Archived - Audit of Access to Information - Systems and Processes

Prepared by
Internal Audit and Evaluation
Department of Finance Canada

Approved by the Deputy Minister of Finance Canada on the recommendation of the
Audit and Evaluation Committee on May 26, 2015

Table of Contents

Executive Summary

Background

Objective and Scope

Statement of Conformance and Audit Approach

Conclusion

Findings by Audit Criteria

Recommendations and Management Action Plan

Appendix A – List of Employees Interviewed

Appendix B – Key Information Reviewed

Appendix C – Good Branch Practices for ATI Retrievals

Appendix D – Members of the Audit Team

Executive Summary

The Access to Information (ATI) Act gives Canadian citizens, permanent residents, or any person or corporation in Canada a right to access information that is contained in government records. ATI requests are expected to be processed within 30 calendar days, although time extensions are allowed should the Department need to consult outside stakeholders. Extensions are also allowed if the volume of records involved would interfere unreasonably with the Department’s operations.

Departments are expected to have systems and processes in place to manage ATI requests so that information is released in line with the established timeframes, while ensuring that the proper exemptions and exclusions under the ATI Act are applied.

The audit objective was to provide reasonable assurance on the effectiveness of departmental processes and reliability of the information systems and related activities used to process access to information requests.

The audit concluded that the Department has effective and reliable information systems and activities for processing access to information requests. While the audit noted recent improvements in the review process, further opportunities exist to reduce the time required to retrieve requested information, and to streamline the process to review release packages.

Background

The Audit of Access to Information - Systems and Processes is part of the Department’s 2014-17 Internal Audit Plan, which was approved by the Deputy Minister at the departmental Audit and Evaluation Committee meeting on May 26, 2014.

The Access to Information (ATI) Act came into force on July 1, 1983. It gives Canadian citizens, permanent residents, or any person or corporation in Canada a right to access information that is contained in government records. ATI requests are expected to be processed within 30 calendar days; however, time extensions are allowed should the Department need to consult outside stakeholders. Extensions are also allowed if the volume of records involved would interfere unreasonably with the Department’s operations.

In government institutions, deputy heads are responsible for the effective management of the ATI Act and may decide to delegate these responsibilities to one or more officials of the institution. In the Department, the following officials have been delegated the authority to release information requested under the ATI Act:

  • The Associate Deputy Ministers;
  • Assistant Deputy Ministers for three branches (Communications and Consultations (C&C), Corporate Services (CSB) and Law);
  • The General Counsel and Executive Director (Law Branch); and
  • Director, Access to Information and Privacy (ATIP) Division.

The ATIP Division within Law Branch administers the ATI Act for the Department. The Division is a key player in the timely processing of requests under the legislation, conducting interdepartmental consultations, handling complaints lodged with the Information Commissioner, and responding to informal inquiries. The Division staff also provides advice and guidance to departmental officials on matters related to the Act. All departmental employees are required under the Act to make every reasonable effort to assist requesters, regardless of their identity, and to respond accurately and completely and provide timely access in the format requested.

The current process starts when the ATIP Division receives the request and clarifies the details with the requestor if needed. ATIP Division notifies the appropriate departmental branches, which retrieve the relevant records and identify sensitive information. ATIP Division reviews the records and the branch recommendations for exemption or exclusion, and consultations are undertaken with outside parties if necessary. Once this is completed, a proposed release package is sent for review, first by C&C Branch and then by Law Branch. Certain complex release packages may be subject to additional approval steps. The reviews help ensure that information is disclosed in accordance with the legislation.

During the 30-month period ending December 31, 2014, the Department processed 1302 ATI requests. Additional ATI information is available in the Department’s Annual Report to Parliament on the administration of the ATI Act for 2013-14 and 2012-13.

Audit Objective and Scope

Objective

The audit objective was to provide reasonable assurance on the effectiveness and reliability of the information systems and related activities used to process ATI requests.

Scope

The audit scope originally included completed ATI requests as well as ATI systems and processes in the Department between July 1, 2012 and June 30, 2014.

The audit found improvements in processing performance towards the end of the original scope; additional data analysis was performed on completed ATI requests between July 1, 2014 and December 31, 2014 to observe whether these trends continued.

