fees, more interest‑only loans, and an increase to the maximum customer lending limit.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at Farm Credit Canada were providing the corporation with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively, as required by section 138 of the Financial Administration Act.

8. In addition, section 139 (2) of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices we examined. We define and report significant deficiencies when, in our opinion, the corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. On the basis of our risk assessment, we selected systems and practices in the following areas:

The selected systems and practices, and the criteria used to assess them, are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Corporate management practices

The corporation had good corporate management practices in some areas but needed improvement in others

11. We found that the corporation had good corporate management practices but some improvements were needed. Notably, the board did not perform an annual self‑assessment of its performance, and reporting to the board on certain oversight items was lacking or inaccurate.

12. The analysis supporting this finding discusses the following topics:

13. The corporation is governed by a Board of Directors composed of 12 members, including the chairperson.

14. The board is supported by the Risk Committee, the Audit Committee, the Corporate Governance Committee, and the Human Resources Committee.

15. The board oversees the corporation, which reports to Parliament through the Minister of Agriculture and Agri‑Food.

16. To achieve its mandate, the corporation sets out strategic objectives in its strategic plan. It also develops performance indicators to measure its progress toward these objectives. Along with the indicators, the corporation uses targets to specify the success levels or goals it must reach to achieve its strategic objectives. For the 2019–20 fiscal year, the corporation identified 6 strategic objectives:

17. The corporation is exposed to 4 major categories of risk: strategic, financial, operational, and reputational. Examples of these risks include risks related to business continuity, information technology (IT) security, and cybersecurity. One of the corporation’s key financial risks is lending risk, which includes credit risk, market risk, and liquidity risk. Overall risk tolerances are established and broken down into thresholds and limits, which are assigned to and monitored by the various business areas of the organization.

18. The corporation’s overall assessment of risk determines the amount of capital required to support the corporation’s strategic direction and continue the delivery of its services through all economic cycles, including economic downturns and periods of extended loss. Although not formally regulated, the corporation manages its level of capital according to the Capital Adequacy Requirements Guideline issued by the Office of the Superintendent of Financial Institutions Canada.

19. Our recommendations in this area of examination appear at paragraphs 23, 26, 29, and 32.

20. Analysis. We found a weakness in that the board and its committees did not perform annual self‑assessments of their performance. We also found that the scope and results of a disaster‑recovery exercise were not reported to the board and that the corporation did not follow an evidence‑based process in formulating reports on its compliance with relevant authorities (Exhibit 2).

Exhibit 2—Corporate governance—Key findings and assessment

Systems and practices: Board independence

Criteria used: The board functioned independently.

Key findings:

Board members declared conflicts of interest at board meetings and in annual statements. Board members recused themselves from discussions when there were potential conflicts of interest.

The board made decisions independently from management and held regular private meetings without management in attendance.

Board members were informed of and respected the codes and policies on values, ethics, behaviour, and conflicts of interest that applied to them.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Providing strategic direction

Criteria used: The board provided strategic direction.

Key findings:

The board provided strategic direction through review and approval of strategic and corporate plans prepared by management. To inform this strategic direction, the board drew on the corporation’s regular communication with stakeholders and the government.

The board’s Corporate Governance Committee provided recommendations to the board on corporate governance, including the corporation’s strategic planning process.

The board conducted an annual assessment of the President and Chief Executive Officer’s performance.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Board appointments and competencies

Criteria used: The board collectively had the capacity and competencies to fulfill its responsibilities.

Key findings:

The board determined the skills and expertise it needed to be effective and assessed whether its members had appropriate skills and knowledge to carry out their responsibilities.

The board communicated with the Minister of Agriculture and Agri‑Food about board appointments, renewals, and vacancies. This included proposing skills for vacant positions to improve the overall competency of the board.

Board members were provided orientation sessions and ongoing training.

Two of 12 board positions were vacant and 3 had expired terms as of 31 March 2021. After the period covered by the audit, 2 board members were reappointed and 3 new members were appointed.

Weakness

The board and its committees did not perform annual self‑assessments of their performance.

Assessment against the criteria: Met the criteria, with improvement needed (exclamation point in a yellow circle)

Systems and practices: Board oversight

Criteria used: The board carried out its oversight role over the corporation.

Key findings:

Board members received reports on the corporation’s ethical performance, including employee compliance with its code of conduct and conflicts of interest.