The scope did not include:

  • Roles and activities of external stakeholders, such as the Office of the Information Commissioner and the Privy Council Office, on access to information requests.
  • Requests received under the Privacy Act, since the Department receives very few privacy requests.

Statement of Conformance and Audit Approach

Statement of Conformance

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

Audit Approach

The audit was planned and performed so as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and the overall audit opinion presented in this report. The findings are based on a comparison of the conditions, as they existed at the time of the audit, with the audit criteria identified in this report, which were accepted by management. The opinion applies only to the entity examined.

Audit procedures included, but were not limited to, interviews, review of supporting documentation, walkthroughs, detailed examination of a judgmentally selected sample of 30 complex ATI files and a random sample of 188 pages from ATI release packages. The audit team performed data analytics on ATI processing activity and operational data from the Department’s AccessPro system using Audit Command Language (ACL) software.

About thirty individuals (listed in Appendix A) were interviewed for this audit. These individuals were consulted on one or more criteria, and with different levels of depth, depending on their role in the ATI process. The audit team also conducted a review and analysis of applicable authorities and policies, as well as financial and non-financial documents from various relevant sources. A list of key information reviewed is provided in Appendix B. For the purpose of comparing and identifying best practices, the audit team collected information from several other government departments.

The audit approach allowed for the audit findings to be communicated so as to enable management to review and provide feedback on the findings and conclusions before they were finalized.

Conclusion

The audit concluded that the Department has effective and reliable information systems and activities for processing access to information requests.

While the audit noted recent improvements in the review process, further opportunities exist to reduce the time required to retrieve requested information, and to streamline the process to review release packages.

Findings by Audit Criteria

This section summarizes the audit observations based on the factual evidence gathered and analyzed during the audit. Based on these assessments, issues and themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendations and Management Action Plan” section.

Taking into consideration audit findings and mitigating controls in place in relation to the audit criteria, the audit team has categorized the residual risk exposure for each audit criterion as high, medium or low.

These risk ranking levels correspond to residual risk exposure, which auditors believe may influence organizational objectives. The risk levels also take into consideration the levels of resources required to successfully implement corrective actions. The following describes the standards used to establish the residual risk exposure:

  • High: Serious impact that requires immediate attention and action (extensive management efforts are required; problems are costly and difficult to repair, if repairable).
  • Medium: Significant impact that requires ongoing monitoring to ensure risk is contained to an acceptable level (considerable management efforts are required; problems are manageable with management action and investment).
  • Low: Little impact (limited effort from management is required and low level of investment is needed to address the problems).

1. Process Effectiveness

Criterion: The Department has an effective process in place in the branches to manage access to information requests in compliance with applicable policies and delegated authorities.
Residual Risk Exposure: Low
Assessment: The Department has an effective process in place to manage information requests in compliance with requirements. However, opportunities for further improvement exist at the branch retrieval stage and the release stage of the process.

The Department’s ATI process is expected to allow information to be released to requestors in line with the established timeframes, while ensuring that the proper exemptions and exclusions are applied.

To determine the effectiveness of this process, the audit team examined data for all requests closed between July 2012 and December 2014. The audit team also tested a sample of 30 complex ATI request files closed between July 2012 and June 2014. This data analysis, supported by interviews, allowed the auditors to determine which parts of the process contributed to ensuring packages were released in a timely manner and identify areas for improvement.

Branch retrieval of information and identification of sensitive information for exemption or exclusion

According to the current process in place, upon receipt of a request from ATIP Division, departmental branches are expected to complete their retrieval of information and identify sensitive information for protection within two weeks. The audit team’s analysis of closed requests found that several branches were facing challenges in meeting this two-week standard. When internal timeframes are not met, there is an increased risk that the Department may not comply with legislated timeframes. A benchmarking exercise across select government departments found that other organizations provide their branches less than two weeks for this activity. The audit recommends all branches adopt retrieval practices that are timely.

One division in a branch was found to have considerably improved its performance and was able to complete its retrieval activity, on average, in half the expected time. Examples of best practices that were noted included:
  • The classification of information as it is being created; and
  • The use of a repository of previously released information packages.
These practices allowed the branch to respond more quickly to requests as most of the information was easy to locate and sensitive information was already identified. A complete list of best practices for branch retrieval is provided in Appendix C.