Internal audit conducted regular audits. The chief internal auditor met with the audit committee regularly, without management in attendance. This helped the board exercise its oversight and monitoring responsibilities.

Weaknesses

Although the board received information to exercise its oversight, it had not been informed of the objective, scope, or results of a disaster‑recovery exercise.

Reports provided to the board on the corporation’s compliance with relevant authorities (including laws and regulations) were not supported by documented testing that would ensure that an assessment of compliance with each of the authorities had been completed.

The corporation had not operationalized one such authority, the Impact Assessment Act, in its business areas.

Assessment against the criteria: Met the criteria, with improvement needed (exclamation point in a yellow circle)

Legend—Assessment against the criteria

Check mark in a green circle: Met the criteria

Exclamation point in a yellow circle: Met the criteria, with improvement needed

An X in a red circle: Did not meet the criteria

21. Weakness—Board appointments and competencies. We found that the board and its committees did not perform annual self‑assessments of their performance. The board last analyzed its performance in January 2019.

22. This weakness matters because performance self‑assessment, at both the committee and board levels, allows the board to identify areas for improvement and stay up to date on best practices for board conduct.

23. Recommendation. The board and its committees should regularly perform self‑assessments of their performance.

The corporation’s response. Agreed. The board’s intention was to conduct a board and committee evaluation when the new board chairperson had been in her role for 1 year (the appointment occurred in April 2020) and once all 3 outstanding director positions had been filled (this occurred in May 2021). Management will support a board and committee self‑assessment by 30 June 2022. Management will recommend that the Corporate Governance Committee Charter be enhanced to require a specific cadence for this assessment on an ongoing basis.

24. Weaknesses—Board oversight. In keeping with its business continuity management policy and plan, the corporation regularly undertook a disaster‑recovery exercise that involved key IT systems and infrastructure. We found that the scope and results of the most recent exercise were reported to the Chief Information Officer but not to the board. This was despite the fact that the corporation had identified information security (including the compromising of critical information) as a key risk area for the 2020–21 fiscal year. As an organization that relies on several IT systems to process and approve loans, provide customers with loan disbursements when needed, and store sensitive customer data, the corporation needs to be able to recover information and quickly resume operations if a disaster occurs.

25. This weakness matters because without this information, the board cannot exercise its oversight over a key risk mitigation measure, that the corporation be able to restart and recover its information in the event of a disaster.

26. Recommendation. The board should request that management communicate the objective, scope, and results of its risk mitigation measures related to business continuity management on a timely basis.

The corporation’s response. Agreed. The board identified the need for an independent advisor to assist with oversight of technology and information risk in February 2021. Following a competitive process, an advisor was selected and the advisor’s contract was finalized in June 2021.

In October 2021, management provided, to the Risk Committee of the Board of Directors and the board’s advisor, its summary report on information and technology risk, including processes for incident response and disaster recovery related to business continuity scenarios for unavailable systems. By 31 December 2021, management will share outcomes of past disaster‑recovery exercises with the committee.

The objectives and scope of the overall business continuity program and ongoing results of its business continuity management risk mitigation will be shared with the board by 15 December 2022.

27. We also found that the corporation lacked a rigorous process for formulating reports that were meant to provide assurance to the board that the corporation complied with relevant federal, provincial, and territorial laws and regulations. The board requires this assurance to fully exercise its oversight in this area. The corporation had a process for compiling an inventory of the laws and regulations that it needed to comply with. Those laws and regulations were operationalized in the corporation’s various business areas through policies and procedures. The corporation had also established an attestation process to confirm compliance with the applicable laws and regulations. Management requested confirmation from senior officers responsible for the corporation’s various business lines that they were not aware of any non‑compliance with such authorities. However, this confirmation was based on the senior officers’ self‑assessments, rather than on testing or documented evidence.

28. This weakness matters because to fully exercise its oversight role, the board requires reporting that is supported by rigorous testing and documented evidence for assessing compliance with authorities. Such a process would validate compliance and improve the rigour of the attestation process.

29. Recommendation. The corporation’s assessment process for ensuring compliance with authorities should be supported by rigorous testing and documented evidence.

The corporation’s response. Agreed. A corporate initiative to strengthen regulatory compliance management was initiated in January 2020 and reporting to the Audit Committee will commence in 2022. The program will enhance the corporation’s practices for ensuring compliance with federal laws, regulations, and Treasury Board instruments. It will also support the regulatory compliance assessment provided to the Audit Committee with formal control testing results and documented evidence. The program will be implemented by 31 March 2023.

30. Furthermore, we found that in its inventory of applicable laws and regulations, the corporation noted that the Canadian Environmental Assessment Act had been repealed and replaced by the Impact Assessment Act on 28 August 2019. However, the corporation had not yet operationalized the Impact Assessment Act in its business areas, as the corporation had not yet completed a full analysis of the effect of the new act on its policies and procedures. Before issuing loans, the corporation would perform environmental assessments in keeping with its Environmental Risk Management Policy and its procedures and assessment documents, which had not been updated to reflect the requirements of the new act.

31. This weakness matters because if the corporation does not update its environmental policies and procedures to incorporate the requirements of the Impact Assessment Act, it cannot fully assess its compliance with this act. In its compliance reports to the board, the corporation did not indicate that the assessments had not been performed against the most recent legislation.

32. Recommendation. The corporation should analyze the Impact Assessment Act and update its policies and procedures accordingly.

The corporation’s response. Agreed. The corporation has analyzed the regulatory requirements of the Impact Assessment Act. Management’s policy and legal attestation process have been updated to reflect the act. Aspects of the act have been embedded within the corporation’s established Environmental Risk Management Policy. Policy, procedures, and support material have been updated and implemented, including training, for Canadian domiciled projects, effective 27 September 2021. Application of compliance requirements for international projects, including training, will be implemented by 30 April 2022.

33. Analysis. We found that the corporation had good practices for strategic planning (Exhibit 3).

Exhibit 3—Strategic planning—Key findings and assessment

Systems and practices: Strategic planning processes

Criteria used: The corporation established a strategic plan and strategic objectives that aligned with its mandate.

Key findings:

The corporation had systematic strategic planning processes in place, which included analyzing the corporation’s strengths, weaknesses, and opportunities, as well as key risks and threats.

The corporation established measurable strategic objectives that aligned with its legislative mandate and government priorities.

The corporate plan was well communicated throughout the organization.

The corporation communicated strategic information to employees through the performance objectives set for management and through internal business performance targets. Strategic information was also communicated through the corporation’s intranet.

The corporation was aware of the United Nations’ Sustainable Development Goals and had incorporated elements of the goals into its corporate plan and corporate social responsibility reporting.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Performance measurement

Criteria used: The corporation established performance indicators in support of achieving strategic objectives.

Key findings:

The corporation established key financial and operational performance indicators and targets to assess ongoing progress in achieving strategic objectives.

Among these indicators and targets, the corporation opted to include initiatives related to the environment and sustainable development and to 2 of the Sustainable Development Goals.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Performance monitoring and reporting

Criteria used: The corporation monitored and reported on progress in achieving its strategic objectives.

Key findings:

The corporation monitored performance against targets each quarter and reported this information to senior management and the board, which periodically discussed progress against strategic initiatives.

The corporation’s 2020 annual report included results on its performance against indicators and targets for its strategic objectives. The corporation held a virtual annual public meeting to communicate the results.

The annual report included measures for environment and sustainable development performance and progress in support of the Sustainable Development Goals. The corporation also published a corporate social responsibility report, which included more information about these initiatives and annual performance against related targets.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Legend—Assessment against the criteria

Check mark in a green circle: Met the criteria

Exclamation point in a yellow circle: Met the criteria, with improvement needed

An X in a red circle: Did not meet the criteria

34. Analysis. We found that the corporation had good practices for corporate risk management (Exhibit 4).

Exhibit 4—Corporate risk management—Key findings and assessment

Systems and practices: Risk identification and assessment

Criteria used: The corporation identified and assessed risks to achieving strategic objectives.

Key findings:

The corporation identified and assessed its risks according to its enterprise risk management framework and policy, which defined risk principles, roles and responsibilities, risk appetites, and risk management activities.

The corporation’s credit risk management policies and procedures aligned with the enterprise‑wide risk appetite framework and the board‑approved credit risk tolerances and limits.

The corporation assessed emerging risks and changes in risk levels on a timely basis. The corporation also updated its risk register to add the COVID‑19 pandemic as a new and significant risk.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Risk mitigation

Criteria used: The corporation defined and implemented risk mitigation measures.

Key findings:

The corporation defined, developed, and implemented mitigation measures and strategies for identified risks, including credit risk. Risk mitigation strategies for key risks were approved by management and the board.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Risk monitoring and reporting

Criteria used: The corporation monitored and reported on the implementation of risk mitigation measures.