Review and sign-offs of information packages prior to release

Following receipt of the information from the branches, consultation with outside parties (if applicable) and ATIP Division’s own review, most release packages are submitted to C&C Branch for review and then to Law Branch for additional review.

The audit found that all approvals at all stages in the process were performed by those with delegated authority. The audit team also noted significant improvements to the review process had occurred during the period audited, for example:
  • Review activity under C&C Branch became, on average, 3.3 days faster; 
  • The reviews undertaken by C&C Branch became more robust in 2014 by helping ensure that information is disclosed in a consistent manner; and
  • The number of release packages subject to further review after C&C Branch and Law Branch dropped by 80%, resulting in these packages being released an average of 4.5 days faster.
However, there is an opportunity to further streamline the review process. The audit found that having the Law Branch review take place after the C&C Branch review is finished currently adds 5.3 days to the overall ATI process. The Law Branch review is independent of the C&C Branch review. Interviews indicate that only one issue had been detected in the 897 release packages reviewed by Law Branch during the 30-month audit period. However, C&C Branch questioned 10 possible issues since their review process became more robust in 2014. As such, the audit recommends that the departmental ATI process be revised so that the reviews undertaken by the Law Branch be removed unless legal issues are involved.

2. System Reliability

Criterion: The Department uses a reliable software system for the purpose of processing access to information requests.
Residual Risk Exposure: Low
Assessment: The Department’s Access to Information software system is reliable.

The Department uses AccessPro software to track the redaction of excluded and exempted information, manage the time taken by the various stakeholders involved in processing requests, and report on departmental and stakeholder performance in processing timeliness.

The audit team analyzed AccessPro data for all closed requests between July 2012 and December 2014 and validated a sample of 30 complex request files against this data. The audit team also tested a sample of 188 randomly selected pages from partially released requests to determine if the software redaction functionality operated as intended.

The audit team found that the data emanating from AccessPro was reliable. All key AccessPro data used for reporting purposes from the sample of 30 files was corroborated with information found in the hard copy files. The audit team also found that the software redaction functionality is reliable. Individuals responsible for using AccessPro indicated that they had no issues with the redaction function since the software was updated in October 2013. The audit team’s testing found that all 188 pages examined in the software matched the hard copy files.

Recommendations and Management Action Plan

The following section summarizes the audit findings based on their causes, highlights their impact and presents the audit recommendations with the corresponding timeframes. The implementation timeframes are assigned as follows:

  • Short term: implementation of the audit recommendation is expected within 6 months from the approval of the audit report;
  • Medium term: implementation of the audit recommendation is expected within 6 to 12 months from the approval of the audit report; and
  • Long term: implementation of the audit recommendation is expected to take more than 12 months from the approval of the audit report.

When applicable, relevant management initiatives already underway are included. For each recommendation, management has provided the following:

  • An action plan that addresses the recommendation;
  • The position responsible for implementing the action plan; and
  • The target date for completion.

Adopt Good Retrieval Practices and Streamline Reviews

Observations and Impact

The ATI Act requires that requested information be provided within 30 days, plus allowable extensions, while ensuring that the appropriate exemptions and exclusions are applied.

The audit examined the ATI process and noted that several branches were facing challenges in meeting the two-week standard timeframe for branch retrieval.

Furthermore, the audit noted that the Law Branch's review of release packages was adding time to the overall process and was not deemed necessary.

When the timeframes set by the Department are not met, or additional review time is needed, there is a risk that the Department may not comply with legislated timeframes. Adopting good information retrieval practices and streamlining the review process may allow more time to apply the proper exclusions and exemptions and help reduce the time required to release the information to the requestor.

Recommendations

The audit recommends to the Deputy Minister that: 

1) All Branches adopt best practices related to information management, such as those listed in Appendix C, which will enable them to identify and retrieve information for ATI requests in the expected timeframes.

Timeframe for implementation: Medium term

2) The review done by the Law Branch after the C&C Branch review no longer takes place unless legal issues are involved.

Timeframe for implementation: Short term

Management Response

Agreed.

1) Assistant Deputy Ministers will ensure that their respective branches adopt appropriate best practices related to information management that will help with the identification and retrieval of information for ATI requests in the expected timeframes. These practices will be implemented by September 2015.