Key findings:

Management presented the board with quarterly reports that detailed risk trends and the status of action plans to mitigate identified risks. These reports included information on the status of credit risk, compared with risk tolerances established by the corporation.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Legend—Assessment against the criteria

Check mark in a green circle: Met the criteria

Exclamation point in a yellow circle: Met the criteria, with improvement needed

An X in a red circle: Did not meet the criteria

Management of operations

The corporation had good practices for managing its operations, but some improvements were needed in cybersecurity and IT security

35. We found that the corporation had good operational practices, including operational planning, performance monitoring and reporting, and managing operations. However, improvements were needed in cybersecurity and information technology (IT) security.

36. The analysis supporting this finding discusses the following topics:

37. The corporation’s main business is to provide financing to the agriculture and agri‑food industry. It provides loans to primary producers (those that produce raw commodities such as grain, oilseeds, cattle, dairy, hogs, fish and other aquaculture products, fruit, and vegetables) and to the agribusiness and agri‑food sectors (suppliers or processors, such as equipment manufacturers, dealers, or wholesalers, that serve primary producers). The corporation has several loan products available to respond to the needs of the industry. Loan products are also targeted to specific groups, such as younger farmers, women in agriculture, and Indigenous farmers or organizations.

38. The corporation is highly dependent on IT. IT security, including cybersecurity, is a key service area within the corporation, as it provides online services to customers (for example, online credit risk adjudication of loans) and manages a large amount of financial data. The corporation also offers agriculture and accounting software solutions to its customers. As the corporation changes its technology to improve services, increase automation, and provide remote access, IT and cybersecurity risks also increase.

39. The corporation has offices across Canada, to be close to the customers it serves. Moreover, as a result of the COVID‑19 pandemic, the corporation’s workforce had to shift to working remotely, and in the 2020–21 fiscal year the corporation experienced a surge in phishing attempts, underscoring the importance of its cybersecurity program and controls.

40. Our examination covered lending operations, as well as IT security and cybersecurity. The corporation also has a marketing division that develops new lending products and develops and delivers knowledge and software offerings to its customers. For the operational planning criteria below, we have examined marketing programs in addition to lending.

41. Our recommendations in this area of examination appear at paragraphs 47 and 50.

42. Analysis. We found that the corporation had good practices in operational planning, operational plan implementation, and performance monitoring and reporting (Exhibit 5).

Exhibit 5—Operations—Key findings and assessment

Systems and practices: Operational planning

Criteria used: The corporation defined operational plans that aligned with strategic plans and the mandate.

Key findings:

Operational plans aligned with the corporation’s strategic plans and mandate. The operational plans considered the business risks and the needs of the corporation’s customers, and identified those responsible for monitoring.

The corporation’s operational planning process included the development of senior management’s performance objectives, which aligned with the corporation’s operational and strategic plans.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Operational plan implementation

Criteria used: The corporation implemented the operational plan to deliver results in accordance with the expected output of the business line.

Key findings:

The corporation applied its origination, adjudication, credit assessment and pricing, loan adjustment, loan modification, and loan monitoring policies and procedures.

These policies and procedures were available to lending staff, updated regularly, and approved by management and the board, when updated and as applicable.

The corporation had a confidential phone line, available to the public and to employees, for reporting fraudulent activities. The corporation also had a whistleblower protection policy. Investigations related to complaints were carried out.

The corporation identified the knowledge and skills that lending staff needed, and delivered training accordingly.

Management had processes to identify and report on the deterioration of borrowers’ credits and on impaired loans, as well as policies and guidelines for management of those files. Appropriate actions were taken for such files in accordance with the policies and guidelines.

Management had processes to identify, measure, and respond to extraordinary events and significant external shocks that could affect credit risk.

Management had processes to track policy exceptions when they occurred and to ensure that the exceptions were managed within the corporation’s policy framework.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Systems and practices: Performance monitoring and reporting

Criteria used: The corporation monitored and reported on its operational results.

Key findings:

Management periodically reported throughout the year on key operational results against targets, including explanations of variances and deterioration of credit.

Management periodically monitored and evaluated progress toward and achievement of annual objectives and performance targets of staff at all levels.

Management surveyed customers to understand whether the corporation’s services were meeting the customers’ needs.

Assessment against the criteria: Met the criteria (check mark in a green circle)

Legend—Assessment against the criteria

Check mark in a green circle: Met the criteria

Exclamation point in a yellow circle: Met the criteria, with improvement needed

An X in a red circle: Did not meet the criteria

43. Analysis. We found that the corporation did not have a comprehensive cybersecurity awareness and training program and that it had not thoroughly assessed its exposure to the IT security and privacy risks posed by its third‑party contracts (Exhibit 6).

Exhibit 6—IT security—Key findings and assessment

Systems and practices: Cybersecurity

Criteria used: The corporation protected against cybersecurity breaches through a cybersecurity program.

Key findings:

The corporation established a framework for managing cybersecurity risk. This framework mapped operational risks to the enterprise risk. It was reviewed and updated in August 2020.

The corporation defined roles and responsibilities related to cybersecurity. Terms of reference for management’s cybersecurity committees were periodically reviewed.

The corporation established targets and assessed its cybersecurity maturity to determine whether the cybersecurity program was functioning well and meeting objectives. These assessments are conducted every 2 years. The most recent assessment was in 2019.

The corporation established a Cyber Incident Response Plan that described the overall strategy and roles and responsibilities for responding to cybersecurity incidents. Incidents were tracked and recorded in accordance with guidance that supported that plan. Cybersecurity tabletop exercises were conducted.

Weakness

The corporation did not have a comprehensive cybersecurity awareness and training program.

Assessment against the criteria: Met the criteria, with improvement needed (exclamation point in a yellow circle)

Systems and practices: IT security

Criteria used: The corporation protected its information assets through an information security management program.

Key findings:

The corporation’s Enterprise Security Policy served as the overarching policy on protecting the corporation’s employees and assets. The corporation had several other key frameworks, policies, and standards that covered information security management.

The corporation had a backup site available in case of a disaster or a serious event. The corporation developed detailed playbooks to respond to a variety of scenarios and events.

The corporation had a business continuity management policy and plan. The policy was reviewed every 3 years, most recently in October 2018.

Weakness

The corporation had not conducted assessments of older contracts that were still in force to determine whether they contained provisions for notification and reporting of third‑party security and privacy breaches and, if not, the corporation’s risk exposure.

Assessment against the criteria: Met the criteria, with improvement needed (exclamation point in a yellow circle)

Legend—Assessment against the criteria

Check mark in a green circle: Met the criteria

Exclamation point in a yellow circle: Met the criteria, with improvement needed

An X in a red circle: Did not meet the criteria

44. Weakness—Cybersecurity. We found that the corporation did not have a comprehensive cybersecurity awareness and training program. Nor did it have a formal curriculum for cybersecurity training. There were mandatory cybersecurity training courses for new employees, but the training content was limited to acceptable use of the corporation’s devices and software and protecting IT assets. A cybersecurity curriculum that includes training for all employees—covering examples of phishing attacks and other types of social engineering and malware, as well as what various cyber‑threats could look like—would better inform employees of cyber‑risks.

45. The corporation had performed some cybersecurity exercises and issued communications related to cybersecurity awareness. However, no overall plan specified the nature and frequency of these activities. A comprehensive and up‑to‑date cybersecurity awareness program would include training and communication, as well as monitoring and assessment. It would also include the timing and frequency of these activities and would reflect current threats and response plans for such threats.

46. This weakness matters because the corporation had identified cybersecurity breaches as a key risk area. Awareness programs and training can help employees recognize and react to cyber‑threats and events, reducing the chance that attempts to access the corporation’s systems and information would be successful.

47. Recommendation. The corporation should establish a comprehensive cybersecurity awareness and training program for all employees.

The corporation’s response. Agreed. Following the end of the examination period, management has reviewed the existing cybersecurity awareness and training program. Prioritized implementation of comprehensive enhancements is in progress, with full completion by 30 September 2022.

48. Weakness—IT security. The corporation conducted IT security and privacy risk assessments of third parties when onboarding vendors. It also updated the assessments for key vendors through monitoring of controls assurance reports that covered security and privacy risks. It had also recently begun systematically adding provisions covering notification and reporting of third‑party security and privacy breaches for new contracts and those being renewed. We found that the corporation had started to assess some older contracts that were still in force, to determine whether they contained provisions covering notification and reporting of third‑party security and privacy breaches, but this process did not include all contracts.