2) Measures will be taken by the Assistant Deputy Minister of Law Branch to eliminate the review done by the Law Branch after the C&C Branch review unless legal issues are involved. This will be implemented by June 2015.

Appendix A – List of Employees Interviewed

Department of Finance Canada

Consultations and Communications Branch

  • Communications Strategist, Communications Strategy and Parliamentary Affairs
  • Director, Communications Strategy and Parliamentary Affairs 

Corporate Services Branch

  • Chief, IT Security, Information Management and Technology Directorate  
  • Analyst, Information Management and Technology Directorate
  • Senior Developer Analyst, Information Management and Technology Directorate
  • Correspondence Officer, Assistant Deputy Minister’s Office

Deputy Minister’s Office

  • Chief of Staff

Economic Development and Corporate Finance Branch

  • Administrative Assistant, Microeconomic Policy Analysis Division

Economic and Fiscal Policy Branch

  • A/Executive Assistant, Assistant Deputy Minister’s Office

Federal-Provincial Relations and Social Policy Branch

  • Executive Assistant, Assistant Deputy Minister’s Office
  • Statistical Analyst, Federal Provincial Relations Division

Financial Sector Policy Branch

  • Administrative Assistant, Assistant Deputy Minister’s Office

International Trade and Finance Branch

  • Admin Assistant, International Trade and Finance Branch

Law Branch

  • Assistant Deputy Minister
  • General Counsel, General Legal Services
  • Counsel, General Legal Services
  • Counsel, General Legal Services
  • Director of ATIP Division
  • Previous Director of ATIP Division
  • Executive Assistant to the Assistant Deputy Minister
  • Team Leader, ATIP Division
  • Team Leader, ATIP Division
  • Officer, ATIP Division

Tax Policy Branch

  • Administrative Coordinator, Sales Tax Division
  • Chief, Branch Coordination, Personal Income Tax Division

Aboriginal Affairs and Northern Development Canada

  • Team Leader, Access to Information and Privacy Directorate

Environment Canada

  • Team Leader, Access to Information and Privacy

Public Service Commission

  • Director of ATIP Division

Treasury Board of Canada Secretariat

  • Senior ATIP Analyst, Strategic Communications and Ministerial Affairs

Appendix B – Key Information Reviewed

Legislation, Policies and Guidelines

  • Access to Information Act
  • Access to Information Regulations
  • TB Policy on Access to Information
  • TB Directive on the Administration of the Access to Information Act
  • TBS Criteria for Posting Summaries of Completed ATI Requests
  • TBS Right of Access - Access to Information and Privacy
  • TB Guidelines Access to Information – General
  • TBS Guide for Posting Summaries of Completed ATI Requests

Reports

  • Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act 2012-2013
  • Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act 2011-2012

Other Documents

  • Department of Finance Designation Order under the Access to Information Act
  • Report on the TBS Study of Best Practices for Access to Information Requests

Information System

  • AccessPro – data related to closed requests for the period July 1, 2012 to June 30, 2014 and July 1, 2014 to December 31, 2014

Appendix C – Best Practices for Branch ATI Retrievals

Administrative Personnel or Others

  • Easy access to a well-organized repository of previously requested information.
  • Easy access to a repository of information likely to be requested.
  • Provision of a brief document on branch level guidance (e.g. “cheat sheet”) summarizing how to apply frequently used exemptions and exclusions.
  • Individual responsible for processing the branch requests quickly confirms with the authors of the requested information the proposed release package (e.g. same day).

Authors / Officers

  • Classify information when it is being created (e.g. Protected A, Secret, etc.).
  • Apply exemptions and exclusions to information likely to be requested as it is being created.

All Staff

  • Timely disposal of transitory records and records no longer required.
  • Well organized email accounts with small amounts of information.

Appendix D – Members of the Audit Team

  • Zahra La Fargue, B.Comm, Developmental Auditor
  • Chantale Dumornay, BAA, Auditor
  • Dan Steeves, MPA, CIA, Senior Auditor
  • Dan Maloley, B.Comm, CPA, CMA, CIA, Audit Manager
  • Abdillahi Roble, MBA, CPA, CGA, CIA, CRMA, Director, Internal Audit Operations and Practice Management
  • Christian Kratchanov, MBA, CIA, CMC, CRMA, Chief Audit Executive and Head of Evaluation