49. This weakness matters because the corporation could be exposed to IT security and privacy risks for third‑party contracts that did not at their inception require the reporting and communication of IT security and privacy breaches. If the corporation is not able to respond quickly to a security or privacy breach, systems could become unavailable, data could be corrupted, and sensitive information could be lost or stolen. There is also a potential for fraud to occur. Awareness of any such breaches resulting from existing third‑party contracts would allow the corporation to respond accordingly.

50. Recommendation. The corporation should assess all contracts still in force with third parties to determine its exposure to IT security and privacy risks through contracts that might not contain clauses related to reporting and communication of IT security and privacy breaches, and implement mitigation measures as required.

The corporation’s response. Agreed. A corporate initiative to strengthen third‑party risk management was initiated in 2020. The program will enhance the corporation’s practices for ensuring that IT security and privacy risks are understood and mitigated as appropriate with all third parties. As part of this work, management will assess all third‑party contracts for the existence of IT security and privacy clauses by 31 March 2022. In accordance with the risk stratification of the arrangement, for those lacking a clause, the corporation will establish mitigation tactics as required, by 31 December 2022.

Conclusion

51. In our opinion, on the basis of the criteria established, there was reasonable assurance that there were no significant deficiencies in the corporation’s systems and practices we examined. We concluded that Farm Credit Canada maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

About the Audit

This independent assurance report was prepared by the Office of the Auditor General of Canada on Farm Credit Canada. Our responsibility was to express

Under section 131 of the Financial Administration Act, the corporation is required to maintain financial and management control and information systems and management practices that provide reasonable assurance of the following:

In addition, section 138 of the act requires the corporation to have a special examination of these systems and practices carried out at least once every 10 years.

All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard on Assurance Engagements (CSAE) 3001—Direct Engagements, set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.

The Office of the Auditor General of Canada applies the Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

In conducting the audit work, we complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.

In accordance with our regular audit process, we obtained the following from the corporation:

Audit objective

The objective of this audit was to determine whether the systems and practices we selected for examination at Farm Credit Canada were providing the corporation with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively, as required by section 138 of the Financial Administration Act.

Scope and approach

Our audit work examined Farm Credit Canada. The scope of the special examination was based on our assessment of the risks the corporation faced that could affect its ability to meet the requirements set out by the Financial Administration Act.

The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.

As part of our examination, we interviewed members of the Board of Directors, senior management, and employees of the corporation to gain insight into its systems and practices. We reviewed documents related to the systems and practices selected for examination. We tested the systems and practices to obtain the required level of audit assurance. Our testing sometimes included detailed sampling. For example, we selected samples on the basis of auditors’ judgment in corporate governance, strategic planning, corporate risk management, operations, and IT security.

In carrying out the special examination, we did not rely on any internal audits.

Sources of criteria

The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.

Corporate governance

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board of Canada Secretariat, 2005

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Directors of Crown corporations: an introductory guide to their roles and responsibilities, Treasury Board of Canada Secretariat, 2019

Performance Management Program for Chief Executive Officers of Crown Corporations—Guidelines, Privy Council Office, 2018

Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014

20 Questions Directors Should Ask about IT, second edition, Chartered Professional Accountants of Canada, 2012

Strategic planning

Guidance for Crown Corporations on Preparing Corporate Plans and Budgets, Treasury Board of Canada Secretariat, 2019

Recommended Practice Guideline 3, Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015

Corporate risk management

Enterprise Risk Management—Integrating with Strategy and Performance: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2017

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Operations

Control Objectives for Information and related Technology (COBIT) 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), Information Systems Audit and Control Association (ISACA)

ISO 14001:2015—Environmental Management Systems, International Organization for Standardization

Improving Environmental Performance and Compliance: 10 Elements of Effective Environmental Management Systems, Commission for Environmental Cooperation, 2000

Transforming Our World: The 2030 Agenda for Sustainable Development, United Nations, 2015

Corporate Governance Guideline, Office of the Superintendent of Financial Institutions Canada, 2018

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Operational Risk Management Guideline, Office of the Superintendent of Financial Institutions Canada, 2016

Enterprise Risk Management—Integrating with Strategy and Performance: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2017

COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA

IT security

COBIT 2019 Framework, ISACA

ISO/IEC 27002:2013 (Information Technology—Security Techniques—Code of Practice for Information Security Controls), International Organization for Standardization

ISO/IEC 27032:2012 (Information Technology—Security Techniques—Guidelines for Cybersecurity), International Organization for Standardization

Information Technology Security Guideline (ITSG-33)—IT Security Risk Management: A Lifecycle Approach, Canadian Centre for Cyber Security

Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National Institute of Standards and Technology, 2018

ISO 27001:2013 (Information Technology—Security Techniques—Information Security Management Systems—Requirements), International Organization for Standardization

ISO 22301:2019 (Security and Resilience—Business Continuity Management Systems—Requirements), International Organization for Standardization

ISO/IEC 27031:2011 (Information Technology—Security Techniques—Guidelines for Information and Communication Technology Readiness for Business Continuity), International Organization for Standardization

Period covered by the audit

The special examination covered the period from 1 July 2020 to 31 March 2021. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the start date of this period.

Date of the report

We obtained sufficient and appropriate audit evidence on which to base our conclusion on 25 November 2021, in Ottawa, Canada.

Audit team

Principal: Marise Bédard
Directors: Erin Corbin, Marc Gauthier, and Sze Man (Vivien) Ho

Yifan Zhu
Jodi Grant
Yucong Lu

List of Recommendations

The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.

Corporate management practices

23. The board and its committees should regularly perform self‑assessments of their performance. (21 to 22)

The corporation’s response. Agreed. The board’s intention was to conduct a board and committee evaluation when the new board chairperson had been in her role for 1 year (the appointment occurred in April 2020) and once all 3 outstanding director positions had been filled (this occurred in May 2021). Management will support a board and committee self‑assessment by 30 June 2022. Management will recommend that the Corporate Governance Committee Charter be enhanced to require a specific cadence for this assessment on an ongoing basis.

26. The board should request that management communicate the objective, scope, and results of its risk mitigation measures related to business continuity management on a timely basis. (24 to 25)

The corporation’s response. Agreed. The board identified the need for an independent advisor to assist with oversight of technology and information risk in February 2021. Following a competitive process, an advisor was selected and the advisor’s contract was finalized in June 2021.

In October 2021, management provided, to the Risk Committee of the Board of Directors and the board’s advisor, its summary report on information and technology risk, including processes for incident response and disaster recovery related to business continuity scenarios for unavailable systems. By 31 December 2021, management will share outcomes of past disaster‑recovery exercises with the committee.

The objectives and scope of the overall business continuity program and ongoing results of its business continuity management risk mitigation will be shared with the board by 15 December 2022.

29. The corporation’s assessment process for ensuring compliance with authorities should be supported by rigorous testing and documented evidence. (27 to 28)

The corporation’s response. Agreed. A corporate initiative to strengthen regulatory compliance management was initiated in January 2020 and reporting to the Audit Committee will commence in 2022. The program will enhance the corporation’s practices for ensuring compliance with federal laws, regulations, and Treasury Board instruments. It will also support the regulatory compliance assessment provided to the Audit Committee with formal control testing results and documented evidence. The program will be implemented by 31 March 2023.

32. The corporation should analyze the Impact Assessment Act and update its policies and procedures accordingly. (30 to 31)

The corporation’s response. Agreed. The corporation has analyzed the regulatory requirements of the Impact Assessment Act. Management’s policy and legal attestation process have been updated to reflect the act. Aspects of the act have been embedded within the corporation’s established Environmental Risk Management Policy. Policy, procedures, and support material have been updated and implemented, including training, for Canadian domiciled projects, effective 27 September 2021. Application of compliance requirements for international projects, including training, will be implemented by 30 April 2022.

Management of operations

47. The corporation should establish a comprehensive cybersecurity awareness and training program for all employees. (44 to 46)

The corporation’s response. Agreed. Following the end of the examination period, management has reviewed the existing cybersecurity awareness and training program. Prioritized implementation of comprehensive enhancements is in progress, with full completion by 30 September 2022.

50. The corporation should assess all contracts still in force with third parties to determine its exposure to IT security and privacy risks through contracts that might not contain clauses related to reporting and communication of IT security and privacy breaches, and implement mitigation measures as required. (48 to 49)

The corporation’s response. Agreed. A corporate initiative to strengthen third‑party risk management was initiated in 2020. The program will enhance the corporation’s practices for ensuring that IT security and privacy risks are understood and mitigated as appropriate with all third parties. As part of this work, management will assess all third‑party contracts for the existence of IT security and privacy clauses by 31 March 2022. In accordance with the risk stratification of the arrangement, for those lacking a clause, the corporation will establish mitigation tactics as required, by 31 December 2022.